Dynamic VLANs not working (once more)

This question has come up a few times, but I have the impression, some things have changed recently. I am trying to set up RADIUS assigned dynamic VLANs in my wifi. I am following this article for that.
My current test device is a TP-Link TL-WDR4300 v1 (ath9k), if that works, I would follow with a TP-Link Archer C2600 (ath10k).
I am connecting to the same RADIUS server that already successfully serves a Unifi-based dynamic VLAN setup on another site.
However, here, logread complains that the RADIUS did not serve a VLAN id ...

Thu Aug 11 21:15:03 2022 daemon.info hostapd: wlan0: STA 7a:9e:d2:af:b4:61 IEEE 802.11: authenticated
Thu Aug 11 21:15:03 2022 daemon.info hostapd: wlan0: STA 7a:9e:d2:af:b4:61 IEEE 802.11: associated (aid 1)
Thu Aug 11 21:15:03 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-STARTED 7a:9e:d2:af:b4:61
Thu Aug 11 21:15:03 2022 daemon.notice hostapd: wlan0: CTRL-EVENT-EAP-PROPOSED-METHOD vendor=0 method=1
Thu Aug 11 21:15:03 2022 daemon.info hostapd: wlan0: STA 7a:9e:d2:af:b4:61 IEEE 802.1X: authentication server did not include required VLAN ID in Access-Accept
Thu Aug 11 21:15:03 2022 daemon.warn hostapd: wlan0: STA 7a:9e:d2:af:b4:61 IEEE 802.1X: authentication failed - EAP type: 25 (PEAP)
Thu Aug 11 21:15:04 2022 daemon.info hostapd: wlan0: STA 7a:9e:d2:af:b4:61 IEEE 802.11: disassociated
Thu Aug 11 21:15:08 2022 daemon.info hostapd: wlan0: STA 7a:9e:d2:af:b4:61 IEEE 802.11: deauthenticated due to local deauth request
Thu Aug 11 21:15:17 2022 daemon.notice hostapd: wlan0-1: AP-STA-DISCONNECTED f4:46:37:80:69:e8

The RADIUS should be serving this:

Tunnel-Type = 13
Tunnel-Medium-Type = 6  
Tunnel-Private-Group-Id = 4 

Are the written equivalents mentioned in this question instead of the numerical types required for hostapd?

Here are the config files:
wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT40'
	option country 'DE'
	option channel '12'
	option txpower '20'
	option cell_density '0'
	option noscan '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'DiscoveryOne'
	option auth_server '10.165.40.156'
	option acct_secret '[...]'
	option encryption 'wpa2'
	option nasid 'ae36-750firstfloor'
	option ieee80211w '2'
	option auth_secret '[...]'
	option acct_server '10.165.40.156'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option dynamic_vlan     '2'
        option vlan_tagged_interface 'eth0'
	option vlan_bridge 'br-vlan'
	option vlan_naming '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option cell_density '0'
	option country 'DE'
	option channel '128'
	option htmode 'HT40'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'DiscoveryOne'
	option auth_server '10.165.40.156'
	option acct_secret 'MvWfihH7nVTnEkUM'
	option encryption 'wpa2'
	option nasid 'ae36-750firstfloor5ghz'
	option ieee80211w '2'
	option auth_secret '[...]'
	option acct_server '10.165.40.156'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option dynamic_vlan     '2'
        option vlan_tagged_interface 'eth0'
	option vlan_bridge 'br-vlan'
	option vlan_naming '0'

config wifi-iface 'wifinet2'
	option ssid 'DiscoveryOneIoT'
	option encryption 'psk2'
	option device 'radio0'
	option mode 'ap'
	option key '[...]'
	option network 'IOT'

network

config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'

config interface 'lan'
	option proto 'dhcp'
	option device 'br-lan'

config device 'wan_eth0_2_dev'
	option name 'eth0.2'
	option macaddr '90:f6:52:f2:5b:bd'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option description 'LAN'
	option ports '0t 2 3 4 5 1t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option vid '2'
	option description 'WAN'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config switch_vlan
	option device 'switch0'
	option vlan '3'
	option vid '3'
	option description 'DMZ'

config switch_vlan
	option device 'switch0'
	option vlan '4'
	option vid '4'
	option description 'GUEST'
	option ports '0t 1t'

config switch_vlan
	option device 'switch0'
	option vlan '5'
	option vid '5'
	option description 'IOT'
	option ports '0t 1t'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'eth0.4'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'eth0.5'

config interface 'IOT'
	option proto 'dhcp'
	option device 'br-iot'

config interface 'GUEST'
	option proto 'dhcp'
	option device 'br-guest'

I have this set up working (and before have seen this error message too). From memory the RADIUS looks right (using Synology Radius myself).

I believe I saw these errors when playing with vlan file. I’ll edit this post with relevant config later.

That would be great, thanks.

I have noticed by now that the RADIUS actually translates those numbers to the respective strings. The response with radclient is

Received Access-Accept Id 221 from 10.165.40.156:1812 to 10.166.20.109:38102 length 35
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "4"

So this should be fine ...

(On the other hand, I just noticed that Ubiquiti seems to have changed something in the controller, the respective settings are missing in the new version of the controller and dynamic VLAN do NOT seem to work on the other site. Instead everyone ends up in the main net, which is rather infuriating ...)

I’m travelling. Just remembered I posted config snippets in a previous reply on another topic:
Dynamic VLAN + Radius config snippets

Thanks! I will test that.