RADIUS supplied VLANs for SG250 switches

robnaccarato
Level 1

Hello

I recently purchased some SG250 switches (08's and 18's) and am trying to get 802.1x vlans served from a radius server

 

It appears that although these switches' manuals state that they can be configured to do so, I cannot see it in my configs.

Specifically, in the Sx250 Series Smart Switches Admin Guide, (2.2.5.x) under Port Host Modes on pages 309 - 310, it states:

 

"A user can specify that untagged traffic from the authorized host will be remapped to a
VLAN that is assigned by a RADIUS server during the authentication process. Tagged
traffic is dropped unless it belongs to the RADIUS-assigned VLAN or the
unauthenticated VLANs. Radius VLAN assignment on a port is set in the Port
Authentication page."

When I go to the Port Authentication page in my mgt console, I see no such option. In fact, this same admin guide's Port Authentication section on page 314 - 316 doesn't appear to document this option either.

Perhaps I've misunderstood this?

Thanks.

 

 

25 Replies

Yes, when I assign a vlan to the port in the switch config, radius is used for authentication only. The hard configured vlan on the switch port is what the client is presented with, not what's in the radius reply attributes.

 

Seriously disappointed with Cisco's sg250 products in this regard. I bought these because of this supposed capability within the Admin guide, which I read before purchase.

 

We should be able to troubleshoot this further if you post at least one of your switchport configs. Have you been attempting this on a port configured as an access port?

See here my config for this switch.

 

Flash that firmware back up to 2.5.5.47. That was all obviously unnecessary.

From Sx250 CLI Guide for 2.4.5 (doesn't appear to be an appurtenant guide published for 2.5.5.47), p. 74:

Multi-Host Mode
The multi-host mode manages the authentication status of the port: the port is authorized after
at least one host is authorized.

When a port is unauthorized and the guest VLAN is enabled, untagged traffic is remapped to
the guest VLAN. Tagged traffic is dropped unless the VLAN tag is the guest VLAN or the
unauthenticated VLANs. If guest VLAN is not enabled on the port, only tagged traffic
belonging to the unauthenticated VLANs is bridged.

When a port is authorized, untagged and tagged traffic from all hosts connected to the port is
bridged based on the static vlan membership configured at the port.

[Emphasis added.]

I think you'll probably want to give that entire 802.1X Commands section a read, but it's looking less and less like this "Smart Switch" feature set supports RADIUS attributes.

Two things to try:

  1. Configure Port 8 as a VLAN 11 access port on the switch and try again—no RADIUS attributes included with authorization.
  2. Configure Port 8 as a general VLAN 1 untagged, VLAN 11 port (i.e. 1U/PVID, 11T) on the switch and try again—no RADIUS attributes included with authorization.

I'm pretty sure that I've confirmed before that setting VLANs on the ports themselves and using RADIUS auth simply sets the hard-coded VLAN ID. But in the common interest:

 

0. the switch is back to 2.5.5.47

1. setting the port to vlan 11/access mode and disabling the radius server from sending the attributes: the radius auth works, and the port is set for vlan 11, as expected.

2. set the port for General, 1U,1P,11T, no radius reply attributes, the radius auth works, and the port is set to vlan 1, as expected.

3. your quote about the port being assigned based on the static vlan port configuration - yes, but the very next paragraph is my quote from the manual that states that this behaviour can be overridden by setting the RADIUS VLAN assignment in the Port Authentication page. I see no such option on my Port Authentication pages on my sg250s. That is the crux of the problem, I think.

 

I think this series of devices are simply configured to not do this and Cisco forgot to remove that part of the manual from the 3xx series or something.

 

Your complete RADIUS and 802.1X configurations on the switch really should be thoroughly audited against all relevant sections of both the 2.5.5 Admin Guide and the 2.4.5 CLI Guide.

Relevant, from Sx250 Admin Guide for 2.5.5, p. 361:

Host Modes with Guest VLAN
The host modes work with guest VLAN in the following way:

• Single-Host and Multi-Host Mode
Untagged traffic and tagged traffic belonging to the guest VLAN arriving on an unauthorized port are bridged via the guest VLAN. All other traffic is discarded. The traffic belonging to an unauthenticated VLAN is bridged via the VLAN.

• Multi-Sessions Mode
Untagged traffic and tagged traffic, which does not belong to the unauthenticated VLANs and that arrives from unauthorized clients, are assigned to the guest VLAN using the TCAM rule and are bridged via the guest VLAN. The tagged traffic belonging to an unauthenticated VLAN is bridged via the VLAN. This mode cannot be configured on the same interface with policy-based VLANs.

If the tunnel-private-group ID attribute is provided as a VLAN name, the VLAN with this name most [sic] be statically configured on the device. If a VLAN ID (2-4094) is used in this attribute, after a supplicant is authenticated, the VLAN will be created dynamically.

The device supports the 802.1x authentication mechanism, as described in the standard, to authenticate and authorize 802.1x supplicants.

No idea why those last two paragraphs seem to be included under that heading, but regardless and again, seems to confirm remapping via RADIUS attribute is possible.

Go back to original zero-config on Port 8 except for 802.1X authentication enabled (i.e. "dot1x port-control auto".)

All other policy-based VLANs (e.g. GVRP) globally disabled?

Security > RADIUS > [check RADIUS server] > Edit > Usage Type: 802.1X . . . is that properly configured? From the 2.5.5 Admin Guide, p. 328:

Usage Type—Enter the RADIUS server authentication type. The options are:

- Login—RADIUS server is used for authenticating users that ask to administer the device.

- 802.1x—RADIUS server is used for 802.1x authentication.

- All—RADIUS server is used for authenticating user that ask to administer the device and 
for 802.1X authentication.  

 

Re: your step #1, try configuring Port 8 as a VLAN 1 access port, just to see if you can get it to flip to VLAN 11 after authentication.

Re: your step #2, try 1T, 11P, 11U—if only to see how the switch behaves. We know authentication has to take place on now tagged-but-unauthorized VLAN 1—and then that port will already have been statically configured for all VLAN 11-tagged traffic once authorized.
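The manual paragraph quoted above mentions the tunnel-private-group ID attribute. Per RFC 3580, a RADIUS VLAN assignment is carried by three RFC 2868 tunnel attributes that must share the same tag: Tunnel-Type (64) = VLAN (13), Tunnel-Medium-Type (65) = IEEE-802 (6) and Tunnel-Private-Group-ID (81) = the VLAN ID or VLAN name as a string. Before blaming the switch, it is worth confirming that the Access-Accept leaving the server really contains all three. The following is an added example, not code from this thread or from Cisco's documentation: a decoder for the attribute section of a RADIUS packet, applied to a constructed Access-Accept (zeroed authenticator, made-up VLAN values) so it runs offline. Feed it the UDP payload of a real Access-Accept captured on the RADIUS server and it reports what the switch was actually offered.

```python
"""Decode (and build) the RADIUS VLAN-assignment attributes of an Access-Accept.

Added example. Attribute numbers and tag semantics come from RFC 2868 / RFC 3580;
the packets built here are constructed test data, not captured traffic.
"""
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6
RADIUS_HEADER_LEN = 20  # code, identifier, length, 16-octet authenticator


def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]); raise ValueError on a malformed packet."""
    if len(packet) < RADIUS_HEADER_LEN:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], RADIUS_HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of range")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def _tag(octet: int):
    """RFC 2868: tag octets 0x01..0x1F group attributes; 0x00 or > 0x1F means untagged."""
    return octet if 0 < octet <= 0x1F else None


def tagged_integer(value: bytes):
    """Integer-with-tag: one tag octet followed by a 3-octet big-endian value."""
    if len(value) != 4:
        raise ValueError("tagged integer attribute must be 4 octets")
    return _tag(value[0]), int.from_bytes(value[1:], "big")


def tagged_string(value: bytes):
    """String-with-tag: the tag octet is optional; a first octet > 0x1F is data, not a tag."""
    if value and value[0] <= 0x1F:
        return _tag(value[0]), value[1:]
    return None, value


def assigned_vlan(packet: bytes):
    """Return the VLAN (ID or name) an Access-Accept assigns, or None if it assigns none.

    None is what makes a switch fall back to the port's static VLAN, so a None here
    means the problem is on the RADIUS side, not on the switch.
    """
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return None
    groups = {}  # tag -> {"type":..., "medium":..., "group":...}
    for atype, value in attrs:
        if atype == TUNNEL_TYPE:
            tag, v = tagged_integer(value)
            groups.setdefault(tag, {})["type"] = v
        elif atype == TUNNEL_MEDIUM_TYPE:
            tag, v = tagged_integer(value)
            groups.setdefault(tag, {})["medium"] = v
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, v = tagged_string(value)
            groups.setdefault(tag, {})["group"] = v.decode("utf-8", "replace")
    for g in groups.values():  # all three attributes must agree on the tag
        if (g.get("type") == TUNNEL_TYPE_VLAN
                and g.get("medium") == TUNNEL_MEDIUM_IEEE_802
                and "group" in g):
            return g["group"]
    return None


def build_access_accept(vlan: str, tag=1, complete: bool = True, identifier: int = 1) -> bytes:
    """Constructed Access-Accept for exercising the decoder offline (not a real reply).

    The Response Authenticator is zeroed; a real one is MD5 over the packet plus the
    shared secret. complete=False sends only Tunnel-Private-Group-ID, a common
    server-side misconfiguration that most switches ignore.
    """
    def attr(atype: int, value: bytes) -> bytes:
        return bytes([atype, len(value) + 2]) + value

    int_tag = bytes([tag if tag is not None else 0])
    str_tag = bytes([tag]) if tag is not None else b""
    body = attr(TUNNEL_PRIVATE_GROUP_ID, str_tag + vlan.encode())
    if complete:
        body = (attr(TUNNEL_TYPE, int_tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
                + attr(TUNNEL_MEDIUM_TYPE, int_tag + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
                + body)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, RADIUS_HEADER_LEN + len(body))
    return header + bytes(16) + body


if __name__ == "__main__":
    print(assigned_vlan(build_access_accept("11")))                  # 11
    print(assigned_vlan(build_access_accept("Guests", tag=None)))    # Guests
    print(assigned_vlan(build_access_accept("11", complete=False)))  # None
```

Two things this catches that a server log usually does not: a Tunnel-Private-Group-ID sent without the matching Tunnel-Type and Tunnel-Medium-Type (decoded as no assignment), and tag mismatches between the three attributes. If the decoder reports the expected VLAN and the switch still bridges the port into its static VLAN, the switch side is where to keep looking.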

In step 1, the switch assigns VLAN 1.

In step 2, the switch assigns VLAN 11.

To verify step 2, I changed the RADIUS reply to a VLAN other than VLAN 11 and the client still got VLAN 11.

GVRP is globally disabled.

RADIUS config is set to All.

 

 

I have tried multiple iterations of config on this switch (disabling smartport, setting the interfaces to NONE for vlan memberships, changing them from access to general ports, and more). I cannot find a way to get this device to assign vlans from radius.

 

I do not think the sg250 range is incapable of assigning vlans as informed by radius reply attributes and thus the documentation is misleading. Either that, or perhaps there's a bug in the firmware.

 

Thanks for your help.

 

I think we agree that if it's at all possible, the implementation is pretty terrible. And misleading documentation is an understatement—version ambiguities, copied-and-pasted tables of contents with incorrect pagination, unclear layout, etc. (although my feeling is that the answer probably is buried somewhere). You'd be justified in abandoning this switch on that basis alone.

You're welcome.

Just a followup for anyone interested / web search on this topic. I acquired replacement sg350 devices and radius-assigned vlans to access ports works, as does mac-auth.

I will be returning my sg250's. They perform radius auth, but vlan assignment to access ports uses the local device config.