Effect of RADIUS-assigned ACLs when multiple clients are using the same port
Some network configurations may allow multiple clients to authenticate through a single port where a RADIUS server assigns a separate, RADIUS-assigned ACL in response to each client's authentication on that port. In such cases, a given client's inbound traffic is allowed only if the RADIUS authentication response for that client includes a RADIUS-assigned ACL. Clients authenticating without receiving a RADIUS-assigned ACL are immediately de-authenticated. For example, in the following figure, clients A through D authenticate through the same port (B1) on an switch running software release xx.14.01 or greater.
In this case, the RADIUS server must be configured to assign an ACL to port B1 for any of the authorized clients authenticating on the port.