Effect of RADIUS-assigned ACLs when multiple clients are using the same port

Some network configurations may allow multiple clients to authenticate through a single port where a RADIUS server assigns a separate, RADIUS-assigned ACL in response to each client's authentication on that port. In such cases, a given client's inbound traffic is allowed only if the RADIUS authentication response for that client includes a RADIUS-assigned ACL. Clients authenticating without receiving a RADIUS-assigned ACL are immediately de-authenticated. For example, in the following figure, clients A through D authenticate through the same port (B1) on an switch running software release xx.14.01 or greater.

Example of multiple clients authenticating through a single port

In this case, the RADIUS server must be configured to assign an ACL to port B1 for any of the authorized clients authenticating on the port.