After the RADIUS server authenticates a device, if no role is configured on the server, it sends an empty access accept packet to the switch. The switch translates this empty packet to assign an auth-role to the device. The switch then checks if an auth-role is configured on that port and assigns this role to the device.