Hi Colin,
Regarding your comment above: "The Initial Role in the AAA profile is "logon", which means that the client will stay in the "logon" role if it does not pass mac authentication. If you want the client's role to be restricted even more, you would change that role to something else." I have some confusion and hope you can help.
1. Do you mean the client will receive the "logon" role if it does not pass MAC authentication (default policies include allow http, https, dns, dhcp...), so it still has network connectivity?
2. So if it passes authentication, what is the role it will stay in?
3. If I want to deny all clients that do not pass authentication (including MAC, 802.1X ...), do I need an "Initial Role" with a deny any any rule?