Hi Paul,
You have two options to enhance your edge-port security besides just VLAN separation with RFC 3580 operation:
- Policy, that is most likely configured in XMC GUI due to a lot of capabilities, and enforced to all the devices at once, then in RADIUS you would want to assign an additional attribute to your Access-Accept response, i.e. Filter-id=;
- UPM script, that would be a script triggered upon user authentication, and in RADIUS you have to specify a Vendor-Specific Attribute that would call the script by its name; inside you can play with some authentication variables like user port or so and apply dynamic ACLs to it (more to do in CLI for that);
For Policy to be working, Filter-id should have its value pointing to a policy name that exists on a device (like Filter-id=guest).
Please let us know what approach you prefer and if you use XMC or not, then we could help you walk through relevant portions of configuration.
Also, your current config might be useful here.
Regards,
Tomasz