I had a bit of a surprise making some changes to our planned NAC setup, and I want to make sure this is not a bug and is an expected behavior.  It's great if this is "normal".

We have 9200L access switches and ISE 3.1 in place.  The switch ports use dot1x and some simple profiling and posture policies on ISE.  All is working well.  While I knew that a single access port can have multiple hosts connected and each treated uniquely by NAC--such as with an ACL or posture state--what I didn't expect is that each can be on a different vlan.  This is not a question of trunking or pruning, and not a question about an IP phone.  Just an access port behavior.

The port in question is a host bridging multiple VMs and not using NAT.  If each client logs in with dot1x, which is our policy, I found each can be in a different vlan and operate normally.  I should note the VLANs are assigned by ISE.  Surprise!  Is this an expected behavior of NAC and a Catalyst 9200L?  The VM host is not configured for vlan tagging.  It's just my desktop.

Hope I explained it well enough.  I want to make sure we're not leveraging a bug or unintended behavior if we use this for special situations like the one I have.