Currently in my lab guests on my network are assigned to our guest vlan via the RAC in the ACS server.
Now I could also change the RAC to not assign the vlan and instead use the dot1x guest-vlan command on the switch ports.
I'm wondering if there is a preferred method, argument for/against each, or it's just two different ways of skinning the same cat? The only benefit I can see using the RAC is if that vlan should ever change, it would only need to be changed in one spot instead of on every single switch port.
I guess the same question could be asked for the auth-fail vlan setting (assuming you aren't denying them access via the NAP).