My attempts to reply to this were lost in the ether, so I will try again.
I understand you can have multiple identity sources, but outside of Terminal Services, you can only have one identity per IP. From sk131792:
"Most of Identity Awareness sources (except for AD Query, which is configurable) are overwriting existing information regarding the same IP.
Therefore, once a new user association is received by PDP, the old data on this IP will be overwritten and a log of "A secondary session request was received from the same IP. This caused logout of the current session" will be presented in SmartLog.
The PDP flow is:
Identity information is received for IP x.x.x.x
PDP checks if we already have information for IP x.x.x.x on our database.
IP x.x.x.x contains information for different user name / machine name.
New user name / machine information will overwrite the old one.
Log message "A secondary session request was received from the same IP. This caused logout of the current session" will be presented on SmartLog."
So I log in to my desktop and Identity Collector sees the events in the AD logs and maps my name to the IP. I then authenticate in Captive Portal with a RADIUS account, which according to the above, should overwrite my Identity Collector/AD identity. Now in R80.40 at least (I am on R80.20), there is a capability for Identity Awareness to combine different identities to one IP address ("Identity Conciliation"). However, based on sk146835, identities gathered from Identity Collector and Captive Portal cannot co-exist on one IP address:
"Some identity sources such as Identity Agent, Terminal Server, Captive Portal, and Remote Access VPN cannot be appended to others. In these cases, the conciliation decision is only override or reject.
Identity sources such as ADQuery, Radius Accounting, Identity Collector, and Web-API can be appended to each other. In these cases, the conciliation decision is append."
Note in my Captive Portal, I am using RADIUS authentication, I do not have RADIUS accounting enabled. Yet in my logs, I see both identities (from Identity Collector and Captive Portal). AccessRoles from these identities are both applied to the user logged on to the same IP.