Here's one example, from a thread back in 2020 on this very issue:
"User A logs into his Windows desktop and has an Access Role assigned to him via AD group membership. Identity Collector is the method used for this Access Role. This Access Role gives him access to Systems A, B, and C.
User A is also an authorized user of System D, but this is a more critical/sensitive system. Before he can access this system, he needs a new Access Role assigned. This Access Role is granted via Captive Portal using RADIUS (MFA) as the authentication mechanism. We want this so that his access to System D is open only when needed, and we want the use of MFA for heightened security. His Active Directory account and RADIUS account are two different accounts. In R80.40, once he authenticates through Captive Portal, his access to Systems A, B, and C are cut off. This is not practical the user's work activity."
Hope that makes sense. Basically we want to use Identity Collector for "typical" access, and Captive Portal (and MFA with RADIUS) for "step up" access to more critical systems. However, the authentication to Captive Portal wipes out the Access Roles granted via Identity Collector, and this would cause too many issues for our users.