Question: mimic VLAN assignment with MAC-based 802.1x

2 weeks ago
Model: TL-SG3210XHP-M2  
Hardware Version: V1
Firmware Version: 3.0.12

Hello,

I have a question regarding 802.1x authentication and VLAN assignment.
In the OC300 documentation I read this:

VLAN assignment is available to the port based authentication only.

When I do MAC-based authentication with MAB enabled and clients get an Access-Accept, do the clients have to know their VLAN ID beforehand to mimic VLAN assignment?

What other options are available to mimic VLAN assignment?

Re:Question: mimic VLAN assignment with MAC-based 802.1x
2 weeks ago

@relvy

You can use Wireshark to learn about this.

Theoretically, before the VLAN assignment, they are assigned to the default VLAN that you assigned them to. If the SSID is VLAN 10, it should be 10.

Re:Question: mimic VLAN assignment with MAC-based 802.1x
2 weeks ago

@Clive_A

Thank you for your explanation.
That means the clients are on their corresponding tagged VLAN, regardless of the RADIUS Access-Accept information.

Theoretically the switch could do VLAN assignment with wired clients similar to what EAP does with wireless clients:

Say on port 2 there is an unmanaged switch with 8 ports.

Client A does MAC-based dot1x auth on port 2 (through the unmanaged switch). The RADIUS server tells the switch Client A belongs to VLAN 10.

Client B does MAC-based dot1x auth on port 2 (through the unmanaged switch). The RADIUS server tells the switch Client B belongs to VLAN 20.

The switch sends untagged frames from VLAN 10 to client A and untagged frames from VLAN 20 to client B.

The switch tags frames from client A with VLAN 10 and tags frames from client B with VLAN 20.

That would indeed be a nice feature.

 

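The per-client behaviour described in the post above, as an added Python model that is not part of the thread and does not describe TP-Link firmware: each authenticated source MAC is mapped to the VLAN carried in the RADIUS Access-Accept, untagged ingress frames are classified by source MAC, and egress frames are untagged per destination. The `Port` class, function names, MAC addresses and VLAN IDs are constructed for illustration; the attribute names and values are the RFC 3580 VLAN tunnel attributes, and a numeric `Tunnel-Private-Group-ID` is assumed.

```python
# Added illustration: a toy model of per-MAC VLAN assignment on one switch port.
# Not TP-Link firmware behaviour; MACs and VLAN IDs are constructed samples.
BROADCAST = "ff:ff:ff:ff:ff:ff"

def vlan_from_access_accept(attrs):
    """Extract the VLAN ID from RFC 3580 tunnel attributes, or None."""
    if attrs.get("Tunnel-Type") != 13:            # 13 = VLAN
        return None
    if attrs.get("Tunnel-Medium-Type") != 6:      # 6 = IEEE-802
        return None
    try:
        vid = int(attrs.get("Tunnel-Private-Group-ID", ""))
    except ValueError:                            # VLAN names are not modelled
        return None
    return vid if 1 <= vid <= 4094 else None

class Port:
    def __init__(self, fallback_vlan=None):
        self.mac_vlan = {}                        # authenticated MAC -> VLAN
        self.fallback_vlan = fallback_vlan        # used when no VLAN is returned

    def authorize(self, mac, access_accept):
        """Record the VLAN for a MAC after an Access-Accept; return it."""
        vid = vlan_from_access_accept(access_accept)
        if vid is None:
            vid = self.fallback_vlan
        if vid is not None:
            self.mac_vlan[mac.lower()] = vid
        return vid

    def ingress(self, src_mac):
        """VLAN tag applied to an untagged frame from src_mac; None = drop."""
        return self.mac_vlan.get(src_mac.lower())

    def egress(self, frame_vlan, dst_mac):
        """True if a frame in frame_vlan leaves this port (untagged)."""
        if frame_vlan not in self.mac_vlan.values():
            return False                          # port is not a member
        if dst_mac.lower() == BROADCAST:
            return True                           # floods to every client behind the port
        return self.mac_vlan.get(dst_mac.lower()) == frame_vlan
```

In this model a broadcast in VLAN 10 still leaves the port untagged and the unmanaged switch delivers it to client B as well, so per-MAC classification on a shared port separates unicast traffic but not flooded traffic.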