Please refer the NGAF V8.0.47 user manual in page 450:
About Bidirectional binding:
The user can only use a specified address for authentication, and this address can only be used by this user.
In this example, bidirectional binding and Bind the IP address on initial login are selected.
If you check Added as a guest account (not added to any local group), new users will not be added to the user list. Instead, they can only access the Internet with the permission of casual users.
Select a group in Use the group's Internet access permission.
The casual users can then access the Internet using the permission of the specified group.
If you check Do not allow the Internet access of new users, new users are not allowed to be added, and the users not on the user list are not allowed to access the Internet if the authentication fails.
They only have the permission allowed for users failing authentication, which is set in User Auth/Auth Options/Other Auth Options