They don't get access bits until they've been authenticated, so avoid doing any checks on clients in those early states.