We use NPS. I have the radius session timeout set for the policy. I have left the device disconnected from the phone for hours more than the timeout but when I connect a different PC, the switch ignores the request. This is the timeout I have used in the past to force periodic reauth. I have found a setting on the polycom phones that seems to resolve the issue but we use a UCaaS service and I cannot modify anything on their provisioning servers so I have no way to set it globally. I was hoping there is some other alternative. Cisco/Meraki's 802.1x options are a lot more limiting than with our old procurves. On them, we could have multiple authenticated clients per port and still support a guest vlan.

Session time out and idle time out are 2 different timers. I found a good description of the timers on this MR KB. Are you doing MAB auth or 802.1x for the devices down stream of the phones, because when the re-auth timer hits 802.1x auth should fail but MAB may still stick.

https://documentation.meraki.com/MR/Splash_Page/Configuring_RADIUS_Authentication_with_a_Sign-on_Spl...

I haven't been able to find a KB that lists supportes radius vars for the MS side. 

Hmm. The cisco page has a bit more info https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telepho...

They indicate that I need to use the idle timeout and not the session timeout but the Meraki page says idle timeout only works if radius accounting is used but we don't currently use accounting. I will try to mess with setting up radius accounting while I wait to see if our provider can update their polycom provisioning server.

Thanks

Seems it doesn't work. I set the NPS policy to have a 5 minute idle timeout. The client is authenticating to the policy and wireshark confirms that the timeout is specified in attribute 28. Well after 5 minutes of disconnecting the device from the phone, there is no deauth event in the meraki logs and I am not able to change devices.

At this point I would reach out to support. This is defiantly not working as intended.

Yeah already have one open. Was just hoping someone had already resolved these issues.

Just a FYI. I got a response from support saying that the MS switches do not support any radius timeouts.

I ended up getting our UCaaS provider to enable second port status reporting on the polycom phones but that exposed an even worse 802.1x bug in the 10.x firmware. Now we have a problem with windows PCs that either slow boot or come out of hibernate. Windows 10 and 7 both send icmpv6 router solicitation packets very early in the boot before 802.1x comes up. This causes the switch to send an eap challenge that fails since the supplicant has not yet started on windows. This causes the PC to be put on the guest vlan. Once the supplicant starts and sends eap starts, the switch is erroneously ignoring them thus my clients are getting stuck on the guest vlan. The only access policy method that works is multi-auth but that does not support guest and I have a requirement for guest vlan. There seems to be no programmatic way to disable ipv6 on the LAN adapter and MS does not recommend disabling it system wide. I tried firewalling some of the icmpv6 traffic with windows firewall but that didn't seem to work either. I have a scheduled task that cycles the LAN port from windows after a power event but it is not 100% reliable. I just had support roll back half my networks to 9.37 to see if that will restore my sanity. Not sure how 802.1x worked "decent" for several years but has gone so sideways in 10.x.