Just curious if anyone else has run into troubles with the 802.1X changes in 10.x and, if so, how you have dealt with it. In 9.x and prior, we could change devices connected behind IP phones at will and the new device would authenticate to the switch and be allowed access. Now with 10.x, only the first device is allowed to authenticate. The switch ignores EAP starts from any further clients until we cycle the port. It makes no difference if single host or multi domain is used. We have tried setting a RADIUS timeout but the switch doesn't seem to acknowledge that. Multi host is not an option as it does not support guest VLAN. It is frustrating because we have had no issues with 802.1X for 6+ years on our previous ProCurve switches and for 2+ years on our Meraki switches, but now this new firmware is causing a lot of issues for us.
What RADIUS server are you using?
I have seen similar behavior in traditional Cisco (Catalyst) with IP phones. The IP phone keeps the session active even if the device is disconnected from the phone. We added an idle timeout to the session on the RADIUS server. I'm not sure if the MS devices support that setting.
We use NPS. I have the RADIUS session timeout set for the policy. I have left the device disconnected from the phone for hours more than the timeout, but when I connect a different PC, the switch ignores the request. This is the timeout I have used in the past to force periodic reauth. I have found a setting on the Polycom phones that seems to resolve the issue, but we use a UCaaS service and I cannot modify anything on their provisioning servers, so I have no way to set it globally. I was hoping there is some other alternative. Cisco/Meraki's 802.1X options are a lot more limiting than with our old ProCurves. On them, we could have multiple authenticated clients per port and still support a guest VLAN.
Session timeout and idle timeout are 2 different timers. I found a good description of the timers on this MR KB. Are you doing MAB auth or 802.1X for the devices downstream of the phones? When the re-auth timer hits, 802.1X auth should fail, but MAB may still stick.
I haven't been able to find a KB that lists supported RADIUS vars for the MS side.
Hmm. The Cisco page has a bit more info: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/TrustSec_1-99/IP_Tele/IP_Telepho...
They indicate that I need to use the idle timeout and not the session timeout, but the Meraki page says idle timeout only works if RADIUS accounting is used, and we don't currently use accounting. I will try to mess with setting up RADIUS accounting while I wait to see if our provider can update their Polycom provisioning server.
Seems it doesn't work. I set the NPS policy to have a 5 minute idle timeout. The client is authenticating to the policy and Wireshark confirms that the timeout is specified in attribute 28. Well after 5 minutes of disconnecting the device from the phone, there is no deauth event in the Meraki logs and I am not able to change devices.
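To check, without Wireshark, which of the three timers an Access-Accept actually carries, here is an added Python decoder (not code from the thread, Cisco, Meraki or NPS) that walks the RADIUS attribute list. The packet bytes are constructed to match the 5 minute Idle-Timeout policy described above; the Authenticator is zeroed, not computed.

```python
"""Decode the timer attributes in a RADIUS Access-Accept (added example, not from the thread).

Reports which of Session-Timeout (27), Idle-Timeout (28) and Termination-Action (29)
the RADIUS server really sends, the attributes the posts above distinguish. The packet
is constructed to mimic the NPS policy described (5 minute Idle-Timeout); it is not a
capture from the thread.
"""
import struct

ACCESS_ACCEPT = 2
TIMER_ATTRS = {27: "Session-Timeout", 28: "Idle-Timeout", 29: "Termination-Action"}


def parse_avps(packet: bytes) -> tuple:
    """Return (code, {attr_type: [raw values]}) for a RADIUS packet, validating lengths."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match packet size")
    avps = {}
    pos = 20  # skip Code, Identifier, Length and the 16-byte Authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        avps.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return code, avps


def timers(packet: bytes) -> dict:
    """Timer attributes as integers keyed by name; attributes the server omits are absent."""
    code, avps = parse_avps(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    return {name: struct.unpack("!I", raw)[0]
            for atype, name in TIMER_ATTRS.items() for raw in avps.get(atype, [])}


def avp(atype: int, value: int) -> bytes:
    """Encode a 4-byte integer attribute (Type, Length=6, Value)."""
    return struct.pack("!BBI", atype, 6, value)


def build_accept(attrs: bytes, ident: int = 1) -> bytes:
    """Constructed Access-Accept with a zeroed Authenticator (test data only)."""
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs


# Constructed sample: the policy in the thread sends only Idle-Timeout = 300 s.
SAMPLE_ACCEPT = build_accept(avp(28, 300))

if __name__ == "__main__":
    found = timers(SAMPLE_ACCEPT)
    print("sent:", found, "| not sent:", [n for n in TIMER_ATTRS.values() if n not in found])
```

Running it on a real capture is a matter of passing the UDP payload of the Access-Accept to `timers()` instead of `SAMPLE_ACCEPT`.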