CBS350-24P-4X - dot1x mac reauthenticate

vbussiro
Level 1

Hi folks,

Trying to use RADIUS authentication for MAC addresses.

At first it seems OK: on the first plug-in, the supplicant is correctly authenticated:

10-Feb-2022 16:54:28 %SEC-I-SUPPLICANTAUTHORIZED: MAC 24:5e:be:xx:xx:xx is authorized on port gi2/0/14

But if I unplug it and then plug it back in, the status stays unauthenticated and I can't see any request to the RADIUS server...

Relevant part of the config:

dot1x system-auth-control
dot1x traps authentication failure 802.1x mac
dot1x traps authentication success 802.1x mac
dot1x supplicant traps authentication failure
dot1x supplicant traps authentication success
dot1x mac-auth radius
encrypted dot1x mac-auth password *removed*
encrypted radius-server host 172.16.32.247 key *removed* usage dot1.x
aaa authentication login SSH local
aaa authentication enable SSH enable
aaa authentication login Console local
aaa accounting dot1x start-stop group radius

interface GigabitEthernet2/0/14
 dot1x guest-vlan enable
 dot1x reauthentication
 dot1x timeout reauth-period 300
 dot1x authentication mac
 dot1x radius-attributes vlan static
 dot1x port-control auto

Firmware is up to date; I'm stuck.

24 Replies

marce1000
VIP

- What type or brand is the RADIUS server (model/version)? Can you confirm that in the problem case no data are sent to the RADIUS server (with a packet capture)?

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

The RADIUS server (Windows 2012R2 NPS, anyway) is behind a VPN, and answers correctly at the first connection.

In the firewall (FPR-1010 in ASA mode), I can see a tcp 1812 connection at the first plug, but nothing in subsequent plug tries.

Also tried with a purposely wrong MAC address (on a "new" port):

11-Feb-2022 10:06:35 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b1 was rejected on port gi2/0/11 due to wrong user name or password in Radius server

and then plugged in the rightful device:

11-Feb-2022 10:09:29 %LINK-I-Up: Vlan 100
11-Feb-2022 10:09:29 %SEC-I-PORTAUTHORIZED: Port gi2/0/11 is Authorized
11-Feb-2022 10:09:29 %SEC-I-SUPPLICANTAUTHORIZED: MAC 24:5e:be:21:05:b0 is authorized on port gi2/0/11

(VLAN 100 is assigned by RADIUS)

Seems OK, right? Then I unplug it and plug it back in... and it stays unauthorized:

 

11-Feb-2022 10:11:45 %LINK-W-Down: gi2/0/11
11-Feb-2022 10:11:45 %LINK-W-Down: Vlan 100
11-Feb-2022 10:11:45 %LINK-W-Down: Vlan 500
11-Feb-2022 10:11:53 %LINK-I-Up: gi2/0/11
11-Feb-2022 10:11:53 %LINK-I-Up: Vlan 500
11-Feb-2022 10:11:53 %SEC-W-PORTUNAUTHORIZED: Port gi2/0/11 is unAuthorized
11-Feb-2022 10:11:58 %STP-W-PORTSTATUS: gi2/0/11: STP status Forwarding

 

sh dot1x int gi 2/0/11

Authentication is enabled
Authenticator Global Configuration:
Authenticating Servers: Radius
MAC-Based Authentication:
Type: Radius
Username Groupsize: 12
Username Separator: -
Username case: Lowercase
Password: MD5 checksum *removed*
Unauthenticated VLANs:
Guest VLAN: VLAN 500, timeout 30 sec
Authentication failure traps are enabled for 802.1x, mac
Authentication success traps are enabled for 802.1x, mac
Authentication quiet traps are disabled
Supplicant Global Configuration:
Supplicant Authentication success traps are enabled
Supplicant Authentication failure traps are enabled

gi2/0/11
Authenticator is enabled
Supplicant is disabled
Authenticator Configuration:
Host mode: multi-host
Authentication methods: mac
Port Administrated Status: auto
Guest VLAN: enabled
VLAN Radius Attribute: enabled, static
Open access: disabled
Server timeout: 30 sec
Port Operational Status: unauthorized
Reauthentication is enabled
Reauthentication period: 300 sec
Silence period: 0 sec
Quiet period: 60 sec
Interfaces 802.1X-Based Parameters
Tx period: 30 sec
Supplicant timeout: 30 sec
Max req: 2
Authentication success: 1
Authentication fails: 3
Supplicant Configuration:
retry-max: 2
EAP time period: 30
Supplicant Held Period: 60

 

And no connection attempt to the RADIUS server... In case you ask, the 3 failed authentications were done when I purposely started with another device plugged in.

This drives me mad, and I'm pretty sure there's an easy explanation...

If I try to plug the same "wrong" device back in again (like I did in the first step):

11-Feb-2022 10:28:06 %LINK-W-Down: gi2/0/11
11-Feb-2022 10:28:06 %LINK-W-Down: Vlan 500
11-Feb-2022 10:28:08 %LINK-I-Up: gi2/0/11
11-Feb-2022 10:28:08 %LINK-I-Up: Vlan 500
11-Feb-2022 10:28:13 %STP-W-PORTSTATUS: gi2/0/11: STP status Forwarding

 

And that's all; I don't get the reject message either... It's like it won't talk to the RADIUS server again...

 

From device config:

> ...encrypted radius-server host 172.16.32.247 key *removed* usage dot1.x

Have a try with: encrypted radius-server host 172.16.32.247 key *removed* usage all     dot1.x

M.




Thanks for your answer.

Changed it, same behaviour.

Broke the stack to make it a single switch, idem.

Tried with another (brand new) switch with older firmware (v3.0.0.69), idem.

 

 

Another test:

I stopped the NPS service. Plugged in on 2/0/7 (never plugged anything on it before): there's the normal message for the offline RADIUS. Then plugged back in on 2/0/11: no message at all. Then again on a new port, 2/0/13: message for the offline RADIUS!

 

11-Feb-2022 12:02:49 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b0 was rejected on port gi2/0/7 because Radius server does not respond
11-Feb-2022 12:02:58 %LINK-W-Down: gi2/0/7
11-Feb-2022 12:02:58 %LINK-W-Down: Vlan 500
11-Feb-2022 12:03:02 %LINK-I-Up: gi2/0/11
11-Feb-2022 12:03:02 %LINK-I-Up: Vlan 500
11-Feb-2022 12:03:06 %STP-W-PORTSTATUS: gi2/0/11: STP status Forwarding

11-Feb-2022 12:06:53 %LINK-W-Down: Vlan 500
11-Feb-2022 12:07:02 %LINK-I-Up: gi2/0/13
11-Feb-2022 12:07:02 %LINK-I-Up: Vlan 500
11-Feb-2022 12:07:02 %SEC-W-PORTUNAUTHORIZED: Port gi2/0/13 is unAuthorized
11-Feb-2022 12:07:07 %STP-W-PORTSTATUS: gi2/0/13: STP status Forwarding
11-Feb-2022 12:07:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b0 was rejected on port gi2/0/13 because Radius server does not respond

 

So I suspect the wrong behaviour is: authenticated once, then it won't ask again. At least it won't stay authenticated after unplugging, but it (definitely) stays unauthenticated, because it won't try to authenticate again.
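To make this symptom checkable from syslog instead of by eye, here is an added Python example (not from the thread or from Cisco) that parses log lines of the kind quoted above and flags physical link-ups that are never followed by a SUPPLICANTAUTHORIZED or SUPPLICANTUNAUTHORIZED result, i.e. the "port up, unAuthorized, then no RADIUS attempt" pattern. The sample log is constructed from lines in this thread; the 60-second grace window is an assumption chosen to exceed the 30 s server timeout in the show dot1x output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (lines copied from the thread): first plug of gi2/0/11 is
# authorized; its re-plug comes up and never produces an auth result; gi2/0/13
# gets a reject, which still proves the switch asked RADIUS.
SAMPLE_LOG = """\
11-Feb-2022 10:09:29 %SEC-I-SUPPLICANTAUTHORIZED: MAC 24:5e:be:21:05:b0 is authorized on port gi2/0/11
11-Feb-2022 10:11:45 %LINK-W-Down: gi2/0/11
11-Feb-2022 10:11:53 %LINK-I-Up: gi2/0/11
11-Feb-2022 10:11:53 %LINK-I-Up: Vlan 500
11-Feb-2022 10:11:53 %SEC-W-PORTUNAUTHORIZED: Port gi2/0/11 is unAuthorized
11-Feb-2022 12:07:02 %LINK-I-Up: gi2/0/13
11-Feb-2022 12:07:02 %SEC-W-PORTUNAUTHORIZED: Port gi2/0/13 is unAuthorized
11-Feb-2022 12:07:18 %SEC-W-SUPPLICANTUNAUTHORIZED: MAC 24:5e:be:21:05:b0 was rejected on port gi2/0/13 because Radius server does not respond
"""

LINE_RE = re.compile(r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) %([A-Z0-9]+-[A-Z]-[A-Za-z]+): (.*)$")
PORT_RE = re.compile(r"\b(gi\d+/\d+/\d+)\b")
# Either mnemonic proves a RADIUS request was made; PORTUNAUTHORIZED is just port state.
RADIUS_OUTCOMES = {"SEC-I-SUPPLICANTAUTHORIZED", "SEC-W-SUPPLICANTUNAUTHORIZED"}

def parse_events(text):
    """Yield (timestamp, mnemonic, physical port or None) per syslog line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
        port = PORT_RE.search(m.group(3))
        yield ts, m.group(2), (port.group(1) if port else None)

def find_silent_link_ups(text, grace=timedelta(seconds=60)):
    """Physical link-ups with no RADIUS outcome within `grace` (server timeout on
    the page is 30 s): the 'up, unAuthorized, then silence' pattern of the thread."""
    pending = {}   # port -> time of the latest link-up still awaiting an outcome
    silent = []
    last_ts = None
    for ts, mnemonic, port in parse_events(text):
        last_ts = ts
        if port is None:
            continue
        if mnemonic == "LINK-I-Up":
            if port in pending:  # earlier link-up on this port never got an answer
                silent.append((port, pending[port]))
            pending[port] = ts
        elif mnemonic in RADIUS_OUTCOMES and port in pending:
            del pending[port]    # the switch did consult RADIUS for this link-up
    silent.extend((p, t) for p, t in pending.items() if last_ts - t > grace)
    return sorted(silent, key=lambda e: e[1])
```

Feed it the switch's syslog export (one event per line) to list every port and time at which a re-plug produced no authentication attempt.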

 

 

- It seems like your spanning tree is flapping, which could hamper stable communication with the RADIUS server. What is connected to gi2/0/7 and gi2/0/13?

 M.




The very same device I use for testing. The STP info seems normal after each plug (and link up).

 

- Did you also check out this reply:

> From device config:
> >...encrypted radius-server host 172.16.32.247 key *removed* usage dot1.x
> Have a try with: encrypted radius-server host 172.16.32.247 key *removed* usage all     dot1.x
> M.

 

 




Yes, see my message up there:

> Thanks for your answer.
> Changed it, same behaviour.
> Broke the stack to make it a single switch, idem.
> Tried with another (brand new) switch with older firmware (v3.0.0.69), idem.

 

 


 

 

- Consider escalating this problem: https://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

M.




Following; I will check the config and come back later tonight.

I opened Case Number 693044104; hopefully I'll come back with an answer. Nevertheless, any idea is welcome :)

OK, when does the host re-auth to the 802.1X switch?
1- link down <- this is for a host connected directly
2- inactivity <- if the host connects to a switch/hub not directly connected to the 802.1X switch, OR the host connects to an IP phone.
3- CDP <- if the host connects to an IP phone

So which case do you have from the above?