Topo:
ClearPass acts as the RADIUS server. Users perform 802.1X EAP authentication and phones perform MAC authentication. The PC starts with 802.1X authentication but fails. Users are authenticated and have access, but after 110 seconds they are disconnected. ClearPass shows Lost-Carrier as the termination cause.
This is the switch port dot1x configuration:
[SW]interface GigabitEthernet1/0/4
port link-type trunk
port trunk permit vlan 1 21
poe enable
dot1x
dot1x mandatory-domain dot1x-auth
Lost-Carrier can be caused by a heartbeat handshake failure of the client, the device, or the RADIUS server.
[SW]dis dot1x connection
Total connections: 1
Slot ID: 1
User MAC address: 901b-0eb8-34f9
Access interface: GigabitEthernet1/0/4
Username: host/XXX.XXX.local
User access state: Successful
Authentication domain: dot1x-auth
Authentication method: EAP
AAA authentication method: RADIUS
Initial VLAN: 1
Authorization untagged VLAN: 1
Authorization tagged VLAN list: N/A
Authorization ACL number/name: N/A
Authorization dynamic ACL name: N/A
Authorization user profile: N/A
Authorization CAR: N/A
Authorization URL: N/A
Termination action: Radius-request // here the info shows the server requests termination of the dot1x session
Session timeout period: N/A
Online from: 2023/09/04 13:47:09
Online duration: 0h 0m 35s
From the debugging dot1x log, we saw that the switch sends 2 times with a period of 15s, so the problem may be that the client does not support the dot1x timer heartbeat handshake.
Some 802.1X clients do not support the interaction of handshake messages with the device. In this case, it is recommended to turn off the device's online user handshake function, so that this type of online user is not forced offline for failing to respond to the handshake message.
[H3C-GigabitEthernet1/0/1] undo dot1x handshake
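
To see which clients show this pattern before changing port settings, the following added example (not part of the original case, and not H3C or ClearPass tooling) groups RADIUS accounting Stop records by client MAC and flags clients whose Lost-Carrier sessions all end after nearly the same duration, like the 110-second disconnects described above. The record layout, thresholds and function names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed accounting-Stop records (not from the case), as tuples of
# (Calling-Station-Id, Acct-Session-Time, Acct-Terminate-Cause) per RFC 2866.
# All MACs except the page's 901b-0eb8-34f9 are documentation values.
SAMPLE_STOPS = [
    ("901b-0eb8-34f9", 110, "Lost-Carrier"),
    ("90:1B:0E:B8:34:F9", 111, "Lost-Carrier"),   # same client, other MAC format
    ("901b0eb834f9", 109, "Lost-Carrier"),
    ("0000-5e00-5301", 3600, "Lost-Carrier"),     # genuine unplugs: durations vary
    ("0000-5e00-5301", 45, "Lost-Carrier"),
    ("0000-5e00-5301", 18200, "Lost-Carrier"),
    ("0000-5e00-5302", 110, "User-Request"),      # other cause: ignored
    ("0000-5e00-5302", 110, "User-Request"),
    ("0000-5e00-5302", 110, "User-Request"),
    ("0000-5e00-5303", 110, "Lost-Carrier"),      # too few sessions to judge
    ("0000-5e00-5303", 110, "Lost-Carrier"),
]


def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def find_handshake_suspects(stops, min_sessions=3, max_jitter=5.0):
    """Map MAC -> mean session time for clients whose Lost-Carrier sessions
    all end after nearly the same duration (std. deviation <= max_jitter s)."""
    durations = defaultdict(list)
    for mac, session_time, cause in stops:
        if cause == "Lost-Carrier":
            durations[normalize_mac(mac)].append(int(session_time))
    return {
        mac: mean(times)
        for mac, times in durations.items()
        if len(times) >= min_sessions and pstdev(times) <= max_jitter
    }


if __name__ == "__main__":
    for mac, avg in find_handshake_suspects(SAMPLE_STOPS).items():
        print(f"{mac}: repeated Lost-Carrier after ~{avg:.0f}s, check handshake support")
```

A client flagged here is a candidate for the handshake check above; a client with widely varying Lost-Carrier durations is more likely seeing real link drops.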