Topo
ClearPass acts as the RADIUS server. Users perform 802.1X EAP authentication and phones perform MAC authentication.
After enabling mac-vlan, both devices authenticate well, but the PC tries to authenticate by MAC authentication in addition to dot1x authentication. Because the MAC of the PC is not in the RADIUS MAC host list, the request is rejected. But having all the PCs authenticate by both dot1x and MAC authentication is filling up the ClearPass request monitor.
The port configuration is as follows:
interface GigabitEthernet1/0/4
port link-type hybrid
When both MAC address authentication and 802.1X authentication are enabled on a port, some networking environments expect the device to perform 802.1X authentication on user packets first.
For example, some clients send other packets, such as DHCP packets, to the device before sending the 802.1X authentication request packet, which triggers unexpected MAC address authentication.
In this case, you can enable the MAC address authentication delay function on the port. After this function is enabled, the port does not trigger MAC address authentication immediately when it receives user packets, but waits for a configured delay time. If the user has not performed 802.1X authentication, or has failed 802.1X authentication, during this period, then after the delay time expires the port performs MAC address authentication on the previously received user packets.
The configuration commands are as follows:
[H3C-GigabitEthernet1/0/4] mac-authentication timer auth-delay 10
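The effect of the delay on the number of MAC authentication requests sent to the RADIUS server can be seen in a small model. This is an added example, not H3C code or part of the original answer: it is a simplified simulation of the behaviour described above, and the host names, timestamps and the function `mac_auth_requests` are constructed for illustration.

```python
# Constructed sample events: (seconds, source MAC, event kind).
# "data" is an ordinary user packet such as DHCP; "dot1x_ok" and
# "dot1x_fail" are the results of that host's 802.1X authentication.
EVENTS = [
    (0.0, "pc-01", "data"),        # PC sends DHCP before its supplicant starts
    (3.0, "pc-01", "dot1x_ok"),    # 802.1X succeeds 3 s later
    (0.5, "phone-01", "data"),     # phone has no supplicant, MAC auth only
    (1.0, "pc-02", "data"),
    (4.0, "pc-02", "dot1x_fail"),  # failed 802.1X, so MAC auth still runs
]


def mac_auth_requests(events, auth_delay):
    """Return {mac: time at which MAC authentication is triggered}.

    Simplified model (an assumption, based on the description above):
    the first user packet from a MAC starts the delay timer, and when it
    expires MAC authentication is triggered unless 802.1X has already
    succeeded. auth_delay=0 models a port without the delay function.
    """
    first_seen = {}
    dot1x_ok_at = {}
    for ts, mac, kind in sorted(events):
        if kind == "data":
            first_seen.setdefault(mac, ts)
        elif kind == "dot1x_ok":
            dot1x_ok_at.setdefault(mac, ts)

    triggered = {}
    for mac, start in first_seen.items():
        expiry = start + auth_delay
        ok = dot1x_ok_at.get(mac)
        if ok is not None and ok < expiry:
            continue  # 802.1X passed inside the delay window: no MAC auth
        triggered[mac] = expiry
    return triggered


if __name__ == "__main__":
    for delay in (0, 10):
        result = mac_auth_requests(EVENTS, delay)
        print(f"auth-delay {delay:>2}s -> {len(result)} MAC auth request(s): {result}")
```

In this model the delay removes the rejected request for `pc-01`, while hosts that rely on MAC authentication (`phone-01`, and `pc-02` after its 802.1X failure) are authenticated only after the delay expires.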