I've recently moved an ISE implementation into the low-impact authentication phase, and the client's security cameras are having a rough go of it. In monitor mode, they were able to stay connected as they should but in low-impact mode they are losing their IP addresses as evidenced in the auth session output below:

SWITCH-1#sh auth sess int g4/0/6
            Interface:  GigabitEthernet4/0/6
          MAC Address:  0040.8cc7.4822
           IP Address:  10.92.6.3
            User-Name:  00-40-8C-C7-48-22
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c
      Session timeout:  3600s (local), Remaining: 338s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0AFF320A000661C965742D42
      Acct Session ID:  0x00067E9F
               Handle:  0x72000982
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success
SWITCH-1#sh auth sess int g4/0/6
            Interface:  GigabitEthernet4/0/6
          MAC Address:  0040.8cc7.4822
           IP Address:  169.254.45.196
            User-Name:  00-40-8C-C7-48-22
               Status:  Authz Success
               Domain:  DATA
       Oper host mode:  multi-domain
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c
      Session timeout:  3600s (local), Remaining: 338s
       Timeout action:  Reauthenticate
         Idle timeout:  N/A
    Common Session ID:  0AFF320A000661C965742D42
      Acct Session ID:  0x00067E9F
               Handle:  0x72000982
Runnable methods list:
       Method   State
       dot1x    Failed over
       mab      Authc Success

This is happening approx. every 10 seconds which curiously is the timer value of my dot1x tx-period. As well, the host never has its reauthentication timer restarted but I can see the following in ISE approx. every 10-15 seconds:

Why is it going through Dynamic Authorization? Why am I losing my legitimate IP address every 10 seconds and getting an APIPA address in its place? The port configuration is as follows:

interface GigabitEthernet4/0/6
 description Security
 switchport access vlan 292
 switchport mode access
 ip access-group ACL-DEFAULT in
 power inline auto max 15400
 authentication event fail action next-method
 authentication host-mode multi-domain
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication violation restrict
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 2.00
 storm-control action shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
end

And my ACL-DEFAULT is...

Extended IP access list ACL-DEFAULT
    10 permit udp any eq bootpc any eq bootps
    20 permit udp any any eq domain
    30 permit icmp any any
    40 permit udp any any eq tftp
    50 deny ip any any log

Upon switch log review, I'd noticed that the ACL-DEFAULT is blocking the cameras from certain igmp and tcp/554 (RTSP) communications. To see if it would help, even though I shouldn't have to, I placed ACE's into my ACL-DEFAULT to permit this traffic and would still drop my IP address every 10 seconds. I shouldn't have to do this because the "xACSACLx-IP-PERMIT_ALL_TRAFFIC-5165e13c" is a simple "permit ip any any" ACL which should allow all of the traffic to flow.

Ideas?

Kind Regards,

Kevin