That is expected behavior as 802.1x sees additional mac addresses that are not authenticated on the port. You have several ways to allow these devices on the network:
1. Utilize MAB with static mac database and/or profiling
2. Configure the the supplicants on the VMs to perform 802.1x based authentication
3. Configure those network ports to authenticate the first mac address on the network and then allow any additional mac addresses. This is accomplished with the following command:
authentication host-mode multi-host
For more information on that command you can check out the following link:
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/50sg/configuration/guide/Wrapper-46SG/dot1x.html
I hope this helps!
Thank you for rating helpful posts!