Catalyst 9200CX - 17.12.5 - dot1x supplicant controlled transient

Robert Saurer
Level 1

I need to set up Catalyst 9200CX Compact switches as 802.1X supplicants for upstream Catalyst 9300L authenticator switches:

I found out that the dot1x supplicant controlled transient command

  • will keep the line protocol down (after physical link up) until 802.1x supplicant authentication towards the upstream switch either
    • succeeds or
    • fails or
    • times out
  • will start STP on the interface when the line protocol comes up

I also found out that whenever I configure:

  • the global "access-session monitor" on the supplicant switch
    • "dot1x supplicant controlled transient" breaks and immediately sends a STP BPDU towards the upstream port
  • "no access-session monitor" on the supplicant switch's upstream interface
    • the line protocol will not come up at all even after successful authentication
  • I could not find any reference about this correlation in the documentation so far.


conf t
!
eap profile EAP-FAST
 method fast
!
dot1x credentials SWITCH
 username compact0001
 password secret
!
crypto pki trustpoint ROOT_CA
...
!
dot1x supplicant force-multicast
dot1x supplicant controlled transient
!
interface TenGigabitEthernet1/0/8
 description UPLINK
 switchport mode trunk
 device-tracking attach-policy NO_IPDT
 dot1x pae supplicant
 dot1x credentials SWITCH
 dot1x supplicant eap profile EAP-FAST
!
!
! IBNS2 config for all other switchports

I do not configure cisp enable:

  • neither on the authenticator switch
  • nor on the supplicant switch

Our authenticator switches are configured for IBNS2 (closed mode with multi-auth).
They also have an ASP Macro predefined that basically changes a dot1x port into a trunk port without authentication and disables the global BPDU Guard for this switchport. (We use the global BPDU Guard, not the interface-level STP BPDU Guard.)

The Anti Macro just reverts the change when the link goes down again.

ISE is configured to send a RADIUS Access Accept with an ASP Macro name SWITCH.
The NEAT checkbox in the AuthZ Rule is disabled because we want to control exactly what should happen when a compact switch is attached and therefore use our ASP Macro called SWITCH.

So far this works perfectly.

My problem is that I also need to configure ASP Macros on the Catalyst 9200CX supplicant switches.

When I configure

! ASP Macro
shell processing full
shell trigger AP AP
shell trigger SWITCH SWITCH
macro auto global processing
no macro auto global control device
no macro auto global control trigger

macro auto global processing enables the device classifier automatically.

Whatever happens in the background, as soon as I add macro auto global processing to the supplicant's global configuration, controlled transient starts behaving differently and immediately sends STP BPDUs on the upstream port when the link comes up.

When I disable ASP Macros on the upstream interface with

conf t
interface Ten1/0/8
 no macro auto processing
 no macro auto control device
 no macro auto control trigger
end

dot1x supplicant controlled transient still seems to be broken because it will send STP BPDUs immediately long before successful supplicant 802.1x authentication.

Does anyone have a solution?

I am not allowed to disable STP BPDU Guard for dot1x ports on the authenticator switches.
I am not allowed to filter STP BPDUs between authenticator and supplicant switch (to avoid bpdu-guard error-disabling those ports).

To my current knowledge device classifier also triggers access-session monitor.

Robert


Mancunian
Spotlight

Disable access-session monitor explicitly
Even if device classifier is active due to ASP macros, you can try disabling just the monitoring.

Avoid macro auto global processing on supplicant
If you don’t need ASP macros to run on the 9200CX supplicant switch, you can safely avoid enabling:
no macro auto global processing
This will avoid triggering device classifier and thus avoid access-session monitor.

If you must run some ASP macro logic on the supplicant switch, split the authentication and STP behaviors manually:
Use a delayed BPDU transmission strategy via EEM scripts or interface-level pre-checks

Also, consider:

Checking the exact IOS-XE version on both 9200CX and 9300L (try updating to latest if possible)

Opening a TAC case and referencing this correlation between macro auto global processing, access-session monitor, and dot1x supplicant controlled transient
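As an added audit check, not part of this thread or of any Cisco tooling: a small Python script that scans a saved running-config for the combination described above, a supplicant uplink relying on dot1x supplicant controlled transient while access-session monitor or macro auto global processing is active globally. The sample config is constructed for the example and is not the poster's configuration.

```python
from typing import Dict, List, Tuple

# Constructed sample of a 9200CX supplicant running-config (not the poster's
# actual config); it deliberately combines the settings the thread says conflict.
SAMPLE_CONFIG = """\
dot1x supplicant force-multicast
dot1x supplicant controlled transient
access-session monitor
macro auto global processing
!
interface TenGigabitEthernet1/0/8
 description UPLINK
 switchport mode trunk
 dot1x pae supplicant
 dot1x credentials SWITCH
!
interface GigabitEthernet1/0/1
 switchport mode access
"""

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS-style config into global lines and per-interface bodies.
    Indented lines belong to the most recent 'interface' stanza; '!' ends it."""
    global_lines: List[str] = []
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None
            if raw.strip() and raw.strip() != "!":
                global_lines.append(raw.strip())
    return global_lines, interfaces

def transient_conflicts(text: str) -> List[str]:
    """One finding per supplicant uplink whose controlled-transient protection
    is undermined by a global setting the thread identifies as conflicting."""
    global_lines, interfaces = parse_config(text)
    findings: List[str] = []
    if "dot1x supplicant controlled transient" not in global_lines:
        return findings  # controlled transient not in use; nothing to check
    for name, body in interfaces.items():
        if "dot1x pae supplicant" not in body:
            continue
        if "access-session monitor" in global_lines:
            findings.append(f"{name}: global 'access-session monitor' defeats controlled transient")
        if "macro auto global processing" in global_lines:
            findings.append(f"{name}: 'macro auto global processing' enables device classifier")
    return findings
```

Run it against `show running-config` output captured from each supplicant switch before and after an ASP macro change to confirm the conflicting lines are gone.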