Windows 7 / 2008 duplicate static address when using 802.1x / MAB - ISE

adrian.watmough
Level 1

Hi all!

ISE 1.1.3

Cisco 3750 switches

Windows XP / 7 / 2008 clients

I'm having some weird issues where if a client connects to a switchport and happens to be using a static IP address then the client warns of a duplicate address problem. Also the client will then only show the default gateway within ipconfig even though the IP address / mask is still in the GUI network properties of the adaptor. This is happening with Windows 7 and Windows 2008 devices.

Windows XP clients don't get the issue.

Some clients will use 802.1x native supplicant and some will be authenticated based on MAB.  Not noticed the problem with 802.1x clients but it always occurs on MAB.

I came across a similar issue here:

http://networkingblog.vvlabs.com/2012/07/cisco-ise-duplicate-ip-address-windows-7.html

Going off that blog I tried using the "ip device tracking delay probe delay" command but the switches don't recognise the "delay" keyword.

The switches are 3750 switches running version 12.2(58)SE2.

All I have is "count, interval, use-svi" as extra options.

Catalyst 4500 switch guide has  "delay" option but no "count, interval or use-svi".

The only way I have managed to avoid the problem is using the second solution which is a registry hack on each client.  This is fine for the odd server but not realistic when there will be hundreds of other clients.

Any ideas?

5 Replies

Richard Atkin
Level 4

Don't use Clients with static IP addresses?

No sorry.  That's not an option.  Servers need to be statically assigned and use 802.1x.

Are you JUST doing 1x? Not doing any Posture or CoA stuff? If so, can you paste your switch Config please? If you've built it using something like the TrustSec Universal Switch Configuration as a guide, then most of it will be superfluous. Pure .1x doesn't take much in terms of Config and certainly shouldn't care about the Client IP Address being static.


Hi

We are doing 802.1x for clients using the Windows supplicant.  For clients not using supplicants we are using MAB.  So the print servers and printers use MAB.

Extract of config...

aaa new-model
!
aaa authentication login default local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa authorization auth-proxy default group radius
aaa accounting update periodic 5
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
! RADIUS CoA listener (ISE nodes redacted as x)
aaa server radius dynamic-author
 client x server-key 7 x
 client x server-key 7 x
!
aaa session-id common
clock summer-time BST recurring last Sun Mar 23:00 last Sun Oct 23:00
system mtu routing 1500
vtp mode transparent
authentication mac-move permit
ip routing
no ip domain-lookup
!
! Global IP device tracking (IPDT); the ARP probes discussed in this thread come from here
ip device tracking
!
dot1x system-auth-control
dot1x critical eapol
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet1/0/1
 description ### Dot1x with MAB fallback ###
 switchport mode access
 switchport voice vlan 2
 ip access-group ACL-DEFAULT in
 srr-queue bandwidth share 10 10 60 20
 priority-queue out
 authentication event fail action next-method
 authentication event server dead action authorize vlan 1
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 0
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 mls qos trust device cisco-phone
 mls qos trust cos
 auto qos voip cisco-phone
 dot1x pae authenticator
 dot1x timeout tx-period 5
 spanning-tree portfast
 service-policy input AutoQoS-Police-CiscoPhone
!
ip http server
ip http secure-server
!
ip access-list extended ACL-DEFAULT
 remark Deny access to new network
 deny   ip any 172.x.x.x 0.0.0.255 log
 remark Allow everything else to other networks
 permit ip any any
!
ip radius source-interface Vlan2
logging esm config
logging host x transport udp port 20514
logging host x transport udp port 20514
!
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server dead-criteria time 30 tries 3
radius-server vsa send accounting
radius-server vsa send authentication
!
radius server ISE-1
 address ipv4 x auth-port 1645 acct-port 1646
 key 7 x
!
radius server ISE-2
 address ipv4 x auth-port 1645 acct-port 1646
 key 7 x
!

Ok, so your config looks pretty standard from what I can see. What happens if you delete the following:

aaa server radius dynamic-author
 client x server-key 7 x
 client x server-key 7 x

>> Only needed if you're doing CoA, which you're not

ip device tracking

>> Not needed and is possibly what's causing the problem

ip http server
ip http secure-server

>> Only needed if you're doing URL re-directs or configuring the switch via a GUI, which you're not

What outputs do you get from a "Show Auth Session Interface Fa1/0/1" while all of this is going on?

Obviously also need to get rid of the "authentication open" statement when this is all up and running ok
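The mechanism behind the thread, as an added illustration that is not part of any post above: IP device tracking keeps its table fresh by sending ARP probes (sender IP 0.0.0.0) to each host; Windows 7 / 2008 implement RFC 5227 address conflict detection, which treats another station's probe for your address, received while you are still probing it yourself after link-up, as a conflict. The decoder below classifies ARP frames the way a capture on the access port would show them and applies that conflict rule, so you can see why each workaround works: "ip device tracking probe use-svi" turns the probe into an ordinary request sourced from the SVI address, "probe delay" makes it arrive after the host's own probing window, and the registry change (ArpRetryCount = 0) stops the host probing at all. MAC addresses, IP addresses and the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

ETH_TYPE_ARP = 0x0806
ARP_REQUEST = 1
ARP_REPLY = 2
UNSPECIFIED = IPv4Address("0.0.0.0")


@dataclass(frozen=True)
class Arp:
    opcode: int
    sender_mac: str
    sender_ip: IPv4Address
    target_mac: str
    target_ip: IPv4Address


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def parse_arp(frame: bytes) -> Optional[Arp]:
    """Parse an untagged Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP packet
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return Arp(op, _mac_str(body[0:6]), IPv4Address(body[6:10]),
               _mac_str(body[10:16]), IPv4Address(body[16:20]))


def classify(a: Arp) -> str:
    """RFC 5227 vocabulary: probe (sender 0.0.0.0), announcement (sender == target), request, reply."""
    if a.opcode == ARP_REQUEST and a.sender_ip == UNSPECIFIED:
        return "probe"          # what IPDT sends by default
    if a.sender_ip == a.target_ip:
        return "announcement"   # gratuitous ARP
    return "request" if a.opcode == ARP_REQUEST else "reply"


def is_conflict(a: Arp, my_mac: str, my_ip: IPv4Address, probing: bool) -> bool:
    """RFC 5227 conflict rule as seen by a host that owns my_ip.

    probing=True models the window right after link-up while the host is still
    sending its own probes (ArpRetryCount > 0); probing=False models a host that
    has finished, or that never probes because ArpRetryCount = 0.
    """
    if a.sender_mac == my_mac:
        return False
    if a.sender_ip == my_ip:
        return True             # another station actively claims our address
    return probing and classify(a) == "probe" and a.target_ip == my_ip


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str,
              target_ip: str, dst_mac: str = "ff:ff:ff:ff:ff:ff") -> bytes:
    """Construct a 42-byte Ethernet/ARP frame for the samples below."""
    return (_mac_bytes(dst_mac) + _mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + _mac_bytes(sender_mac) + IPv4Address(sender_ip).packed
            + _mac_bytes(target_mac) + IPv4Address(target_ip).packed)


# Constructed addresses (assumptions for the example, not from the thread)
SWITCH_MAC = "00:1b:54:aa:bb:cc"   # 3750 SVI MAC
HOST_MAC = "00:50:56:11:22:33"     # statically addressed Windows 7 host
OTHER_MAC = "00:50:56:44:55:66"    # a genuine duplicate elsewhere on the VLAN
HOST_IP = "172.16.10.50"
SVI_IP = "172.16.10.1"

SAMPLES = {
    # default IPDT probe: sender IP 0.0.0.0, target = host's static address
    "ipdt_default_probe": build_arp(ARP_REQUEST, SWITCH_MAC, "0.0.0.0", "00:00:00:00:00:00", HOST_IP),
    # same probe after "ip device tracking probe use-svi": sourced from the SVI address
    "ipdt_use_svi": build_arp(ARP_REQUEST, SWITCH_MAC, SVI_IP, "00:00:00:00:00:00", HOST_IP),
    # a real conflict: another station announcing the host's address
    "real_duplicate": build_arp(ARP_REQUEST, OTHER_MAC, HOST_IP, "00:00:00:00:00:00", HOST_IP),
}


def evaluate(probing: bool) -> Dict[str, Tuple[str, bool]]:
    """Classify each sample and say whether the host would report a duplicate address."""
    result = {}
    for name, frame in SAMPLES.items():
        a = parse_arp(frame)
        assert a is not None
        result[name] = (classify(a), is_conflict(a, HOST_MAC, IPv4Address(HOST_IP), probing))
    return result


if __name__ == "__main__":
    for window, probing in (("just after link-up", True), ("after probe delay / ArpRetryCount=0", False)):
        print(window)
        for name, (kind, conflict) in evaluate(probing).items():
            print(f"  {name:20s} {kind:13s} duplicate={conflict}")
```

Run against a real capture, replace SAMPLES with the raw frames from a pcap; a burst of "probe" frames from the SVI MAC immediately after link-up, each flagged as a conflict, is the IPDT signature, whereas the "real_duplicate" row stays a conflict whatever the probing state, which is the case the Windows check exists for and the one you do not want to suppress.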
