I have a company-wide EAP-TLS 802.1X network. Sometimes some end users can't connect to this EAP ssid, and always go the "guest" one. Sometimes some end users can't get dynamic IP.
On the ACS server, I sniffered, and I even saw the "radius accept" packet, but no accounting packet followed. There are many "challenge -> accept -> challenge -> accept" circle.
I checked the syslog error "Deauthenticating Station xxxxxxx Reason: Sending station has left the BSS ", and tried to change the signal channel, and also I removed one helper IP from the L3 switch vlan interface.
These seem to do some work. But I still not very sure.