I do see the following in your debug, which makes me think it's actually working.
May 18 15:14:58.525193 Client moved to dynamic VLAN ROUTED_Registration
But if using mac-radius authentication and not specifying "restrict", I've had instances where it would take too long to switch over and the client would get the Microsoft APIPA address. Eventually it would work, but I've limited the scope of mixed radius and mac-radius authentication. Though, I may be facing the same issues when we change our phone systems to handsets that don't support 802.1X.
What do you see when you run the following commands?
> show dot1x interface ge-0/0/2.0
> show ethernet-switching table interface ge-0/0/2.0
Any messages in the system log?
> show log messages | match dot1x
I've done exactly what you are trying with NPS and the following config:
EX2200# show groups
G_DOT1X_DEFAULTS {
    protocols {
        dot1x {
            authenticator {
                interface {
                    <*> {
                        quiet-period 5;
                        reauthentication 300;
                        supplicant-timeout 5;
                        maximum-requests 2;
                    }
                }
            }
        }
    }
}
EX2200# show access
radius-server {
    XX.XX.XX.XX {
        port 1645;
        secret "<IT'S A SECRET>"; ## SECRET-DATA
        timeout 5;
        retry 2;
        source-address YY.YY.YY.YY;
    }
}
profile auth-profile-clnps01 {
    authentication-order radius;
    radius {
        authentication-server XX.XX.XX.XX;
    }
}
EX2200# show protocols dot1x
authenticator {
    authentication-profile-name auth-profile-clnps01;
    interface {
        ge-0/0/18.0 {
            apply-groups G_DOT1X_DEFAULTS;
            supplicant multiple;
            guest-vlan V20;
            server-reject-vlan V20;
            server-fail vlan-name V20;
        }
        ge-0/0/21.0 {
            apply-groups G_DOT1X_DEFAULTS;
            supplicant multiple;
            guest-vlan V20;
            server-reject-vlan V20;
            server-fail vlan-name V20;
        }
    }
}
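
Added example, not part of the post above and not Juniper code: a small Python audit that parses a `show protocols dot1x` stanza and reports, per interface, whether MAC RADIUS is tried only after 802.1X gets no reply (`mac-radius` without `restrict`, the case where the delay described above can occur) and which fallback VLANs are missing. The interfaces ge-0/0/2.0 and ge-0/0/3.0, their `mac-radius` stanzas, and the names `parse`, `audit`, `SAMPLE` and `FALLBACKS` are assumptions for illustration.

```python
# Constructed sample in the post's Junos brace syntax. ge-0/0/2.0, ge-0/0/3.0
# and their mac-radius stanzas are assumptions added for illustration.
SAMPLE = """
authenticator {
    interface {
        ge-0/0/18.0 {
            guest-vlan V20;
            server-reject-vlan V20;
            server-fail vlan-name V20;
        }
        ge-0/0/2.0 {
            mac-radius;
        }
        ge-0/0/3.0 {
            mac-radius {
                restrict;
            }
        }
    }
}
"""
FALLBACKS = ("guest-vlan", "server-reject-vlan", "server-fail")

def parse(text):
    """Parse brace-style Junos config into nested dicts (leaf statements map to None)."""
    root = {}
    stack = [root]                          # stack[-1] is the stanza being filled
    for raw in text.splitlines():
        line = raw.split("##")[0].strip()   # drop annotations such as ## SECRET-DATA
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line:
            stack[-1][line.rstrip(";")] = None
    return root

def audit(text):
    """Return {interface: (auth_mode, missing_fallbacks)}; apply-groups is not expanded."""
    report = {}
    for name, body in parse(text)["authenticator"]["interface"].items():
        mr = (body or {}).get("mac-radius", False)  # False: absent, None: bare, dict: stanza
        mode = ("dot1x-only" if mr is False else
                "mac-only" if "restrict" in (mr or {}) else "dot1x-then-mac")
        missing = [f for f in FALLBACKS if not any(k.split()[0] == f for k in body or {})]
        report[name] = (mode, missing)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Settings inherited through `apply-groups` are not resolved here, so feed it output from `show protocols dot1x | display inheritance` if group defaults matter.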