An old thread, but there's a conclusion!
The problem I had is something to do with the way the mac-auth works. Here's my primitive interpretation of what I think is happening (probably incorrect): When a mac address is authenticated it's placed within the vlan returned by radius. When this moves to a different port, it's then attempting to authenticate from a different vlan and that isn't possible... so nothing happens.
This is one of the reasons why making all vlans available on a hybrid port would sort of make things work in some circumstances.
There's a new code version that we were given at the end of 2017, 3301P01, which has yet to appear on the download site...
This contains a feature that allows the mac-auth process to bypass the vlan check so no matter whether there's an existing auth session placing the mac in a vlan, it will do a new auth.
This does actually work, but it requires a config change. At the global level you need:
    port-security mac-move permit
Then at the port level:
    port-security mac-move bypass-vlan-check
I'm not sure when this firmware is going to hit the website; we were told it was good for production.