There are multiple ways you can deal with this problem:
Personally I would recommend point 2 and 3 from the following list:
1. Lower (S)NTP snyc time from the default 720s=20min to 120s=2min that time get synchronized quickly after a reboot. Otherwise you may have to wait 20min before DUR will work if the first SNTP request failed.
2. Set an approximate time which is used by the switch after a a power loss or reboot using job-scheduler command, e.g.:
job "set_time" at reboot "time 12/24/2018 00:00:00"
This is a least more accurate before the time is successfully updated via S(NTP) than the default date (01/01/90 00:00:00) which is used after a power loss .
3. Create a new user-role to be used as the initial role with a reauth-period defined. Otherwise failed authentications when the radius server is not reachable in time after a reboot cause clients to get stuck in the default initial role (denyall).
class ipv4 "denyall-ipv4"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
class ipv6 "denyall-ipv6"
10 match ipv6 ::/0 ::/0
exit
policy user "denyall"
10 class ipv4 "denyall-ipv4" action deny
20 class ipv6 "denyall-ipv6" action deny
exit
aaa authorization user-role name "denyall-reauth"
policy "denyall"
reauth-period 60
exit
aaa authorization user-role initial-role "denyall-reauth"