I have an answer back from TAC. They believe it's either due to the user idle timeout or the need for 2-way communication between the client and printer. The following workarounds were suggested:
- Increase the user idle timeout to 1 hour.
- Set the port/VLAN to trusted.
Increasing the user idle timeout is the easiest solution, but I was concerned about how this may affect the controller. The only thing I can think of is that it will increase memory utilization. Still, this would only improve the situation, not resolve it, because I can't count on users printing every hour to keep the entry fresh in the user table.
Setting the port to trusted is not possible with the current configuration because the port is in bridged mode. So I would need to change the printer port to tunnel mode. However, that becomes a problem because then anyone can connect to the port and gain access to the corporate network. I suppose the solution to this would be to create an ACL where this traffic enters the corporate network.
A thought that I had was to tunnel the users' and printer traffic and let the printer authenticate via MAB. According to the user guide, the controller will probe the device after its idle period expires. If that's the case, the printer should respond to the probe and stay in the user table and solve my problem. Since the controller can't reach a bridged port, it has no way of keeping the printers in the user table given my current configuration.
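For reference, here is what the three options discussed above look like as controller configuration. This is an added illustration written for this thread, not configuration from the original poster or from TAC. It assumes ArubaOS 6.x CLI syntax (the `ap wired-port-profile` / `wired-ap-profile` split, `aaa timers idle-timeout` in minutes); the profile and role names (`printer-only`, `printers`, `printer-port`, `mab-printers`, `printer-aaa`), the VLAN number, the printer IP and the printer MAC are placeholders. The ACL is realized as a session ACL in the printer's user role rather than on the corporate uplink, which is one way to get the "anyone can plug in" exposure of a tunneled port down to print traffic only.

```text
! Added example for this thread (not from the original post or TAC).
! ArubaOS 6.x syntax assumed; all names, VLAN 100, 10.1.100.5 and the MAC are placeholders.

! --- Option 1: raise the user idle timeout (value in minutes) ---
! Only delays ageing; a silent printer still drops out of the user table after an hour.
aaa timers idle-timeout 60

! --- Option 2: tunnel the AP wired port and fence it with a session ACL ---
! Session ACL applied to the printer's role: DHCP/DNS out, print jobs in, nothing else.
ip access-list session printer-only
  user any svc-dhcp permit
  user any svc-dns permit
  any user tcp 9100 permit
  any user tcp 515 permit
  any any any deny

user-role printers
  session-acl printer-only

! Wired AP port profile in tunnel mode so the controller can see (and probe) the printer.
ap wired-ap-profile "printer-port"
  wired-ap-enable
  forward-mode tunnel
  switchport access vlan 100

! --- Option 3: MAC authentication (MAB) for the printer on that tunneled port ---
! Printer MAC as a local user; password is the MAC itself, role is the fenced role above.
local-userdb add username 00:11:22:33:44:55 password 00:11:22:33:44:55 role printers

aaa server-group "internal"
  auth-server Internal

aaa authentication mac "mab-printers"

aaa profile "printer-aaa"
  authentication-mac "mab-printers"
  mac-server-group "internal"
  mac-default-role printers

! Tie the wired AP profile and the AAA profile to the AP's ethernet port.
ap wired-port-profile "printer-port"
  wired-ap-profile "printer-port"
  aaa-profile "printer-aaa"
```

Whichever option is used, `show user-table` (and `show user-table verbose` for the role and age columns) is the check that tells you whether the printer entry is staying put or still ageing out.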