Well, sorry to dig out an old topic which I marked as solved, but I was wrong.
EAPOL-logoff is not sent by Windows by design. It does not change the fact that re-authentication should change the applied role from SDR to the Machine default role.
Attached are two files containing output from ‘sh auth-tracebuf, sh log security authmgr/aaa, sh log user-debug, sh dot1x supplicant-info, sh user’
x-init = initial role AAA
x-comp = Machine Auth Default Machine role
x-user = Machine Auth Default User role
x-auth = Default 802.1X role
x-sdr = SDR from VSA Aruba-User-Role returned by NPS
Step 1: PC boots up, no user logon: role = x-init -> x-comp
Step 2: User logs into the system: role = x-comp && x-user -> SDR -> x-sdr
Step 3: User logs out from the system: no new role, stays at SDR role ‘x-sdr’
Problem: At step 3, there is no role change back to the default machine role. You can see that after the user logs out, there is a new EAP-Start message, the station is identified by computer (not user) name, the authentication method is 8021x-Machine, but the role is still SDR. There is no EAP-logoff sent by the station when the user logs off from the system, but that is intended Microsoft behavior by design (security vulnerability). But still, the new EAP-Start message that begins a new authentication process should reset the derived role and do a clean machine auth with computer-only completed authentication.
Why does it stick with the SDR role?