ALCATEL RESPONSE :
When the PC runs a 802.1x supplicant, the phone can listen to EAP messages going out/coming into the PC and save 802.1x authenticated MAC addresses. When the PC port of the iptouch is unplugged, the phone is then able to forge EAP logoff packets using the previously saved mac addresses which makes the switch close the port for these devices.
As far as I understand, in MAB authentication, there is no EAP dialogue between the device (PC, printer, fax...) and the switch. The switch is simply waiting for eap authentication timout (if 802.1x is enabled on this port) and then for traffic coming out the non-802.1x device. Then, it sends the MAB request to the radius server and if the mac address is allowed, will open its port for this mac.
There is no way for the iptouch to tell the switch that the PC session must be closed, contrary to dot1x where a logoff message can be sent.
Of course, we advise you to use 802.x as much as possible, mac authentication being used as a fallback when the devices are not 802.1x capable.
ACSE OXE R9/R10 certified
Arkoon firewall ACSA certified
Omniswitch R6 for IP Telephony certified