For the record:
Global config:
eapol multihost eap-packet-mode unicast
Port config:
eapol multihost port 1/ALL,2/ALL,3/ALL,4/ALL enable eap-mac-max 2 allow-non-eap-enable radius-non-eap-enable non-eap-phone-enable use-radius-assigned-vlan non-eap-use-radius-assigned-vlan eap-packet-mode unicast mac-max 2
The above configuration changes the behavior of the switch in EAP/NEAP modes to no longer solicit for clients on the ports by sending an EAPOL Identity request. This solicitation has the negative effect of forcing any existing clients to re-authenticate. As clients/switches scale, this can become a problem, with several dozen or hundreds of clients re-authenticating continuously, subject to the supplicantTimeout = 30s default.
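An added example, not part of the original post: a small audit that reads a saved switch configuration in the syntax shown above and reports any `eapol multihost port` line whose `eap-packet-mode` is not `unicast`. The sample configuration, the `audit` function name, and the choice to report a missing keyword as "not set" are assumptions made for this illustration.

```python
import re

# Constructed sample in the post's syntax; the 5/1-24 and 6/ALL lines are
# invented here to give the audit something to flag.
SAMPLE_CONFIG = """\
eapol multihost eap-packet-mode unicast
eapol multihost port 1/ALL,2/ALL enable eap-mac-max 2 allow-non-eap-enable eap-packet-mode unicast mac-max 2
eapol multihost port 5/1-24 enable eap-mac-max 2 allow-non-eap-enable mac-max 2
eapol multihost port 6/ALL enable eap-packet-mode multicast mac-max 2
"""

# Match the keyword only as a whole option, not as the tail of a longer one.
MODE_RE = re.compile(r"(?<![\w-])eap-packet-mode\s+(\S+)")
PORT_RE = re.compile(r"^eapol\s+multihost\s+port\s+(\S+)\s*(.*)$")
GLOBAL_RE = re.compile(r"^eapol\s+multihost\s+(?!port\b)(.*)$")


def audit(config_text):
    """Return (global_mode, findings).

    global_mode is the value on the global 'eapol multihost' line, or None.
    findings is a list of (port_spec, mode) for every port entry whose
    eap-packet-mode is anything other than 'unicast'. A port line with no
    keyword is reported as 'not set' so it can be checked by hand
    (assumption: the reviewer wants the setting explicit on every port).
    """
    global_mode = None
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        port = PORT_RE.match(line)
        if port:
            port_list, options = port.groups()
            found = MODE_RE.search(options)
            mode = found.group(1).lower() if found else "not set"
            if mode != "unicast":
                findings.extend((p, mode) for p in port_list.split(","))
            continue
        glob = GLOBAL_RE.match(line)
        if glob:
            found = MODE_RE.search(glob.group(1))
            if found:
                global_mode = found.group(1).lower()
    return global_mode, findings


if __name__ == "__main__":
    mode, issues = audit(SAMPLE_CONFIG)
    print("global eap-packet-mode:", mode or "not set")
    for port_spec, port_mode in issues:
        print(f"port {port_spec}: eap-packet-mode {port_mode}")
```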