Hi Hobbit,
It's normal. The pre-connection is enabled by default. If the device is not configured to grant network access rights to users in pre-connection or authentication failure state, users who fail to be authenticated remain in the pre-connection state by default. Because the device allows DHCP packets from pre-connection users to pass through, the users can still obtain IP addresses although they do not have any network access rights.
You can run the undo authentication pre-authen-access enable command to disable the function of keeping users who fail to be authenticated and do not have any network access rights in the pre-connection state. This configuration ensures that the users cannot obtain IP addresses.