Hello All,

Cisco Switch: WS-C4510R+E
IOS: Version 03.06.03.E
ROM: 15.0(1r)SG5

I had been testing with a Dell Laptop today that was refusing to connect to the wired network and get an IP Address (*Now, the same issue occurs on 2 separate Dell laptops which are about 5 years apart in manufacturing age). The Laptops use Cisco AnyConnect with the NAM module and ISE Posture module.

When I plug the laptop into my wall-port (*Gi7/24), the NAM Module shows "Authenticating", and then "Acquiring IP Address"... It then sits on acquiring IP Address for about 30 seconds or so and then it displays Limited or No Connectivity. Ipconfig on the laptop shows its not getting an ip address from the switch. We use 802.1x Machine Authentication and the "show auth sess int Gi7/24" does not show that laptop as attempting to authenticate. I tried just about everything I could think of to get this working, but nothing I did seemed to make a difference.

So I ran "show auth sessions | inc <PC_Mac_Address>" and I found the mac address was still showing on a co-workers switchport. But, the laptop hadn't been turned on in a few months, which I thought was strange... So I ran "clear auth sess int Gix/xx" on that port and then replugged the laptop into my switchport and viola, it authenticated successfully and it was able to get an ip address and access the network.

Is there anyway to prevent the switch from caching these authentication sessions, like having the switch automatically remove the auth session whenever the device is disconnected from a switchport? This seems like it could be a big problem down the road. Especially considering how long that auth session was sitting on my co-workers port since that PC hadn't been turned on in months.

I was also having this problem with another laptop, same model as the one in my tests above. This laptop was one we were using for testing when we were setting up our ISE server. And we were working with a consultant at the time so we were in a conference room. That was back in July/August of this year and I was still able to find that auth session on that port on our 4510 for the conference room... This doesn't seem right to me, how can we prevent this from happening? I would just run "clear auth sessions" for everybody, but when you do that, computers currently connected when you run that command would get disconnected from the network and it would require them to reconnect/re-initiate the connection by unplugging and plugging back in. That scenario could be a nightmare when you get 50 people calling you at the same time telling you they don't have a network connection.

Any ideas how a I can fix this problem...? Any thoughts or suggestions would be greatly appreciated!

*UPDATE: I just came across this command on the switch... Does this have anything to do with this?

4510R-HQ(config)#authentication mac-move permit ?
  <cr>

Thanks in Advance,
Matt