False authentication sessions problem

kluczak16
Level 1

Hello,

I observe undesirable behavior of my Cisco 3560 switches, which keep authentication sessions for devices that are currently not connected to the network.

To be precise, I mean the sessions relating to devices that haven't been successfully authenticated, and as a result the switch is trying to re-authenticate them. The problem shows up when the device is no longer connected to the network, but the switch is still keeping that authentication session (ineffectively trying to authenticate a device that is no longer connected).

For example, on int fa0/37 six devices are connected, while there are 36 current authentication sessions:

SW1#sh clock
16:54:10.793 CEST Fri Jun 7 2013
SW1#sh mac add int Fa0/37
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  82    0012.3fb9.5b3f    STATIC      Fa0/37
  82    28d2.4408.0f31    DYNAMIC     Fa0/37
  82    28d2.4408.10d9    DYNAMIC     Fa0/37
  82    28d2.4408.1440    DYNAMIC     Fa0/37
  82    28d2.4408.39dc    DYNAMIC     Fa0/37
  82    6cf0.4929.4aa8    DYNAMIC     Fa0/37
Total Mac Addresses for this criterion: 6


SW1#sh auth sess | i 0/37
Fa0/37 f0de.f15f.3332 N/A DATA Authz Failed 0ACA022A000004751725F612
Fa0/37 28d2.4401.8591 N/A DATA Authz Failed 0ACA022A000005AE9C6AB46B
Fa0/37 0024.1dab.5943 N/A DATA Authz Failed 0ACA022A0000008B630B988D
Fa0/37 0024.1d0b.bd9d dot1x DATA Running 0ACA022A000005867DC8BA06
Fa0/37 28d2.4408.0f31 dot1x DATA Running 0ACA022A000005C2AC8D0728
Fa0/37 f0de.f152.2266 N/A DATA Authz Failed 0ACA022A000000DE8CD63254
Fa0/37 0021.86ff.b4f2 N/A DATA Authz Failed 0ACA022A000005495F07FBBD
Fa0/37 f04d.a251.6135 mab DATA Authz Failed 0ACA022A0000043D0D549EA9
Fa0/37 28d2.4408.1440 dot1x DATA Running 0ACA022A000005C1AC8CD8D3
Fa0/37 0021.ccd8.095c dot1x DATA Running 0ACA022A000004781740E560
Fa0/37 5cf9.dd41.6a35 mab DATA Authz Failed 0ACA022A0000044E11EA7A95
Fa0/37 0012.3fb9.5b3f dot1x DATA Authz Success 0ACA022A0000003924E5D007
Fa0/37 5cf9.dd41.6c06 mab DATA Authz Failed 0ACA022A0000044F11EF1A3B
Fa0/37 0021.cc6e.3db3 dot1x DATA Running 0ACA022A000004A921E704A2
Fa0/37 0021.ccd0.1487 N/A DATA Authz Failed 0ACA022A00000479175405FF
Fa0/37 0021.ccd7.e67f dot1x DATA Running 0ACA022A0000055E6012F3D3
Fa0/37 28d2.4407.209d N/A DATA Authz Failed 0ACA022A0000045012089F38
Fa0/37 0011.4302.d91b N/A DATA Authz Failed 0ACA022A000004A721363771
Fa0/37 28d2.4408.10d9 dot1x DATA Running 0ACA022A000005C0AC8CAB1D
Fa0/37 0013.72ca.549e N/A DATA Authz Failed 0ACA022A0000009F6D129B84
Fa0/37 28d2.4406.28e2 N/A DATA Authz Failed 0ACA022A00000376D9E4E000
Fa0/37 0024.7e10.ef3a N/A DATA Authz Failed 0ACA022A0000003B254891A7
Fa0/37 0026.1823.fa2f dot1x DATA Running 0ACA022A000000D3872D60E0
Fa0/37 3c97.0e83.f722 N/A DATA Authz Failed 0ACA022A000003DFE8AB9EB6
Fa0/37 70f3.9513.c315 dot1x DATA Running 0ACA022A0000050540434445
Fa0/37 6cf0.4929.4aa8 N/A DATA Authz Failed 0ACA022A0000003A24E64567
Fa0/37 001d.7284.4cae dot1x DATA Running 0ACA022A0000008C63D0E95F
Fa0/37 70f3.9513.c420 N/A DATA Authz Failed 0ACA022A00000103B00B97CC
Fa0/37 28d2.4408.39dc dot1x DATA Running 0ACA022A000005C3AC8D33D2
Fa0/37 0013.72b8.ec0b dot1x DATA Running 0ACA022A0000056D695D4C5D
Fa0/37 5cf9.dd41.6c80 mab DATA Authz Failed 0ACA022A000004360D108AA4
Fa0/37 000f.1fe4.6f9f N/A DATA Authz Failed 0ACA022A000000E39161ABC9
Fa0/37 001e.3736.9a6a N/A DATA Authz Failed 0ACA022A000004831C16033E
Fa0/37 0024.7eda.ab58 N/A DATA Authz Failed 0ACA022A0000030ED4955421
Fa0/37 28d2.4402.4bbf N/A DATA Authz Failed 0ACA022A0000005139D52E1E
Fa0/37 0018.8b0c.7882 N/A DATA Authz Failed 0ACA022A000004CC30DD0119


SW1#sh clock
16:54:21.891 CEST Fri Jun 7 2013
SW1#

Only "clear authentication sessions session-id …" executed for that "hanging" session causes its removal:

SW1#clear auth sess sess 0ACA022A000004CC30DD0119
SW1#clear auth sess sess 0ACA022A0000005139D52E1E
SW1#clear auth sess sess 0ACA022A0000030ED4955421
SW1#clear auth sess sess 0ACA022A000004831C16033E
SW1#clear auth sess sess 0ACA022A000000E39161ABC9

SW1#sh auth sess | i 0/37
Fa0/37 f0de.f15f.3332 N/A DATA Authz Failed 0ACA022A000004751725F612
Fa0/37 28d2.4401.8591 N/A DATA Authz Failed 0ACA022A000005AE9C6AB46B
Fa0/37 0024.1dab.5943 N/A DATA Authz Failed 0ACA022A0000008B630B988D
Fa0/37 0024.1d0b.bd9d N/A DATA Authz Failed 0ACA022A000005867DC8BA06
Fa0/37 28d2.4408.0f31 dot1x DATA Running 0ACA022A000005C2AC8D0728
Fa0/37 f0de.f152.2266 N/A DATA Authz Failed 0ACA022A000000DE8CD63254
Fa0/37 0021.86ff.b4f2 N/A DATA Authz Failed 0ACA022A000005495F07FBBD
Fa0/37 f04d.a251.6135 mab DATA Authz Failed 0ACA022A0000043D0D549EA9
Fa0/37 28d2.4408.1440 dot1x DATA Running 0ACA022A000005C1AC8CD8D3
Fa0/37 0021.ccd8.095c dot1x DATA Running 0ACA022A000004781740E560
Fa0/37 5cf9.dd41.6a35 mab DATA Authz Failed 0ACA022A0000044E11EA7A95
Fa0/37 0012.3fb9.5b3f dot1x DATA Authz Success 0ACA022A0000003924E5D007
Fa0/37 5cf9.dd41.6c06 mab DATA Authz Failed 0ACA022A0000044F11EF1A3B
Fa0/37 0021.cc6e.3db3 dot1x DATA Running 0ACA022A000004A921E704A2
Fa0/37 0021.ccd0.1487 dot1x DATA Running 0ACA022A00000479175405FF
Fa0/37 0021.ccd7.e67f dot1x DATA Running 0ACA022A0000055E6012F3D3
Fa0/37 28d2.4407.209d dot1x DATA Running 0ACA022A0000045012089F38
Fa0/37 0011.4302.d91b N/A DATA Authz Failed 0ACA022A000004A721363771
Fa0/37 28d2.4408.10d9 dot1x DATA Running 0ACA022A000005C0AC8CAB1D
Fa0/37 0013.72ca.549e N/A DATA Authz Failed 0ACA022A0000009F6D129B84
Fa0/37 28d2.4406.28e2 dot1x DATA Running 0ACA022A00000376D9E4E000
Fa0/37 0024.7e10.ef3a N/A DATA Authz Failed 0ACA022A0000003B254891A7
Fa0/37 0026.1823.fa2f dot1x DATA Running 0ACA022A000000D3872D60E0
Fa0/37 3c97.0e83.f722 N/A DATA Authz Failed 0ACA022A000003DFE8AB9EB6
Fa0/37 70f3.9513.c315 dot1x DATA Running 0ACA022A0000050540434445
Fa0/37 6cf0.4929.4aa8 N/A DATA Authz Failed 0ACA022A0000003A24E64567
Fa0/37 001d.7284.4cae dot1x DATA Running 0ACA022A0000008C63D0E95F
Fa0/37 70f3.9513.c420 N/A DATA Authz Failed 0ACA022A00000103B00B97CC
Fa0/37 28d2.4408.39dc dot1x DATA Running 0ACA022A000005C3AC8D33D2
Fa0/37 0013.72b8.ec0b dot1x DATA Running 0ACA022A0000056D695D4C5D
Fa0/37 5cf9.dd41.6c80 mab DATA Authz Failed 0ACA022A000004360D108AA4

SW1#sh clock
17:08:54.372 CEST Fri Jun 7 2013
SW1#

SW1#sh ver
Cisco IOS Software, C3560 Software (C3560-IPBASEK9-M), Version 12.2(55)SE7, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2013 by Cisco Systems, Inc.
Compiled Mon 28-Jan-13 10:10 by prod_rel_team

Image text-base: 0x01000000, data-base: 0x02D00000

Could anyone tell me what the reason for that switch behavior is, and what needs to be done to prevent that kind of situation?

I also use Identity Services Engine 1.1.1 and 802.1X authentication. The output of "sh dot1x interface fa0/37 details" is attached.

If you need anything, don’t hesitate to ask me, please.

I would sincerely appreciate your consideration of this matter.

Best regards!
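The reconciliation the poster did by eye (compare the MAC table for the port with the authentication sessions on it, then clear the session IDs that have no matching MAC) can be scripted. The following is an added example, not code from the thread or from Cisco: it parses the two outputs in the 12.2(55)SE column layout shown above (Interface, MAC, Method, Domain, Status, Session ID), lists the sessions whose MAC is no longer learned on the port, and prints the clear commands. The sample input is a constructed subset of the poster's output; the script only prints commands, it does not talk to the switch.

```python
"""Find 802.1X/MAB sessions whose MAC is gone from the port's MAC table.

Added example (not from the original thread). Input is the text of
'show mac address-table interface X' and 'show authentication sessions'
as printed by IOS 12.2(55)SE; output is the list of stale sessions and
the 'clear authentication sessions session-id ...' commands for them.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the poster's Fa0/37 output.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  82    0012.3fb9.5b3f    STATIC      Fa0/37
  82    28d2.4408.0f31    DYNAMIC     Fa0/37
  82    28d2.4408.10d9    DYNAMIC     Fa0/37
  82    28d2.4408.1440    DYNAMIC     Fa0/37
  82    28d2.4408.39dc    DYNAMIC     Fa0/37
  82    6cf0.4929.4aa8    DYNAMIC     Fa0/37
Total Mac Addresses for this criterion: 6
"""

AUTH_SESSIONS = """\
Fa0/37 f0de.f15f.3332 N/A DATA Authz Failed 0ACA022A000004751725F612
Fa0/37 28d2.4408.0f31 dot1x DATA Running 0ACA022A000005C2AC8D0728
Fa0/37 f04d.a251.6135 mab DATA Authz Failed 0ACA022A0000043D0D549EA9
Fa0/37 0012.3fb9.5b3f dot1x DATA Authz Success 0ACA022A0000003924E5D007
Fa0/37 6cf0.4929.4aa8 N/A DATA Authz Failed 0ACA022A0000003A24E64567
Fa0/37 0018.8b0c.7882 N/A DATA Authz Failed 0ACA022A000004CC30DD0119
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)


@dataclass(frozen=True)
class Session:
    interface: str
    mac: str
    method: str
    status: str
    session_id: str


def parse_mac_table(text: str) -> dict[str, set[str]]:
    """Map port -> MACs learned on it; header, dashes and 'Total' lines are skipped."""
    learned: dict[str, set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not MAC_RE.match(parts[1]):
            continue
        _vlan, mac, _type, port = parts
        learned.setdefault(port, set()).add(mac.lower())
    return learned


def parse_auth_sessions(text: str) -> list[Session]:
    """Parse rows of 'Interface MAC Method Domain Status Session-ID'.

    Status is one or two words ('Running', 'Authz Failed'), so the row is
    split from both ends instead of assuming a fixed column count."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not MAC_RE.match(parts[1]):
            continue
        iface, mac, method, _domain = parts[:4]
        sessions.append(Session(iface, mac.lower(), method,
                                " ".join(parts[4:-1]), parts[-1]))
    return sessions


def stale_sessions(mac_table: str, auth_output: str) -> list[Session]:
    """Sessions whose MAC is not currently in the MAC table of their port."""
    learned = parse_mac_table(mac_table)
    return [s for s in parse_auth_sessions(auth_output)
            if s.mac not in learned.get(s.interface, set())]


def clear_commands(stale: list[Session]) -> list[str]:
    """The same command the poster ran by hand, one per hanging session."""
    return [f"clear authentication sessions session-id {s.session_id}" for s in stale]


if __name__ == "__main__":
    stale = stale_sessions(MAC_TABLE, AUTH_SESSIONS)
    for s in stale:
        print(f"{s.interface} {s.mac} {s.method:5} {s.status:13} {s.session_id}")
    print("\n".join(clear_commands(stale)))
```

Treat the result as a candidate list, not a verdict: a quiet but still-connected host drops out of the MAC table after the aging time (300 s by default) and would be flagged too. Clearing its session only forces a re-authentication on next traffic, which is harmless for a device that can authenticate, but on a multi-auth port it will briefly interrupt a host in "Authz Success" state, so review the list before pasting the commands.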

3 Replies

Richard Atkin
Level 4

The switch doesn't know to flush the session after the client goes, because the other switch you're plugging everything into keeps the interface up... The switch never actually knows the client has gone, just that it's not communicating any more.

There will be ("should be"!) an automated timer somewhere that flushes these idle sessions. I expect there'll be a specific bit of dot1x config for this (the re-auth timer, perhaps?), but it could be as simple as the MAC address-table aging time?

Hello Richard,

thank you so much for replying.

Actually, all the switches are configured as follows:

interface FastEthernet0/37
 switchport access vlan 18
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 24
 qos trust dscp
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 auto qos voip trust
 dot1x pae authenticator
 tx-queue 3
   priority high
   shape percent 33
 spanning-tree portfast
 service-policy output autoqos-voip-policy

Is there something wrong with the port config?

Looking forward to hearing from you.

Regards!

I've said it before, and I'll say it again:

In an actual deployment, the last/default authorization rule should permit CWA and/or profiling, so that any unauthenticated MAB user gets a match on this rule, thus not restarting the auth process.

Regarding the idle sessions, you can use the authentication timer inactivity command.

Check http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a3.html#wp1060094
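The posted Fa0/37 config has "authentication periodic" and a server-driven reauthentication timer but no inactivity timer, which is exactly the gap the reply above points at: without it, a session for a host that silently vanished behind the downstream switch is only removed by hand. The following is an added example, not code from the thread or from Cisco: it walks a running-config excerpt, picks out every authenticator port ("authentication port-control auto") and flags the ones with no "authentication timer inactivity" line, emitting the config lines that would add one. The sample config is constructed from the poster's port plus two ports added for contrast; the 300-second value in the suggested line is an assumption (the command also accepts the "server" keyword to take the timeout from the RADIUS/ISE policy).

```python
"""Audit IOS 802.1X/MAB port configs for a missing inactivity timer.

Added example (not from the original thread). Parses 'show running-config'
style text, finds ports with 'authentication port-control auto', and
reports those lacking 'authentication timer inactivity ...'.
"""

# Constructed sample: the poster's Fa0/37, a port that already has the
# timer, and a trunk that is not an authenticator at all.
RUNNING_CONFIG = """\
interface FastEthernet0/37
 switchport access vlan 18
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 24
 authentication event fail action next-method
 authentication host-mode multi-auth
 authentication order mab dot1x
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 spanning-tree portfast
!
interface FastEthernet0/38
 switchport mode access
 authentication host-mode multi-auth
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication timer inactivity server
 mab
 dot1x pae authenticator
!
interface GigabitEthernet0/1
 switchport mode trunk
!
"""

# Assumed value; 'authentication timer inactivity server' is the alternative.
SUGGESTED_TIMER = "authentication timer inactivity 300"


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Map interface name -> its sub-commands (indented lines), in order."""
    interfaces: dict[str, list[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:  # '!' or a global-mode line ends the interface block
            current = None
    return interfaces


def audit(config: str) -> dict[str, list[str]]:
    """Return {interface: [findings]} for authenticator ports without an
    inactivity timer. Ports that are not authenticators are not listed."""
    findings: dict[str, list[str]] = {}
    for name, lines in parse_interfaces(config).items():
        if "authentication port-control auto" not in lines:
            continue
        has_timer = any(l.startswith("authentication timer inactivity") for l in lines)
        if not has_timer:
            findings[name] = [
                "no inactivity timer: sessions of hosts that vanish behind an "
                f"always-up link persist until cleared by hand (add: {SUGGESTED_TIMER})"
            ]
    return findings


def remediation(config: str) -> list[str]:
    """Config-mode lines that add the timer to every flagged port."""
    lines: list[str] = []
    for name in audit(config):
        lines += [f"interface {name}", f" {SUGGESTED_TIMER}", "!"]
    return lines


if __name__ == "__main__":
    for port, issues in audit(RUNNING_CONFIG).items():
        for issue in issues:
            print(f"{port}: {issue}")
    print("\n".join(remediation(RUNNING_CONFIG)))
```

The inactivity timer addresses the symptom on the switch; the first point in the reply above (a catch-all authorization rule in ISE so an unknown MAB endpoint lands in CWA or profiling instead of "Authz Failed") is what stops the switch from cycling through failed attempts in the first place, and the two belong together.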