dot1x - "clear authentication session" - question and reflections

Hi all,


I'm a little bit concerned/intrigued regarding the command "clear authentication sess"

I'm using it a lot when testing 802.1x on ISE deployment and haven't noticed before one important thing. It doesn't trigger EAPoL-START from the switch when MAB was used as a fallback! Is it right? Can someone confirm it?

When endpoint is authenticated using 802.1x then "clear auth" triggers EAPoL-START as supposed to.

When endpoint is authenticated by MAB - then nothing.


When for some reasons supplicant is not working right on the end client, and we are working on fixing it but it is seen as MAB (for example with CWA) then the only way to make it work is SHUT/NO SHUT the port.


In my opinion after clearing the session the switch should send this frame nevertheless without any implication whether it is going to authenticate by MAB or 802.1x.


What do u think?




