Failed authentication session stuck in table

JON SHORTEN
Level 1

We have a customer using 802.1x with ISE from both Catalyst 9300  & Catalyst 2960 switches; on both platforms a failed authentication will occasionally persist on a port after the offending device has been removed, with repeated authentication failures showing in the ISE log.


On the switch we can see that the MAC address for the failed session is not in the MAC address-table


Manually clearing the authentication session on the switch removes the issue, but without intervention the symptom persists while the port is up; I would expect the failed session to time out, but this does not happen.


Wondering if anyone has seen similar behaviour? At first I thought it was a bug, but as it's on different switch platforms & software versions this seems unlikely.


Sample port config below:

description **Port Configuration for 802.1x**
switchport access vlan 202
switchport mode access
switchport voice vlan 302
priority-queue out
authentication control-direction in
authentication event fail action next-method
authentication event server dead action authorize vlan 202
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication violation restrict
mab
mls qos trust cos
dot1x pae authenticator
dot1x timeout quiet-period 1800
dot1x timeout tx-period 5
dot1x max-req 1
dot1x max-reauth-req 1
no mdix auto
spanning-tree portfast


tia


JonS


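One way to spot the condition described above (an authentication session whose MAC is no longer in the MAC address-table) before it shows up as repeated failures in ISE, as an added example that is not from the thread: a small Python checker run over two constructed switch outputs. The column layouts of `show authentication sessions` and `show mac address-table` used here are assumptions that approximate IOS output, not captures from the poster's switches; adjust the regexes to your platform.

```python
import re
from typing import Dict, List, Set

# Constructed sample output, loosely modelled on "show authentication sessions".
# The column layout and every value below are assumptions for this example.
AUTH_SESSIONS = """\
Interface    MAC Address    Method  Domain   Status   Fg  Session ID
Gi1/0/7      0011.2233.4455 dot1x   DATA     Auth     S   0A0A0A0A000000010000ABCD
Gi1/0/12     0011.2233.aabb mab     UNKNOWN  Unauth   S   0A0A0A0A000000020000ABCE
Gi1/0/15     0011.2233.ccdd dot1x   VOICE    Auth     S   0A0A0A0A000000030000ABCF
"""

# Constructed sample output modelled on "show mac address-table" (also assumed).
# Note that 0011.2233.aabb (the Unauth session on Gi1/0/12) is absent here.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 202    0011.2233.4455    DYNAMIC     Gi1/0/7
 302    0011.2233.ccdd    DYNAMIC     Gi1/0/15
"""

MAC_RE = re.compile(r"\b([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\b", re.I)
IFACE_RE = re.compile(r"^\s*((?:Gi|Te|Fa)\S+)", re.I)


def parse_sessions(text: str) -> Dict[str, dict]:
    """Map MAC -> {'iface', 'status'}; header/separator lines are skipped."""
    sessions: Dict[str, dict] = {}
    for line in text.splitlines():
        m_mac, m_if = MAC_RE.search(line), IFACE_RE.match(line)
        if not (m_mac and m_if):
            continue
        fields = line.split()
        status = next((f for f in fields if f in ("Auth", "Unauth")), "?")
        sessions[m_mac.group(1).lower()] = {"iface": m_if.group(1), "status": status}
    return sessions


def parse_mac_table(text: str) -> Set[str]:
    """Every MAC the switch currently has learned, normalised to lower case."""
    return {m.group(1).lower() for m in MAC_RE.finditer(text)}


def stale_sessions(sessions_out: str, mac_table_out: str) -> List[dict]:
    """Sessions whose MAC is gone from the MAC table: candidates for the manual
    clear the poster describes. Unauth entries are listed first."""
    learned = parse_mac_table(mac_table_out)
    stale = [dict(mac=mac, **info) for mac, info in parse_sessions(sessions_out).items()
             if mac not in learned]
    return sorted(stale, key=lambda s: (s["status"] != "Unauth", s["iface"]))


if __name__ == "__main__":
    for s in stale_sessions(AUTH_SESSIONS, MAC_TABLE):
        print(f"{s['iface']}: {s['mac']} status={s['status']} not in MAC address-table")
```

Feeding it real output from both commands (for example via a scheduled collector) gives a list of ports to inspect or clear, and a non-empty list on a port whose endpoint is known to be gone reproduces the symptom in the post.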

dlock
Level 1

Did you ever get a resolution to this? We're experiencing a similar issue.
