Hi cJoseph, thanks for the prompt reply.
Our client is using ClearPass Policy Manager Appliance 5K and 25K models.
See the switch configuration below:
! Global configuration
radius server Server1
 address ipv4 x.x.x.x auth-port 1645 acct-port 1646
 automate-tester username test
 key ***********
!
aaa server radius dynamic-author
 client x.x.x.x server-key *******
 port 3799
 auth-type any
!
radius-server deadtime 8
radius-server dead-criteria time 10 tries 3
!
radius-server vsa send authentication
ip device tracking
ip dhcp snooping
!
ip access-list extended default
 permit ip any any
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
dot1x critical eapol
!
! Port config
interface range fa0/X-X
 ip access-group default in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication host multi-auth
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 dot1x timeout supp-timeout 3
 dot1x max-req 1
!
The Windows machine is configured with 802.1X: authentication method PEAP, and access is allowed if the policy matches <Machine Authentication and User Authentication>.
Some blogs I have read say it is due to "ip device tracking":
"Duplicate IP Address Cause
If the switch sends out an ARP Probe for the client while the Windows PC is in its duplicate-address detection phase, Windows detects the probe as a duplicate IP address and presents the user with a message that a duplicate IP address was found on the network for 0.0.0.0. The PC does not obtain an address, and the user must either manually release/renew the address, disconnect and reconnect to the network, or reboot the PC in order to gain network access."
Many thanks
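
The overlap described in the quoted passage can be checked in a packet capture taken on the client port. The following is an added example, not part of the original post: it parses raw ARP frames and flags probes (sender IP 0.0.0.0) sent by another station for an address the client is itself probing. The MAC and IP addresses are constructed sample values, and the frames are assumed to be untagged Ethernet.

```python
import socket
import struct

ZERO_IP = bytes(4)

def parse_arp(frame):
    """Return the ARP fields of an untagged Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": frame[22:28], "spa": frame[28:32], "tpa": frame[38:42]}

def is_probe(arp):
    """RFC 5227 ARP probe: a request whose sender IP is 0.0.0.0."""
    return arp["oper"] == 1 and arp["spa"] == ZERO_IP

def conflicting_probes(frames, client_mac):
    """List (sender MAC, target IP) for probes from other stations that target
    an address the client is itself probing during duplicate-address detection."""
    probes = [a for a in map(parse_arp, frames) if a and is_probe(a)]
    tentative = {a["tpa"] for a in probes if a["sha"] == client_mac}
    return [(a["sha"].hex(":"), socket.inet_ntoa(a["tpa"]))
            for a in probes if a["sha"] != client_mac and a["tpa"] in tentative]

def build_arp(src_mac, oper, spa, tpa):
    """Build an ARP frame for the constructed sample capture below."""
    eth = b"\xff" * 6 + src_mac + b"\x08\x06"
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + hdr + src_mac + socket.inet_aton(spa) + bytes(6) + socket.inet_aton(tpa)

# Constructed sample: MACs and addresses are made up for illustration.
PC = bytes.fromhex("020000000a01")
SWITCH = bytes.fromhex("020000000b02")
SAMPLE = [
    build_arp(PC, 1, "0.0.0.0", "192.0.2.25"),        # Windows DAD probe
    build_arp(SWITCH, 1, "0.0.0.0", "192.0.2.25"),    # device-tracking probe
    build_arp(SWITCH, 1, "192.0.2.1", "192.0.2.30"),  # ordinary request, ignored
    build_arp(PC, 1, "192.0.2.25", "192.0.2.1"),      # ordinary request, ignored
]

if __name__ == "__main__":
    for mac, ip in conflicting_probes(SAMPLE, PC):
        print(f"probe for {ip} from {mac} overlaps the client's own DAD probe")
```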