Answer-
The PMK cache persists on the controller even after the user is deleted from the user table. When a PMK cache entry exists, the controller doesn't send the Class attribute in the accounting packet if the user reconnects after the user idle timeout.
(host) (config) #aaa authentication dot1x test
(host) (802.1X Authentication Profile "test") #?
delete-keycache Delete key cache entry when user entry is deleted.
Default is disabled.
The delete-keycache knob shown above was introduced in the dot1x profile to clear the PMK cache after the user ages out. By default, this knob is disabled.
To verify, enable debugging for the module below:
logging level debugging security
and look for the messages below to confirm that the key cache is deleted.
•Oct 19 08:51:44 :524136: <DBUG> |authmgr| dot1x_gsm_delete_pmkcache(): MAC:12:cc:00:00:01:00 BSS:d8:c7:c8:8a:88:d0 GSM: Successfully deleted PMK-cache object.
•Oct 19 08:51:44 :524131: <DBUG> |authmgr| dot1x_gsm_delete_keycache(): MAC:12:cc:00:00:01:00 GSM: Successfully deleted Key-cache object.
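
To run this check across many clients, the two debug messages above can be parsed from a saved log. This is an added example, not Aruba's code: the function names are hypothetical, and it assumes a client counts as fully cleared only when both the PMK-cache and the Key-cache deletion messages were logged for its MAC.

```python
import re
from collections import defaultdict

# Matches the two authmgr deletion messages quoted on this page.
DELETE_RE = re.compile(
    r"\|authmgr\|\s+dot1x_gsm_delete_(pmkcache|keycache)\(\):\s+"
    r"MAC:([0-9A-Fa-f:]{17})(?:\s+BSS:([0-9A-Fa-f:]{17}))?\s+"
    r"GSM: Successfully deleted"
)

# The first two lines are the page's own; the last two are constructed.
SAMPLE_LOG = [
    "Oct 19 08:51:44 :524136: <DBUG> |authmgr| dot1x_gsm_delete_pmkcache(): "
    "MAC:12:cc:00:00:01:00 BSS:d8:c7:c8:8a:88:d0 GSM: Successfully deleted PMK-cache object.",
    "Oct 19 08:51:44 :524131: <DBUG> |authmgr| dot1x_gsm_delete_keycache(): "
    "MAC:12:cc:00:00:01:00 GSM: Successfully deleted Key-cache object.",
    "Oct 19 08:52:10 :524131: <DBUG> |authmgr| dot1x_gsm_delete_keycache(): "
    "MAC:12:CC:00:00:02:00 GSM: Successfully deleted Key-cache object.",
    "Oct 19 08:52:11 :000000: <DBUG> |authmgr| unrelated line (constructed)",
]

def summarize_deletions(lines):
    """Return {client_mac: {"pmk_bss": set of BSSIDs, "keycache": bool}}."""
    clients = defaultdict(lambda: {"pmk_bss": set(), "keycache": False})
    for line in lines:
        m = DELETE_RE.search(line)
        if not m:
            continue  # not one of the two deletion messages
        kind, mac, bss = m.group(1), m.group(2).lower(), m.group(3)
        if kind == "pmkcache":
            # PMK-cache entries are logged per client MAC and BSSID.
            clients[mac]["pmk_bss"].add(bss.lower() if bss else "unknown")
        else:
            clients[mac]["keycache"] = True
    return dict(clients)

def incomplete_clients(summary):
    """Clients for which only one of the two deletion messages was seen."""
    return sorted(mac for mac, s in summary.items()
                  if not (s["pmk_bss"] and s["keycache"]))

if __name__ == "__main__":
    summary = summarize_deletions(SAMPLE_LOG)
    for mac, state in sorted(summary.items()):
        print(mac, sorted(state["pmk_bss"]), "keycache:", state["keycache"])
    print("needs follow-up:", incomplete_clients(summary))
```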