Wired dot1x - clear unknown sessions on Cisco switch



We currently have dot1x enabled on our Cisco switches with IP device tracking enabled.

We have a lot of laptops with docks and unfortunately a lot of dumb switches. These types of setups seem to mess up the Cisco switches' ability to clear authenticated sessions properly when a device is unplugged. I believe these devices trick the Cisco switch into thinking the client is actually still connected.


What ends up happening is that ClearPass fills up with a ton of failed MAC auth attempts.

If you go on the switch and run:

show authentication sessions | include UNKNOWN

You will see a ton of unknown sessions. These can then be cleared, and you stop seeing hits in ClearPass. I currently have an Ansible script to SSH into each switch and clear these unknown sessions. I was wondering, though, if there was a way to do this directly from ClearPass?


Can CLI-based enforcement profiles be used to run commands on Cisco switches? As an example:

clear authentication sessions mac {%Radius:IETF:User-Name%}

I would only want to run this command if the username was a MAC address and had failed 5 times, or something along those lines.


Not sure if this is possible directly from ClearPass or not.
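As an added example (not code from the original post or from the Ansible job it mentions), here is a Python script that does the switch-side part offline: parse `show authentication sessions` output, pick out the sessions the switch reports as UNKNOWN, and build the matching `clear authentication sessions mac ...` lines. The column layout (Interface / MAC Address / Method / Domain / Status / Session ID) is an assumption and the sample rows are constructed, not captured from a real switch. The `to_cisco_mac` helper is also added here for the enforcement-profile idea above: a MAB User-Name can arrive as 001122336677 or 00-11-22-33-66-77, and the clear command needs Cisco's dotted form. Sessions whose status is Running are skipped by default, since clearing a session that is still authenticating would interrupt a legitimate client.

```python
"""Build `clear authentication sessions mac ...` commands for stale
(UNKNOWN) dot1x/MAB sessions from `show authentication sessions` output.

Added example, not from the original post.  The column layout of the
sample output is an assumption (Interface / MAC Address / Method /
Domain / Status / Session ID) and the sample rows are constructed.
"""
import re
from typing import List, NamedTuple, Optional


class AuthSession(NamedTuple):
    interface: str
    mac: str
    method: str
    domain: str
    status: str
    session_id: str


# Constructed sample of `show authentication sessions` (assumed layout).
SAMPLE_OUTPUT = """\
Interface    MAC Address     Method   Domain   Status         Session ID
Gi1/0/1      0011.2233.4455  dot1x    DATA     Authz Success  0A0000010000001A00A1B2C3
Gi1/0/2      0011.2233.6677  mab      UNKNOWN  Unauth         0A0000010000001B00A1B2C4
Gi1/0/3      0011.2233.8899  mab      DATA     Authz Success  0A0000010000001C00A1B2C5
Gi1/0/4      0011.2233.aabb  dot1x    UNKNOWN  Unauth         0A0000010000001D00A1B2C6
Gi1/0/5      0011.2233.ccdd  mab      UNKNOWN  Running        0A0000010000001E00A1B2C7
"""

# One table row: the dotted MAC anchors the match, so header/blank lines
# (which have no MAC) are skipped automatically.  Status may contain a
# space ("Authz Success"), so it is matched lazily up to the hex session ID.
_ROW = re.compile(
    r"^(?P<intf>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+"
    r"(?P<status>.+?)\s+(?P<sid>[0-9A-Fa-f]{8,})\s*$"
)


def parse_sessions(output: str) -> List[AuthSession]:
    """Parse the session table into AuthSession records."""
    sessions = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if m:
            sessions.append(AuthSession(m["intf"], m["mac"].lower(), m["method"],
                                        m["domain"], m["status"].strip(), m["sid"]))
    return sessions


def unknown_sessions(sessions: List[AuthSession],
                     skip_running: bool = True) -> List[AuthSession]:
    """Sessions reported with an UNKNOWN domain or status.

    A session whose status is 'Running' is still mid-authentication, so by
    default it is left alone rather than cleared out from under a client."""
    out = []
    for s in sessions:
        if "UNKNOWN" not in (s.domain.upper(), s.status.upper()):
            continue
        if skip_running and s.status.lower() == "running":
            continue
        out.append(s)
    return out


def clear_commands(sessions: List[AuthSession]) -> List[str]:
    """One IOS clear command per stale session."""
    return [f"clear authentication sessions mac {s.mac}" for s in sessions]


_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def to_cisco_mac(username: str) -> Optional[str]:
    """Normalise a MAB RADIUS User-Name (001122336677, 00-11-22-33-66-77,
    00:11:22:33:66:77, 0011.2233.6677) to Cisco dotted form.
    Returns None when the username is not a MAC address, which is the
    'only if the username was a MAC' guard from the post."""
    raw = re.sub(r"[.:\-]", "", username.strip().lower())
    if not _HEX12.match(raw):
        return None
    return f"{raw[0:4]}.{raw[4:8]}.{raw[8:12]}"


if __name__ == "__main__":
    # Stand-alone run: print the clear commands for the constructed sample.
    for cmd in clear_commands(unknown_sessions(parse_sessions(SAMPLE_OUTPUT))):
        print(cmd)
```

The generated command list is what the Ansible task (or any Netmiko/Paramiko wrapper) would send to each switch; sending is deliberately left out so the script runs offline. The failure-count threshold from the post lives on the ClearPass side, not here.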




