I have a few dot1x clients stuck in the initial role (state SM_INITIAL) that won't authenticate.
They initially authenticated but had a timeout on their last 802.1x login, which generates a Deny Access Profile (as per the wired policy enforcement guide).
However, once that profile is applied they get stuck in the initial role and there is no further authentication processing (either dot1x or mac-auth):
sw01# sh port-access clients 9 detailed
Port Access Client Status Detail
Client Base Details :
Port          : 9                 Authentication Type : 802.1x
Client Status : initial role      Session Time        : 480637 seconds
Client name   : host/CLIENTX01    Session Timeout     : 0 seconds
MAC Address : d067e5-1a3d82
IP : 10.11.10.44
Auth Order : Not Set
Auth Priority : Not Set
LMA Fallback : Disabled
Downloaded user roles are preceded by *
User Role Information
Name : denyall
Type : predefined
Reauthentication Period (seconds) : 0
Cached Reauth Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN : 300
Tagged VLANs : 200
Captive Portal Profile :
Policy : denyall_104112101032097114117098097032098105108108
policy user "denyall_104112101032097114117098097032098105108108"
10 class ipv4 "classipv4_104112101032097114117098097032098105108108" action deny
20 class ipv6 "classipv6_104112101032097114117098097032098105108108" action deny
exit
class ipv4 "classipv4_104112101032097114117098097032098105108108"
10 match ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
exit
class ipv6 "classipv6_104112101032097114117098097032098105108108"
10 match ip ::/0 ::/0
exit
Tunnelednode Server Redirect : Disabled
Secondary Role Name :
Device Attributes : Disabled
Interface configuration is fairly standard, as per the wired policy enforcement guide:
interface 23
name "dot1x"
tagged vlan 200
untagged vlan 300
aaa port-access authenticator
aaa port-access authenticator tx-period 10
aaa port-access authenticator supplicant-timeout 10
aaa port-access authenticator client-limit 3
aaa port-access supplicant
aaa port-access mac-based
aaa port-access mac-based addr-limit 2
The only solution is to bounce the port, which then triggers authentication again.
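As an added example (not part of the original post and not a vendor tool), the script below parses `show port-access clients ... detailed` output in the shape shown above and flags clients parked in the denyall initial role with a reauthentication period of 0, so the condition can be detected from a scheduled CLI capture instead of being noticed by hand. The field labels are taken from the post; the per-client block delimiter ("Client Base Details"), the deny role name, the one-hour age threshold and the second, healthy client in the sample are assumptions.

```python
"""Flag 802.1X/MAC-auth clients parked in a deny-all initial role.

Added example, not from the original post or the switch vendor.  It parses
the text of `show port-access clients <port> detailed` as shown in the post
and reports clients that sit in "initial role" with a deny-all user role, a
reauthentication period of 0 and a session age above a threshold.

Assumptions (not from the post): every client block starts with
"Client Base Details", the deny role is named "denyall", and one hour in the
initial role counts as "stuck".  The parser tolerates collapsed column
spacing, i.e. two "Key : Value" pairs on one line, as in the post.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample: first block copied from the post, second block is a
# made-up healthy client used as a control case.
SAMPLE = """\
sw01# sh port-access clients detailed
Port Access Client Status Detail
Client Base Details :
Port : 9 Authentication Type : 802.1x
Client Status : initial role Session Time : 480637 seconds
Client name : host/CLIENTX01 Session Timeout : 0 seconds
MAC Address : d067e5-1a3d82
IP : 10.11.10.44
User Role Information
Name : denyall
Type : predefined
Reauthentication Period (seconds) : 0
Logoff Period (seconds) : 300
Untagged VLAN : 300
Client Base Details :
Port : 10 Authentication Type : 802.1x
Client Status : authenticated Session Time : 120 seconds
Client name : host/CLIENTX02 Session Timeout : 0 seconds
MAC Address : 001122-334455
IP : 10.11.10.45
User Role Information
Name : employee
Type : local
Reauthentication Period (seconds) : 3600
Logoff Period (seconds) : 300
Untagged VLAN : 200
"""

# Field labels as they appear in the post, longest first so that e.g.
# "Session Timeout" is tried before "Session Time".
FIELDS = [
    "Reauthentication Period (seconds)", "Logoff Period (seconds)",
    "Authentication Type", "Session Timeout", "Client Status",
    "Session Time", "Client name", "MAC Address", "Untagged VLAN",
    "Port", "Name", "Type", "IP",
]
_KEYS = "|".join(re.escape(k) for k in FIELDS)
# A value runs until the next known "Key :" on the same line, or end of line.
_PAIR = re.compile(
    rf"(?<![A-Za-z])(?P<key>{_KEYS})\s*:\s*(?P<val>.*?)(?=\s+(?:{_KEYS})\s*:|$)"
)


@dataclass
class Client:
    port: str
    mac: str
    name: str
    status: str
    session_time: int      # seconds
    role: str
    reauth_period: int     # seconds, 0 = no periodic reauth in the post's output


def _seconds(value: str) -> int:
    """'480637 seconds' -> 480637; anything without a leading integer -> 0."""
    m = re.match(r"\d+", value.strip())
    return int(m.group()) if m else 0


def parse_clients(text: str) -> List[Client]:
    """Split the show output into per-client blocks and extract the fields."""
    clients: List[Client] = []
    for block in text.split("Client Base Details")[1:]:   # assumed delimiter
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            for m in _PAIR.finditer(line):
                fields.setdefault(m.group("key"), m.group("val").strip())
        clients.append(Client(
            port=fields.get("Port", "?"),
            mac=fields.get("MAC Address", "?"),
            name=fields.get("Client name", "?"),
            status=fields.get("Client Status", "?").lower(),
            session_time=_seconds(fields.get("Session Time", "0")),
            role=fields.get("Name", "?"),
            reauth_period=_seconds(fields.get("Reauthentication Period (seconds)", "0")),
        ))
    return clients


DENY_ROLES: Set[str] = {"denyall"}   # assumption: deny role name from the post
STUCK_AFTER = 3600                   # assumption: one hour in initial role


def stuck_clients(clients: List[Client], deny_roles: Set[str] = DENY_ROLES,
                  stuck_after: int = STUCK_AFTER) -> List[Client]:
    """Clients in the initial role with a deny role, no reauth, and an old session."""
    return [c for c in clients
            if c.status == "initial role" and c.role in deny_roles
            and c.reauth_period == 0 and c.session_time >= stuck_after]


if __name__ == "__main__":
    for c in stuck_clients(parse_clients(SAMPLE)):
        print(f"STUCK port {c.port} {c.mac} {c.name}: role={c.role} "
              f"reauth={c.reauth_period}s session={c.session_time}s")
```

Run it against a captured `show port-access clients detailed` instead of SAMPLE; the ports it prints are the ones that, per the post, only recover after a port bounce. Because the deny role carries "Reauthentication Period (seconds) : 0", the check deliberately treats that value as the reason the client never re-enters authentication on its own.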