Previously all our switches were running 12.2(42)SE.
When a client with no 802.1x configuration plugs into the switch port, the port stays unauthorized.
A customer moves a printer from a sticky MAC port (we don't use 802.1x for printers) to a new building, to a port set up for 802.1x.
We are able to find the MAC address on the new switch by using the "no dot1x system-auth-control" global command. The MAC we can then find by "sh mac add | i abcd" where abcd = the last 4 digits of the MAC address.
We then find the port the printer moved to, configure sticky mac instead of 802.1x, enable dot1x sys-auth-control again and all is well.
All switches are now running 12.2(52)SE.
This time, the "no dot1x system-auth-control" command shuts down all communication on all 802.1x enabled ports so all clients, even if previously authorized by 802.1x, are unable to communicate on the network until we issue the "dot1x system-auth-control" command to enable 802.1x again.
Even while 802.1x is disabled globally on the switch, we are unable to find the MAC address of a client.
Either way, disabling all communication from all authorized clients on the switch is unacceptable.
We are lucky if the log shows the MAC and port and we can set up the port correctly. If not, we are locating the port on the switch physically, which delays getting a printer or other non-802.1x client back on the network. The site consists of many buildings spread out over 100 acres of land, so going to the switch and locating the port is not always a solution.
Any suggestions on how to locate the unauthorized clients on the switch would be greatly appreciated. I agree that there are ways around this by better documentation, labeling of the cable drops to correspond to port descriptions on the switch, etc. but we have taken over an existing environment and are unable to make massive changes right away.