topic ICX7250 authenticated Session is Cleared[Termination-Cause: Host-Moved] in ICX Switches

ICX7250 authenticated Session is Cleared[Termination-Cause: Host-Moved]

scottshotgg — Wed, 13 Nov 2024 00:00:25 GMT

Hi,

I have an ICX7250-48P (version SPR 8095m) that is exhibiting some strange behavior with RADIUS and I am unsure if it is my configuration or if this is how MAC Auth is expected to work on the ICX line. For reference, I have configured RADIUS before and am currently using another server for a few wireless access points we have. For testing purposes, I was going to point all clients to the default guest VLAN (50) using the DEFAULT in RADIUS. The ICX receives this and changes the port over but then immediately terminates the session which thrashes the clients back and forth between the blackhole VLAN (default: 666) and the default guest VLAN (50). This basically makes the switch unusable since no traffic can get through. I will post my auth config, logs, and RADIUS config below as well. It would be much appreciated if there was anyone out there that could provide any bit of help!

Thank you,

Scott

RADIUS config:

# Default to VLAN 50
DEFAULT Auth-Type := Accept
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = "50",
Reply-Message = "Hello, %u"

show run auth

authentication
auth-order mac-auth dot1x
auth-default-vlan 666
max-sessions 1024
reauth-timeout 0
mac-authentication enable
mac-authentication enable ethe 1/1/12 ethe 1/1/48
mac-authentication password-format xx:xx:xx:xx:xx:xx
mac-authentication dot1x-disable
!

show logging:

Nov 12 20:36:10:N:FLEXAUTH: Port 1/1/12 is deleted from Dynamic Vlan 50 as mac-vlan member
Nov 12 20:36:10:N:FLEXAUTH: Port 1/1/12 is added into Auth-Default Vlan 666 as mac-vlan member
Nov 12 20:36:10:N:MACAUTH: port 1/1/12 mac c8f7.50fb.0ec4 vlan 50: authenticated Session is Cleared[Termination-Cause: Host-Moved]
Nov 12 20:36:09:N:MAC Authentication succeeded for [c8f7.50fb.0ec4 50] on port 1/1/12
Nov 12 20:36:09:N:FLEXAUTH: Port 1/1/12 is deleted from Auth-Default Vlan 666 as mac-vlan member
Nov 12 20:36:09:N:FLEXAUTH: Port 1/1/12 is added into Dynamic Vlan 50 as mac-vlan member
Nov 12 20:36:09:N:MACAUTH: Port 1/1/12 Mac c8f7.50fb.0ec4 - received AAA-ACCEPT
Nov 12 20:36:09:C:MACAUTH: RADIUS server 10.32.0.1 Accepted for c8f7.50fb.0ec4 with (U:50 )
Nov 12 20:36:09:N:MACAUTH: port 1/1/12 mac c8f7.50fb.0ec4 vlan 666: Session is created
Nov 12 20:36:08:N:FLEXAUTH: Port 1/1/12 is deleted from Dynamic Vlan 50 as mac-vlan member
Nov 12 20:36:08:N:FLEXAUTH: Port 1/1/12 is added into Auth-Default Vlan 666 as mac-vlan member
Nov 12 20:36:08:N:MACAUTH: port 1/1/12 mac c8f7.50fb.0ec4 vlan 50: authenticated Session is Cleared[Termination-Cause: Host-Moved]
Nov 12 20:36:07:N:MAC Authentication succeeded for [c8f7.50fb.0ec4 50] on port 1/1/12
Nov 12 20:36:07:N:FLEXAUTH: Port 1/1/12 is deleted from Auth-Default Vlan 666 as mac-vlan member
Nov 12 20:36:07:N:FLEXAUTH: Port 1/1/12 is added into Dynamic Vlan 50 as mac-vlan member
Nov 12 20:36:07:N:MACAUTH: Port 1/1/12 Mac c8f7.50fb.0ec4 - received AAA-ACCEPT
Nov 12 20:36:07:C:MACAUTH: RADIUS server 10.32.0.1 Accepted for c8f7.50fb.0ec4 with (U:50 )
Nov 12 20:36:07:N:MACAUTH: port 1/1/12 mac c8f7.50fb.0ec4 vlan 666: Session is created
Nov 12 20:36:05:N:FLEXAUTH: Port 1/1/12 is deleted from Dynamic Vlan 50 as mac-vlan member
Nov 12 20:36:05:N:FLEXAUTH: Port 1/1/12 is added into Auth-Default Vlan 666 as mac-vlan member
Nov 12 20:36:05:N:MACAUTH: port 1/1/12 mac c8f7.50fb.0ec4 vlan 50: authenticated Session is Cleared[Termination-Cause: Host-Moved]

Re: ICX7250 authenticated Session is Cleared[Termination-Cause: Host-Moved]

scottshotgg — Wed, 13 Nov 2024 01:07:23 GMT

I have upgraded to SPS8095p and it is still exhibiting the same issues

Re: ICX7250 authenticated Session is Cleared[Termination-Cause: Host-Moved]

scottshotgg — Wed, 13 Nov 2024 01:35:19 GMT

For some reason it is also adding tagged traffic to the VLAN instead of untagged like I had expected. If I manually set untagged on a VLAN everything works fine.

Re: ICX7250 authenticated Session is Cleared[Termination-Cause: Host-Moved]

jdryan — Thu, 14 Nov 2024 11:11:55 GMT

Hi Scott,

Based on the issue, could you let us know if there are 2 clients connecting on the interface, as in IP phone and a PC after the Phone ?

And during the auth cycle, one of the devices get authenticated first but when the second one comes in the termination happens for connected peers ?

Do let us know.

Re: ICX7250 authenticated Session is Cleared[Termination-Cause: Host-Moved]

scottshotgg — Thu, 14 Nov 2024 16:36:38 GMT

Hi @jdryan,

Thank you for responding.

To answer - no, that port runs straight through to an ethernet port connected to a linux PC. I have also tried various other auth modes such as multi-host, multi-untagged, etc just to see if those would solve it

Re: ICX7250 authenticated Session is Cleared[Termination-Cause: Host-Moved]

jdryan — Fri, 15 Nov 2024 12:15:36 GMT

Multi-host works best when AP or Hub is connected.
Multi-untagged works best when IP phones are connected.

Here single-untagged/single-host [ default ] would be best mode to go on.

This may need to be investigated further as its also observed on code 8095p.
Please do have the below debugs collected over console :

skip
show log
show tech
ptrace aaa
debug ip aaa
<capture the issue state >
no debug all / undebug all

Once these are collected do reach us out on the support front so that we can investigate this further.
Please do raise a case via here : https://support.ruckuswireless.com/contact-us