
FlexAuth on ICX7150

alexandr_potkin
New Contributor II

Hello!

We have many ICX7150 switches in our company and are trying to enable FlexAuth.

But have an issue with this function:

After 1 hour the client cannot authenticate on the RADIUS server. When we enable auth it works fine:

Nov 7 20:14:54:N:MAC Authentication succeeded for [44db.d291.2200 186] on port 1/1/35
Nov 7 20:14:54:N:MACAUTH: Port 1/1/35 Mac 44db.d291.2200 - received AAA-ACCEPT
Nov 7 20:14:54:C:MACAUTH: RADIUS server 10.1.18.100 Accepted for 44db.d291.2200 with (DE:0 )
Nov 7 20:14:54:N:MACAUTH: Port 1/1/35 Mac 44db.d291.2200 Vlan 186 - Periodic reauth is initiated
Nov 7 20:14:48:I:DOT1X: Port 1/1/35 - mac e8cf.8335.cb4f, AuthControlledPortStatus change: authorized
Nov 7 20:14:48:N:DOT1X: Port 1/1/35 Mac e8cf.8335.cb4f - received AAA-ACCEPT
Nov 7 20:14:48:C:DOT1X: RADIUS server 10.1.18.100 Accepted for e8cf.8335.cb4f with (DE:1 )
Nov 7 20:14:48:N:DOT1X: Port 1/1/35 Mac e8cf.8335.cb4f Vlan 186 - Periodic reauth is initiated

TCPdump from radius-server:

20:14:54.792371 IP 10.2.4.207.1058 > radius.radius: RADIUS, Access-Request (1), id: 0x2a length: 145
20:14:54.804458 IP radius.radius > 10.2.4.207.1058: RADIUS, Access-Accept (2), id: 0x2a length: 32


After some time the client cannot auth on RADIUS. We see this in logbuf:

Nov 7 20:30:59:N:MAC Authentication succeeded for [44db.d291.2200 186] on port 1/1/35
Nov 7 20:30:59:N:MAC Authentication RADIUS timeout for [44db.d291.2200 186] on port 1/1/35
Nov 7 20:30:59:N:MACAUTH: Port 1/1/35 Mac 44db.d291.2200 - received AAA-TIMEOUT
Nov 7 20:29:59:N:MACAUTH: Port 1/1/35 Mac 44db.d291.2200 Vlan 186 - Periodic reauth is initiated
Nov 7 20:29:53:N:DOT1X: Port 1/1/35 Mac e8cf.8335.cb4f Vlan 186 - Periodic reauth is initiated

TCPdump from RADIUS looks very strange (pay attention to the source port):

20:48:47.037902 IP 10.2.4.207.5 > radius.radius: RADIUS, Access-Request (1), id: 0x5a length: 142
20:48:47.048681 IP radius.radius > 10.2.4.207.5: RADIUS, Access-Challenge (11), id: 0x5a length: 64
20:48:47.049733 IP 10.2.4.207 > radius.: ICMP 10.2.4.207 udp port 5 unreachable, length 36


What can we do to fix this issue? This problem occurs on SW version 08.0.95sT211.
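The two traces above differ in a way that is easy to miss when reading tcpdump by hand: in the working exchange the switch sends from an ephemeral port (1058) and accepts the reply, while in the failing one it sends from UDP port 5 and then answers the server's Access-Challenge with ICMP port unreachable, which is why the switch logs AAA-TIMEOUT even though the server did respond. The following is an added example, not code from the original post or from Ruckus/CommScope, that scans tcpdump and logbuf text for exactly those two symptoms and pairs "Periodic reauth is initiated" with "received AAA-TIMEOUT" per port and MAC. The sample traces are constructed from the format quoted in the post; the port-name map and the 1024 ephemeral threshold are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed samples in the format of the tcpdump and logbuf output quoted in the post.
GOOD_TRACE = """\
20:14:54.792371 IP 10.2.4.207.1058 > radius.radius: RADIUS, Access-Request (1), id: 0x2a length: 145
20:14:54.804458 IP radius.radius > 10.2.4.207.1058: RADIUS, Access-Accept (2), id: 0x2a length: 32
"""
BAD_TRACE = """\
20:48:47.037902 IP 10.2.4.207.5 > radius.radius: RADIUS, Access-Request (1), id: 0x5a length: 142
20:48:47.048681 IP radius.radius > 10.2.4.207.5: RADIUS, Access-Challenge (11), id: 0x5a length: 64
20:48:47.049733 IP 10.2.4.207 > radius.: ICMP 10.2.4.207 udp port 5 unreachable, length 36
"""
LOGBUF = """\
Nov 7 20:30:59:N:MACAUTH: Port 1/1/35 Mac 44db.d291.2200 - received AAA-TIMEOUT
Nov 7 20:29:59:N:MACAUTH: Port 1/1/35 Mac 44db.d291.2200 Vlan 186 - Periodic reauth is initiated
Nov 7 20:29:53:N:DOT1X: Port 1/1/35 Mac e8cf.8335.cb4f Vlan 186 - Periodic reauth is initiated
"""

# tcpdump prints well-known ports by service name unless run with -n (assumed mapping).
PORT_NAMES = {"radius": 1812, "radius-acct": 1813}

RADIUS_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>[^.\s:]+) > (?P<dst>\S+)\.(?P<dport>[^.\s:]+): "
    r"RADIUS, (?P<code>[A-Za-z-]+) \(\d+\), id: (?P<id>0x[0-9a-f]+)"
)
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > \S+: ICMP \S+ udp port (?P<port>\d+) unreachable"
)
LOG_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d:[A-Z]:(?P<proto>MACAUTH|DOT1X): Port (?P<port>\S+) "
    r"Mac (?P<mac>[0-9a-f.]+)(?: Vlan \d+)? - (?P<event>.+)$"
)


@dataclass
class Finding:
    ts: str
    kind: str
    detail: str


def port_number(token):
    """Turn a tcpdump port token (number or service name) into an int, or None if unknown."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token)


def analyze_trace(text, ephemeral_min=1024):
    """Flag NAS-side symptoms in a tcpdump of a RADIUS exchange.

    low-source-port: the NAS sent an Access-Request from a port below the ephemeral
        range, which points at a broken client socket rather than a server problem.
    reply-rejected: the NAS answered the server's reply with ICMP port unreachable,
        so the reply was never processed and the switch will report AAA-TIMEOUT.
    """
    findings = []
    replies = {}  # (nas_ip, nas_port) -> description of the reply sent to that socket
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if m:
            if m["code"] == "Access-Request":
                sport = port_number(m["sport"])
                if sport is not None and sport < ephemeral_min:
                    findings.append(Finding(m["ts"], "low-source-port",
                        f"{m['src']} sent {m['code']} id {m['id']} from UDP port {sport}"))
            else:
                replies[(m["dst"], port_number(m["dport"]))] = f"{m['code']} id {m['id']}"
            continue
        m = ICMP_RE.match(line)
        if m:
            key = (m["src"], int(m["port"]))
            if key in replies:
                findings.append(Finding(m["ts"], "reply-rejected",
                    f"{m['src']} returned ICMP port unreachable for UDP port {key[1]} "
                    f"after receiving {replies[key]}; the NAS will report AAA-TIMEOUT"))
    return findings


def reauth_timeouts(logbuf):
    """Return (port, mac, protocol) tuples whose periodic reauth ended in AAA-TIMEOUT."""
    started, timed_out = set(), set()
    for line in logbuf.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        key = (m["port"], m["mac"], m["proto"])
        if m["event"].startswith("Periodic reauth"):
            started.add(key)
        elif "AAA-TIMEOUT" in m["event"]:
            timed_out.add(key)
    return sorted(started & timed_out)


if __name__ == "__main__":
    for trace in (GOOD_TRACE, BAD_TRACE):
        for f in analyze_trace(trace):
            print(f.ts, f.kind, f.detail)
    print(reauth_timeouts(LOGBUF))
```

Run against a capture taken with `tcpdump -n` the port-name map is unnecessary, but the parser accepts both forms. A "reply-rejected" finding alongside a clean server reply is the cue to look at the NAS (here the switch) rather than the RADIUS server, which is what the ICMP unreachable in the second trace already tells you.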


MariaC862
Moderator

Hi!

Thank you for posting, could you please answer these questions:

Is this issue impacting multiple switches and/or multiple clients?

Could you please share the AAA config?

Is the RADIUS server reachable when the issue is happening?

Is the RADIUS server in the same L2 domain or on another VLAN?

Please mention any troubleshooting steps you may have tried so far.

Thank you!


Best regards,

Maria Cordoba

Technical Support Engineer | L2 TAC Wired

COMMSCOPE

now meets next

6:00 AM to 3:00 PM CST | Sat & Sun – Off

Support : +1-855-782-5871

Have a question or need to escalate “Chat Now”


Maria Cordoba
Sr. TSE | RICXI

Hi!
Is this issue impacting multiple switches and/or multiple clients?
Yes!
- AAA config:
authentication
  auth-order mac-auth dot1x
  auth-default-vlan xxx
  restricted-vlan yyy
  max-sw-age 30
  max-hw-age 30
  re-authentication
  auth-fail-action restricted-vlan
  dot1x enable
  dot1x max-req 4
  dot1x max-reauth-req 10
  dot1x timeout tx-period 5
  dot1x timeout quiet-period 0
  mac-authentication enable
  mac-authentication password-override 1 zzz
  mac-authentication dot1x-override
aaa authentication dot1x default radius
aaa authentication login default local radius
aaa authentication login privilege-mode
aaa authorization exec default radius
aaa accounting dot1x default start-stop radius none
enable aaa console
radius-server host 10.1.18.100 auth-port 1812 acct-port 1813 default key 2 yyy dot1x port-only
radius-server host 10.1.18.104 ssl-auth-port 2083 authentication-only key 2 xxx
radius-server host 10.1.18.103 ssl-auth-port 2083 authentication-only key 2 xxx
radius-server host 10.1.18.102 ssl-auth-port 2083 authentication-only key 2 xxx
radius-server host 10.1.18.101 ssl-auth-port 2083 authentication-only key 2 xxx
radius-server timeout 4

Is the RADIUS server reachable when the issue is happening?

Yes, the RADIUS server is reachable.
Is the RADIUS server in the same L2 domain or on another VLAN?
The RADIUS server is in another VLAN.

P.S. On SW version 09.0.10kT211 FlexAuth works fine with this config, but we can't log in using an AD username (only a local user).