
ICX7250 authenticated Session is Cleared[Termination-Cause: Host-Moved]

scottshotgg
New Contributor

Hi,

I have an ICX7250-48P (version SPR 8095m) that is exhibiting some strange behavior with RADIUS and I am unsure if it is my configuration or if this is how MAC Auth is expected to work on the ICX line. For reference, I have configured RADIUS before and am currently using another server for a few wireless access points we have. For testing purposes, I was going to point all clients to the default guest VLAN (50) using the DEFAULT in RADIUS. The ICX receives this and changes the port over but then immediately terminates the session which thrashes the clients back and forth between the blackhole VLAN (default: 666) and the default guest VLAN (50). This basically makes the switch unusable since no traffic can get through. I will post my auth config, logs, and RADIUS config below as well. It would be much appreciated if there was anyone out there that could provide any bit of help!

 

Thank you,

Scott

 

RADIUS config:

# Default to VLAN 50
DEFAULT Auth-Type := Accept
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = "50",
        Reply-Message = "Hello, %u"

 

show run auth

authentication
 auth-order mac-auth dot1x
 auth-default-vlan 666
 max-sessions 1024
 reauth-timeout 0
 mac-authentication enable
 mac-authentication enable ethe 1/1/12 ethe 1/1/48
 mac-authentication password-format xx:xx:xx:xx:xx:xx
 mac-authentication dot1x-disable
!


show logging:

Nov 12 20:36:10:N:FLEXAUTH: Port 1/1/12 is deleted from Dynamic Vlan 50 as mac-vlan member
Nov 12 20:36:10:N:FLEXAUTH: Port 1/1/12 is added into Auth-Default Vlan 666 as mac-vlan member
Nov 12 20:36:10:N:MACAUTH: port 1/1/12 mac c8f7.50fb.0ec4 vlan 50: authenticated Session is Cleared[Termination-Cause: Host-Moved]
Nov 12 20:36:09:N:MAC Authentication succeeded for [c8f7.50fb.0ec4 50] on port 1/1/12
Nov 12 20:36:09:N:FLEXAUTH: Port 1/1/12 is deleted from Auth-Default Vlan 666 as mac-vlan member
Nov 12 20:36:09:N:FLEXAUTH: Port 1/1/12 is added into Dynamic Vlan 50 as mac-vlan member
Nov 12 20:36:09:N:MACAUTH: Port 1/1/12 Mac c8f7.50fb.0ec4 - received AAA-ACCEPT
Nov 12 20:36:09:C:MACAUTH: RADIUS server 10.32.0.1 Accepted for c8f7.50fb.0ec4 with (U:50 )
Nov 12 20:36:09:N:MACAUTH: port 1/1/12 mac c8f7.50fb.0ec4 vlan 666: Session is created
Nov 12 20:36:08:N:FLEXAUTH: Port 1/1/12 is deleted from Dynamic Vlan 50 as mac-vlan member
Nov 12 20:36:08:N:FLEXAUTH: Port 1/1/12 is added into Auth-Default Vlan 666 as mac-vlan member
Nov 12 20:36:08:N:MACAUTH: port 1/1/12 mac c8f7.50fb.0ec4 vlan 50: authenticated Session is Cleared[Termination-Cause: Host-Moved]
Nov 12 20:36:07:N:MAC Authentication succeeded for [c8f7.50fb.0ec4 50] on port 1/1/12
Nov 12 20:36:07:N:FLEXAUTH: Port 1/1/12 is deleted from Auth-Default Vlan 666 as mac-vlan member
Nov 12 20:36:07:N:FLEXAUTH: Port 1/1/12 is added into Dynamic Vlan 50 as mac-vlan member
Nov 12 20:36:07:N:MACAUTH: Port 1/1/12 Mac c8f7.50fb.0ec4 - received AAA-ACCEPT
Nov 12 20:36:07:C:MACAUTH: RADIUS server 10.32.0.1 Accepted for c8f7.50fb.0ec4 with (U:50 )
Nov 12 20:36:07:N:MACAUTH: port 1/1/12 mac c8f7.50fb.0ec4 vlan 666: Session is created
Nov 12 20:36:05:N:FLEXAUTH: Port 1/1/12 is deleted from Dynamic Vlan 50 as mac-vlan member
Nov 12 20:36:05:N:FLEXAUTH: Port 1/1/12 is added into Auth-Default Vlan 666 as mac-vlan member
Nov 12 20:36:05:N:MACAUTH: port 1/1/12 mac c8f7.50fb.0ec4 vlan 50: authenticated Session is Cleared[Termination-Cause: Host-Moved]
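
Added example, not part of the original post and not Ruckus tooling: a small Python parser that reads log lines in the format shown above and counts, per port and MAC, how many times a successful MAC authentication is followed within a few seconds by a cleared session, which is the loop visible in this log. The sample lines, the 5-second window, the two-cycle threshold and the placeholder year are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in the shape of ICX `show logging` output (newest first).
SAMPLE = """\
Nov 12 20:36:10:N:MACAUTH: port 1/1/1 mac 0000.5e00.5301 vlan 50: authenticated Session is Cleared[Termination-Cause: Host-Moved]
Nov 12 20:36:09:N:MAC Authentication succeeded for [0000.5e00.5301 50] on port 1/1/1
Nov 12 20:36:09:N:MACAUTH: port 1/1/1 mac 0000.5e00.5301 vlan 666: Session is created
Nov 12 20:36:08:N:MACAUTH: port 1/1/1 mac 0000.5e00.5301 vlan 50: authenticated Session is Cleared[Termination-Cause: Host-Moved]
Nov 12 20:36:07:N:MAC Authentication succeeded for [0000.5e00.5301 50] on port 1/1/1
Nov 12 20:30:00:N:MAC Authentication succeeded for [0000.5e00.5302 50] on port 1/1/2
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d):\w:"
OK = re.compile(TS + r"MAC Authentication succeeded for \[(?P<mac>\S+) \d+\] on port (?P<port>\S+)")
CLEARED = re.compile(TS + r"MACAUTH: port (?P<port>\S+) mac (?P<mac>\S+) vlan \d+: "
                     r"authenticated Session is Cleared\[Termination-Cause: (?P<cause>[\w-]+)\]")

def parse(text, year=2000):
    """Return (time, kind, port, mac, cause) tuples, oldest first.
    The log carries no year, so `year` is an assumed placeholder."""
    events = []
    for line in text.splitlines():
        for kind, rx in (("ok", OK), ("cleared", CLEARED)):
            m = rx.match(line.strip())
            if m:
                t = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
                events.append((t, kind, m["port"], m["mac"], m.groupdict().get("cause")))
    if events and events[0][0] > events[-1][0]:   # buffer was printed newest first
        events.reverse()
    return events

def find_flapping(text, window=timedelta(seconds=5), min_cycles=2):
    """Count accept -> cleared cycles per (port, mac, cause) completing within `window`."""
    last_ok, cycles = {}, Counter()
    for t, kind, port, mac, cause in parse(text):
        key = (port, mac)
        if kind == "ok":
            last_ok[key] = t                       # remember the latest accept
        elif key in last_ok and t - last_ok.pop(key) <= window:
            cycles[(port, mac, cause)] += 1        # session cleared right after accept
    return {k: n for k, n in cycles.items() if n >= min_cycles}

if __name__ == "__main__":
    for (port, mac, cause), n in find_flapping(SAMPLE).items():
        print(f"{port} {mac}: {n} accept/clear cycles, cause {cause}")
```
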

5 REPLIES

jdryan
Moderator

Multi-host works best when AP or Hub is connected.
Multi-untagged works best when IP phones are connected.

Here single-untagged/single-host [default] would be the best mode to go with.

This may need to be investigated further as it's also observed on code 8095p.
Please do have the below debugs collected over console:

  • skip
  • show log
  • show tech
  • ptrace aaa
  • debug ip aaa
  • <capture the issue state>
  • no debug all / undebug all

Once these are collected, do reach out to us on the support front so that we can investigate this further.
Please do raise a case here: https://support.ruckuswireless.com/contact-us