dot1x Authentication on 3750

Unanswered Question
Oct 7th, 2009

I configured dot1x port-authentication on a 3750. The switch sends out a request to the RADIUS server. The RADIUS server sends an answer packet to the switch on UDP port 21645, but it seems the switch discards the packet or something like that. The RADIUS server gets the answer "Destination unreachable, Port Unreachable".

Thank you


dhananjoy chowdhury Wed, 10/07/2009 - 01:08

Did you define the RADIUS source interface on the switch?

something like this -

ip radius source-interface vlan1

The source IP address of the switch as seen in the RADIUS packet should be the same as the "radius agent ip address" configured on the RADIUS server.

lhconsulting Wed, 10/07/2009 - 01:21

No, I did not before, but I tried it right now with no difference.

The source IP address of the switch is configured correctly on the RADIUS server.

When I use a sniffer on the RADIUS server I can see the "Access-Request" from the switch with a correct source IP.

The RADIUS server processes the request and sends an Access-Reject to the correct IP address, but then gets a Destination unreachable (Port unreachable).

So the RADIUS server is working properly and the IP of the switch is correct, but the switch has not opened the UDP port for the answer packet.

But I can ping the switch from the RADIUS server.

IAN WHITMORE Wed, 10/12/2011 - 07:05

Sorry to bump such an old post, but I'm having exactly the same issue on my 6500.

Here's the tcpdump:

14:59:28.545965 IP > MGMT4: RADIUS, Access Request (1), id: 0x4d length: 90
14:59:28.548010 IP MGMT4 > RADIUS, Access Accept (2), id: 0x4d length: 45
14:59:28.548479 IP > MGMT4: ICMP udp port 21645 unreachable, length 36
14:59:39.511112 IP > MGMT4: RADIUS, Access Request (1), id: 0x4d length: 90
14:59:39.512950 IP MGMT4s > RADIUS, Access Accept (2), id: 0x4d length: 45
14:59:39.513435 IP > MGMT4: ICMP udp port 21645 unreachable, length 36
14:59:49.603144 IP > MGMT4: RADIUS, Access Request (1), id: 0x4d length: 90
14:59:49.604842 IP MGMT4 > RADIUS, Access Accept (2), id: 0x4d length: 45
14:59:49.605165 IP > MGMT4: ICMP udp port 21645 unreachable, length 36

Could it be a bug?

Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXH6, RELEASE SOFTWARE (fc1)

IAN WHITMORE Thu, 10/13/2011 - 08:15

Well, whether it sends Access-Accept or Access-Reject is not the problem. The problem is a communication error because it can't reach the switch. We both have the same problem of the port being unreachable. In lhconsulting's case it was also an Access-Reject. In my case it's an Access-Accept.

But if the switch can reach the RADIUS server on the same LAN, with no ACLs and no firewall, why can't the server reply to the switch port? That is the question here.

I'm wondering if it's a bug.

Matthew Needs Tue, 09/18/2012 - 00:46

Hi all. I'm having a very similar problem on a 6500.

6509 Loop0 - (Radius Source)

Radius Server - (TekRadius)

6509 SVI Interface - (LAN Interface)

Using Wireshark I can see the RADIUS communication to and from the correct IP addresses. But then I see port 21645 unreachable coming from the 6509's VLAN interface. Did you guys ever have any luck with this?

1001 132.049236000 RADIUS 130 Access-Request(1) (id=219, l=88)
1002 132.062993000 RADIUS 100 Access-Accept(2) (id=219, l=58)
1003 132.063590000 ICMP 70 Destination unreachable (Port unreachable)

Thanks very much


ayden_beeson86 Thu, 09/27/2012 - 00:16

Did any of you get anywhere with this problem?

I'm trying to test this with a 3750 running 122-25 SEE3; I'm upgrading it to 122-52 SE at the moment to see if that helps...

If it turns out it's an IOS bug I have wasted a few days on....

EDIT: Matt, looking at yours, the return does not match the original.

Try setting the ip radius source-interface to whatever interface it's coming in on (vlan #) and see if that helps (it didn't fix mine, but it's a start).
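The three captures quoted above (lhconsulting's description, Ian's tcpdump and Matthew's Wireshark list) all show the same pattern: a RADIUS reply arrives at the switch's source port and the switch answers it with ICMP port unreachable, and ayden's hint is to check that the reply goes back to the exact address and port the request left from. The following Python script is an added example, not code from this thread or from Cisco; it triages a tcpdump-style capture for exactly those two conditions. The host names SWITCH, LOOP0, SVI, OTHERHOST and RADIUS in the embedded sample are placeholders, and the sample lines themselves are constructed to mirror the thread's output, with the hosts and ports filled in.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample capture in the tcpdump style quoted in the thread.
# SWITCH, LOOP0, SVI, OTHERHOST and RADIUS are placeholder host names.
SAMPLE_CAPTURE = """\
14:59:28.545965 IP SWITCH.21645 > RADIUS.1812: RADIUS, Access-Request (1), id: 0x4d length: 90
14:59:28.548010 IP RADIUS.1812 > SWITCH.21645: RADIUS, Access-Accept (2), id: 0x4d length: 45
14:59:28.548479 IP SWITCH > RADIUS: ICMP SWITCH udp port 21645 unreachable, length 36
14:59:39.511112 IP SWITCH.21645 > RADIUS.1812: RADIUS, Access-Request (1), id: 0x4e length: 90
14:59:39.512950 IP RADIUS.1812 > SWITCH.21645: RADIUS, Access-Accept (2), id: 0x4e length: 45
14:59:50.100000 IP LOOP0.21645 > RADIUS.1812: RADIUS, Access-Request (1), id: 0x4f length: 90
14:59:50.102000 IP RADIUS.1812 > LOOP0.21645: RADIUS, Access-Reject (3), id: 0x4f length: 45
14:59:50.102500 IP SVI > RADIUS: ICMP LOOP0 udp port 21645 unreachable, length 36
14:59:55.200000 IP SWITCH.21645 > RADIUS.1812: RADIUS, Access-Request (1), id: 0x50 length: 90
14:59:55.201000 IP RADIUS.1812 > OTHERHOST.21645: RADIUS, Access-Accept (2), id: 0x50 length: 45
"""

# "Access Request" (as pasted in the thread) and "Access-Request" are both accepted.
RADIUS_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"RADIUS, (?P<code>Access[- ]\w+) \(\d+\), id: (?P<id>0x[0-9a-fA-F]+)"
)
# tcpdump prints the rejected datagram's original destination before 'udp port';
# the thread's paste has it stripped, so the host is optional here.
ICMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"ICMP (?:\S+ )?udp port (?P<port>\d+) unreachable"
)


def _seconds(ts: str) -> float:
    """'HH:MM:SS.ffffff' -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def _split(endpoint: str) -> Tuple[str, Optional[str]]:
    """'HOST.port' -> ('HOST', 'port'); a bare host (ICMP lines) -> ('HOST', None)."""
    host, dot, port = endpoint.rpartition(".")
    if dot and port.isdigit():
        return host, port
    return endpoint, None


def analyse(capture: str, window: float = 1.0) -> List[Dict[str, str]]:
    """Correlate RADIUS requests, replies and ICMP port-unreachable messages.

    Findings:
      reply-mismatch          the server answered an endpoint other than the one the
                              Access-Request came from (ayden's "return does not match").
      reply-port-unreachable  the NAS rejected the reply with ICMP port unreachable;
                              'icmp_from' differing from 'reply_to' is Matthew's case,
                              where the ICMP came from the SVI, not the source Loopback.
    """
    requests: Dict[str, dict] = {}      # RADIUS id -> Access-Request record
    replies: List[dict] = []            # Access-Accept/Reject records in arrival order
    findings: List[Dict[str, str]] = []

    for line in capture.splitlines():
        m = RADIUS_RE.match(line)
        if m:
            rec = {"ts": _seconds(m["ts"]), "src": m["src"], "dst": m["dst"],
                   "code": m["code"].replace(" ", "-"), "id": m["id"]}
            if rec["code"] == "Access-Request":
                requests[rec["id"]] = rec
                continue
            replies.append(rec)
            req = requests.get(rec["id"])
            if req and (rec["dst"] != req["src"] or rec["src"] != req["dst"]):
                findings.append({"type": "reply-mismatch", "id": rec["id"],
                                 "request_from": req["src"], "reply_to": rec["dst"]})
            continue
        m = ICMP_RE.match(line)
        if not m:
            continue  # any other traffic is ignored
        ts = _seconds(m["ts"])
        icmp_from, _ = _split(m["src"])
        icmp_to, _ = _split(m["dst"])
        # Newest reply first: the reply sent to this NAS port by the host that is now
        # receiving the ICMP, within the window, is the datagram being rejected.
        for rep in reversed(replies):
            if ts - rep["ts"] > window:
                break
            reply_host, reply_port = _split(rep["dst"])
            server_host, _ = _split(rep["src"])
            if reply_port == m["port"] and server_host == icmp_to:
                findings.append({"type": "reply-port-unreachable", "id": rep["id"],
                                 "code": rep["code"], "port": m["port"],
                                 "reply_to": reply_host, "icmp_from": icmp_from,
                                 "delay_ms": f"{(ts - rep['ts']) * 1000:.1f}"})
                break
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_CAPTURE):
        print(finding)
```

Run against a real capture, a `reply-port-unreachable` finding whose `reply_to` and `icmp_from` are the same host is the bare symptom from this thread (the NAS is not listening on the port it sent from), while a finding where they differ, or a `reply-mismatch`, points at the source-interface configuration the replies above discuss rather than at the RADIUS server.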

ayden_beeson86 Thu, 09/27/2012 - 01:08

Hey guys,

I have upgraded my switch to 12.2.52 and it's now working properly!

I did have to reconfigure it as it's now "Flex auth", and don't forget to add the pae authenticator on the interface; it's not added by default now in case you don't want dot1x via RADIUS (MAC-based and webauth are available too).

