Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

TACACS+ client side port range

The ACS appliance talks to the AAA client on the standard Tacacs port 49 destine for port 11xxx on the AAA client. The Client then replies to the ACS appliance on that same 11xxx port destine for port 49 on the ACS appliance. Anyone know the port range the AAA client uses to respond the the ACS appliance?

2 REPLIES
Silver

Re: TACACS+ client side port range

Isnt the other way around?

The T+ AAA server listens on port 49, and replies back to the AAA client (presumably an IOS device).

If is there no specific option in IOS to restrict local port ranges, then you'd have to assume that any local port could be used.

Darran

New Member

Re: TACACS+ client side port range

Actually you can see via Ethereal that the AAA client a Cisco 2950 initiates the traffic to the ACS on port 11098 destine to the ACS on port 49. The ACS then responds on port 49 destine for port 11098 on the Cisco 2950.

But you are completely right about the port range. The AAA client uses any local port it wants to start the AAA process between itself and the ACS.

Was just wondering if there was any way in IOS to hard set this port range to help limit the filters applied to a series of Gauntlet Firewalls.

334
Views
0
Helpful
2
Replies
CreatePlease to create content