Cisco Support Community
Community Member

Radius authentication

Hello there,

Could someone tell me how it works?

aaa group server radius infrastructure

server auth-port 1645 acct-port 1646

server auth-port 1812 acct-port 1813 is my ACS is my AP root bridge

My doubt is: why are they using different ports, and why, when I scanned, don't I see any port open?

Kind regards


Re: Radius authentication

Ports 1645 & 1646 and ports 1812 and 1813 are all valid RADIUS ports.

1645 and 1812 are authentication / authorization ports

1646 and 1813 are accounting ports (who's on, how long, what did they do)

The two servers may be using the different port ranges to split the load, offer more authentication / accounting options ... no telling why, but it appears to be valid.

Scanning the AP/Root bridge would be the same effect as scanning a switch (or a chunk of wire) ... it's only infrastructure.

If anything, you'd scan the ACS server or one of the RADIUS boxes; they are platforms and would have the open ports.

An AP or bridge is a Layer two device (at best) and doesn't know anything about Layer 3 ports.

Good Luck


Cisco Employee

Re: Radius authentication


ACS default Auth/Acct ports for RADIUS are 1645/1646.

Aironet AP running IOS that supports "Local RADIUS" default Auth/Acct ports are 1812/1813.

My guess is that your AP was configured (at least partially) to support LEAP authentication of 'infrastructure' devices (e.g. AP's in a WDS infrastructure). Hence the server group named "infrastructure" and the configuration of the AP itself as a RADIUS Server.

The full configuration of the AP and details of your infrastructure might help.



Re: Radius authentication


The original RFC for RADIUS issued ports 1645/1646, which conflicted with the datametrics service. Because of this, RFC 2865 officially assigned port numbers 1812/1813 for RADIUS.

So, what you have here is simply two RADIUS servers (probably for redundancy) listening on different ports.

The following tech note has more detail:



Community Member

Re: Radius authentication

RADIUS works via UDP. Most port scanners only handle TCP.
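An added example, not part of any post in this thread: it shows on localhost why a TCP scan reports nothing for a RADIUS service, and why an empty UDP probe is also met with silence (RFC 2865 has servers silently discard malformed packets). The listener is a constructed stand-in for a RADIUS server, and all function names are hypothetical.

```python
import socket, struct, threading

def toy_radius_listener(sock):
    """Constructed stand-in: UDP only, silently discards anything malformed."""
    while True:
        try:
            data, peer = sock.recvfrom(4096)
        except OSError:
            return  # socket was closed
        # RADIUS header: code(1) identifier(1) length(2) authenticator(16) = 20 bytes
        if len(data) < 20:
            continue  # too short: dropped without any reply
        code, ident, length = struct.unpack("!BBH", data[:4])
        if code != 1 or length != len(data):
            continue  # not an Access-Request, or bad length field
        # A real server also drops requests from clients it has no shared secret
        # for and computes a Response Authenticator; this toy sends zeros.
        sock.sendto(struct.pack("!BBH", 3, ident, 20) + bytes(16), peer)  # Access-Reject

def tcp_probe(host, port, timeout=1.0):
    """What a TCP connect scan sees: nothing is listening on TCP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError:
        return "closed"

def udp_probe(host, port, payload, timeout=1.0):
    """Send one datagram and return the reply bytes, or None on silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (host, port))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None

def demo():
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))  # ephemeral port stands in for 1812 or 1645
    port = srv.getsockname()[1]
    threading.Thread(target=toy_radius_listener, args=(srv,), daemon=True).start()
    request = struct.pack("!BBH", 1, 42, 20) + bytes(16)  # bare Access-Request header
    return {"tcp": tcp_probe("127.0.0.1", port),
            "udp_empty": udp_probe("127.0.0.1", port, b"", 0.5),
            "udp_radius": udp_probe("127.0.0.1", port, request)}

if __name__ == "__main__":
    print(demo())
```
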
