Cisco Support Community
Community Member

Radius authentication

hello there,

Could someone tell me how this works?

aaa group server radius infrastructure

server 10.236.0.163 auth-port 1645 acct-port 1646

server 10.238.2.8 auth-port 1812 acct-port 1813

10.236.0.163 is my ACS

10.238.2.8 is my AP root bridge

My doubt is: why are they using different ports, and why, when I scanned 10.238.2.8, don't I see any open port?

Kind regards

4 REPLIES
Green

Re: Radius authentication

Ports 1645 & 1646 and ports 1812 and 1813 are all valid RADIUS ports.

1645 and 1812 are authentication / authorization ports

1646 and 1813 are accounting ports (who's on, how long, what did they do)

The two servers may be using the different port ranges to split the load, offer more authentication / accounting options ... no telling why, but it appears to be valid.

Scanning the AP/Root bridge would be the same effect as scanning a switch (or a chunk of wire) ... it's only infrastructure.

If anything, you'd scan 10.238.2.8 (the ACS server) or one of the RADIUS boxes; they are platforms and would have the open ports.

An AP or bridge is a Layer 2 device (at best) and doesn't know anything about Layer 3 ports.

Good Luck

Scott

Cisco Employee

Re: Radius authentication

Hi,

ACS default Auth/Acct ports for RADIUS are 1645/1646.

Aironet AP running IOS that supports "Local RADIUS" default Auth/Acct ports are 1812/1813.

My guess is that your AP was configured (at least partially) to support LEAP authentication of 'infrastructure' devices (e.g. APs in a WDS infrastructure). Hence the server group named "infrastructure" and the configuration of the AP itself as a RADIUS server.

The full configuration of the AP and details of your infrastructure might help.

Thanks,

Ben

Re: Radius authentication

Hi,

The original RFC for RADIUS used ports 1645/1646, which conflicted with the datametrics service. Because of this, RFC 2865 officially assigned port numbers 1812/1813 for RADIUS.

So, what you have here is simply two radius servers (probably for redundancy) listening on different ports.

The following tech note has more detail:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800945cc.shtml

HTH

Andrew.
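As an added example (not from this thread, Cisco, or ACS), the following Python audit reads the poster's aaa group server radius block, classifies each server's ports as the legacy 1645/1646 pair or the RFC 2865 1812/1813 pair, and flags a group that mixes the two or uses a non-standard port. The function names are mine, and the fallback to 1645/1646 for a server line that omits its ports is my assumption about the IOS default.

```python
import re
# The two RADIUS UDP port pairs from the thread: the pre-RFC pair (1645/1646,
# which collided with "datametrics") and the RFC 2865/2866 pair (1812/1813).
PORT_FAMILIES = {"legacy": {"auth": 1645, "acct": 1646},
                 "rfc2865": {"auth": 1812, "acct": 1813}}

# Matches IOS 'server <host> [auth-port N] [acct-port N]' lines.
SERVER_RE = re.compile(r"^\s*server\s+(?P<host>\S+)"
                       r"(?:\s+auth-port\s+(?P<auth>\d+))?"
                       r"(?:\s+acct-port\s+(?P<acct>\d+))?\s*$")

def parse_radius_servers(config: str) -> list[dict]:
    """One {'host','auth','acct'} dict per server line; omitted ports are
    assumed to fall back to the legacy 1645/1646 defaults."""
    servers = []
    for line in config.splitlines():
        m = SERVER_RE.match(line)
        if m:
            servers.append({"host": m["host"],
                            "auth": int(m["auth"] or PORT_FAMILIES["legacy"]["auth"]),
                            "acct": int(m["acct"] or PORT_FAMILIES["legacy"]["acct"])})
    return servers

def classify(port: int, role: str) -> str:
    """Return 'legacy', 'rfc2865' or 'nonstandard' for an auth/acct port."""
    for family, ports in PORT_FAMILIES.items():
        if ports[role] == port:
            return family
    return "nonstandard"

def audit_ports(servers: list[dict]) -> list[str]:
    """Flag mismatched auth/acct pairs, odd ports, and mixed conventions."""
    findings, families = [], set()
    for s in servers:
        fa, fc = classify(s["auth"], "auth"), classify(s["acct"], "acct")
        families.update({fa, fc})
        if fa != fc:
            findings.append(f"{s['host']}: auth-port is {fa} but acct-port is {fc}")
        if "nonstandard" in (fa, fc):
            findings.append(f"{s['host']}: non-standard RADIUS port(s) {s['auth']}/{s['acct']}")
    if len(families - {"nonstandard"}) > 1:
        findings.append("group mixes legacy (1645/1646) and RFC 2865 (1812/1813) ports; "
                        "confirm each server actually listens on the UDP port the client uses")
    return findings

# The poster's snippet from the thread, blank lines removed.
OP_CONFIG = """aaa group server radius infrastructure
server 10.236.0.163 auth-port 1645 acct-port 1646
server 10.238.2.8 auth-port 1812 acct-port 1813
"""
```

Running audit_ports(parse_radius_servers(OP_CONFIG)) reports only the mixed-convention finding, since each server's own auth/acct pair is internally consistent.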

Community Member

Re: Radius authentication

RADIUS works via UDP. Most port scanners only handle TCP.
