[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 512
  • Last Modified:

Cisco Switches Radius Key

I removed certain radius server hosts from the cisco switches I have and added new hosts radius server hosts - I used this command as follows:

radius-server host "ipaddress" auth-port 1812 acct-port 1813 key /password/

My question is:

1. The auth-port 1812 and the acct-port 1813 - do I have to make sure these ports are open on the new servers or somewhere else? (firewall?).

2. Also, how can I make sure that the new radius server hosts I added are actually "working"? That they are actually authenticating with the radius server correctly?

Once I can verify that all is working and it is set up correctly then I can proceed to make the system wide changes. Basically all I did was a show running-config and copy and pasted the command and just changed the ip address to add the new radius hosts. So I dont know how the auth and acct ports play a role and if there is something I still need to manually configure on the 2008 server or firewall etc.

  • 2
2 Solutions
If there's a firewall in between, then yes, you will need to make sure it's being permitted through the firewall.  If the server is listening for RADIUS, then those ports should be open, but it's possible they're listing on 1645 and 1646.

You can test authentication from a Cisco router from the CLI using "test aaa group <group> <username> <password>
Craig BeckCommented:
You need to configure the Cisco switches as RADIUS clients on the RADIUS server.
As you're using Server 2008, the NPS service configured by default to use both ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.

Also if there's a firewall between the switches you will need to open those ports.  To be safe allow both TCP and UDP.

Then, as jmeggers says, use the test aaa group <group> <username> <password> command to verify.
tolinromeAuthor Commented:
ok, for the "group username password" I'm looking in the NPS on Windows 2008 and I see on the Network Policies a Windows Group called "domainname\domain admins" where or how can I find the password?
tolinromeAuthor Commented:

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now