Cisco Switches Radius Key

Posted on 2011-05-11
Last Modified: 2012-05-11
I removed certain radius server hosts from the Cisco switches I have and added new radius server hosts. I used this command as follows:

radius-server host "ipaddress" auth-port 1812 acct-port 1813 key /password/

My question is:

1. The auth-port 1812 and the acct-port 1813 - do I have to make sure these ports are open on the new servers or somewhere else? (firewall?).

2. Also, how can I make sure that the new radius server hosts I added are actually "working"? That they are actually authenticating with the radius server correctly?

Once I can verify that all is working and it is set up correctly then I can proceed to make the system wide changes. Basically all I did was a show running-config and copied and pasted the command and just changed the IP address to add the new radius hosts. So I don't know how the auth and acct ports play a role and if there is something I still need to manually configure on the 2008 server or firewall etc.

Question by:tolinrome

    Accepted Solution

    If there's a firewall in between, then yes, you will need to make sure it's being permitted through the firewall.  If the server is listening for RADIUS, then those ports should be open, but it's possible they're listening on 1645 and 1646.

    You can test authentication from a Cisco router from the CLI using "test aaa group <group> <username> <password>".

    Assisted Solution

    by:Craig Beck
    You need to configure the Cisco switches as RADIUS clients on the RADIUS server.
    As you're using Server 2008, the NPS service is configured by default to use both ports 1812 and 1645 for authentication and ports 1813 and 1646 for accounting.

    Also, if there's a firewall between the switches, you will need to open those ports.  To be safe, allow both TCP and UDP.

    Then, as jmeggers says, use the test aaa group <group> <username> <password> command to verify.
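
An added example, not part of the original thread: a small Python check that can complement "test aaa" from a workstation by sending one PAP Access-Request and verifying the reply against the shared key. All function names are this example's own, and make_reply is a constructed stand-in for a server so the key check can be exercised offline.

```python
import hashlib, hmac, os, socket, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        stream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], stream))
        out += prev
    return out

def attr(kind, value):
    return bytes([kind, len(value) + 2]) + value

def build_access_request(ident, user, password, secret, req_auth=None):
    """Return (packet, request_authenticator); Message-Authenticator is HMAC-MD5 (RFC 2869)."""
    req_auth = req_auth or os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(password, secret, req_auth))
    attrs += attr(MESSAGE_AUTHENTICATOR, bytes(16))  # zero-filled while the HMAC is computed
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    return pkt[:-16] + hmac.new(secret, pkt, hashlib.md5).digest(), req_auth

def make_reply(code, ident, req_auth, secret, attrs=b""):
    """Constructed stand-in: the reply a server holding `secret` would send."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return head + hashlib.md5(head + req_auth + attrs + secret).digest() + attrs

def check_reply(reply, ident, req_auth, secret):
    """Classify a reply: accept / reject / bad-key (authenticator mismatch) / malformed."""
    if len(reply) < 20 or reply[1] != ident or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return "malformed"
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        return "bad-key"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(reply[0], "other")

def probe(host, port, user, password, secret, timeout=3.0):
    """Send one Access-Request over UDP; 'no-answer' usually means blocked port or unknown client."""
    pkt, req_auth = build_access_request(os.urandom(1)[0], user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(pkt, (host, port))
            return check_reply(s.recv(4096), pkt[1], req_auth, secret)
        except OSError:
            return "no-answer"
```

Calling probe against the server on 1812 and then on 1645 shows which authentication port answers. The probing host has to be defined as a RADIUS client on the server, just as the answer above says for the switches.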

    Author Comment

    OK, for the "group username password" I'm looking in the NPS on Windows 2008 and I see on the Network Policies a Windows Group called "domainname\domain admins". Where or how can I find the password?