Port reference
Port 1645 (UDP) – RADIUS Authentication (legacy)
Legacy RADIUS auth port — carries AAA authentication requests, superseded by the official port 1812.
Default state
Open on older RADIUS servers and NAS devices kept for backward compatibility. Should be migrated to port 1812.
Common attacks
- Blast-RADIUS MD5 collision forging Access-Accept responses (CVE-2024-3596)
- Shared-secret cracking from captured RADIUS exchanges
- Offline cracking of weak PAP/CHAP credentials
- Man-in-the-middle and replay against unprotected UDP RADIUS
Hardening
- Patch servers and clients against Blast-RADIUS (CVE-2024-3596)
- Enable Message-Authenticator on all RADIUS packets
- Migrate from legacy 1645 to the official port 1812
- Use long, unique shared secrets and tunnel RADIUS over IPsec/TLS (RadSec)
- Restrict RADIUS to trusted NAS devices and management networks
nmap snippet
nmap -sU -p1645 --script radius-test <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 1645?
Port 1645 is the legacy RADIUS authentication port. RADIUS is the AAA protocol that network access servers — VPN gateways, Wi-Fi controllers, switches — use to authenticate users against a central server. Port 1645 was the original authentication port (paired with 1646 for accounting) before IANA standardised 1812 (and 1813). Many devices still listen on 1645 for backward compatibility, so the old port lingers in production.
Why it matters for security
RADIUS gates network and remote access, so weaknesses here translate directly into unauthorised entry. The protocol authenticates responses with an MD5-based construction over UDP, which is both crackable and, as Blast-RADIUS (CVE-2024-3596) showed, vulnerable to MD5 collision attacks that let an on-path adversary forge an Access-Accept. Weak shared secrets and legacy PAP/CHAP credentials compound the exposure.
How it's attacked
The Blast-RADIUS attack exploits the MD5 response authenticator to forge Access-Accept packets, turning a denied login into an approved one without knowing the password. Attackers also capture RADIUS exchanges to crack the shared secret or weak PAP/CHAP credentials offline, and replay or MITM unprotected UDP RADIUS traffic.
Hardening checklist
Patch RADIUS servers and clients against Blast-RADIUS (CVE-2024-3596) and require the Message-Authenticator attribute on every packet. Migrate off legacy 1645 to the official port 1812. Use long, unique shared secrets and, where possible, tunnel RADIUS over IPsec or TLS (RadSec). Restrict RADIUS to trusted NAS devices and management networks. The nmap script above probes RADIUS on hosts you are authorised to test.
Frequently asked questions
- What is the difference between port 1645 and 1812?
  Both carry RADIUS authentication. Port 1645 is the original, legacy port; 1812 is the IANA-assigned official port that replaced it. Many devices still support 1645 for compatibility.
- Is RADIUS on port 1645 affected by Blast-RADIUS?
  Yes. Blast-RADIUS (CVE-2024-3596) exploits a weakness in RADIUS's MD5 response authentication over UDP, allowing an on-path attacker to forge Access-Accept responses regardless of which UDP port is used.