Skip to content
PortsDB

Port reference

Port 1812 (UDP) – RADIUS Authentication

RADIUS authentication — centralized AAA for network access, VPNs, Wi-Fi, and admin logins.

udpRegisteredCommonly attacked

Default state

Open on RADIUS servers (NPS, FreeRADIUS, ISE) serving NAS clients such as switches, APs, and VPNs, often with reused shared secrets.

Common attacks

  • Blast-RADIUS MD5 protocol attack (CVE-2024-3596)
  • Offline cracking of weak shared secrets
  • Credential brute force and password spraying via NAS
  • Sniffing of cleartext attributes on UDP RADIUS

CVE-2024-3596

Hardening

  • Patch for Blast-RADIUS and enable Message-Authenticator everywhere
  • Use long, unique shared secrets per NAS client
  • Prefer RADSEC (RADIUS over TLS) or IPsec for transport
  • Restrict RADIUS to a management network and trusted NAS IPs
  • Use EAP methods with mutual TLS; enforce MFA

nmap snippet

nmap -sU -p1812 --script radius-test <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 1812?

Port 1812 is the modern RADIUS authentication port, the heart of centralized AAA (authentication, authorization, accounting). Network access servers — VPN concentrators, Wi-Fi access points, switches doing 802.1X, and admin logins — forward credentials to a RADIUS server (NPS, FreeRADIUS, Cisco ISE) which decides access. Accounting runs alongside on 1813, and legacy deployments still use 1645.

Why it matters for security

RADIUS is the gatekeeper for network access, so weaknesses here unlock the whole network. The protocol relies on a shared secret and MD5, both showing their age. Weak secrets can be cracked offline from captured traffic, and Blast-RADIUS (CVE-2024-3596) abuses the MD5-based Response Authenticator to forge authentication responses as an on-path attacker. Cleartext UDP attributes can also leak sensitive data.

How it's attacked

Attackers capture RADIUS exchanges and crack the shared secret offline, or exploit Blast-RADIUS to forge an Access-Accept and bypass authentication entirely. NAS clients are abused to brute force and spray credentials, and unencrypted attributes are sniffed where RADSEC or IPsec is not in use.

Hardening checklist

Patch for Blast-RADIUS and require the Message-Authenticator attribute on all packets. Use long, unique shared secrets per NAS client, and move transport to RADSEC (RADIUS over TLS) or IPsec. Confine RADIUS to a management network with trusted NAS IPs, retire 1645, and use strong EAP methods with mutual TLS plus MFA. Use the nmap snippet above to test RADIUS on servers you are authorized to assess.

Related ports

Port 1813Port 1645Port 389Port 88

Frequently asked questions

What is the difference between port 1812 and 1645?
1812 is the modern IANA-assigned RADIUS authentication port; 1645 is the legacy port still seen on older gear. Both carry RADIUS auth, but 1645 should be retired.
What is Blast-RADIUS (CVE-2024-3596)?
A 2024 protocol flaw abusing RADIUS's MD5-based Response Authenticator to forge responses via a chosen-prefix collision, allowing an on-path attacker to bypass authentication. Mitigated by Message-Authenticator and patches.