Understanding and Configuring RADIUS Server Port for Network Authentication

Firewalls control which traffic reaches a host, and a RADIUS (Remote Authentication Dial-In User Service) server is only useful if the firewalls between it and its clients let the right datagrams through. A wrong or missing rule shows up as authentication failures, locking users out of the resources the server is supposed to gate. This article explains which ports RADIUS uses and how to configure the firewalls on a server's path, both the host firewall on the server and the network firewalls in front of it, so that RADIUS communication works without opening more than it needs.

By default, RADIUS communication relies on specific User Datagram Protocol (UDP) ports to send and receive authentication and accounting messages. These ports act as designated pathways, ensuring RADIUS clients, proxies, and servers can effectively exchange information. Understanding these ports and how to configure firewalls to permit traffic on them is vital for maintaining a secure and functional network environment.

RADIUS Server Ports: The Gateways to Authentication and Accounting

RADIUS runs over UDP. RFC 2865 explains the choice: the client, not the transport, owns retransmission and can fail over to a second server when the first does not answer, and the server keeps no connection state. The practical consequence for firewall design is that the request and the reply are independent datagrams, so the return path has to be allowed as well as the request path. The standard RADIUS ports are:

  • Port 1812: Primarily used for RADIUS authentication requests and responses. When a user attempts to access a network resource protected by RADIUS, authentication requests are sent to the RADIUS server on this port.
  • Port 1813: Dedicated to RADIUS accounting messages. Accounting is crucial for tracking network usage, session times, and data consumption. RADIUS servers listen on port 1813 to receive accounting requests and send accounting responses.
  • Ports 1645 and 1646 (Legacy): Older RADIUS implementations and some legacy systems may utilize ports 1645 for authentication and 1646 for accounting. While ports 1812 and 1813 are the current standards defined in RFCs 2865 and 2866, understanding these older ports can be necessary for compatibility with older equipment or configurations.

These are only defaults; the listening ports can be changed. Any deviation from the standard ports has to be configured consistently on every RADIUS client, proxy, and server and on every firewall in between, or requests silently vanish. Note also that RADIUS over TLS (RadSec, RFC 6614) uses TCP port 2083 rather than these UDP ports; the rules in this article do not cover it.

Configuring Windows Firewall for RADIUS Server Port on NPS

For systems using Windows Server with Network Policy Server (NPS) acting as the RADIUS server, Windows Defender Firewall with Advanced Security is the built-in firewall solution. During the installation of NPS, the Windows Firewall is typically automatically configured to allow RADIUS traffic on the default UDP ports (1812, 1813, 1645, and 1646). This automatic configuration simplifies the setup process for standard deployments.

There is one catch on Windows Server 2019. The predefined NPS firewall rules are scoped to the IAS service (the service name under which NPS runs), and Windows matches a service-scoped rule against the per-service SID in the process token. On Server 2019 the IAS service is registered with a SID type that leaves that SID out of its token, so the exceptions exist but never match and inbound RADIUS traffic is dropped. The fix is to run sc sidtype IAS unrestricted from an elevated command prompt and then restart the service (or the server); sc qsidtype IAS confirms the setting afterwards.

If you choose to use non-default ports for RADIUS traffic, the firewall has to be adjusted by hand. This involves:

  1. Removing the Default Port Exceptions: Delete (or at least disable) the automatically created rules that allow RADIUS traffic on ports 1812, 1813, 1645, and 1646, so the old ports are no longer exposed.
  2. Creating Exceptions for the Custom Ports: Define inbound rules that allow UDP traffic on the chosen ports, scoped to the IAS service and to the network profiles the server actually uses (normally Domain). Restrict the remote addresses to the RADIUS clients and proxies that send requests rather than leaving them as Any. Outbound rules are only needed if the outbound default action for the profile has been changed from Allow to Block; the Windows Firewall default lets the replies out.

For detailed instructions on modifying NPS UDP port settings within the NPS console, refer to the Microsoft documentation on “Configure NPS UDP Port Information“.
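The procedure above, as an added PowerShell example (not from the article or from Microsoft's documentation), run in an elevated session on the NPS itself. The custom ports, the client subnets, and the rule names it creates are placeholders; the display group "Network Policy Server" is the group Windows assigns to the predefined NPS rules, which you should confirm with Get-NetFirewallRule before removing anything. Changing the ports NPS listens on is done separately in the NPS console, as the linked Microsoft page describes.

```powershell
# Added example: move NPS to custom RADIUS ports and rebuild the host firewall rules to match.
# Placeholder values (assumptions): the ports, the client subnets, and the new rule names.
$AuthPort      = 11812                           # assumed custom authentication port
$AcctPort      = 11813                           # assumed custom accounting port
$ClientSubnets = '10.20.0.0/16', '192.0.2.0/24'  # assumed RADIUS client / proxy source ranges

# 1. Service-scoped rules only match if the IAS token carries the service SID (Server 2019 issue).
sc.exe sidtype IAS unrestricted | Out-Null
sc.exe qsidtype IAS                                # expect: SERVICE_SID_TYPE: UNRESTRICTED

# 2. Drop the predefined exceptions for 1812/1813/1645/1646. Verify the group name first with
#    Get-NetFirewallRule -DisplayGroup 'Network Policy Server'. Disable-NetFirewallRule is the
#    reversible alternative if you prefer to keep the rules around.
Get-NetFirewallRule -DisplayGroup 'Network Policy Server' -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Create replacement rules scoped to the IAS service, the Domain profile and the client ranges.
#    Outbound rules are included so the configuration still works if outbound filtering is enabled.
$rules = @(
    @{ Name = 'NPS RADIUS Authentication (custom UDP-In)';  Port = $AuthPort; Dir = 'Inbound'  }
    @{ Name = 'NPS RADIUS Accounting (custom UDP-In)';      Port = $AcctPort; Dir = 'Inbound'  }
    @{ Name = 'NPS RADIUS Authentication (custom UDP-Out)'; Port = $AuthPort; Dir = 'Outbound' }
    @{ Name = 'NPS RADIUS Accounting (custom UDP-Out)';     Port = $AcctPort; Dir = 'Outbound' }
)
foreach ($r in $rules) {
    New-NetFirewallRule -DisplayName $r.Name -Group 'NPS custom ports' `
        -Direction $r.Dir -Protocol UDP -LocalPort $r.Port -Service IAS `
        -RemoteAddress $ClientSubnets -Profile Domain -Action Allow | Out-Null
}

# 4. After setting the same ports in the NPS console, restart NPS so the SID change and the
#    new listeners take effect.
Restart-Service IAS

# 5. Verify that the rules and the actual listeners agree. If Get-NetUDPEndpoint shows 1812/1813
#    instead of the custom ports, the console change did not take.
Get-NetFirewallRule -Group 'NPS custom ports' |
    Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort
Get-NetUDPEndpoint -LocalPort $AuthPort, $AcctPort -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort
```

Scoping the rules to the service and to the client subnets means a second process that happens to bind the same UDP port, or a host outside the listed ranges, still cannot reach through the exception; that is the least-privilege refinement the last section of this article recommends for the network firewalls as well.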

Configuring External Firewalls for RADIUS Traffic

In network architectures where the RADIUS server (NPS) resides within an intranet or perimeter network behind an external firewall (often connected to the Internet), additional firewall configuration is necessary. These external firewalls act as gatekeepers, controlling traffic between the internet-facing RADIUS clients or proxies and the internal RADIUS server.

Common scenarios involve the NPS having:

  • Dual Interfaces: One interface in the perimeter network and another in the intranet. IP routing is typically disabled in this configuration to enhance security.
  • Single Interface: A single interface in the perimeter network. In this setup, communication with domain controllers in the intranet happens through another internal firewall separating the perimeter network and the intranet.

Regardless of the specific network topology, configuring the external firewall involves defining input and output filters to permit RADIUS traffic flow.

Internet Firewall Configuration: Input and Output Filters

The firewall positioned at the internet boundary requires carefully configured filters on its internet-facing interface (and optionally, its perimeter network interface) to facilitate RADIUS message exchange.

Input Filters (Internet Interface): These filters govern traffic entering the network from the internet towards the NPS. Scope the source address of each filter to the RADIUS clients or proxies that actually send requests; a filter with the source left as Any exposes the RADIUS service to the whole internet. Configure the following input packet filters:

  • RADIUS Authentication (Port 1812): Allow UDP traffic with the destination IP address set to the NPS’s perimeter network interface IP and the destination port as 1812. This enables RADIUS authentication requests from internet-based clients to reach the NPS.
  • RADIUS Accounting (Port 1813): Permit UDP traffic directed to the NPS’s perimeter network interface IP on destination port 1813. This allows RADIUS accounting messages from internet-based clients to be processed by the NPS.
  • (Optional) Legacy RADIUS Ports (1645 & 1646): If compatibility with older RADIUS clients is needed, optionally allow UDP traffic to the NPS’s perimeter network interface IP on destination ports 1645 and 1646 for authentication and accounting respectively.

Output Filters (Internet Interface): These filters control traffic leaving the network from the NPS towards the internet. On a stateful firewall the reply is matched to the request it answers and these explicit output rules are redundant; on a stateless packet filter they are required, because RADIUS is UDP and the reply is a separate datagram sent from the server's listening port back to the client's ephemeral port. Configure these output packet filters:

  • RADIUS Authentication Responses (Port 1812): Allow UDP traffic originating from the NPS’s perimeter network interface IP with the source port as 1812. This enables the NPS to send RADIUS authentication responses back to internet-based clients.
  • RADIUS Accounting Responses (Port 1813): Permit UDP traffic from the NPS’s perimeter network interface IP with the source port as 1813. This allows the NPS to send RADIUS accounting responses to internet-based clients.
  • (Optional) Legacy RADIUS Ports (1645 & 1646): If necessary for older client compatibility, optionally allow UDP traffic originating from the NPS’s perimeter network interface IP with source ports 1645 and 1646 for authentication and accounting responses.

Perimeter Network Firewall Configuration: Input and Output Filters

For firewalls situated at the perimeter network boundary (separating the perimeter network from the intranet), configure the following filters:

Input Filters (Perimeter Network Interface):

  • Traffic from NPS (All Ports): Allow traffic originating from the NPS's perimeter network interface IP address. This is the simplest rule that lets the NPS reach the intranet services it depends on, such as domain controllers for account lookups and group membership. It is also broad: a compromised NPS could then reach any internal host. Where the intranet firewall supports it, narrow the rule to the destination addresses and ports the NPS actually uses, as the last section of this article describes.

Output Filters (Perimeter Network Interface):

  • Traffic to NPS (All Ports): Allow traffic destined for the NPS's perimeter network interface IP address. This permits the replies from intranet services (and management traffic) back to the NPS; the same narrowing by source address and port applies.

Intranet Firewall Configuration: Input and Output Filters

If an additional firewall exists between the perimeter network and the intranet, configure these filters on its intranet interface:

Input Filters (Intranet Interface):

  • Traffic to NPS (All Ports): Allow traffic destined for the NPS’s perimeter network interface IP address. This ensures internal systems can communicate with the NPS.

Output Filters (Intranet Interface):

  • Traffic from NPS (All Ports): Allow traffic originating from the NPS’s perimeter network interface IP address. This allows the NPS to communicate with internal resources like domain controllers for authentication and authorization processes.

The "all ports" filters above are the minimum that works, not the minimum that is safe. Instead of allowing traffic by IP address alone, refine each filter to the specific source and destination addresses and ports in use: the RADIUS clients and proxies that actually send to UDP 1812 and 1813 on the internet side, and the domain controllers and other intranet services the NPS needs on the inside. This least-privilege approach limits what an attacker who reaches the perimeter network, or the NPS itself, can go on to talk to.
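Once the internet, perimeter, and intranet filters above are in place, the practical question is whether a request from the far side of the firewall actually reaches the NPS and whether the reply gets back. The following PowerShell script is an added example, not code from the article or from Microsoft: it builds a genuine RADIUS Access-Request (RFC 2865 User-Password hiding plus a Message-Authenticator attribute) and sends it to UDP 1812, then validates the Response Authenticator of whatever comes back. Any authenticated reply, even an Access-Reject for a bad password, proves both directions of the firewall path. The server address, shared secret, and test credentials are placeholder assumptions; the probe host must already be registered on the NPS as a RADIUS client with that secret, because NPS silently discards requests from unknown clients and the probe cannot distinguish that from a firewall drop.

```powershell
# Added example: probe the RADIUS path through the firewalls with a real Access-Request.
# Placeholder assumptions: NPS address, shared secret, test account; the probe host is a
# registered RADIUS client on the NPS.
function Get-Md5([byte[]]$Data) {
    [System.Security.Cryptography.MD5]::Create().ComputeHash($Data)
}

function New-RadiusAttribute([byte]$Type, [byte[]]$Value) {
    # Type (1 byte), Length (1 byte, counts the 2-byte header), Value
    [byte[]](@([byte]$Type, [byte]($Value.Length + 2)) + $Value)
}

function Protect-RadiusPassword([byte[]]$Secret, [byte[]]$Authenticator, [string]$Password) {
    # RFC 2865 section 5.2: pad to a multiple of 16, XOR each block with
    # MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $padLen = [math]::Max(16, [int][math]::Ceiling($plain.Length / 16) * 16)
    $padded = New-Object byte[] $padLen
    [Array]::Copy($plain, $padded, $plain.Length)
    $out  = New-Object byte[] $padLen
    $prev = $Authenticator
    for ($i = 0; $i -lt $padLen; $i += 16) {
        $b = Get-Md5 ([byte[]]($Secret + $prev))
        for ($j = 0; $j -lt 16; $j++) { $out[$i + $j] = $padded[$i + $j] -bxor $b[$j] }
        $prev = [byte[]]$out[$i..($i + 15)]
    }
    return ,$out
}

function Send-RadiusProbe {
    param(
        [string]$Server    = '192.0.2.10',    # assumed NPS perimeter-interface address
        [int]$Port         = 1812,
        [string]$Secret    = 'ChangeMe',      # assumed shared secret registered on the NPS
        [string]$UserName  = 'radius-probe',  # assumed test account
        [string]$Password  = 'probe-pass',
        [int]$TimeoutMs    = 3000
    )
    $secretBytes = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $identifier  = Get-Random -Maximum 256
    $auth        = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($auth)

    # Attributes: User-Name(1), User-Password(2), NAS-Identifier(32), Message-Authenticator(80).
    # Message-Authenticator is HMAC-MD5 over the whole packet with its own value zeroed.
    $hostName = [System.Text.Encoding]::UTF8.GetBytes([System.Net.Dns]::GetHostName())
    $attrs = [byte[]](
        (New-RadiusAttribute 1  ([System.Text.Encoding]::UTF8.GetBytes($UserName))) +
        (New-RadiusAttribute 2  ([byte[]](Protect-RadiusPassword $secretBytes $auth $Password))) +
        (New-RadiusAttribute 32 $hostName) +
        (New-RadiusAttribute 80 (New-Object byte[] 16)))
    $length = 20 + $attrs.Length
    $packet = [byte[]](@([byte]1, [byte]$identifier, [byte]($length -shr 8), [byte]($length -band 0xFF)) + $auth + $attrs)
    $mac = [System.Security.Cryptography.HMACMD5]::new($secretBytes).ComputeHash($packet)
    [Array]::Copy($mac, 0, $packet, $packet.Length - 16, 16)   # fill in the real Message-Authenticator

    $udp = New-Object System.Net.Sockets.UdpClient
    $udp.Client.ReceiveTimeout = $TimeoutMs
    try {
        $udp.Connect($Server, $Port)
        [void]$udp.Send($packet, $packet.Length)
        $remote = [System.Net.IPEndPoint]::new([System.Net.IPAddress]::Any, 0)
        $reply  = $udp.Receive([ref]$remote)
    } catch {
        # Timeout: a firewall drop on either leg, an unregistered client, or NPS not listening.
        return [pscustomobject]@{ Result = 'no reply'; Detail = $_.Exception.Message }
    } finally { $udp.Close() }

    if ($reply.Length -lt 20 -or $reply[1] -ne $identifier) {
        return [pscustomobject]@{ Result = 'malformed or mismatched reply'; Detail = $reply.Length }
    }
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3.
    $replyAttrs = if ($reply.Length -gt 20) { $reply[20..($reply.Length - 1)] } else { @() }
    $expected   = Get-Md5 ([byte[]]($reply[0..3] + $auth + $replyAttrs + $secretBytes))
    $authOk     = [System.BitConverter]::ToString($expected) -eq [System.BitConverter]::ToString([byte[]]$reply[4..19])
    $codeNames  = @{ 2 = 'Access-Accept'; 3 = 'Access-Reject'; 11 = 'Access-Challenge' }
    $code       = [int]$reply[0]
    [pscustomobject]@{
        Result = if ($authOk) { 'path OK, reply authenticated' } else { 'reply received but Response Authenticator invalid (wrong secret?)' }
        Detail = if ($codeNames.ContainsKey($code)) { $codeNames[$code] } else { "code $code" }
    }
}

Send-RadiusProbe -Server '192.0.2.10' -Secret 'ChangeMe'   # placeholders: replace before use
```

Run the probe from the network segment whose filters you want to prove, for example from a RADIUS proxy on the internet side of the perimeter firewall. "No reply" means the request or the reply was dropped somewhere on the path (or the probe host is not a registered client); an authenticated Access-Reject means the filters on both interfaces are correct and only the credentials were wrong; a reply with an invalid Response Authenticator means the path is open but the shared secret does not match what the NPS has for this client.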

Conclusion

Properly configuring firewalls to carry RADIUS traffic, which starts with knowing which RADIUS server port each component uses, is a prerequisite for working network authentication and accounting. With the default ports (1812 and 1813, plus legacy 1645 and 1646) in mind, the service-scoped Windows Firewall rules on the NPS, and the filters needed at each network boundary, administrators can build RADIUS deployments that are both reachable and tightly scoped. Document the firewall rules and the port settings together, so that a later port change is applied everywhere at once. For more in-depth information on managing NPS, consult the Microsoft documentation on "Manage Network Policy Server" and "Network Policy Server (NPS)".