000018376 - Radius authentication setup through the firewall

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 3

Article Content

Article Number: 000018376
Applies To: RSA ACE/Server
Steel-Belted Radius Enterprise Edition for NT v 2.25
Check Point Firewall-1
Issue: Radius authentication through the firewall
Cause: A firewall sits between the ACE/Server and the Radius server. The Radius server has to pass the authentication request to the ACE/Server through the firewall, so specific ports have to be opened on the firewall.
Resolution: If the RSA ACE/Agent is installed on the Radius server, the following ports should be opened to allow test authentication. The same ports are used by a Radius server that has built-in SecurID support.

For test authentication and native SecurID authentication:

     Destination port: 5500/udp
     Source Port: 1024-65535

If the Radius server is configured as a proxy server (a Radius server that does not support native SecurID authentication), the following ports should be opened.

For Radius authentication:

     Destination Port: 1645/udp
     Source Port: 1024-65535

NOTE: These port numbers are applicable to any third-party Radius server. This solution is applicable to all firewalls except Raptor.
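The two flows above written as a stateful forward policy, scoped to the one host pair that needs them. This is an added example, not part of the RSA article: it assumes a Linux nftables firewall (the article names Check Point Firewall-1), and the table name and both addresses are placeholders from the documentation ranges.

```nftables
#!/usr/sbin/nft -f
# Added example: assumed nftables ruleset for a firewall that forwards
# traffic between the Radius server and the ACE/Server.
# Both addresses are placeholders (RFC 5737 documentation ranges).

define RADIUS_SRV = 192.0.2.10      # Radius server (with ACE/Agent or native SecurID)
define ACE_SRV    = 198.51.100.20   # RSA ACE/Server

table inet radius_ace {
    chain forward {
        # Drop everything that is not explicitly allowed below.
        type filter hook forward priority 0; policy drop;

        # Replies from the ACE/Server match the connection-tracking entry
        # created by the outbound request, so no separate inbound rule
        # (and no wide-open high-port range toward the Radius server)
        # is needed.
        ct state established,related accept

        # Test authentication and native SecurID authentication:
        # destination 5500/udp, source port 1024-65535.
        ip saddr $RADIUS_SRV ip daddr $ACE_SRV \
            udp sport 1024-65535 udp dport 5500 accept

        # Radius authentication when the Radius server acts as a proxy:
        # destination 1645/udp, source port 1024-65535.
        ip saddr $RADIUS_SRV ip daddr $ACE_SRV \
            udp sport 1024-65535 udp dport 1645 accept

        # Log anything else between the two hosts so a blocked
        # authentication attempt is visible during troubleshooting.
        ip saddr $RADIUS_SRV ip daddr $ACE_SRV \
            log prefix "radius-ace-drop: " drop
    }
}
```

Only the rule for the flow actually in use needs to be kept: 5500/udp for an agent or native SecurID setup, 1645/udp for a proxy setup.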

If the Raptor firewall is between the Radius server and the ACE/Server, see RSA SecurID authentication through Symantec Raptor Firewall.

In addition, destination port 1645/udp should be opened on Raptor for Radius authentication.
Legacy Article ID: a208