Required RSA RADIUS Server Listening Ports

Document created by RSA Information Design and Development Employee on Jun 13, 2017. Last modified by RSA Link Admin on Sep 18, 2020.
Version 15

RSA RADIUS is installed and configured with RSA Authentication Manager. All the RADIUS-related ports (1645, 1646, 1812, 1813, and 7082) on the Authentication Manager server are open by default.

Note:  You must protect these ports by blocking the ones that are not used and restricting access to the ones that must be used only by Authentication Manager.

The RADIUS standard initially used UDP ports 1645 and 1646 for RADIUS authentication and accounting packets. The RADIUS standards group later changed the port assignments to 1812 and 1813. The Authentication Manager RADIUS server listens on all four ports for backward compatibility. If all the RADIUS clients are configured to talk to the RADIUS servers only on ports 1812 and 1813, you should block legacy ports 1645 and 1646 on the external firewall.

Whether or not you use RSA RADIUS, if you have replica instances in your deployment, you must allow connections between Authentication Manager instances on TCP ports 1812 and 1813. These ports are required for tasks such as replica attachment, replica promotion, and IP address and hostname changes. New replica instances must be allowed to connect on these ports.

You must restrict all connections to TCP ports 1812 and 1813 from other systems that are not Authentication Manager instances. For example, use your external firewall to block access or use additional layers of network protection to block unauthorized internal users and all other connections that are not Authentication Manager instances.

If you do not plan to use RADIUS, you can close the RADIUS authentication UDP ports 1645 and 1812.
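
The rules above, written as a checker that compares firewall log entries against the expected policy. This is an added example, not RSA code: the deployment values, log line format, and function names are constructed for illustration, limiting UDP sources to a known RADIUS client list is an assumption, and port 7082 is not modeled because the page gives no specific rule for it.

```python
import ipaddress
# Constructed deployment; addresses are documentation-range placeholders.
DEPLOYMENT = {
    "uses_radius": True,
    "legacy_clients": False,  # assumption: no client still sends to 1645/1646
    "am_instances": {"192.0.2.10", "192.0.2.11"},  # primary and replica
    "radius_clients": {"198.51.100.20"},  # assumption: client list is known
}
LEGACY_UDP, MODERN_UDP, AM_TCP = {1645, 1646}, {1812, 1813}, {1812, 1813}

def decide(dep, src, proto, port):
    """Return (action, reason) for one inbound flow to an Authentication Manager instance."""
    src = str(ipaddress.ip_address(src))  # raises ValueError on a malformed address
    proto = proto.lower()
    if proto == "tcp" and port in AM_TCP:
        # Needed between instances whether or not RADIUS is used.
        if src in dep["am_instances"]:
            return "allow", "Authentication Manager instance (replica tasks)"
        return "deny", "TCP 1812/1813 is for Authentication Manager instances only"
    if proto == "udp" and port in LEGACY_UDP | MODERN_UDP:
        if not dep["uses_radius"]:
            # The page names 1645 and 1812; accounting ports are denied as unused.
            return "deny", "RADIUS not in use"
        if port in LEGACY_UDP and not dep["legacy_clients"]:
            return "deny", "legacy port; all clients use 1812/1813"
        if src in dep["radius_clients"]:
            return "allow", "known RADIUS client"
        return "deny", "source is not a configured RADIUS client"
    return "n/a", "port not covered by these rules"

def audit(dep, log_lines):
    """Parse 'src proto port verdict' lines; return entries where the firewall disagrees with policy."""
    findings = []
    for line in log_lines:
        src, proto, port, seen = line.split()
        want, reason = decide(dep, src, proto, int(port))
        if want != "n/a" and want != seen:
            findings.append((line, want, reason))
    return findings

# Constructed firewall log: source, protocol, destination port, firewall verdict.
SAMPLE_LOG = [
    "198.51.100.20 udp 1812 allow",
    "198.51.100.20 udp 1645 allow",
    "192.0.2.11 tcp 1812 allow",
    "203.0.113.5 tcp 1813 allow",
    "203.0.113.5 udp 1813 deny",
]
if __name__ == "__main__":
    for line, want, reason in audit(DEPLOYMENT, SAMPLE_LOG):
        print(f"MISMATCH {line!r}: expected {want} ({reason})")
```

On the sample log, the two mismatches are the legacy UDP 1645 flow that was allowed and the TCP 1813 connection accepted from a host that is not an Authentication Manager instance.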
