Port 1646 is a legacy port for RADIUS accounting traffic. It shouldn't exist—but it does, and it's still in active use on thousands of networks.
What Runs on This Port
Port 1646 carries RADIUS accounting packets on UDP. RADIUS (Remote Authentication Dial-In User Service) is the protocol that tracks who logged into your network, when they logged in, and what they did while they were there. The accounting portion—running on this port—records session details: start time, stop time, data transferred, connection duration.1
If you've ever connected to enterprise Wi-Fi or a VPN and your session was logged, there's a good chance RADIUS accounting was involved. And if that network is more than a decade old, it might still be using port 1646.
The Historical Mistake
Here's what happened: Early RADIUS implementations needed two ports—one for authentication (asking "who are you?") and one for accounting (recording "what did you do?"). The early developers chose UDP ports 1645 and 1646.2
Problem: Those ports were already assigned. Port 1645 conflicted with a service called "datametrics." Port 1646 conflicted with "sa-msg-port."3
By the time anyone noticed, RADIUS was already deployed across thousands of networks. Equipment was configured. Firewalls had rules. Changing the ports would break everything.
So the IETF did what standards bodies do: they assigned new official ports—1812 for authentication, 1813 for accounting—and left the old ports in place for backward compatibility.4
Two Sets of Ports
Today, RADIUS runs on two sets of ports:
- Legacy ports: 1645 (authentication) and 1646 (accounting)
- Official ports: 1812 (authentication) and 1813 (accounting)
Most RADIUS servers listen on all four ports. This means a server configured in 1998 can still talk to a client configured in 2026. The ports are different, but the protocol is the same.
Many Cisco devices default to the legacy ports. Many other vendors default to the official ports. The result is that both sets of ports remain active across the Internet, decades after the official ports were assigned.5
Why This Port Still Matters
Port 1646 is a registered port (in the range 1024-49151), meaning it was once officially assigned by IANA. The registration has since been deprecated in favor of port 1813, but the port itself hasn't disappeared.
If you're running a RADIUS server for network authentication, you need to decide: support only the official ports, or support both for backward compatibility. Most servers choose both. Most firewalls allow both. The legacy ports persist not because anyone prefers them, but because removing them would break something, somewhere.
Security Considerations
RADIUS accounting traffic on port 1646 is UDP-based and not encrypted by default. Each packet carries an authenticator hashed from the shared secret, but that hash does not hide the packet's contents. If someone is sniffing your network, they can see session details: usernames, session lengths, data volumes.
Modern RADIUS deployments use RADIUS over TLS (RadSec) on TCP port 2083, which encrypts everything. But port 1646 traffic is still plaintext UDP on most networks.
If your firewall shows traffic on port 1646, someone is using legacy RADIUS accounting. That's not inherently dangerous, but it's worth knowing that the traffic isn't encrypted unless you've specifically configured IPsec or another form of transport protection.
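What "not encrypted" means on the wire, as an added example that is not part of the original page: the Python below parses a RADIUS Accounting-Request in the RFC 2866 layout and checks its Request Authenticator. The packet, user name, session values and shared secret are constructed sample data, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RFC 2866 packet code
# Subset of RFC 2865/2866 attribute types: type -> (name, value is an integer)
ATTRS = {1: ("User-Name", False), 40: ("Acct-Status-Type", True),
         42: ("Acct-Input-Octets", True), 43: ("Acct-Output-Octets", True),
         44: ("Acct-Session-Id", False), 46: ("Acct-Session-Time", True)}

def _digest(packet, length, secret):
    # RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)
    return hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()

def build_accounting_request(ident, attrs, secret):
    """Build a constructed sample packet; stands in for a captured datagram."""
    body = b""
    for attr_type, value in attrs:
        raw = struct.pack("!I", value) if isinstance(value, int) else value.encode()
        body += bytes([attr_type, len(raw) + 2]) + raw
    packet = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body)) + bytes(16) + body
    return packet[:4] + _digest(packet, len(packet), secret) + body

def parse_accounting_request(packet):
    """Return the attributes readable by anyone who can see the datagram."""
    length = struct.unpack("!H", packet[2:4])[0] if len(packet) >= 20 else 0
    if packet[:1] != bytes([ACCOUNTING_REQUEST]) or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    fields, pos = {}, 20
    while pos < length:
        attr_len = packet[pos + 1] if pos + 1 < length else 0
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        name, is_int = ATTRS.get(packet[pos], (f"Attr-{packet[pos]}", False))
        value = packet[pos + 2:pos + attr_len]
        fields[name] = int.from_bytes(value, "big") if is_int else value.decode("utf-8", "replace")
        pos += attr_len
    return fields

def authenticator_ok(packet, secret):
    """Integrity check a server performs; it needs the secret, reading does not."""
    length = struct.unpack("!H", packet[2:4])[0]
    return hmac.compare_digest(_digest(packet, length, secret), packet[4:20])

SECRET = b"constructed-demo-secret"  # constructed value
SAMPLE = build_accounting_request(7, [(1, "alice"), (40, 2), (44, "sess-0001"),
                                      (46, 3600), (42, 1048576), (43, 524288)], SECRET)
if __name__ == "__main__":
    print(parse_accounting_request(SAMPLE), authenticator_ok(SAMPLE, SECRET))
```

Parsing succeeds without the shared secret, while the authenticator check fails as soon as an attribute byte is altered: the hash gives integrity, not confidentiality.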
How to Check What's Listening
On Linux or macOS:
On Windows:
If you see a process listening on this port, it's likely a RADIUS server configured for backward compatibility. If you see outbound traffic to this port, you're sending accounting packets to a legacy RADIUS server.
Related Ports
- Port 1645: Legacy RADIUS authentication (also deprecated, replaced by 1812)
- Port 1812: Official RADIUS authentication and authorization
- Port 1813: Official RADIUS accounting (the modern replacement for 1646)
- Port 2083: RADIUS over TLS (RadSec), the encrypted version
The Lesson
Port 1646 is a monument to a mistake that became permanent. It's a reminder that standards don't always win—sometimes deployment does. Once enough devices are configured to use the wrong port, "wrong" becomes "legacy," and legacy becomes something you support forever.
The official port is 1813. The port that actually gets used is whichever one your RADIUS server was configured with fifteen years ago.