Port 1700

Port 1700 is a registered port with no official IANA service assignment, but it has a real job in enterprise networks: it's Cisco's legacy port for RADIUS Change of Authorization (CoA).

What Happens on This Port

Normally, RADIUS authentication is a one-time event. A user connects, the network checks their credentials, and grants access. Done.

But networks change. A user's session might need to be terminated mid-flight — because a security policy changed, a session timer expired, or a compliance check failed. RADIUS Change of Authorization solves this. It lets an authentication server send a message to a network device after authentication: "revoke that user's access" or "re-authenticate them with these new parameters."

Port 1700 (UDP) is where Cisco devices listen for these mid-session commands.

The Pre-Standard Problem

The IETF standardized RADIUS CoA in RFC 3576 (2003) and later RFC 5176 (2008), assigning it port 3799. But Cisco had already shipped devices using port 1700 before that standard landed.

The result: both ports now exist in the wild simultaneously. Cisco ISE (Identity Services Engine) and legacy Cisco gear default to 1700. RFC-compliant implementations use 3799. Network administrators running mixed environments often have to listen on both — same protocol, two doors.

This is common in networking history. A vendor ships something that works. A standard catches up. The vendor's installed base doesn't disappear. Both persist indefinitely.

IANA Registration

Port 1700 appears in IANA's registry as mps-raft — an entry with no meaningful documentation and no known active use. The Cisco CoA usage is the dominant real-world presence on this port, and it predates and operates independently of that IANA name.

Security Considerations

RADIUS CoA messages can disconnect users or change their network privileges. An attacker sending forged CoA packets to port 1700 could deny service to legitimate users or, worse, change access policies.

RADIUS CoA has shared-secret authentication, but it's not cryptographically strong by modern standards. On any network where port 1700 is active, access should be restricted to known authentication servers at the firewall level.
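
The two controls described above (a source allowlist and the shared-secret check) can be sketched as a receiver-side validator. This is an added example, not code from the original page or from any Cisco product; it follows the Request Authenticator definition in RFC 5176 (an MD5 digest over the packet and the shared secret), and the addresses, secret and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

COA_CODES = {40: "Disconnect-Request", 43: "CoA-Request"}  # codes from RFC 5176

def request_authenticator(header4: bytes, attrs: bytes, secret: bytes) -> bytes:
    # RFC 5176: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)
    return hashlib.md5(header4 + b"\x00" * 16 + attrs + secret).digest()

def check_coa(packet: bytes, src_ip: str, allowed: dict) -> str:
    """Return 'accept' or a drop reason. `allowed` maps source network -> shared secret."""
    addr = ipaddress.ip_address(src_ip)
    secret = next((s for net, s in allowed.items()
                   if addr in ipaddress.ip_network(net)), None)
    if secret is None:
        return "drop: source is not an authorised RADIUS server"
    if len(packet) < 20:
        return "drop: shorter than a RADIUS header"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code not in COA_CODES:
        return "drop: not a CoA-Request or Disconnect-Request"
    if length < 20 or length > len(packet):
        return "drop: bad length field"
    expected = request_authenticator(packet[:4], packet[20:length], secret)
    # Constant-time comparison of the 16-octet authenticator field.
    if not hmac.compare_digest(expected, packet[4:20]):
        return "drop: authenticator mismatch"
    return "accept"

def build_sample(code: int, ident: int, attrs: bytes, secret: bytes) -> bytes:
    # Builds a constructed test packet so the validator can be exercised offline.
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + request_authenticator(header, attrs, secret) + attrs

# Constructed sample data (documentation address ranges, made-up secret).
ALLOWED = {"192.0.2.10/32": b"constructed-secret"}
ATTRS = bytes([1, 7]) + b"alice"                      # User-Name attribute
GOOD = build_sample(43, 1, ATTRS, b"constructed-secret")
WRONG_SECRET = build_sample(43, 1, ATTRS, b"guess")
TAMPERED = GOOD[:-1] + b"x"                           # attribute changed in transit

if __name__ == "__main__":
    for name, pkt, src in [("good", GOOD, "192.0.2.10"),
                           ("unknown source", GOOD, "198.51.100.7"),
                           ("wrong secret", WRONG_SECRET, "192.0.2.10"),
                           ("tampered", TAMPERED, "192.0.2.10")]:
        print(f"{name}: {check_coa(pkt, src, ALLOWED)}")
```

The authenticator only proves knowledge of the shared secret, so the source check in front of it stands in for the firewall rule recommended above.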

Checking What's Listening on Port 1700

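# Linux (UDP listeners with owning process)
sudo ss -ulnp | grep -w 1700
sudo netstat -ulnp | grep -w 1700

# Linux: check for TCP as well
sudo ss -tlnp | grep -w 1700

# macOS (ss is not available; netstat does not take these flags)
sudo lsof -nP -iUDP:1700

# Windows
netstat -an | findstr 1700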

If you see something listening on UDP 1700 on a Cisco switch, wireless controller, or network access device, it's almost certainly the RADIUS CoA listener.
