Administration
|
|
Cisco ISE management is restricted to Gigabit Ethernet 0.
|
Clustering (Node Group)
|
Node Groups/JGroups: TCP/7800
|
—
|
SCEP
|
TCP/9090
|
—
|
IPSec/ISAKMP
|
UDP/500
|
—
|
Device Administration
|
TACACS+: TCP/49
Note: This port is configurable in Release 2.1 and later releases.
|
TrustSec
|
Use HTTP and Cisco ISE REST API to transfer TrustSec data to network devices over port 9063.
|
SXP
|
|
TC-NAC
|
TCP/443
|
Monitoring
|
Simple Network Management Protocol [SNMP]: UDP/161
Note: This port is route table dependent.
|
Logging (Outbound)
|
Note: Default ports are configurable for external logging.
|
Session
|
- RADIUS Authentication: UDP/1645, 1812
- RADIUS Accounting: UDP/1646, 1813
- RADIUS DTLS Authentication/Accounting: UDP/2083
- RADIUS Change of Authorization (CoA) Send: UDP/1700
- RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799
  Note: UDP port 3799 is not configurable.
|
External Identity Sources and Resources (Outbound)
|
Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.
|
|
Passive ID (Inbound)
|
|
Web Portal Services:
- Guest/Web Authentication
- Guest Sponsor Portal
- My Devices Portal
- Client Provisioning
- Certificate Provisioning
- Blacklist Portal
|
HTTPS (Interface must be enabled for service in Cisco ISE):
- Blacklist Portal: TCP/8000-8999 (default port is TCP/8444)
- Guest Portal and Client Provisioning: TCP/8000-8999 (default port is TCP/8443)
- Certificate Provisioning Portal: TCP/8000-8999 (default port is TCP/8443)
- My Devices Portal: TCP/8000-8999 (default port is TCP/8443)
- Sponsor Portal: TCP/8000-8999 (default port is TCP/8445)
- SMTP guest notifications from guest and sponsor portals: TCP/25
|
Posture
- Discovery
- Provisioning
- Assessment/Heartbeat
|
- Discovery (Client side): TCP/80 (HTTP), TCP/8905 (HTTPS)
  Note: By default, TCP/80 is redirected to TCP/8443. See Web Portal Services: Guest Portal and Client Provisioning.
  Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905.
  Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).
- Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS)
  In Cisco ISE Release 2.2 or later with AnyConnect Release 4.4 or later, this port is configurable.
- Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
- Provisioning - Active-X and Java Applet Install including IP refresh, Web Agent Install, and launch NAC Agent Install: See Web Portal Services: Guest Portal and Client Provisioning.
- Provisioning - NAC Agent Install: TCP/8443
- Provisioning - NAC Agent Update Notification: UDP/8905
- Provisioning - NAC Agent and Other Package/Module Updates: TCP/8905 (HTTPS)
|
Bring Your Own Device (BYOD) / Network Service Protocol (NSP)
- Redirection
- Provisioning
- SCEP
|
- Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
- For Android devices with EST authentication: TCP/8084. Port 8084 must be added to the Redirect ACL for Android devices.
- Provisioning - Active-X and Java Applet Install (includes the launch of Wizard Install): See Web Portal Services: Guest Portal and Client Provisioning.
- Provisioning - Wizard Install from Cisco ISE (Windows and Mac OS): TCP/8443
- Provisioning - Wizard Install from Google Play (Android): TCP/443
- Provisioning - Supplicant Provisioning Process: TCP/8905
- SCEP Proxy to CA: TCP/80 or TCP/443 (based on SCEP RA URL configuration)
|
Mobile Device Management (MDM) API Integration
|
|
Profiling
|
- NetFlow: UDP/9996
  Note: This port is configurable.
- DHCP: UDP/67
  Note: This port is configurable.
- DHCP SPAN Probe: UDP/68
- HTTP: TCP/80, 8080
- DNS: UDP/53 (lookup)
  Note: This port is route table dependent.
- SNMP Query: UDP/161
  Note: This port is route table dependent.
- SNMP TRAP: UDP/162
  Note: This port is configurable.
|