| | Ports on Gigabit Ethernet 0 | Ports on Gigabit Ethernet 1 | Ports on Gigabit Ethernet 2 | Ports on Gigabit Ethernet 3 |
Administration node |
Administration |
- TCP: 22 (Secure Shell [SSH] server)
- TCP: 80 (HTTP)
- TCP: 443 (HTTPS)
- TCP: 9060 (External RESTful Services (ERS) REST API)
Note Port 80 is redirected to port 443 (not configurable).
Note Ports 80 and 443 support Admin web applications and are enabled by default. |
Cisco ISE management is restricted to Gigabit Ethernet 0. |
Cisco ISE management is restricted to Gigabit Ethernet 0. |
Cisco ISE management is restricted to Gigabit Ethernet 0. |
Replication and Synchronization |
- TCP: 443 (HTTPS SOAP)
- TCP: 12001 Global (JGroups - Data synchronization / Data replication)
|
— |
— |
— |
Monitoring |
Note This port is route table dependent. |
— |
— |
— |
|
Logging (Outbound) |
- UDP: 20514, TCP: 1468 (Syslog)
- TCP: 6514 (Secure Syslog)
Note Default ports are configurable for external logging.
|
External Identity Stores and Resources |
- TCP: 389, 3268, UDP: 389 (LDAP)
- TCP: 445 (SMB)
- TCP: 88, UDP: 88 (KDC)
- TCP: 464 (KPASS)
- UDP: 123 (NTP)
- TCP: 53, UDP: 53 (DNS)
(Admin user interface authentication) |
— |
— |
— |
Guest |
Guest account expiry email notification: SMTP: TCP/25 |
Monitoring node |
Administration |
- TCP: 22 (SSH server)
- TCP: 80 (HTTP)
- TCP: 443 (HTTPS)
|
— |
— |
— |
Replication and Synchronization |
- TCP: 443 (HTTPS SOAP)
- TCP: 1521 - Oracle DB Listener
- TCP: 12001 Global (JGroups - Data synchronization / Data replication)
|
- TCP: 1521 - Oracle DB Listener
|
- TCP: 1521 - Oracle DB Listener
|
- TCP: 1521 - Oracle DB Listener
|
Monitoring |
Note This port is route table dependent. |
|
|
|
Logging |
- UDP: 20514, TCP: 1468 (Syslog)
- TCP: 6514 (Secure Syslog)
Note Default ports are configurable for external logging.
- TCP: 25 (SMTP)
- UDP: 162 (SNMP Traps)
|
External Resources |
- TCP: 389, 3268, UDP: 389 (LDAP)
- TCP: 445 (SMB)
- TCP: 88, UDP: 88 (KDC)
- TCP: 464 (KPASS)
- UDP: 123 (NTP)
- TCP: 53, UDP: 53 (DNS)
(Admin user interface authentication) |
— |
— |
— |
Policy Service node |
Administration |
- TCP: 22 (SSH server)
- TCP: 80 (HTTP)
- TCP: 443 (HTTPS)
|
— |
— |
— |
Replication and Synchronization |
- TCP: 443 (HTTPS SOAP)
- TCP: 12001 Global (JGroups - Data synchronization / Data replication)
|
— |
— |
— |
Clustering (Node Group) |
- UDP: 45588, 45590 (Local JGroup)
- TCP: 7802 (Local JGroup failure detection)
|
— |
— |
— |
Monitoring |
Note This port is route table dependent. |
— |
— |
— |
Logging (Outbound) |
- UDP: 20514, TCP: 1468 (Syslog)
- TCP: 6514 (Secure Syslog)
Note Default ports are configurable for external logging.
|
Session |
- UDP: 1645, 1812 (RADIUS Authentication)
- UDP: 1646, 1813 (RADIUS Accounting)
- UDP: 1700 (RADIUS change of authorization Send)
- UDP: 1700, 3799 (RADIUS change of authorization Listen/Relay)
Note UDP port 3799 is not configurable. |
External Identity Stores and Resources |
- TCP: 389, 3268 (LDAP)
- TCP: 445 (SMB)
- TCP: 88 (KDC)
- TCP: 464 (KPASS)
- UDP: 123 (NTP)
- UDP: 53 (DNS)
(Admin user interface authentication and endpoint authentication) |
— |
— |
— |
Web Portal Services: - Guest/Web Auth - Guest Sponsor portal - My Devices portal - Client Provisioning - BlackListing portal |
- HTTPS (Interface must be enabled for service in Cisco ISE.)
- TCP: 8000-8999 (Guest Portal and Client Provisioning. Default port is TCP: 8443.)
- TCP: 8000-8999 (Sponsor Portal. Default port is TCP: 8443.)
- TCP: 8000-8999 (My Devices Portal. Default port is TCP: 8443.)
- TCP: 8000-8999 (Blacklist Portal. Default port is TCP: 8444.)
- TCP: 25 (SMTP Notification)
|
Posture - Discovery - Provisioning - Assessment/ Heartbeat |
- TCP: 80 (HTTP) Discovery - Client side
- TCP: 8905 (HTTPS) Discovery - Client side
Note By default, TCP: 80 is redirected to TCP: 8443. See Web Portal Services: Guest Portal and Client Provisioning.
- TCP: 8443, 8905 (HTTPS) Discovery - Policy Service node side
- URL Redirection—Provisioning. See Web Portal Services: Guest Portal and Client Provisioning.
- Active-X and Java Applet Install including IP refresh, Web Agent install, and launch NAC Agent install—Provisioning: See Web Portal Services: Guest Portal and Client Provisioning
- TCP: 8443 Provisioning: NAC Agent Install
- UDP: 8905 (SWISS) Provisioning: NAC Agent update notification
- TCP: 8905 (HTTPS) Provisioning: NAC Agent and other package/module updates
- TCP: 8905 (HTTPS) Assessment: Posture Negotiation and Agent Reports
- UDP: 8905 (SWISS) Assessment: PRA/Keep-alive
|
Bring Your Own Device (BYOD) / Network Service Protocol - Redirection - Provisioning - SCEP |
|
Mobile Device Management (MDM) API Integration |
|
Profiling |
Note This port is configurable.
Note This port is configurable.
- UDP: 68 (DHCP SPAN)
- TCP: 80, 8080 (HTTP)
- NMAP uses ports 0-65535 (outbound).
- UDP: 53 (DNS lookup)
Note This port is route table dependent.
Note This port is route table dependent.
Note This port is configurable. |
Inline Posture node |
Administration |
- TCP: 22 (SSH server)
- TCP: 8443 (HTTPS)
Note TCP: 8443 is used by the Administration node. |
— |
— |
— |
Inline Posture |
- UDP: 1645, 1812 (RADIUS proxy for authentication)
- UDP: 1646, 1813 (RADIUS proxy for accounting)
- UDP: 1700, 3799 (RADIUS CoA)
Note UDP port 3799 is not configurable.
|
- UDP: 1645, 1812 (RADIUS proxy for authentication)
- UDP: 1646, 1813 (RADIUS proxy for accounting)
- RADIUS CoA: Not Applicable
- TCP: 9090 (Redirect)
|
— |
— |
Logging |
Note This port is configurable. |
Note This port is configurable. |
— |
— |
Note Inline Posture node High Availability does not apply to any other Cisco ISE node types. |
High Availability |
— |
— |
UDP: 694 (Heartbeat) |
UDP: 694 (Heartbeat) |