Administration
|
- HTTPS: TCP/443
- SSH Server: TCP/22
- OCSP: TCP/2560
|
Cisco ISE management is restricted to Gigabit Ethernet 0.
|
Clustering (Node Group)
|
Node Groups/JGroups: TCP/7800
|
—
|
SCEP
|
TCP/9090
|
—
|
IPsec/ISAKMP
|
UDP/500
|
—
|
Device Administration
|
TACACS+: TCP/49
Note: This port is configurable in Release 2.1 and later releases.
|
TrustSec
|
Use HTTP and Cisco ISE REST API to transfer TrustSec data to network devices over port 9063.
|
SXP
|
|
TC-NAC
|
TCP/443
|
Monitoring
|
Simple Network Management Protocol [SNMP]: UDP/161
Note: This port is route table dependent.
|
Logging (Outbound)
|
Note: Default ports are configurable for external logging.
|
Session
|
- RADIUS Authentication: UDP/1645, 1812
- RADIUS Accounting: UDP/1646, 1813
- RADIUS DTLS Authentication/Accounting: UDP/2083
- RADIUS Change of Authorization (CoA) Send: UDP/1700
- RADIUS Change of Authorization (CoA) Listen/Relay: UDP/1700, 3799
  Note: UDP port 3799 is not configurable.
|
External Identity Sources and Resources (Outbound)
|
Note: For external identity sources and services reachable only through an interface other than Gigabit Ethernet 0, configure static routes accordingly.
|
Passive ID (Inbound)
|
|
Web Portal Services:
- Guest/Web Authentication
- Guest Sponsor Portal
- My Devices Portal
- Client Provisioning
- Certificate Provisioning
- Blocked List Portal
|
HTTPS (Interface must be enabled for service in Cisco ISE):
- Blocked List Portal: TCP/8000-8999 (default port is TCP/8444)
- Guest Portal and Client Provisioning: TCP/8000-8999 (default port is TCP/8443)
- Certificate Provisioning Portal: TCP/8000-8999 (default port is TCP/8443)
- My Devices Portal: TCP/8000-8999 (default port is TCP/8443)
- Sponsor Portal: TCP/8000-8999 (default port is TCP/8445)
- SMTP guest notifications from guest and sponsor portals: TCP/25
|
Posture
- Discovery
- Provisioning
- Assessment/Heartbeat
|
- Discovery (Client side): TCP/8905 (HTTPS)
  Note: Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905.
  Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).
  From Cisco ISE 3.1 onwards, port 8905 is disabled by default on non-Policy Service nodes. To enable this port, check the Enable Port 8905 on non-Policy Service Nodes for Posture Services check box in the General Settings window (Administration > System > Settings > Posture > General Settings).
- Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS)
  From Cisco ISE, Release 2.2 or later with AnyConnect, Release 4.4 or later, this port is configurable.
|
Bring Your Own Device (BYOD) / Network Service Protocol (NSP)
- Redirection
- Provisioning
- SCEP
|
- Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning.
- For Android devices with EST authentication: TCP/8084. Port 8084 must be added to the Redirect ACL for Android devices.
- Provisioning - Active-X and Java Applet Install (includes the launch of Wizard Install): See Web Portal Services: Guest Portal and Client Provisioning
- Provisioning - Wizard Install from Cisco ISE (Windows and Mac OS): TCP/8443
- Provisioning - Wizard Install from Google Play (Android): TCP/443
- Provisioning - Supplicant Provisioning Process: TCP/8905
- SCEP Proxy to CA: TCP/443 (Based on SCEP RA URL configuration)
|
Mobile Device Management (MDM) API Integration
|
|
Profiling
|
- NetFlow: UDP/9996
  Note: This port is configurable.
- DHCP: UDP/67
  Note: This port is configurable.
- DHCP SPAN Probe: UDP/68
- HTTP: 8080
- DNS: UDP/53 (lookup)
  Note: This port is route table dependent.
- SNMP Query: UDP/161
  Note: This port is route table dependent.
- SNMP TRAP: UDP/162
  Note: This port is configurable.
|