Cisco Identity Services Engine Installation Guide, Release 3.5

Overview

This section lists the TCP and UDP ports required to support authentication, authorization, and accounting traffic on the Cisco ISE Policy Service Node (PSN).

The PSN acts as the primary engine for processing network access requests and enforcing security policies. To ensure consistent authentication, authorization, and accounting services, specific ports must be configured to allow communication with network access devices and endpoints.

Cisco ISE supports HTTP Strict Transport Security (HSTS) to enhance communication security. When enabled, Cisco ISE includes an HSTS header in its HTTPS responses, instructing browsers to interact with the server exclusively over HTTPS. If a user attempts to access Cisco ISE via HTTP, the browser automatically upgrades the connection to HTTPS before transmitting any data. This process prevents unencrypted communication and eliminates the need for server-side redirects.

This table provides a list of ports used by the PSNs.

Table 1. Ports used by the Policy Service nodes

Columns: Cisco ISE service | Ports on Gigabit Ethernet 0 or Bond 0 | Ports on other Ethernet interfaces, or Bond 1, and Bond 2

Administration

Gigabit Ethernet 0 or Bond 0:

  • HTTPS: TCP port 443

  • SSH server: TCP port 22

  • OCSP: TCP port 2560

Other Ethernet interfaces, or Bond 1, and Bond 2: You can manage the device only through Gigabit Ethernet 0.

Clustering (Node group)

Gigabit Ethernet 0 or Bond 0: Node groups or JGroups: TCP port 7800

Other Ethernet interfaces, or Bond 1, and Bond 2: Not applicable

SCEP

Gigabit Ethernet 0 or Bond 0: TCP port 9090

Other Ethernet interfaces, or Bond 1, and Bond 2: Not applicable

IPsec or ISAKMP

Gigabit Ethernet 0 or Bond 0: UDP port 500

Other Ethernet interfaces, or Bond 1, and Bond 2: Not applicable

Device Administration

TACACS+: TCP port 49

TrustSec

Use HTTP and Cisco ISE REST API to transfer TrustSec data to network devices over port 9063.

SXP

  • PSN (SXP node) to NADs: TCP port 64999

  • PSN to SXP (internal communication on the same Cisco ISE): TCP port 9644

TC-NAC

TCP port 443

Monitoring

Simple Network Management Protocol (SNMP): UDP port 161. This port is route table dependent.

Logging (Outbound)

  • Syslog: UDP port 20514, TCP port 1468

  • Secure Syslog: TCP port 6514

You can configure the default ports for external logging.

  • SNMP traps: UDP port 162

Session

  • RADIUS authentication: UDP ports 1645, 1812

  • RADIUS accounting: UDP ports 1646, 1813

  • RADIUS DTLS authentication and accounting: UDP port 2083

  • RADIUS Change of Authorization (CoA) send: UDP port 1700

  • RADIUS Change of Authorization (CoA) listen or relay: UDP ports 1700, 3799

You cannot configure UDP port 3799.

External identity sources and resources (Outbound)

  • Admin user interface and endpoint authentications:

    • LDAP: TCP ports 389, 3268

    • SMB: TCP port 445

    • KDC: TCP port 88

    • KPASS: TCP port 464

  • WMI: TCP port 135

  • ODBC: The ODBC ports are configurable on the third-party database server.

    • Microsoft SQL: TCP port 1433

    • Sybase: TCP port 2638

    • PostgreSQL: TCP port 5432

    • Oracle: TCP port 1521

  • NTP: UDP port 123 (localhost interfaces only)

  • DNS: UDP port 53, TCP port 53

If an external identity source or service is accessible only through an interface other than Gigabit Ethernet 0, configure static routes for that interface.

Passive ID (Inbound)

  • TS agent: TCP port 9094

  • AD agent: TCP port 9095

  • Syslog: UDP port 40514, TCP port 11468

Web portal services:

  • Guest and web authentication

  • Guest sponsor portal

  • My devices portal

  • Client provisioning

  • Certificate provisioning

  • Blocked list portal

HTTPS (Interface must be enabled for service in Cisco ISE):

  • Blocked list portal: TCP port 8000-8999 (default port is TCP port 8444)

  • Guest portal and client provisioning: TCP port 8000-8999 (default port is TCP port 8443)

  • Certificate provisioning portal: TCP port 8000-8999 (default port is TCP port 8443)

  • My devices portal: TCP port 8000-8999 (default port is TCP port 8443)

  • Sponsor portal: TCP port 8000-8999 (default port is TCP port 8445)

  • SMTP guest notifications from guest and sponsor portals: TCP port 25

Posture

  • Discovery

  • Provisioning

  • Assessment or heartbeat

  • Discovery (Client side): TCP port 8905 (HTTPS)

    Cisco ISE presents the admin certificate for Posture and client provisioning on TCP port 8905.

    Cisco ISE presents the portal certificate on TCP port 8443 (or the port that you have configured for portal use).

    From Cisco ISE release 3.1, port 8905 is disabled by default on non-PSNs. To enable this port, check the Enable Port 8905 on non-Policy Service Nodes for Posture Services check box in the General Settings window (Administration > System > Settings > Posture > General Settings).

  • Discovery (Policy Service Node side): TCP ports 8443, 8905 (HTTPS). This is configurable in the latest Cisco ISE release with Cisco Secure Client release 4.4 and later.

  • Assessment - Posture negotiation and agent reports: TCP port 8905 (HTTPS)

  • Bidirectional posture flow - TCP port 8000-8999 (default port is TCP port 8449)

Bring Your Own Device (BYOD) or Network Service Protocol (NSP)

  • Redirection

  • Provisioning

  • SCEP

  • Provisioning - URL redirection: See web portal services: Guest portal and client provisioning

  • For Android devices with EST authentication: TCP port 8084. Port 8084 must be added to the redirect ACL for Android devices.

  • Provisioning - ActiveX and Java applet install (includes the launch of wizard install): See web portal services: Guest portal and client provisioning

  • Provisioning - Wizard install from Cisco ISE (Windows and Mac OS): TCP port 8443

  • Provisioning - Wizard install from Google Play (Android): TCP port 443

  • Provisioning - Supplicant provisioning process: TCP port 8905

  • SCEP proxy to CA: TCP port 443 (Based on SCEP RA URL configuration)

Mobile Device Management (MDM) API integration

  • Provisioning - URL redirection: See web portal services: Guest portal and client provisioning

  • API: Vendor specific

  • Agent install and device registration: Vendor specific

Profiling

  • NetFlow: UDP port 9996 can be configured

  • DHCP: UDP port 67 can be configured

  • DHCP SPAN probe: UDP port 68

  • HTTP: TCP port 8080

  • DNS: UDP port 53 (lookup). This port is route table dependent.

  • SNMP query: UDP port 161. This port is route table dependent.

  • SNMP trap: UDP port 162 can be configured.