https://community.cisco.com/t5/network-access-control/ise-ports-tcp-464-with-ad/m-p/3461488#M536594 <HTML><HEAD></HEAD><BODY><P class="p1"><SPAN class="s1">We have a customer that is asking if port TCP 464 “KPASS” is required to be opened between the ISE and AD. If yes, what is the exact purpose of opening this port and is it required during the authentication phase ?</SPAN></P></BODY></HTML> Thu, 05 Jan 2017 07:57:26 GMT saghisha 2017-01-05T07:57:26Z https://community.cisco.com/t5/network-access-control/ise-ports-tcp-464-with-ad/m-p/3461488#M536594 <HTML><HEAD></HEAD><BODY><P class="p1"><SPAN class="s1">We have a customer that is asking if port TCP 464 “KPASS” is required to be opened between the ISE and AD. If yes, what is the exact purpose of opening this port and is it required during the authentication phase ?</SPAN></P></BODY></HTML> Thu, 05 Jan 2017 07:57:26 GMT https://community.cisco.com/t5/network-access-control/ise-ports-tcp-464-with-ad/m-p/3461488#M536594 saghisha 2017-01-05T07:57:26Z https://community.cisco.com/t5/network-access-control/ise-ports-tcp-464-with-ad/m-p/3461489#M536595 <HTML><HEAD></HEAD><BODY><P>It is not specifically needed, but could alleviate some headaches.&nbsp; KPASS is used on TCP Port 464 for Kerberos based password changes.&nbsp; Starting in Vista, Microsoft used this as the default password change method.&nbsp; However, if KPASS is not accessible (as in the port is closed), it will default back to NTLM for password changes.</P><P></P><P>This article goes more in-depth:</P><P><A href="https://blogs.technet.microsoft.com/askds/2011/09/30/friday-mail-sack-super-slo-mo-edition/" title="https://blogs.technet.microsoft.com/askds/2011/09/30/friday-mail-sack-super-slo-mo-edition/">https://blogs.technet.microsoft.com/askds/2011/09/30/friday-mail-sack-super-slo-mo-edition/</A></P><P></P><P></P><P>Charles Moreton</P></BODY></HTML> Thu, 05 Jan 2017 13:10:12 GMT https://community.cisco.com/t5/network-access-control/ise-ports-tcp-464-with-ad/m-p/3461489#M536595 Charlie Moreton 2017-01-05T13:10:12Z https://community.cisco.com/t5/network-access-control/ise-ports-tcp-464-with-ad/m-p/3461490#M536596 <HTML><HEAD></HEAD><BODY><P>HI Samer,</P><P></P><P>Please see the ports that need to be open between ISE nodes. ISE PSN talks to AD using certain functionalities.</P><P>For ISE to work correctly the ports need to be open.</P><P><A href="http://www.cisco.com/c/dam/en/us/td/i/400001-500000/410001-420000/413001-414000/413702.jpg" title="http://www.cisco.com/c/dam/en/us/td/i/400001-500000/410001-420000/413001-414000/413702.jpg">http://www.cisco.com/c/dam/en/us/td/i/400001-500000/410001-420000/413001-414000/413702.jpg</A></P><P></P><P>Thanks</P><P>Krishnan</P></BODY></HTML> Fri, 06 Jan 2017 01:45:35 GMT https://community.cisco.com/t5/network-access-control/ise-ports-tcp-464-with-ad/m-p/3461490#M536596 kthiruve 2017-01-06T01:45:35Z https://community.cisco.com/t5/network-access-control/ise-ports-tcp-464-with-ad/m-p/3461491#M536597 <HTML><HEAD></HEAD><BODY><P>Thanks Charles. Much appreciated.</P></BODY></HTML> Fri, 06 Jan 2017 07:37:31 GMT https://community.cisco.com/t5/network-access-control/ise-ports-tcp-464-with-ad/m-p/3461491#M536597 saghisha 2017-01-06T07:37:31Z