topic Firewall Ports Between Supplicant and ISE in Network Access Control

Firewall Ports Between Supplicant and ISE

AhmedALJAWAD44875 — Tue, 18 Jul 2023 19:36:04 GMT

Do we need to allow any direct communication between ISE and the supplicant? On what port number?

I know its radius between the authenticator and ISE ports 1812 and 1813

but from the drawing below, there looks like traffic between the clients and ISE? what port number please?

Re: Firewall Ports Between Supplicant and ISE

MHM Cisco World — Tue, 18 Jul 2023 22:04:54 GMT

There is no any kind of connection between client and ISE'

The client send to SW or WLC EAPoL

The SW/WLC will encapsulate it with radius message and send to ISE.

So only 1813/1812 (use SE/wlc ip as source ) what you need.

Only case that client connect to ISE is CWA ISE portal.

Re: Firewall Ports Between Supplicant and ISE

Flavio Miranda — Tue, 18 Jul 2023 19:50:10 GMT

Hi @AhmedALJAWAD44875

You can check this guide for reference. There a few ports you may need to allow depending on the services you provide with ISE.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

Web Portal Services:

- Guest/Web Authentication

- Guest Sponsor Portal

- My Devices Portal

- Client Provisioning

- Certificate Provisioning

- BlackListing Portal

HTTPS (Interface must be enabled for service in Cisco ISE):

Blacklist Portal: TCP/8000-8999 (Default port is TCP/8444.)
Guest Portal and Client Provisioning: TCP/8000-8999 (Default port is TCP/8443.)
Certificate Provisioning Portal: TCP/8000-8999 (Default port is TCP/8443.)
My Devices Portal: TCP/8000-8999 (Default port is TCP/8443.)
Sponsor Portal: TCP/8000-8999 (Default port is TCP/8443.)
SMTP guest notifications from guest and sponsor portals: TCP/25

Posture

- Discovery

- Provisioning

- Assessment/ Heartbeat

Discovery (Client side): TCP/80 (HTTP), TCP/8905 (HTTPS)

Note

By default, TCP/80 is redirected to TCP/8443. See Web Portal Services: Guest Portal and Client Provisioning.

Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905.

Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).

Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS)

Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning
Provisioning - Active-X and Java Applet Install including IP refresh, Web Agent Install, and launch NAC Agent Install: See Web Portal Services: Guest Portal and Client Provisioning.
Provisioning - NAC Agent Install: TCP/8443
Provisioning - NAC Agent Update Notification: UDP/8905
Provisioning - NAC Agent and Other Package/Module Updates: TCP/8905 (HTTPS)

Assessment - Posture Negotiation and Agent Reports: TCP/8905 (HTTPS)
Assessment - PRA/Keep-alive: UDP/8905

Re: Firewall Ports Between Supplicant and ISE

AhmedALJAWAD44875 — Tue, 18 Jul 2023 20:06:56 GMT

@Flavio Miranda I need only client authentication using either EAP-TLS or MSCHAPv2.

Is there any ports required from the client to ISE for that? I don't see that in the design so I'm assuming no. please confirm.

Re: Firewall Ports Between Supplicant and ISE

Ambuj M — Tue, 18 Jul 2023 20:34:04 GMT

No direct communication to ISE, supplicant talks to authentication over EAP and authenticate talks to authentication server (ISE) using radius.

Re: Firewall Ports Between Supplicant and ISE

Flavio Miranda — Tue, 18 Jul 2023 21:59:43 GMT

@AhmedALJAWAD44875

For radius only, no need to open port between ISE and client