topic Re: Enable Port 8905 on non-Policy Service nodes for Posture services in Network Access Control

Enable Port 8905 on non-Policy Service nodes for Posture services

rezaalikhani — Fri, 19 Jul 2024 07:12:17 GMT

Hi all;

One of the less obvious options in ISE Posture Assessment general settings is the "Enable Port 8905 on non-Policy Service nodes for Posture services" option. I know from ISE 3.1 onwards, port 8905 is disabled by default on non-PSNs and the PAN should not be listening on 8905 in a fully distributed deployment...

My question is, in which scenarios I must enable this option?

Thanks

Re: Enable Port 8905 on non-Policy Service nodes for Posture services

Marcelo Morais — Fri, 19 Jul 2024 17:08:39 GMT

Hi @rezaalikhani ,

prior to ISE 2.2 communication over port 8905 is a requirement for Posture ... ISE 2.2+ the communication is over port 8443 !!!

Take a look at: Compare ISE Posture Redirection Flow to ISE Posture Redirectionless Flow.

Hope this helps !!!

Re: Enable Port 8905 on non-Policy Service nodes for Posture services

rezaalikhani — Sat, 20 Jul 2024 06:40:13 GMT

Thanks for your reply. I know this but my question is why enabling this port on newer ISE versions?

Re: Enable Port 8905 on non-Policy Service nodes for Posture services

Marcelo Morais — Sat, 20 Jul 2024 06:55:40 GMT

Hi @rezaalikhani ,

in ISE 2.2+, the Posture process is divided into two stages.

The 1st stage contains a set of traditional Posture Discovery Probes to support backward compatibility with Deployments that rely on the url redirect.

The 2nd stage contains two Discovery Probes that allow the AC ISE Posture Module to establish a connection to the PSN where the session is authenticated in environments where redirection is not supported. During stage two, all Probes are sequential.

Note 1: prior to ISE 2.2, communication over Port 8905 is a requirement for Posture.

Note 2: if you are not using the 1st stage, then you are going to use only the 2nd stage.

Hope this helps !!!

Re: Enable Port 8905 on non-Policy Service nodes for Posture services

rezaalikhani — Mon, 22 Jul 2024 14:08:06 GMT

Thanks for your reply;

So, based on your statement, if we prefer to user URL Redirection for Posture operation and using ISE 2.1 for example, the use of TCP port 8905 is mandatory and this port must be in listening state in ISE PSNs. Right?

Now the point I do not understand is that:

Why opening this port on non-PSNs (in fully distributed deployments, actually)?

Thanks

Re: Enable Port 8905 on non-Policy Service nodes for Posture services

Marcelo Morais — Mon, 22 Jul 2024 14:24:07 GMT

Hi @rezaalikhani ,

yes, your understanding is correct about "... using ISE 2.1 for example, the use of TCP Port 8905 is mandatory ..." (more detail at: Compare ISE Posture Redirection Flow to ISE Posture Redirectionless Flow).

About your other question ... "Why opening this Port on non-PSNs ?" ...

If you take a look at Cisco ISE Port References - ISE 3.3:

"... From Cisco ISE 3.1 onwards, port 8905 is disabled by default on non-Policy Service Nodes ..."

Hope this helps !!!

Re: Enable Port 8905 on non-Policy Service nodes for Posture services

Marcelo Morais — Mon, 22 Jul 2024 14:49:42 GMT

Hi @rezaalikhani ,

just adding one more thing about your 2nd question and get ready to laugh : )

Please take a look at PAN should be listening on port 8905?

Note: take a look at ISE - Slow Replication and search for 8905.

Best regards