topic Re: Necessary Ports for Cisco 9800-CL in Wireless

Necessary Ports for Cisco 9800-CL

jmorton1 — Wed, 02 Jul 2025 00:56:24 GMT

We are looking to implement a zero trust through ThreatLocker and therefore we would like to find out which ports on the WLC need to be able to communicate with our domain controllers, our radius server, and with the APs. I have already looked at the reference guide for the Cisco Catalyst 9800 Wireless Controller for Cloud, and I am not seeing any reference concerning which ports need allowed. Thank you in advance.

Re: Necessary Ports for Cisco 9800-CL

MHM Cisco World — Wed, 02 Jul 2025 01:11:29 GMT

Capwap ports 5246/5247

CoA port 1700

Radius port 1812/1813

MHM

Re: Necessary Ports for Cisco 9800-CL

jmorton1 — Wed, 02 Jul 2025 01:22:21 GMT

Thanks. What ports are required for DNS? I saw what appeared to be a random selection of ports being used ranging from the 8000s all the way up to the 46000s.

Re: Necessary Ports for Cisco 9800-CL

Ambuj M — Wed, 02 Jul 2025 03:20:05 GMT

when you refer to something its best to include a URL where you saw that.

standard port is 53 typically UDP for standard query but can also be TCP for Zone transfers, large queries.

other than the one mentioned above like

UDP 5246 for AP-WLC control messages

UDP 5247 for AP-WLC data messages

UDP 1700 for change of authorization

UDP 1812 for authentication and authorization

UDP 1813 for accounting

you can use https,tftp,ntp, sftp, ldap(389), ldap secure (636).

Re: Necessary Ports for Cisco 9800-CL

jmorton1 — Wed, 02 Jul 2025 03:39:31 GMT

This was not something I read online. I pulled a report from ThreatLocker which showed DNS replies being sent to a whole bunch of different ports on the WLC. I know port 53 is the port that a DNS query is sent to on a DC, but the DNS replies went to a whole bunch of different ports on the WLC. I was not sure if there was a standard range of ports on the WLC that received DNS replies.

Re: Necessary Ports for Cisco 9800-CL

MHM Cisco World — Wed, 02 Jul 2025 16:32:15 GMT

I think dns use 53 port

Also you need many other ports like snmp abd ssh/telnet http/https ...etc.

So open port one by one depend on what you need to run

MHM

Re: Necessary Ports for Cisco 9800-CL

Rich R — Sun, 31 Aug 2025 12:59:19 GMT

@jmorton1 The WLC specific ports and protocols are listed in the release notes.
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-18/release-notes/rn-17-18-9800.html#Networkprotocolsandportmatrix

> I pulled a report from ThreatLocker which showed DNS replies being sent to a whole bunch of different ports on the WLC.
I think you might be misunderstanding how IP protocols work. UDP 53 is the DNS server port - the destination port for DNS query packets. The source port can be any high port (often used to be referred to as ephemeral ports) so the DNS reply from the server will have that high port as its destination (with source port being 53 in that case).

Example:
DNS query: UDP 49152 -> UDP 53
DNS reply: UDP 53 -> UDP 49152
Next DNS query: UDP 49153 -> UDP 53
with DNS reply: UDP 53 -> UDP 49153
Each DNS query will use a new source port, which has no specific meaning, so no point in even looking at that, it simply identifies that particular flow.

Re: Necessary Ports for Cisco 9800-CL

jmorton1 — Tue, 02 Sep 2025 13:10:09 GMT

I am aware that ports 49152-65535 are typically used to receive DNS replies on an endpoint, but I was seeing DNS traffic from the server hit the WLC on port numbers in the 8000s range, so that is why I originally posted this.

Re: Necessary Ports for Cisco 9800-CL

Rich R — Tue, 02 Sep 2025 15:17:54 GMT

Historically anything >1024 was used. Some OS or apps may still use the lower ports. Sometimes you can configure what should be used. The point is the server is just replying to the port the request was sent from. It's the client that determines the choice of source port. Some NAT routers may also PAT to lower ports. Unless you control the clients that traffic comes from, there's nothing you can do about it.

Re: Necessary Ports for Cisco 9800-CL

Stefan Mihajlov — Tue, 02 Sep 2025 16:52:49 GMT

@jmorton1

Here’s the short list you’ll need to allow for a 9800-CL to function properly with APs, RADIUS, and AD/PKI:

Between WLC and APs (CAPWAP):

UDP/5246 (Control)
UDP/5247 (Data)
Optional: UDP/16666 (AP console if enabled)

Between WLC and RADIUS / AAA:

UDP/1812 (Authentication)
UDP/1813 (Accounting)
(Legacy: 1645/1646 if your RADIUS server is old)

Between WLC and Domain Controllers (if using AD/LDAP directly):

TCP/389 (LDAP) or TCP/636 (LDAPS)
TCP/88, TCP/464, UDP/88 (Kerberos, if 802.1X with AD/Kerberos integration)
TCP/3268/3269 (Global Catalog, optional depending on your auth design)

Management / Other common services:

TCP/22 (SSH)
TCP/443 (HTTPS / GUI / APIs)
UDP/123 (NTP sync is highly recommended)
SNMP: UDP/161, UDP/162 (if you’re monitoring)
Syslog: UDP/514 (if you export logs)

That’s usually all you need to pin down in ThreatLocker or a firewall policy.

Re: Necessary Ports for Cisco 9800-CL

MHM Cisco World — Tue, 02 Sep 2025 16:58:27 GMT

NOW it so clear
this hit how you see it ?

MHM