Can ISE guest portals use port 443?

Madura Malwatte
Level 4

Is it possible to use TCP port 443 for the ISE guest portals (hotspot, self-register, etc.)? Typically the port range for guest portals is TCP/8000-8999 (default port is TCP/8443). If not, is there a way to make it work, without, say, using a load-balancer to proxy port 443 on the frontend to 8443 on the backend?

 

Accepted Solutions

Greg Gibbs
Cisco Employee

No, the ISE nodes cannot be configured to listen for Portal traffic on TCP/443. Only the valid port range of 8000-8999 can be configured for the Portals as per the Admin Guide and UI.

You would have to use a proxy, LB, FW, etc. in front of the PSN to port forward TCP/443 to TCP/8443 (for example), but I'm not sure why that would need to be done.

Thanks for the confirmation. This is for a particular use case where guest traffic on port 443 is only allowed.

You might need to delve into the requirement a bit more to determine what the justification is. The connection is still HTTPS, so it provides the same level of security.

Even with another device in front to port forward, this would be difficult to accomplish as the port is sent in the URL redirect from ISE to the NAD, which then presents it to the client. You would have to intercept the RADIUS session between ISE and the NAD and rewrite the redirect URL that the NAD would then push to the client.
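
The last reply's point about rewriting the redirect URL, sketched at the RADIUS layer as an added example (not code from the thread or from Cisco): the `url-redirect` cisco-av-pair travels inside an Access-Accept whose Response Authenticator covers every attribute, so a device that changes the port must also hold the RADIUS shared secret to re-sign the packet. The hostname, session ID, shared secret and request authenticator below are constructed, and the sample packet omits Message-Authenticator, which would need the same treatment.

```python
import hashlib
import struct
from urllib.parse import urlsplit, urlunsplit

CISCO_VSA = struct.pack("!IB", 9, 1)  # vendor 9 (Cisco), vendor type 1 (cisco-av-pair)

def response_auth(code, ident, request_auth, attrs, secret):
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def cisco_avpair(text):
    # Vendor-Specific attribute (type 26) wrapping one "name=value" string
    data = text.encode()
    vsa = CISCO_VSA + bytes([len(data) + 2]) + data
    return bytes([26, len(vsa) + 2]) + vsa

def build_accept(ident, request_auth, attrs, secret):
    auth = response_auth(2, ident, request_auth, attrs, secret)
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + auth + attrs

def verify(packet, request_auth, secret):
    # The check the NAD performs before trusting any attribute
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return packet[4:20] == response_auth(code, ident, request_auth, packet[20:length], secret)

def rewrite_port(packet, new_port):
    # Change the port inside url-redirect; the authenticator is left as received
    out, pos = b"", 20
    while pos < len(packet):
        attr = packet[pos:pos + packet[pos + 1]]
        pos += len(attr)
        if attr[0] == 26 and attr[2:7] == CISCO_VSA:
            name, _, value = attr[8:].decode().partition("=")
            if name == "url-redirect":
                u = urlsplit(value)
                url = urlunsplit(u._replace(netloc=f"{u.hostname}:{new_port}"))
                attr = cisco_avpair(f"url-redirect={url}")
        out += attr
    return packet[:2] + struct.pack("!H", 20 + len(out)) + packet[4:20] + out

# Constructed sample values, not taken from the thread
SECRET, REQ_AUTH = b"constructed-shared-secret", bytes(range(16))
URL = "https://psn.example.com:8443/portal/gateway?sessionId=0A000001&action=cwa"
ACCEPT = build_accept(7, REQ_AUTH, cisco_avpair(f"url-redirect={URL}"), SECRET)
REWRITTEN = rewrite_port(ACCEPT, 443)                          # port changed only
RESIGNED = build_accept(7, REQ_AUTH, REWRITTEN[20:], SECRET)   # needs the secret
for label, pkt in (("original", ACCEPT), ("rewritten", REWRITTEN), ("re-signed", RESIGNED)):
    print(label, "verifies:", verify(pkt, REQ_AUTH, SECRET))
```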