Solved: Re: Firewall Ports Between Supplicant and ISE

AhmedALJAWAD44875 · ‎07-18-2023

Do we need to allow any direct communication between ISE and the supplicant? On what port number?

I know its radius between the authenticator and ISE ports 1812 and 1813

but from the drawing below, there looks like traffic between the clients and ISE? what port number please?

Flavio Miranda · ‎07-18-2023

You can check this guide for reference. There a few ports you may need to allow depending on the services you provide with ISE.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

Web Portal Services:

- Guest/Web Authentication

- Guest Sponsor Portal

- My Devices Portal

- Client Provisioning

- Certificate Provisioning

- BlackListing Portal

HTTPS (Interface must be enabled for service in Cisco ISE):

Blacklist Portal: TCP/8000-8999 (Default port is TCP/8444.)
Guest Portal and Client Provisioning: TCP/8000-8999 (Default port is TCP/8443.)
Certificate Provisioning Portal: TCP/8000-8999 (Default port is TCP/8443.)
My Devices Portal: TCP/8000-8999 (Default port is TCP/8443.)
Sponsor Portal: TCP/8000-8999 (Default port is TCP/8443.)
SMTP guest notifications from guest and sponsor portals: TCP/25

Posture

- Discovery

- Provisioning

- Assessment/ Heartbeat

Discovery (Client side): TCP/80 (HTTP), TCP/8905 (HTTPS)

Note

By default, TCP/80 is redirected to TCP/8443. See Web Portal Services: Guest Portal and Client Provisioning.

Cisco ISE presents the Admin certificate for Posture and Client Provisioning on TCP port 8905.

Cisco ISE presents the Portal certificate on TCP port 8443 (or the port that you have configured for portal use).

Discovery (Policy Service Node side): TCP/8443, 8905 (HTTPS)

Provisioning - URL Redirection: See Web Portal Services: Guest Portal and Client Provisioning
Provisioning - Active-X and Java Applet Install including IP refresh, Web Agent Install, and launch NAC Agent Install: See Web Portal Services: Guest Portal and Client Provisioning.
Provisioning - NAC Agent Install: TCP/8443
Provisioning - NAC Agent Update Notification: UDP/8905
Provisioning - NAC Agent and Other Package/Module Updates: TCP/8905 (HTTPS)

Assessment - Posture Negotiation and Agent Reports: TCP/8905 (HTTPS)
Assessment - PRA/Keep-alive: UDP/8905

View solution in original post

MHM Cisco World · ‎07-18-2023

There is no any kind of connection between client and ISE'

The client send to SW or WLC EAPoL

The SW/WLC will encapsulate it with radius message and send to ISE.

So only 1813/1812 (use SE/wlc ip as source ) what you need.

Only case that client connect to ISE is CWA ISE portal.

Flavio Miranda · ‎07-18-2023

Hi @AhmedALJAWAD44875