01-04-2017 11:57 PM
We have a customer that is asking if port TCP 464 "KPASS" is required to be opened between the ISE and AD. If yes, what is the exact purpose of opening this port, and is it required during the authentication phase?
01-05-2017 05:10 AM
It is not specifically needed, but could alleviate some headaches. KPASS is used on TCP Port 464 for Kerberos based password changes. Starting in Vista, Microsoft used this as the default password change method. However, if KPASS is not accessible (as in the port is closed), it will default back to NTLM for password changes.
This article goes more in-depth:
https://blogs.technet.microsoft.com/askds/2011/09/30/friday-mail-sack-super-slo-mo-edition/
Charles Moreton
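The answer above says that if TCP 464 is unreachable, Windows clients silently fall back to NTLM for password changes, so the practical check is whether the PSN can actually complete a TCP handshake to port 464 on each domain controller. The script below is an added example and is not part of the original thread or of any Cisco ISE tooling. It assumes you can run Python from a host on the PSN's network segment (ISE itself does not expose a Python shell); the hostname `dc01.example.com` is hypothetical. The loopback "fake DC" is constructed purely so the probe can be demonstrated offline; it accepts and closes connections and does not speak kpasswd. Note that RFC 3244 defines the kpasswd service on both TCP and UDP 464; this probe covers TCP only, and a timeout (as opposed to a refusal) is the symptom to expect when a firewall is dropping the traffic.

```python
import socket
import threading

# Kerberos password-change service (kpasswd), RFC 3244: TCP and UDP port 464.
# The thread calls it "KPASS"; this check probes the TCP side only.
KPASSWD_PORT = 464


def tcp_port_open(host, port, timeout=3.0):
    """Probe host:port over TCP.

    Returns (True, "open") when the three-way handshake completes, otherwise
    (False, reason). A timeout usually means a firewall silently drops the SYN
    (filtered); a refusal means the host is reachable but nothing listens.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except socket.timeout:
        return False, "timeout (likely filtered by a firewall)"
    except ConnectionRefusedError:
        return False, "connection refused (host up, port closed)"
    except OSError as exc:  # DNS failure, no route, etc.
        return False, str(exc)


def kpasswd_status(dc_host, port=KPASSWD_PORT, timeout=3.0):
    """One-line verdict for a DC, stating the fallback the thread describes."""
    ok, reason = tcp_port_open(dc_host, port, timeout)
    if ok:
        return f"{dc_host}: TCP {port} (kpasswd) reachable, Kerberos password changes possible"
    return (f"{dc_host}: TCP {port} (kpasswd) unreachable ({reason}), "
            f"password changes will fall back to NTLM")


def start_fake_dc():
    """Constructed stand-in for a DC: a loopback listener on an ephemeral port.

    It only accepts and closes connections, which is all a reachability probe
    needs; it does not implement the kpasswd protocol.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:  # listener closed by demo(); exit the thread
                return

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def closed_loopback_port():
    """Find a loopback port with nothing listening (bind, read the port, close)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Probe one open and one closed loopback port; return both (ok, reason) pairs."""
    fake_dc = start_fake_dc()
    try:
        open_port = fake_dc.getsockname()[1]
        opened = tcp_port_open("127.0.0.1", open_port)
        closed = tcp_port_open("127.0.0.1", closed_loopback_port())
    finally:
        fake_dc.close()
    return opened, closed


if __name__ == "__main__":
    opened, closed = demo()
    print("loopback listener:", opened)
    print("loopback closed port:", closed)
    # Against a real DC (hypothetical hostname), run from the PSN's network:
    # print(kpasswd_status("dc01.example.com"))
```

Run `kpasswd_status()` once per domain controller the PSN's join point can talk to; a DC that answers on 389 and 88 but times out on 464 is exactly the case the answer describes, and the only visible effect on the client side is that password changes quietly go over NTLM instead of Kerberos.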
01-05-2017 05:45 PM
Hi Samer,
Please see the ports that need to be open between ISE nodes. The ISE PSN talks to AD using certain functionalities.
For ISE to work correctly, the ports need to be open.
http://www.cisco.com/c/dam/en/us/td/i/400001-500000/410001-420000/413001-414000/413702.jpg
Thanks
Krishnan
01-05-2017 11:37 PM
Thanks Charles. Much appreciated.