Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
5021
Views
2
Helpful
4
Replies

ISE ports

Go to solution
nikhilcherian
Level 5
Level 5

ā€Ž05-27-2017 01:28 AM

Hi All

I am little confused on the port number 8905 for ISE communication, can you help me

  1. The administration guide says the ISE node is discovered on port 80 first & then on port 8905. If the port 80 discovery goes fine, will the anyconnect still try for port 8443
  2. The ISE installation guide  says " Provisioning - NAC Agent Update Notification: UDP/8905 (SWISS) & Provisioning - NAC Agent and Other Package/Module Updates: TCP/8905 (HTTPS)". If I have already installed the latest posture agent in the client PC, will I still use port 8905
  3. The ISE installation guide  also says " Assessment - Posture Negotiation and Agent Reports: TCP/8905 ". But this is mentioned as https traffic. If I sniff, can I see this traffic


Regards

Nikhil

1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

ā€Ž05-28-2017 05:22 PM

Yes, if you setup a wired sniffer on the PC, you should be able to see the attempts to TCP/8905 encrypted by the ISE PSN admin certificates.

ISE 2.2 along with AC 4.4 and CM 4.2 have the option to use the "Call Home List" in the AnyConnect ISE posture module/agent profile and to specify the client provisioning portal port(s) instead of 8905.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Craig Hyps
Level 10
Level 10

ā€Ž05-27-2017 08:49 AM

HTTPS over TCP/8905.   SWISS is no longer used in ISE since 1.3.   Port 80 is only used for the initial redirect to PSN at which time communication is redirected to 8443 and then to 8905.  If current guides reference SWISS, then please provide link and we will get updated.

Craig

Go to solution
nikhilcherian
Level 5
Level 5
In response to Craig Hyps

ā€Ž05-27-2017 09:41 AM

Hi Craig,

Thanks for the reply, I still see the SWISS ports in the below link

Cisco Identify Services Engine Hardware Installation Guide, Release 2.0 - Cisco ISE Ports Reference [Cisco Identity Seā€¦

If the communication on TCP/8905 in HTTPS if I sniff the packet in the PC, can I see the port 8905


Regards

Nikhil

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee

ā€Ž05-28-2017 05:22 PM

Yes, if you setup a wired sniffer on the PC, you should be able to see the attempts to TCP/8905 encrypted by the ISE PSN admin certificates.

ISE 2.2 along with AC 4.4 and CM 4.2 have the option to use the "Call Home List" in the AnyConnect ISE posture module/agent profile and to specify the client provisioning portal port(s) instead of 8905.

0 Helpful

Go to solution
nikhilcherian
Level 5
Level 5
In response to hslai

ā€Ž05-31-2017 03:25 AM

Thanks for the replies.. In my setup I can see the ISE showing the posture status as a compliant & client gets the CoA, but I don't see any traffic on port 8905. All I can see is traffic on port 8443. I can also see the client getting my Posture conditions in the scan summary, client validating the posture conditions & moving to posture compliant state.

However no traffic on port 8905, how can I ensure the working is correct

Regards

Nikhil

0 Helpful
Customers Also Viewed These Support Documents