ISE ports

nikhilcherian
Level 5

Hi All,

I am a little confused about port number 8905 for ISE communication. Can you help me?

  1. The administration guide says the ISE node is discovered on port 80 first and then on port 8905. If the port 80 discovery goes fine, will AnyConnect still try port 8443?
  2. The ISE installation guide says "Provisioning - NAC Agent Update Notification: UDP/8905 (SWISS) & Provisioning - NAC Agent and Other Package/Module Updates: TCP/8905 (HTTPS)". If I have already installed the latest posture agent on the client PC, will I still use port 8905?
  3. The ISE installation guide also says "Assessment - Posture Negotiation and Agent Reports: TCP/8905". But this is mentioned as HTTPS traffic. If I sniff, can I see this traffic?


Regards

Nikhil

Accepted Solution

hslai
Cisco Employee

Yes, if you set up a wired sniffer on the PC, you should be able to see the attempts to TCP/8905 encrypted by the ISE PSN admin certificates.

ISE 2.2 along with AC 4.4 and CM 4.2 have the option to use the "Call Home List" in the AnyConnect ISE posture module/agent profile and to specify the client provisioning portal port(s) instead of 8905.


Craig Hyps
Level 10

HTTPS over TCP/8905. SWISS is no longer used in ISE since 1.3. Port 80 is only used for the initial redirect to the PSN, at which time communication is redirected to 8443 and then to 8905. If current guides reference SWISS, then please provide a link and we will get it updated.

Craig

Hi Craig,

Thanks for the reply. I still see the SWISS ports in the link below:

Cisco Identify Services Engine Hardware Installation Guide, Release 2.0 - Cisco ISE Ports Reference [Cisco Identity Se…

If the communication on TCP/8905 is HTTPS, can I see port 8905 if I sniff the packets on the PC?


Regards

Nikhil


Thanks for the replies. In my setup I can see ISE showing the posture status as compliant and the client gets the CoA, but I don't see any traffic on port 8905. All I can see is traffic on port 8443. I can also see the client getting my posture conditions in the scan summary, the client validating the posture conditions and moving to the posture compliant state.

However, there is no traffic on port 8905. How can I ensure it is working correctly?

Regards

Nikhil
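
One way to check a capture taken on the client PC for the ports discussed in this thread, as an added example that is not part of the original posts: it reads `tcpdump -n` text output and counts, per port, the connections the client attempted (SYN) and the PSN answered (SYN-ACK). The addresses and capture lines are constructed, and `summarize` and `psn_ip` are names chosen for this example.

```python
import re
from collections import defaultdict

# Ports named in the thread: 80 (initial redirect), 8443 (portal), 8905 (posture).
ISE_PORTS = (80, 8443, 8905)

# Matches `tcpdump -n` text output: "IP <src>.<sport> > <dst>.<dport>: Flags [..]"
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\]"
)

def summarize(lines, psn_ip):
    """Per ISE port: connections the client attempted and the PSN answered."""
    attempted = defaultdict(set)  # port -> client source ports that sent a SYN
    answered = defaultdict(set)   # port -> client ports that received a SYN-ACK
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not an IPv4 TCP line in the expected format
        sport, dport, flags = int(m["sport"]), int(m["dport"]), m["flags"]
        if m["dst"] == psn_ip and dport in ISE_PORTS and flags == "S":
            attempted[dport].add(sport)   # retransmitted SYNs count once
        elif m["src"] == psn_ip and sport in ISE_PORTS and flags == "S.":
            answered[sport].add(dport)
    return {p: {"attempted": len(attempted[p]),
                "answered": len(attempted[p] & answered[p])}
            for p in ISE_PORTS}

# Constructed capture (documentation addresses): client 192.0.2.10, PSN 198.51.100.20.
# The SYN to 8905 is retransmitted and never answered.
SAMPLE = """\
12:00:01.000100 IP 192.0.2.10.51000 > 198.51.100.20.80: Flags [S], seq 100, win 64240, length 0
12:00:01.000900 IP 198.51.100.20.80 > 192.0.2.10.51000: Flags [S.], seq 500, ack 101, win 65535, length 0
12:00:02.000100 IP 192.0.2.10.51001 > 198.51.100.20.8443: Flags [S], seq 200, win 64240, length 0
12:00:02.000900 IP 198.51.100.20.8443 > 192.0.2.10.51001: Flags [S.], seq 600, ack 201, win 65535, length 0
12:00:03.000100 IP 192.0.2.10.51002 > 198.51.100.20.8905: Flags [S], seq 300, win 64240, length 0
12:00:04.000100 IP 192.0.2.10.51002 > 198.51.100.20.8905: Flags [S], seq 300, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for port, counts in summarize(SAMPLE, "198.51.100.20").items():
        print(f"TCP/{port}: {counts['attempted']} attempted, {counts['answered']} answered")
```

A port with zero attempts was never tried by the client during the capture; attempts without answers mean the SYN left the PC but no SYN-ACK came back.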