AAA, NAC, Guest Access & BYOD

Ports needed by CPPM if a firewall is within wired infrastructure

Aruba Employee
Question: What ports do I need on my firewall for CPPM?


Below are the details.

Between any two Mobility Controllers:

IPSec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controller is encapsulated in IPSec.
IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.
GRE (protocol 47) if tunneling guest traffic over GRE to DMZ controller.
IKE (UDP 500).
ESP (protocol 50).

Between a Mobility Controller and an AP

PAPI (UDP port 8211). If the AP uses DNS to discover the LMS controller, the AP first attempts to connect to the master controller. (Also allow DNS (UDP port 53) traffic from the AP to the DNS server.)
PAPI (UDP port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI connection to the master controller.
FTP (TCP port 21).
TFTP (UDP port 69) for all APs. If there is no local image on the AP (for example, a new AP), the AP uses TFTP to retrieve the initial image.
NTP (UDP port 123).
SYSLOG (UDP port 514).
PAPI Message Heartbeats (UDP ports 8211 and 8209).
GRE Tunnel Heartbeats (protocol 47).

Between a Mobility Controller and a Mobility Access Switch

UDP port 5999 is required between CPPM and the controller if AirGroup CoA is being used.
PAPI (UDP port 8211)
GRE (Protocol 47)
ICMP (Echo-Request/Echo-Reply). ICMP is used to verify reachability when "backup-controller-ip" is enabled.

ClearPass Policy Manager (CPPM)

Go to Configuration >> Identity >> Sources. Add a new source of type AD and go to the Primary tab. Look for Connection Security; changing it updates the port number listed on that screen automatically (typically 389 or 636).
You can also enter a value for that port manually.

CPPM cluster (subscriber-publisher)

UDP Port 123 NTP (Subscriber to publisher)
TCP Port 443 HTTPS (Bi-directional)
TCP Port 5432 PostgreSQL for DB replication (Subscriber to publisher)
TCP Port 80 HTTP (Between Nodes)

CPPM to ClearPass Guest

ClearPass Policy Manager/Guest Port Service

3799 for RFC 3576 to work.
1813 RADIUS Accounting Server

ClearPass Internet Access requirements

Question: What internet access does ClearPass require for normal operation and why?
Answer: ClearPass requires access to the following URL for checking for updated plugins: (legacy
This uses TCP ports 80 and 443. If an access control list will be created on a firewall to allow this traffic, please note that the IP address that resolves to is subject to change. If you find that you are unable to get plugin updates with a valid subscription ID, then make sure this access is allowed.

CPPM to Active Directory

The following is the list of services and their ports used for Active Directory communication:
UDP Port 88 for Kerberos authentication
UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations.
TCP Port 139 and UDP 138 for File Replication Service between domain controllers. (Probably not necessary for CPPM)
UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
TCP and UDP Port 445 for File Replication Service (Probably not necessary for CPPM)
TCP and UDP Port 464 for Kerberos Password Change
TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.

CPPM to OnGuard client

TCP port 6658 for the OnGuard client to communicate with CPPM. Otherwise the client doesn't appear in the OnGuard Activity tab.

Amigopod / ClearPass Guest

External Updates - HTTP (80) and HTTPS (443) for plugin updates and network tests.
NTP - UDP port 123
Mail - generally TCP 25 or 465.
High Availability - SSH(22), HTTPS(443) and Multicast between the two servers. Multicast settings are within the HA configuration.
RADIUS - UDP 1812, 1813, 3799 between controller and Amigopod.

Version history
Revision #:
1 of 1
Last update:
07-02-2014 04:45 PM

The ports listed for CPPM to AD for File Replication Services appear to be necessary. In our design the firewall is blocking Samba/SMB traffic coming from the ClearPass servers with these rules omitted.


ClearPass 6.6.7 with the SMBv2/SMBv3 patch requires additional ports to be opened through the firewall due to changes in DCE/RPC within MSCHAPv2. This new implementation seems to support NTLMv2 by default.

If the high-end RPC ports aren't permitted in the firewall, you will see a common error in Access Tracker stating the following.

* AD Status: Reading winbind reply failed! (0xc0000001)
* AD Status: {Device Timeout} The specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)
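As an added example (not from the original post, the comments, or Aruba), the CPPM-to-AD port list above and the RPC-port comments below it rendered as a least-privilege allowlist: the port table, a lookup that tells you whether a given CPPM-to-DC flow would be permitted, and the equivalent iptables rules. The subnets are constructed, and the dynamic RPC range is an assumption (the Windows default), not a value from the page.

```python
# Constructed sample addresses; replace with your CPPM and DC subnets.
CPPM_NET = "192.0.2.0/28"
DC_NET = "198.51.100.0/28"

# (proto, port or low:high range, purpose), taken from the CPPM-to-AD
# list and the Identity Sources section above. The last entry is the
# Windows default dynamic RPC range; it is NOT on the page and is an
# assumption standing in for the "high-end RPC ports" in the comments.
CPPM_TO_AD = [
    ("udp", "88", "Kerberos"),
    ("tcp", "135", "RPC endpoint mapper"),
    ("udp", "135", "RPC endpoint mapper"),
    ("tcp", "139", "NetBIOS session"),
    ("udp", "138", "NetBIOS datagram"),
    ("tcp", "389", "LDAP"),
    ("udp", "389", "LDAP"),
    ("tcp", "636", "LDAPS"),
    ("tcp", "445", "SMB"),
    ("udp", "445", "SMB"),
    ("tcp", "464", "Kerberos password change"),
    ("udp", "464", "Kerberos password change"),
    ("tcp", "3268:3269", "Global Catalog"),
    ("tcp", "53", "DNS"),
    ("udp", "53", "DNS"),
    ("tcp", "49152:65535", "dynamic RPC (assumed default range)"),
]

def _port_range(spec):
    """'135' -> (135, 135); '3268:3269' -> (3268, 3269)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def is_allowed(proto, port, flows=CPPM_TO_AD):
    """True if a CPPM -> DC packet on proto/port matches the allowlist."""
    return any(p == proto and lo <= port <= hi
               for p, spec, _ in flows for lo, hi in [_port_range(spec)])

def iptables_rules(flows=CPPM_TO_AD, src=CPPM_NET, dst=DC_NET):
    """Render the allowlist as iptables FORWARD rules ending in a DROP."""
    rules = [
        f'iptables -A FORWARD -s {src} -d {dst} -p {proto} --dport {spec} '
        f'-m comment --comment "{why}" -j ACCEPT'
        for proto, spec, why in flows
    ]
    rules.append(f"iptables -A FORWARD -s {src} -d {dst} -j DROP")
    return rules

if __name__ == "__main__":
    print("\n".join(iptables_rules()))
```

Before deploying, compare the assumed RPC range against what your domain controllers actually use; a mismatch reproduces the winbind timeout shown in the comment above.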
