See: ClearPass Hardening Guide v6
ClearPass 6.6.7 with the SMBv2/SMBv3 patch requires additional ports to be opened through the firewall, due to changes in the DCE/RPC handling used for MSCHAPv2. This new implementation seems to support NTLMv2 by default.
* 135/tcp
* 49152-65535/tcp
If the high-end RPC ports aren't permitted through the firewall, you will see a common error in Access Tracker stating the following.
* AD Status: Reading winbind reply failed! (0xc0000001)
* AD Status: {Device Timeout} The Specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)
The ports listed for CPPM to AD for file replication services appear to be necessary: in our design the firewall is blocking Samba/SMB traffic coming from the ClearPass servers with these rules omitted.
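A small diagnostic for the symptom above, added here as an example and not part of the original post or of any ClearPass tooling: it flags Access Tracker "AD Status" lines carrying the two status codes quoted above, and separately probes only the fixed endpoint mapper port (135/tcp), since the 49152-65535 range is allocated per call and cannot be confirmed with a single connect. The sample log lines are constructed; the domain controller host name is whatever you pass in.

```python
import re
import socket

# NT status codes from the Access Tracker messages quoted above. Both show up
# when the high-end DCE/RPC ports are filtered between ClearPass and the DC.
RPC_BLOCKED_SIGNATURES = {
    "0xc0000001": "Reading winbind reply failed",
    "0xc00000b5": "{Device Timeout} on the DCE/RPC I/O",
}

# Matches the parenthesised 32-bit status code at the end of an AD Status line.
STATUS_RE = re.compile(r"\((0x[0-9a-fA-F]{8})\)")


def classify_ad_status(line):
    """Return (status_code, matches_blocked_rpc_symptom) for an AD Status line,
    or None when the line carries no NT status code."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, code in RPC_BLOCKED_SIGNATURES


def blocked_port_suspects(lines):
    """Status codes in lines that match the blocked-RPC-port symptom, in order."""
    suspects = []
    for line in lines:
        result = classify_ad_status(line)
        if result and result[1]:
            suspects.append(result[0])
    return suspects


def probe_rpc_endpoint_mapper(host, timeout=3.0):
    """TCP connect test to the RPC endpoint mapper (135/tcp) on a DC.
    A success here combined with 0xc00000b5 in Access Tracker still points at
    the dynamic 49152-65535/tcp range being filtered, not at 135/tcp itself."""
    try:
        with socket.create_connection((host, 135), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample of Access Tracker output (not captured from a real system).
SAMPLE_LINES = [
    "AD Status: Reading winbind reply failed! (0xc0000001)",
    "AD Status: {Device Timeout} The Specified I/O operation on %hs was not "
    "completed before the time-out period expired. (0xc00000b5)",
    "AD Status: Success (0x00000000)",
]
```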
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.