What are the ports that need to be opened on the network firewall for ClearPass Policy Manager (CPPM) to function smoothly?

Aruba Employee

Environment: This article applies to all ClearPass OS versions.


ClearPass Policy Manager/Guest:

RFC 3576 - UDP port 3799
RADIUS - UDP port 1812
RADIUS Accounting Server - UDP port 1813
HTTP - TCP port 80
HTTPS - TCP port 443

CPPM cluster (subscriber-publisher):

NTP - UDP port 123 (subscriber to publisher)
HTTPS - TCP port 443 (bi-directional)
Default ports for the various databases supported by CPPM.

CPPM to ClearPass Guest:

HTTPS - TCP port 443

CPPM to Active Directory:

UDP port 88 for Kerberos authentication
UDP and TCP port 135 for domain controller to domain controller and client to domain controller operations
TCP port 139 and UDP port 138 for File Replication Service between domain controllers (probably not necessary for CPPM)
UDP port 389 for LDAP, to handle normal queries from client computers to the domain controllers
TCP and UDP port 445 for File Replication Service (probably not necessary for CPPM)
TCP and UDP port 464 for Kerberos password change
TCP ports 3268 and 3269 for Global Catalog from client to domain controller
TCP and UDP port 53 for DNS from client to domain controller and domain controller to domain controller

CPPM to OnGuard client:

TCP port 6658 for the OnGuard client to communicate with CPPM; without it the client does not appear in the OnGuard Activity tab.
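The list above is usually verified by hand after a firewall change. The following script is an added example (not Aruba's or ClearPass's own tooling) that turns the same port table into a pre-flight check: each TCP entry is probed with a plain connect() from the CPPM side, while UDP entries are only listed, because RADIUS, NTP, Kerberos and DNS do not answer an empty datagram and a UDP probe cannot tell "filtered" from "open" without speaking the protocol. The flow names (`nas-to-cppm`, `cppm-to-ad`, and so on) are labels chosen for this script, not ClearPass terminology, and the two entries the article marks as probably unnecessary (139/138 and 445) are left out on purpose. Host names passed on the command line are placeholders for your own environment.

```python
"""
Pre-flight reachability check for the ClearPass firewall port table.

A completed TCP handshake means the firewall path is open; a refusal or
timeout means it is blocked (or nothing is listening on the far end yet).
UDP entries are reported as "untested" rather than guessed at.
"""
import socket
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    flow: str       # which relationship in the article the rule belongs to
    proto: str      # "tcp" or "udp"
    port: int
    purpose: str


# Port numbers copied from the article. The flow labels are this script's own.
PORT_TABLE = (
    PortRule("nas-to-cppm", "udp", 3799, "RFC 3576 dynamic authorization"),
    PortRule("nas-to-cppm", "udp", 1812, "RADIUS authentication"),
    PortRule("nas-to-cppm", "udp", 1813, "RADIUS accounting"),
    PortRule("client-to-cppm", "tcp", 80, "HTTP"),
    PortRule("client-to-cppm", "tcp", 443, "HTTPS"),
    PortRule("cluster", "udp", 123, "NTP, subscriber to publisher"),
    PortRule("cluster", "tcp", 443, "HTTPS, bi-directional"),
    PortRule("cppm-to-guest", "tcp", 443, "HTTPS"),
    PortRule("cppm-to-ad", "udp", 88, "Kerberos authentication"),
    PortRule("cppm-to-ad", "tcp", 135, "DC-to-DC and client-to-DC operations"),
    PortRule("cppm-to-ad", "udp", 135, "DC-to-DC and client-to-DC operations"),
    PortRule("cppm-to-ad", "udp", 389, "LDAP queries to the domain controllers"),
    PortRule("cppm-to-ad", "tcp", 464, "Kerberos password change"),
    PortRule("cppm-to-ad", "udp", 464, "Kerberos password change"),
    PortRule("cppm-to-ad", "tcp", 3268, "Global Catalog"),
    PortRule("cppm-to-ad", "tcp", 3269, "Global Catalog"),
    PortRule("cppm-to-ad", "tcp", 53, "DNS"),
    PortRule("cppm-to-ad", "udp", 53, "DNS"),
    PortRule("onguard-to-cppm", "tcp", 6658, "OnGuard client to CPPM"),
)


def rules_for(flow: str) -> list[PortRule]:
    """All table entries belonging to one flow label."""
    return [r for r in PORT_TABLE if r.flow == flow]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, DNS failure
        return False


def check_flow(flow: str, host: str, timeout: float = 2.0) -> dict[str, str]:
    """Probe every TCP rule of a flow against host; UDP rules are 'untested'."""
    results: dict[str, str] = {}
    for r in rules_for(flow):
        key = f"{r.proto}/{r.port}"
        if r.proto == "tcp":
            results[key] = "open" if tcp_reachable(host, r.port, timeout) else "blocked"
        else:
            results[key] = "untested"
    return results


def self_test() -> tuple[bool, bool]:
    """Offline proof of the probe logic: one listening loopback port, then the
    same port after the listener is closed. Expected result: (True, False)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # kernel picks a free ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    open_result = tcp_reachable("127.0.0.1", port, 1.0)
    srv.close()
    closed_result = tcp_reachable("127.0.0.1", port, 1.0)
    return open_result, closed_result


if __name__ == "__main__":
    # Usage: python cppm_ports.py <flow> <host>, e.g. cppm-to-ad dc01.example.com
    if len(sys.argv) != 3:
        sys.exit("usage: cppm_ports.py <flow> <host>")
    flow_name, target = sys.argv[1], sys.argv[2]
    for key, state in check_flow(flow_name, target).items():
        print(f"{flow_name:16} {key:10} {state}")
```

Run it from the CPPM side of the firewall (or any host in the same segment) against each peer: a "blocked" line for a TCP port in the table is the firewall rule to go looking for. The "untested" UDP lines are a reminder that RADIUS, NTP and Kerberos paths still need confirming from the application's own logs.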


This info is available in Arubapedia at https://arubapedia.arubanetworks.com/arubapedia/index.php/Ports_needed_if_a_firewalls_within_wired_infrastructure

Version history
Revision #: 1 of 1
Last update: 06-28-2014 07:28 AM


ClearPass 6.6.7 with the SMBv2 / SMBv3 patch requires additional ports to be opened through the firewall due to changes in DCE/RPC within MSCHAPv2. This new implementation seems to support NTLMv2 by default.

If the high-end RPC ports aren't permitted in the firewall, you will see a common error in Access Tracker stating the following.

* AD Status: Reading winbind reply failed! (0xc0000001)
* AD Status: {Device Timeout} The Specified I/O operation on %hs was not completed before the time-out period expired. (0xc00000b5)
