What is the requirement for TCP port 6658 with the OnGuard agent?

MVP Expert

Why do I need to allow TCP port 6658 between the OnGuard agent and the ClearPass server? What is it used for?


The OnGuard persistent agent uses port 6658 to establish a control channel from the client to the ClearPass server, which it uses to update the client's online status.

If port 6658 is blocked or not allowed (by a local firewall, etc.), the agent reposts the health status every 3 minutes and keeps trying to establish the control channel.

Please ensure port 6658 is allowed between the persistent agent and the ClearPass server, on every intermediary device from the client up to ClearPass, to prevent the client from re-authenticating very often.

Version history
Revision #: 2 of 2
Last update: 11-23-2015 02:31 PM


On the Cisco wired side, do we need to deny or permit that port on our access list?


Yes, if the device is quarantined and you are returning a restricted ACL.

This way, if the posture changes, OnGuard will be able to communicate the change to ClearPass.

I also noticed that OnGuard needs port 443 to the ClearPass server. I can see each connection session start with brief 443 traffic, and then the connection to port 6658 is established.
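
An added example, not part of the original thread and not Aruba or Cisco tooling: a Python check that a restricted (quarantine) ACL still permits the OnGuard flows to ClearPass discussed above, TCP 6658 and the TCP 443 traffic one commenter observed. The ClearPass address 192.0.2.10, the sample ACL text, and the small subset of ACL entry syntax it parses are constructed assumptions.

```python
import ipaddress

# Ports from the thread: 6658 control channel, plus the 443 one commenter saw.
ONGUARD_PORTS = (443, 6658)

def parse_ace(line):
    """Parse a constructed subset of Cisco extended-ACL entries:
    {permit|deny} {ip|tcp} any {any | host A.B.C.D} [eq PORT]"""
    tok = line.split()
    if len(tok) < 4 or tok[0] not in ("permit", "deny") \
            or tok[1] not in ("ip", "tcp") or tok[2] != "any":
        raise ValueError(f"unsupported entry: {line!r}")
    action, proto, rest = tok[0], tok[1], tok[3:]
    if rest[0] == "any":
        dst, rest = None, rest[1:]
    elif rest[0] == "host" and len(rest) >= 2:
        dst, rest = ipaddress.ip_address(rest[1]), rest[2:]
    else:
        raise ValueError(f"unsupported destination: {line!r}")
    port = None
    if rest:
        if proto != "tcp" or len(rest) != 2 or rest[0] != "eq":
            raise ValueError(f"unsupported port match: {line!r}")
        port = int(rest[1])
    return action, dst, port

def verdict(aces, dst_ip, dst_port):
    """First matching entry wins; no match falls to the implicit deny."""
    for action, dst, port in aces:
        if dst in (None, dst_ip) and port in (None, dst_port):
            return action
    return "deny"

def blocked_onguard_ports(acl_text, clearpass_ip):
    """Return the OnGuard ports this ACL would block toward ClearPass."""
    aces = [parse_ace(l) for l in acl_text.splitlines() if l.strip()]
    target = ipaddress.ip_address(clearpass_ip)
    return [p for p in ONGUARD_PORTS if verdict(aces, target, p) != "permit"]

# Constructed sample ACLs; 192.0.2.10 stands in for the ClearPass server.
QUARANTINE_MISSING_6658 = """
permit tcp any host 192.0.2.10 eq 443
deny ip any any
"""
QUARANTINE_FIXED = """
permit tcp any host 192.0.2.10 eq 443
permit tcp any host 192.0.2.10 eq 6658
deny ip any any
"""
```

Calling `blocked_onguard_ports(QUARANTINE_MISSING_6658, "192.0.2.10")` reports the port a quarantined client would lose, which is the condition that leaves the agent reposting health every 3 minutes.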
