Understanding Default Open Ports

By default, Aruba controllers and access points treat ports as untrusted. However, certain ports are open by default only on the trusted side of the network. These open ports are listed in Table 1.

Table 1: Default (Trusted) Open Ports

| Port Number | Protocol | Where Used | Description |
|---|---|---|---|
| 17 | TCP | controller | This is used for certain types of VPN clients that accept a banner (QOTD). During normal operation, this port only accepts a connection and immediately closes it. |
| 21 | TCP | controller | |
| 22 | TCP | controller | SSH |
| 23 | TCP | AP and controller | Telnet is disabled by default, but the port is still open. |
| 53 | UDP | controller | Internal domain. |
| 67 | UDP | AP (and controller if a DHCP server is configured) | DHCP server. |
| 68 | UDP | AP (and controller if a DHCP server is configured) | DHCP client. |
| 69 | UDP | controller | TFTP |
| 80 | TCP | AP and controller | HTTP. Used for remote packet capture where the capture is saved on the access point. Provides access to the WebUI on the controller. |
| 123 | UDP | controller | NTP |
| 161 | UDP | AP and controller | SNMP. Disabled by default. |
| 443 | TCP | controller | Used internally for captive portal authentication (HTTPS) and is exposed to wireless users. A default self-signed certificate is installed in the controller. Users in a production environment are urged to install a certificate from a well-known CA such as Verisign. Self-signed certificates are open to man-in-the-middle attacks and should only be used for testing. Required for VIA: during the initializing phase, VIA uses HTTPS connections to perform trusted network and captive portal checks against the controller. It is mandatory that you enable port 443 on your network to allow VIA to perform these checks. |
| 500 | UDP | controller | ISAKMP |
| 514 | UDP | controller | Syslog |
| 1701 | UDP | controller | L2TP |
| 1723 | TCP | controller | PPTP |
| 2300 | TCP | controller | Internal terminal server opened by the telnet soe command. |
| 3306 | TCP | controller | Remote wired MAC lookup. |
| 4343, 443 | TCP | controller | HTTPS. Both ports 4343 and 443 are supported. If port 4343 is used, it redirects to port 443. If port 443 is used, the connection continues on that port. A default self-signed certificate is installed in the controller. Users in a production environment are urged to install a certificate from a well-known CA such as Verisign. Self-signed certificates are open to man-in-the-middle attacks and should only be used for testing. |
| 4500 | UDP | controller | sae-urn. Required for VIA: during the initializing phase, VIA uses HTTPS connections to perform trusted network and captive portal checks against the controller. It is mandatory that you enable port 4500 on your network to allow VIA to perform these checks. |
| 8080 | TCP | controller | Used internally for captive portal authentication (HTTP proxy). This port is not exposed to wireless users. |
| 8081 | TCP | controller | Used internally for captive portal authentication (HTTPS). Not exposed to wireless users. A default self-signed certificate is installed in the controller. Users in a production environment are urged to install a certificate from a well-known CA such as Verisign. Self-signed certificates are open to man-in-the-middle attacks and should only be used for testing. |
| 8082 | TCP | controller | Used internally for single sign-on authentication (HTTP). Not exposed to wireless users. |
| 8083 | TCP | controller | Used internally for single sign-on authentication (HTTPS). Not exposed to wireless users. |
| 8088 | TCP | controller | For internal use. |
| 8200 | UDP | controller | The Aruba Discovery Protocol (ADP). |
| 8211 | UDP | controller | For internal use. |
| 8888 | TCP | controller | Used for HTTP access. |
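Table 1 is most useful as a baseline: anything listening on the trusted side that is not in it deserves an explanation, and ports the table marks as open with the service disabled (23, 161) should have that disabled state confirmed rather than assumed. The following script is an added example, not part of the Aruba documentation; it encodes Table 1 and compares it against nmap normal-output lines (the scan text below is constructed, and the device labels "controller" and "ap" are this example's own convention).

```python
import re

# Baseline reproduced from Table 1: (port, proto) -> where it is open by default.
# "both" = AP and controller; 67/68 are AP-only unless the controller runs DHCP.
BASELINE = {
    (17, "tcp"): "controller", (21, "tcp"): "controller", (22, "tcp"): "controller", (23, "tcp"): "both",
    (53, "udp"): "controller", (67, "udp"): "ap", (68, "udp"): "ap", (69, "udp"): "controller",
    (80, "tcp"): "both", (123, "udp"): "controller", (161, "udp"): "both", (443, "tcp"): "controller",
    (500, "udp"): "controller", (514, "udp"): "controller", (1701, "udp"): "controller", (1723, "tcp"): "controller",
    (2300, "tcp"): "controller", (3306, "tcp"): "controller", (4343, "tcp"): "controller", (4500, "udp"): "controller",
    (8080, "tcp"): "controller", (8081, "tcp"): "controller", (8082, "tcp"): "controller", (8083, "tcp"): "controller",
    (8088, "tcp"): "controller", (8200, "udp"): "controller", (8211, "udp"): "controller", (8888, "tcp"): "controller",
}
# Table 1: open by default even though the service itself is disabled by default.
DISABLED_BY_DEFAULT = {(23, "tcp"), (161, "udp")}
NMAP_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")

def parse_open_ports(scan_text):
    """Extract (port, proto) pairs from nmap normal-output lines marked 'open'."""
    found = set()
    for line in scan_text.splitlines():
        m = NMAP_LINE.match(line.strip())
        if m:
            found.add((int(m.group(1)), m.group(2)))
    return found

def expected_for(device, dhcp_server=False):
    """Ports Table 1 lists as open for device 'controller' or 'ap'."""
    exp = {k for k, where in BASELINE.items() if where in ("both", device)}
    if device == "controller" and dhcp_server:
        exp |= {(67, "udp"), (68, "udp")}
    return exp

def audit(device, scan_text, dhcp_server=False):
    """Split observed open ports into expected, verify-disabled and unexpected."""
    observed = parse_open_ports(scan_text)
    expected = expected_for(device, dhcp_server)
    return {"unexpected": sorted(observed - expected),
            "verify_disabled": sorted(observed & DISABLED_BY_DEFAULT),
            "expected": sorted(observed & expected)}

# Constructed sample scan of a controller's trusted interface (not real output).
SAMPLE_SCAN = """22/tcp   open  ssh
23/tcp   open  telnet
443/tcp  open  https
9999/tcp open  abyss
67/udp   open  dhcps
161/udp  open  snmp"""
if __name__ == "__main__":
    print(audit("controller", SAMPLE_SCAN))
```

On the sample, 9999/tcp is flagged as unexpected, 67/udp is flagged until the controller is declared a DHCP server, and 23/tcp and 161/udp are listed for confirmation that Telnet and SNMP are actually disabled.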