Data and Management Port Interfaces
ClearPass supports multiple physical Ethernet interfaces, including a data port interface and a management port interface. You must configure the management port, but the data port is optional. You cannot configure just a data port.
Route selection
When ClearPass is configured with a management interface but not the optional data interface, all traffic goes through the management interface.
When ClearPass is configured with both interfaces:
If the destination network/address is in the management subnet, ClearPass uses the management interface.
If the destination network/address is in the data subnet, ClearPass uses the data interface.
If the destination network is in neither the management nor the data subnet, ClearPass uses the data interface by default.
RADIUS authentications can be sent to both interfaces. ClearPass replies with the RADIUS response on the interface where the request was initially received.
OnGuard communicates with ClearPass through the data interface if both the management and data interfaces are configured.
Cluster traffic interfaces
The management IP address of the publisher in a cluster needs to be accessible to all subscribers. However, the subscribers must reach the publisher’s management IP only through the subscriber’s management interface, either through a static route or other means. ClearPass cluster traffic uses the following TCP/UDP ports:
UDP Port 123 NTP (Subscriber to Publisher)
TCP Port 443 HTTPS (Bi-directional)
TCP Port 5432 PostgreSQL for DB replication (Subscriber to Publisher)
TCP Port 80 Bi-directional; change status queries between ClearPass cluster members
TCP Port 4231 NetWatch (Post Authentication module and the node where Insight is enabled)
TCP Port 6658 for the OnGuard client to communicate with ClearPass Policy Manager. As mentioned above, if both interfaces are configured, OnGuard traffic goes to the data interface. Therefore, if you have configured both interfaces, this port must be opened on the data interface.
ClearPass to Active Directory Ports
The following services and ports are used for Active Directory communication:
UDP Port 88 for Kerberos authentication
UDP and TCP Port 135 for domain-controller-to-domain-controller and client-to-domain-controller operations
UDP Port 389 for LDAP to handle normal queries from client computers to the domain controller
TCP and UDP Port 464 for Kerberos password change
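The route-selection rules, the cluster and OnGuard port list, and the Active Directory port list above together determine on which interface a host or network firewall must permit each flow. The following added example (not ClearPass code or any part of the product; the 10.10.0.0/24 management subnet, 10.20.0.0/24 data subnet and the 192.0.2.10 domain controller are constructed sample values) implements the route-selection rules with Python's standard `ipaddress` module and derives the per-interface rule set from them. It shows the two points that are easy to get wrong in practice: OnGuard's TCP 6658 moves from the management to the data interface as soon as a data interface is configured, and a domain controller that sits in neither subnet is reached through the data interface, so the AD ports must be allowed outbound there.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing for this example; not taken from the page.
MGMT_NET = ip_network("10.10.0.0/24")
DATA_NET = ip_network("10.20.0.0/24")
SAMPLE_DC = "192.0.2.10"  # a domain controller in neither subnet

# Cluster ports from the page. Cluster traffic rides the management interface,
# because subscribers must reach the publisher's management IP through their
# own management interface.
CLUSTER_PORTS = (
    ("udp", 123, "NTP, subscriber to publisher"),
    ("tcp", 443, "HTTPS, bi-directional"),
    ("tcp", 5432, "PostgreSQL DB replication, subscriber to publisher"),
    ("tcp", 80, "change status queries, bi-directional"),
    ("tcp", 4231, "NetWatch"),
)
ONGUARD_PORT = ("tcp", 6658, "OnGuard client to Policy Manager")

# Active Directory ports from the page (outbound from ClearPass).
AD_PORTS = (
    ("udp", 88, "Kerberos authentication"),
    ("udp", 135, "DC-to-DC and client-to-DC operations"),
    ("tcp", 135, "DC-to-DC and client-to-DC operations"),
    ("udp", 389, "LDAP queries to the domain controller"),
    ("tcp", 464, "Kerberos password change"),
    ("udp", 464, "Kerberos password change"),
)


def select_interface(destination, mgmt_net, data_net=None):
    """Return 'mgmt' or 'data' for a destination, per the route-selection rules.

    No data interface configured -> everything leaves via management.
    Destination in the management subnet -> management interface.
    Destination in the data subnet -> data interface.
    Anything else -> data interface by default.
    """
    dst = ip_address(destination)
    if data_net is None:
        return "mgmt"
    if dst in mgmt_net:
        return "mgmt"
    if dst in data_net:
        return "data"
    return "data"


def onguard_port_interface(data_net=None):
    """Interface on which TCP 6658 must be opened for OnGuard clients."""
    return "data" if data_net is not None else "mgmt"


def required_rules(mgmt_net, data_net=None, domain_controllers=()):
    """Derive the (direction, interface, proto, port) tuples a firewall must permit.

    Cluster listeners stay on management, OnGuard follows the configured
    interfaces, and AD ports go outbound on whichever interface the
    route-selection rules pick for each domain controller.
    """
    rules = set()
    for proto, port, _ in CLUSTER_PORTS:
        rules.add(("in", "mgmt", proto, port))
    proto, port, _ = ONGUARD_PORT
    rules.add(("in", onguard_port_interface(data_net), proto, port))
    for dc in domain_controllers:
        iface = select_interface(dc, mgmt_net, data_net)
        for proto, port, _ in AD_PORTS:
            rules.add(("out", iface, proto, port))
    return rules


if __name__ == "__main__":
    for label, data in (("management only", None), ("management + data", DATA_NET)):
        print(f"--- {label} ---")
        for rule in sorted(required_rules(MGMT_NET, data, [SAMPLE_DC])):
            print("%-3s %-4s %-3s %d" % rule)
```

Running the script prints the rule set twice, once for a management-only node and once for a node with both interfaces, so the shift of TCP 6658 and of the AD ports between interfaces is visible side by side. Replace the sample subnets and domain controller with your own to generate the list for a real deployment.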