The following ports and protocols must be open, as applicable, for communication and management between the vWLAN and BSAPs; between primary and secondary vWLAN systems when using high availability; between the vWLAN and authentication servers for the various authentication methods; between BSAPs when using Layer 3 mobility (tunneling); and between BSAPs and the authentication server when using external Remote Authentication Dial-In User Service (RADIUS) 802.1X authentication. Ensure that any firewalls or access control lists (ACLs) in the path allow the ports and protocols outlined in the table below as applicable.
NOTE: The following table is the comprehensive list of ports and protocols that may need to be open. It is not limited to AP discovery but covers all communications within the vWLAN network. Open only the ports your deployment actually uses, and close any port that is not required in order to keep the attack surface small.
IP Protocol and Port | Application Protocol | Purpose
---|---|---
User Datagram Protocol (UDP) port 53 | Domain Name System (DNS) | AP discovery communication between vWLAN and BSAPs (1800 Series BSAPs only).
Transmission Control Protocol (TCP) port 33333 | Transport Layer Security (TLS) | Secure control/management channel between vWLAN and BSAPs.
UDP port 69 | Trivial File Transfer Protocol (TFTP) | Used on the BSAP 1800 Series to transfer firmware between vWLAN and the BSAP or between BSAPs and a third-party TFTP server. Also used for AP traffic capture file transfer between vWLAN and the BSAP.
TCP port 33334 | Secure Copy Protocol (SCP) | Used on the BSAP 1900 Series to transfer firmware between vWLAN and the BSAP or between BSAPs and a third-party SCP server. Also used for AP traffic capture file transfer between vWLAN and the BSAP.
TCP port 28000 | TLS | Used to secure the wireless intrusion detection system (IDS) channel between vWLAN and BSAPs.
TCP port 2335 | Secure Shell (SSH) | Used for communication between primary and secondary vWLAN systems for high availability. Also used for debug access.
TCP port 3000 | Hypertext Transfer Protocol Secure (HTTPS) | Used for communication between primary and secondary vWLAN systems for high availability and for access to the vWLAN web-based graphical user interface (GUI).
TCP port 80 | Hypertext Transfer Protocol (HTTP) | Required for captive portals between vWLAN and the BSAPs in vWLAN releases prior to 2.2.1.
TCP port 443 | HTTPS | Required for captive portals between vWLAN and the BSAPs in release 2.2.1 and later.
UDP port 1812 or 1645 | RADIUS | Required for RADIUS web authentication and RADIUS administrative authentication between the BSAP and the authentication server. Also required for external RADIUS 802.1X authentication between the BSAP and the authentication server.
UDP port 1813 or 1646 | RADIUS Accounting | Required when using RADIUS accounting between vWLAN and an accounting server.
TCP port 389 | Lightweight Directory Access Protocol (LDAP) | Required for LDAP or Microsoft Active Directory (AD) authentication between vWLAN and an authentication server.
TCP port 636 | LDAP over TLS (LDAPS) | Required for LDAP or AD authentication over TLS between vWLAN and an authentication server.
TCP port 6001 | Standard Interchange Protocol (SIP2) | Required for SIP2 authentication between vWLAN and the library authentication server.
IP protocol 97 | EtherIP | Required for Layer 3 roaming (tunneling) between BSAPs. This is an IP protocol, not a TCP or UDP port, so it must be permitted by protocol number.
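The table above is easy to misapply: the captive-portal port depends on the vWLAN release, RADIUS may run on either port pair, and IP protocol 97 is not a TCP or UDP port at all. The script below is an added example, not ADTRAN's code, that encodes the table as data, renders iptables-style ACCEPT rules from it, and checks which TCP ports a firewall in the path still blocks. The IP addresses, chain name and rule syntax are illustrative assumptions; adapt the `rules_for()` renderer to your own firewall or ACL syntax. UDP services (DNS, TFTP, RADIUS) cannot be verified by a connect test, so the checker only reports TCP entries.

```python
# Added example (not ADTRAN's code): encode the vWLAN port table as data,
# emit iptables-style rules from it, and verify TCP reachability.
# Addresses such as 192.0.2.10 are placeholders chosen for illustration.
import socket

# (ip_proto, port, purpose); port None means the whole IP protocol.
AP_TO_VWLAN = [
    ("udp", 53, "DNS AP discovery (1800 Series BSAPs)"),
    ("tcp", 33333, "TLS control/management channel"),
    ("udp", 69, "TFTP firmware and capture transfer (1800 Series)"),
    ("tcp", 33334, "SCP firmware and capture transfer (1900 Series)"),
    ("tcp", 28000, "TLS wireless IDS channel"),
]
HA_AND_ADMIN = [
    ("tcp", 2335, "SSH: HA sync and debug access"),
    ("tcp", 3000, "HTTPS: HA sync and admin GUI"),
]
VWLAN_TO_AUTH = [
    ("tcp", 389, "LDAP / Active Directory"),
    ("tcp", 636, "LDAPS"),
    ("tcp", 6001, "SIP2 library authentication"),
]
AP_TO_AP = [("97", None, "EtherIP: Layer 3 roaming between BSAPs")]


def version_tuple(release):
    return tuple(int(part) for part in release.split("."))


def captive_portal_port(release):
    """Captive portal uses HTTP/80 before vWLAN 2.2.1 and HTTPS/443 from 2.2.1 on."""
    return 443 if version_tuple(release) >= (2, 2, 1) else 80


def radius_entries(legacy_ports=False):
    """RADIUS auth/acct on the IANA ports 1812/1813, or the legacy 1645/1646 pair."""
    auth, acct = (1645, 1646) if legacy_ports else (1812, 1813)
    return [("udp", auth, "RADIUS authentication"),
            ("udp", acct, "RADIUS accounting")]


def rules_for(dest, entries, chain="FORWARD"):
    """Render one ACCEPT rule per table entry, scoped to a destination.
    Entries with port None (IP protocol 97) get no --dport match."""
    rules = []
    for proto, port, purpose in entries:
        dport = "" if port is None else f" --dport {port}"
        rules.append(f'-A {chain} -p {proto} -d {dest}{dport} '
                     f'-m comment --comment "{purpose}" -j ACCEPT')
    return rules


def vwlan_ruleset(vwlan_ip, release, ha=False):
    """Rules for traffic towards the vWLAN: AP channels, the release-specific
    captive-portal port, and the HA/admin ports when HA is deployed."""
    entries = AP_TO_VWLAN + [("tcp", captive_portal_port(release), "captive portal")]
    if ha:
        entries = entries + HA_AND_ADMIN
    return rules_for(vwlan_ip, entries)


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake completes. A filtered port times out, a closed
    one is refused; both count as unreachable for this check."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unreachable_tcp(host, entries, timeout=2.0):
    """TCP entries of a table that a firewall or ACL in the path still blocks."""
    return [(proto, port, purpose) for proto, port, purpose in entries
            if proto == "tcp" and not tcp_reachable(host, port, timeout)]


def probe_loopback_demo():
    """Offline demonstration of the probe: open a loopback listener, probe it,
    close it, probe again. Returns (reachable_while_open, reachable_after_close)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    for rule in vwlan_ruleset("192.0.2.10", "2.2.1", ha=True):
        print(rule)
    for rule in rules_for("192.0.2.20", radius_entries() + VWLAN_TO_AUTH):
        print(rule)
    print(rules_for("198.51.100.0/24", AP_TO_AP)[0])
    print("loopback probe (open, closed):", probe_loopback_demo())
```

Run `unreachable_tcp("<vwlan-ip>", AP_TO_VWLAN)` from the AP subnet to list TCP channels a firewall still blocks; for the UDP entries, confirm the rules by inspecting the firewall configuration or by watching counters, since a dropped datagram and a silent service look identical to a probe.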