Cisco Clean Access 3.5
Cisco Clean Access Manager Installation and Administration Guide
OL-7044-01
Chapter 8      User Management: Traffic Control, Bandwidth, Schedule
Example Traffic Policies
This section describes the following:
  • Allowing Authentication Server Traffic for Windows Domain Authentication
  • Allowing Gaming Ports
  •
Allowing Authentication Server Traffic for Windows Domain Authentication
If you want users on the network to be able to authenticate to a Windows domain before they
authenticate to Cisco Clean Access, the following minimum policies give users in the
Unauthenticated role access to the Active Directory (NTLM) login servers:
Allow    TCP    *:*    Server/255.255.255.255: 88
Allow    UDP    *:*    Server/255.255.255.255: 88
Allow    TCP    *:*    Server/255.255.255.255: 389
Allow    UDP    *:*    Server/255.255.255.255: 389
Allow    TCP    *:*    Server/255.255.255.255: 445
Allow    UDP    *:*    Server/255.255.255.255: 445 
Allow    TCP    *:*    Server/255.255.255.255: 135
Allow    UDP    *:*    Server/255.255.255.255: 135
Allow    TCP    *:*    Server/255.255.255.255: 3268
Allow    UDP    *:*    Server/255.255.255.255: 3268
Allow    TCP    *:*    Server/255.255.255.255: 139
Allow    TCP    *:*    Server/255.255.255.255: 1025
Allowing Gaming Ports
To allow gaming services, such as Microsoft Xbox Live, it is recommended that you create a gaming user role
and add a filter for the device MAC addresses (under Device Management > Filters > Devices > New)
to place the devices into that gaming role. You can then create traffic policies for the role to allow
traffic on the gaming ports.
Microsoft Xbox
The following are suggested policies to allow access for Microsoft Xbox ports:
  • Kerberos-Sec (UDP); Port 88; UDP; Send Receive
  • DNS Query (UDP); Port 53; Send 3074 over UDP/TCP
  • Game Server Port (TCP): 22042
  • Voice Chat Port (TCP/UDP): 22043-22050
  • Peer Ping Port (UDP): 13139
  • Peer Query Port (UDP): 6500
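The following is an added example, not code from the Cisco Clean Access product or from this guide. It parses role traffic policies written in the line syntax shown above (Action, Protocol, source:port, destination/mask:port) and evaluates sample flows against them, so an administrator can check what the Unauthenticated-role domain policies and a gaming-role policy actually permit before deploying them. The Xbox rules are constructed here from the port list in the bullets (the page gives ports, not rule lines), the domain controller address 10.0.0.5 is a constructed placeholder for the "Server" written in the guide, and the matching semantics (top-to-bottom, first match wins, anything unmatched is blocked, "*" as wildcard, "lo-hi" port ranges) are assumptions of the example rather than statements from the page.

```python
# Evaluate role traffic policies in the line syntax the guide shows
# (Action  Proto  src:port  dst/mask:port). Added example, not Cisco code.
# Assumed semantics (not stated on the page): rules are checked top to bottom,
# first match wins, unmatched flows are blocked, "*" is a wildcard, "lo-hi" ranges.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means any port
Net = Optional[ipaddress.IPv4Network]   # None means any address

# The guide writes the domain controller as "Server"; this address is a
# constructed placeholder for it, not a value from the page.
NAMES = {"Server": "10.0.0.5"}

# Policy lines as printed in the guide for the Unauthenticated role.
DOMAIN_POLICY_TEXT = """
Allow    TCP    *:*    Server/255.255.255.255: 88
Allow    UDP    *:*    Server/255.255.255.255: 88
Allow    TCP    *:*    Server/255.255.255.255: 389
Allow    UDP    *:*    Server/255.255.255.255: 389
Allow    TCP    *:*    Server/255.255.255.255: 445
Allow    UDP    *:*    Server/255.255.255.255: 445
Allow    TCP    *:*    Server/255.255.255.255: 135
Allow    UDP    *:*    Server/255.255.255.255: 135
Allow    TCP    *:*    Server/255.255.255.255: 3268
Allow    UDP    *:*    Server/255.255.255.255: 3268
Allow    TCP    *:*    Server/255.255.255.255: 139
Allow    TCP    *:*    Server/255.255.255.255: 1025
"""

# Rules constructed here from the guide's Xbox port list (destination is a wildcard).
GAMING_POLICY_TEXT = """
Allow    UDP    *:*    *:88
Allow    UDP    *:*    *:53
Allow    UDP    *:*    *:3074
Allow    TCP    *:*    *:3074
Allow    TCP    *:*    *:22042
Allow    TCP    *:*    *:22043-22050
Allow    UDP    *:*    *:22043-22050
Allow    UDP    *:*    *:13139
Allow    UDP    *:*    *:6500
"""

@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "block"
    proto: str         # "TCP", "UDP" or "*"
    src: Net
    src_ports: PortRange
    dst: Net
    dst_ports: PortRange

def _parse_ports(text: str) -> PortRange:
    if text == "*":
        return None
    lo, _, hi = text.partition("-")
    return (int(lo), int(hi or lo))

def _parse_host(text: str) -> Net:
    if text == "*":
        return None
    host, _, mask = text.partition("/")
    # ipaddress accepts a dotted mask or a prefix length as the second element.
    return ipaddress.IPv4Network((host, mask or 32), strict=False)

def parse_rule(line: str) -> Rule:
    """Parse one line such as 'Allow TCP *:* Server/255.255.255.255: 88'."""
    fields = re.sub(r":\s+", ":", line.strip()).split()  # drop space after ':'
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields in policy line: {line!r}")
    action, proto, src, dst = fields
    for name, addr in NAMES.items():  # substitute symbolic server names
        src, dst = src.replace(name, addr), dst.replace(name, addr)
    src_host, src_port = src.rsplit(":", 1)
    dst_host, dst_port = dst.rsplit(":", 1)
    return Rule(action.lower(), proto.upper(), _parse_host(src_host),
                _parse_ports(src_port), _parse_host(dst_host), _parse_ports(dst_port))

def parse_policy(text: str) -> List[Rule]:
    return [parse_rule(line) for line in text.splitlines() if line.strip()]

def _match(net: Net, ports: PortRange, ip: str, port: int) -> bool:
    if net is not None and ipaddress.IPv4Address(ip) not in net:
        return False
    return ports is None or ports[0] <= port <= ports[1]

def evaluate(rules: List[Rule], proto: str, src_ip: str, src_port: int,
             dst_ip: str, dst_port: int) -> str:
    """Return 'allow' or 'block' for one flow: first match wins, default deny."""
    for r in rules:
        if r.proto in ("*", proto.upper()) \
                and _match(r.src, r.src_ports, src_ip, src_port) \
                and _match(r.dst, r.dst_ports, dst_ip, dst_port):
            return r.action
    return "block"

DOMAIN_RULES = parse_policy(DOMAIN_POLICY_TEXT)
GAMING_RULES = parse_policy(GAMING_POLICY_TEXT)
```

Running `evaluate(DOMAIN_RULES, "TCP", "192.168.10.20", 51000, "10.0.0.5", 88)` returns `allow`, while the same flow to 10.0.0.6 returns `block`, which shows why the 255.255.255.255 mask in the guide's lines matters: the Unauthenticated role is opened only towards the named domain controller, not towards the whole subnet. Likewise UDP to port 139 is blocked because the guide lists that port for TCP only.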