topic ISE AD communication in Network Access Control

ISE AD communication

Hagen Winck — Mon, 11 Mar 2019 06:33:29 GMT

Hi,

need to understand the communication between ISE and AD for discussions with the AD guys.

From what I've learnt from documentation the following different users are:

ISE machine user

to join AD (permissions: search AD for ISE machine, create ISE machine, set password, SPN, dnsHostname)

to leave AD (permissions: search AD for ISE machine and remove ISE machine)

Test user

A virtual computer account with permissions just like a real existing machine to be used for troubleshooting the authentication process on ISE to easily test the communication ISE/AD.

Domain user with permanent access without need for a password change, permissions to read user and member accounts in root domain

Questions:

Am I right that ISE uses these above different users?

Where can I find deeper information about ISE / AD communication?

Thanks,

Hagen

This document should answer

Jatin Katyal — Wed, 09 Mar 2016 10:02:25 GMT

This document should answer all your questions around ISE & AD communication. Let me know if you have any questions.

~ Jatin

Hi Jatin,

Hagen Winck — Wed, 09 Mar 2016 10:22:33 GMT

Hi Jatin,

thanks for link posted, but that information is not sufficient.

To authenticate any client user/machine against AD an ordinary domain user with read access seems to be sufficient.

The documentation is speaking about join/leave/configuring ISE machine account (which could be done without AD administrator rights). It seems that the role of ISE is something like a member server of AD forest, but isn't described exactly.

To discuss this with AD administrators you need more precise information and that is what I'm looking for.

Thanks,

Hagen