topic Re: ISE AD Join - saving creds yes or no? in Network Access Control

ISE AD Join - saving creds yes or no?

Arne Bier — Sat, 13 Mar 2021 02:17:56 GMT

Hello

I have read/heard two completely different reasons/theories why ISE allows the AD user creds to be saved at the time of joining an Active Directory domain. I have to say I never save the creds and I have yet to see the point of it:

1) Saving creds allows the PAN to easily join any nodes that are registered in the future without needing to enter the creds again.

2) Saving creds is required to allow the AD profiler probe to work

I am comfortable with reason one and I don’t care if I have to enter the creds for each new ise node I register.
But point two concerns me. Does the AD profiler probe really need this ? I have not tested but I was fairly sure that my AD probes work without saving AD creds.

Does anyone know the real use case for saving AD creds? I can’t find an answer in the manuals.

Re: ISE AD Join - saving creds yes or no?

Damien Miller — Sat, 13 Mar 2021 02:26:04 GMT

Straight from the admin guide.

"The credentials that are used for the join or leave operation are not stored in Cisco ISE. Only the newly created Cisco ISE machine account credentials are stored, which enables the Endpoint probe to run."

The machine account is just an object in AD, the username/password you use to join isn't saved in any way. I can confirm this is the case, I have a customer that used temporary admin accounts for joining that were deleted/destroyed after 15 minutes. Everything worked as expected.

Re: ISE AD Join - saving creds yes or no?

Arne Bier — Sat, 13 Mar 2021 04:13:06 GMT

Thanks Damien. In your case, were you reliant on the AD probe and was it still working?
I don’t understand what the Admin guide means by “ [credentials] are not stored in Cisco ISE. Only the newly created Cisco ISE machine account credentials are stored”. Probably badly phrased but it seems to contradict itself.

I am still none the wiser why ISE has an option to store credentials if it’s apparently not required in any way.

Re: ISE AD Join - saving creds yes or no?

thomas — Sat, 13 Mar 2021 19:34:15 GMT

The Store Credentials checkbox appeared in ISE 2.2 based on Admin Guide diffs. I will say after reading it, it is still not terribly obvious but my interpretation is that it saves the credentials for subsequent joins of PSNs in a large deployment if you do not join them all at once:

Enter the Active Directory username and password from the Join Domain dialog box that opens.
It is strongly recommended that you choose Store credentials, in which case your administrator's user name and password will be saved in order to be used for all Domain Controllers (DC) that are configured for monitoring.

Re: ISE AD Join - saving creds yes or no?

Arne Bier — Sat, 13 Mar 2021 22:42:17 GMT

Thanks Thomas. So the Admin Guide reference about AD Probe is not correct?

I think this needs to be documented correctly once and for all.

I don’t have a lab to verify whether AD probe works when you do not save credentials. Knowing that would be awesome.

Re: ISE AD Join - saving creds yes or no?

thomas — Sat, 13 Mar 2021 23:03:48 GMT

OK, let me send this off for an authoritative answer and get the admin guide updated.