topic Re: Join ISE to AD domain in Network Access Control

Join ISE to AD domain

dgaikwad — Thu, 15 Dec 2022 10:41:07 GMT

Hi Experts,
We are in the process of joining a crashed back to AD.
Issue:
AD user has certain rights removed due to security concerns.
It was later determined that this user will need to have domain admin rights to be able to join AD.

AD team has a concern regarding this assignment of rights for the user.
The question is does this user utilise LSA (Local Security Authority) to perform read/write operations in AD?

Due to this concern we are stuck since 2 months and going in circles...!

Any suggestions?

Re: Join ISE to AD domain

Rob Ingram — Thu, 15 Dec 2022 10:34:37 GMT

@dgaikwad the user account does not need domain admin rights to join the ISE node to AD.

Once the ISE node is joined to the AD domain, a machine account is created - the link below lists the permissions required for that machine account, if you wish to restrict its permissions.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/217351-ad-integration-for-cisco-ise-gui-and-cli.html

Re: Join ISE to AD domain

dgaikwad — Fri, 16 Dec 2022 07:38:38 GMT

Thanks for the info.
I was going through the document, and the document does talk about mandatory domain rights:

Thus there is this concern if the LSA is being utilised to make changes to the AD domain.

Re: Join ISE to AD domain

dgaikwad — Wed, 18 Jan 2023 07:31:41 GMT

The issue has been resolved and confirmed that domain rights are needed to join AD.
The domain rights are only utilised during the creation of the machine account in AD, post that domain rights are not needed.