关于AD账号的权限,ISE 1.2的user guide是这样写的:
The Active Directory username that you provide when joining to an Active Directory domain should be predefined in Active Directory and must have one of the following permissions:
– Add the workstation to the domain to which you are trying to connect.
– On the computer where the Cisco ISE account was created, establish permissions for creating or deleting computer objects before joining Cisco ISE to the domain.
– Permissions for searching users and groups that are required for authentication.
After you join Cisco ISE to the Active Directory domain, you will still need these permissions to:
– Join any secondary Cisco ISE servers to this domain
– Back up or restore data
– Upgrade Cisco ISE to a higher version, if the upgrade process involves a backup and restore
user guide:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_man_id_stores.html#pgfId-1317829