1201 Views, 0 Helpful, 2 Replies

Cisco ISE - AD & Group Managed Service accounts

dselfridge
Level 1

We're about to deploy Cisco ISE to a customer site and they have asked the question...

"Will ISE work with a Group Managed Service Account?    These are service accounts that have their passwords changed periodically."

Now, I'm assuming that if the password changes and Cisco ISE supports gMSA, then it will 'learn' the new password and won't get cut off from AD?

TIA

Dan

2 Accepted Solutions

2 Replies

Jason Kunst
Cisco Employee
The account is used for adding ISE as a computer. Once the computer account is added then it should be fine.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_F19556CAD5C949B58DF89334E2C6255D

hslai
Cisco Employee

Like Jason Kunst posted, the ISE AD runtime is similar to any Windows PC in that it uses its own computer account in AD to authenticate AD users and retrieve their attributes for authorization.

The places where ISE needs an AD user password stored are:

  • LDAP -- use AD as an LDAPv3 ID store
  • AD providers in Passive ID -- retrieve Kerberos security events from AD DCs.

These two functions are not currently working with the gMSA password change mechanism, so we would need to update the passwords manually if such accounts are used.
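As an added example (not code from the thread or from Cisco), a PowerShell check for the case hslai describes: for each gMSA whose password has been entered by hand into ISE (LDAP ID store bind account or Passive ID AD provider), read the gMSA's managed-password interval and last-set time from AD and report when the copy stored in ISE goes stale. The account names are hypothetical placeholders; it assumes the ActiveDirectory module and read access to the gMSA objects.

```powershell
# Added example: track gMSA rotation for accounts whose password is stored in ISE.
# Assumes the ActiveDirectory RSAT module is installed and the caller can read gMSA objects.
Import-Module ActiveDirectory

# Hypothetical placeholder names; replace with the accounts actually configured in ISE.
$iseStoredPasswordAccounts = @('svc-ise-ldap$', 'svc-ise-passiveid$')

function Get-IseGmsaRotationStatus {
    param([string[]]$SamAccountNames)

    $now = Get-Date
    foreach ($name in $SamAccountNames) {
        $acct = Get-ADServiceAccount -Identity $name `
            -Properties PasswordLastSet, 'msDS-ManagedPasswordInterval'

        # msDS-ManagedPasswordInterval is fixed at creation; AD defaults it to 30 days when unset.
        $intervalDays = $acct.'msDS-ManagedPasswordInterval'
        if (-not $intervalDays) { $intervalDays = 30 }

        # The DC rotates the managed password after the interval; the string typed into ISE
        # does not follow that rotation, so this is the date by which ISE must be updated.
        $nextRotation = $acct.PasswordLastSet.AddDays($intervalDays)

        [pscustomobject]@{
            Account         = $acct.SamAccountName
            PasswordLastSet = $acct.PasswordLastSet
            IntervalDays    = $intervalDays
            NextRotation    = $nextRotation
            DaysRemaining   = [int]($nextRotation - $now).TotalDays
            Action          = if ($nextRotation -le $now) {
                                  'Rotated: the password stored in ISE is now stale, update it'
                              } else {
                                  'No action yet'
                              }
        }
    }
}

Get-IseGmsaRotationStatus -SamAccountNames $iseStoredPasswordAccounts | Format-Table -AutoSize
```

Run it from a scheduled task a day or two before each expected rotation so the ISE LDAP or Passive ID configuration is updated before AD rejects the old credential.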