
Cisco Employee

ISE Active Directory Account Privileges

Is it possible to have ISE join the domain with a privileged account and then, once joined, switch to an account that is read-only?  It may be the same account that is changed to read-only access.  Customer would like to have the ISE AD account be read-only.

1 ACCEPTED SOLUTION
Enthusiast

Re: ISE Active Directory Account Privileges

The AD Join for ISE is similar to joining a workstation to a domain.  When you do the join, it is a one-time join to the domain and not binding to a directory using a service account.  As long as you have permissions to make the join, that is all that is required.  Once the machine is part of the domain, that account is not used anymore...


With one caveat on use cases:

If you have the desire to use Passive Identity in your deployment, then ISE can query domain controllers for events to determine the identity passively.  For that you need to configure it properly and have the credentials presented via WMI or Agent.  For that, please review the permissions required on that account and then configure that separately.

Cisco Identity Services Engine Administrator Guide, Release 2.3 - Manage Users and External Identity Sources [Cisco Ide…

3 REPLIES

Re: ISE Active Directory Account Privileges

When ISE is joined to the Active Directory, it creates an object in the AD. The account should have the correct permissions to create that object; however, once created, the permissions that matter are the ones from the object, not the account.

In the scenario that you are posting, creating the object with a privileged account and then changing the permissions of that account should not affect it, as the object would have been created with the privileged account.

Alberto Lozada

CCIE #41132 Security

Cisco Employee

Re: ISE Active Directory Account Privileges

Both Jared and Alberto are correct. In the ISE admin guide, Active Directory Account Permissions Required for Performing Various Operations lists out the permissions.
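The following PowerShell script is an added example (not from this thread, and not Cisco's own tooling) that verifies what Jared and Alberto describe: after the one-time join, the ISE computer object carries the rights that matter, so the join account can be reduced to read-only and audited. It assumes the ActiveDirectory module is installed; the node name `ise-psn-01` and the account name `svc-ise-join` are placeholders.

```powershell
# Added example: verify the post-join state of an ISE node in Active Directory.
# Assumed placeholder names; replace with your own.
Import-Module ActiveDirectory

$IseNodeName = 'ise-psn-01'     # assumed ISE node hostname (computer object name)
$JoinAccount = 'svc-ise-join'   # assumed account that performed the one-time join

# 1. The join created a computer object. Confirm it exists, is enabled, and
#    carries the SPNs ISE registered, which is what Kerberos relies on from now on.
$comp = Get-ADComputer -Identity $IseNodeName `
    -Properties Enabled, whenCreated, servicePrincipalName
if (-not $comp.Enabled) {
    Write-Warning "Computer object $IseNodeName is disabled; authentication will fail."
}
"{0} created {1}" -f $comp.DistinguishedName, $comp.whenCreated
$comp.servicePrincipalName

# 2. After the join the permissions that matter live on the object, not on the
#    join account. List the explicit (non-inherited) ACEs and the object owner.
#    Note: the creator of the object normally becomes its owner, and an owner can
#    always rewrite the object's ACL, so the owner is worth reviewing as well.
$acl = Get-Acl -Path "AD:\$($comp.DistinguishedName)"
"Owner: $($acl.Owner)"
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

# 3. Any ACE that still names the join account shows rights that survive a
#    group-membership change on the account; review these explicitly.
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$JoinAccount" } |
    Select-Object ActiveDirectoryRights, AccessControlType, IsInherited

# 4. Show what the join account is still a member of. Since the account is not
#    used after the join, anything beyond Domain Users is a candidate for removal.
Get-ADPrincipalGroupMembership -Identity $JoinAccount |
    Select-Object -ExpandProperty Name
```

If Passive Identity is in use, repeat steps 3 and 4 for the separate account that ISE presents over WMI or the agent; that account has its own permission requirements from the admin guide and should not simply reuse the join account.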
