ISE join windows domain

donnie
Level 1

Hi all,

I have a cluster of 2x ISE running on VMs that is joined to a Windows domain.

Is it mandatory that the password of the domain account used to join ISE to the Windows domain be set to "not expire"?

The passwords of my domain accounts expire every 60 days, and so far my ISE has been running for more than 60 days without issue.

TIA!

3 Accepted Solutions

Damien Miller
VIP Alumni
No, the account you join ISE to AD with is only used once, to create the ISE machine account. ISE will from then on leverage the machine account it creates in the directory to look up users/groups.

So no worries, you will continue running; there is no need for a user service account.


Hi,

When Cisco ISE is integrated with AD, the admin user account used is only for the purpose of orchestrating the AD and ISE together; that's a valid user account with admin privileges.

After this first stage, nothing more is used by ISE regarding that user account. The account credentials might have changed due to AD policy, but this will never affect the ISE/AD integration, because the initial trust has already been built when the user account was valid and the service account was created on AD.

Saying the above does not mean that, when you delete the AD and want to re-join the AD with ISE, you can use the previous credentials: you will have to use your new, changed user credentials, not the ones used before deletion.

But on the Admin access settings, if authentication is set to an external source (AD), this means that once your password expires, you will not have access to the ISE GUI until that has been rectified; this is completely independent of the AD/ISE integration.


Hi @Afolarin Omole

Saving the credentials during the AD join is used when you are using the AD Probe for Profiling. That's according to the guy from labminutes.com; it needs those creds, apparently. I cannot say for sure because I have never used AD Probes before, but I would believe him.

In all of my cases, I never save the AD creds during a join, and in many cases we don't even specify the OU. When you look in the AD browser on the Windows server, you can locate the ISE machine account and move it wherever you like in the directory tree. ISE is not impacted/affected by the machine account move.

regards

Arne

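The three answers above make a practical distinction: the user account used for the join is consumed once, the machine accounts ISE creates carry their own passwords, and only an AD account used for ISE GUI administration is affected by password expiry. The script below is an added example, not code from this thread or from Cisco, that audits those accounts from a domain-joined Windows host with the RSAT ActiveDirectory module. The ISE node names (ise-pan-01, ise-pan-02), the join account (svc-ise-join), the admin account (donnie), the target OU and the assumption that the machine accounts are named after the ISE node hostnames are all hypothetical; substitute your own.

```powershell
# Added example (not from the thread or from Cisco): audit the AD accounts
# involved in an ISE/AD join.
#   1. machine accounts ISE created at join time (assumed, hypothetically,
#      to be named after the ISE node hostnames),
#   2. the user account used once for the join (expiry does not matter),
#   3. the AD account used for ISE GUI admin access (expiry locks you out).
# All names below are hypothetical. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$IseNodes    = @('ise-pan-01', 'ise-pan-02')       # hypothetical ISE node names
$JoinAccount = 'svc-ise-join'                      # hypothetical join account
$AdminUser   = 'donnie'                            # hypothetical GUI admin account
$TargetOu    = 'OU=ISE,OU=Servers,DC=corp,DC=example'  # hypothetical OU for a move

function Get-PasswordExpiryInfo {
    # Returns when a user account's password expires, using the DC-computed
    # msDS-UserPasswordExpiryTimeComputed attribute (a FILETIME value).
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties PasswordNeverExpires,
        PasswordLastSet, PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed'
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'

    if ($u.PasswordNeverExpires -or $raw -eq [int64]::MaxValue) {
        $expires = 'never'
    } elseif ($null -eq $raw) {
        $expires = 'unknown'
    } elseif ($raw -eq 0) {
        $expires = 'must change at next logon'
    } else {
        $expires = [datetime]::FromFileTime($raw)
    }

    [pscustomobject]@{
        Account         = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        Expires         = $expires
        Expired         = $u.PasswordExpired
    }
}

function Get-IseMachineAccountInfo {
    # The machine account has its own password, set and rotated by ISE, so
    # PasswordLastSet here is independent of the join user's password.
    param([Parameter(Mandatory)][string]$NodeName)

    $c = Get-ADComputer -Identity $NodeName -Properties PasswordLastSet, whenCreated, Enabled
    [pscustomobject]@{
        Node              = $c.Name
        DistinguishedName = $c.DistinguishedName
        Created           = $c.whenCreated
        PasswordLastSet   = $c.PasswordLastSet
        Enabled           = $c.Enabled
    }
}

Write-Host "== ISE machine accounts (created by ISE at join time) =="
$IseNodes | ForEach-Object { Get-IseMachineAccountInfo -NodeName $_ } | Format-List

Write-Host "== Join account: expiry here does NOT break the integration =="
Get-PasswordExpiryInfo -SamAccountName $JoinAccount | Format-List

Write-Host "== GUI admin account: expiry here DOES block ISE admin login =="
Get-PasswordExpiryInfo -SamAccountName $AdminUser | Format-List

# Relocating the machine account, as described above, is a plain AD object
# move. -WhatIf previews the move; drop it to actually perform it.
foreach ($node in $IseNodes) {
    $dn = (Get-ADComputer -Identity $node).DistinguishedName
    Move-ADObject -Identity $dn -TargetPath $TargetOu -WhatIf
}
```

Run it as a user with read access to the accounts (and, without -WhatIf, with rights to move objects into the target OU). The join account section is informational only; the admin account section is the one to watch if ISE admin authentication points at AD.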

4 Replies


@Arne Bier

Yes, no one does. The AD credentials used for administration purposes change whenever passwords expire, but that does not affect the AD join credentials that were used during AD integration (it won't affect the AD integration). We only use the AD user credentials once to integrate the AD, and that is all; even if the password expires, it doesn't affect the already-integrated AD. But if you delete the AD from ISE and want to re-join that AD after the previous user credentials have expired and changed, then you will need to use the current AD user password credentials that you changed to.

This means that if the user credentials used before deletion have expired and changed, you have to use the new ones you changed to, in the case described above.

User admin credentials configuration example using AD, attached as image 1: this is saying that for access to the ISE GUI you need your AD credentials; once these expire on the AD side, you won't get access until the expired password is reset/changed; then you can use the new password to access the GUI for administration purposes.

For AD/ISE integration:

NOTE: once this has been integrated, that is all; even if the password expires, it doesn't matter until such time as you delete the AD for any reason and want to re-join it to ISE (maybe AD upgrades etc.). If one has already changed the expired password to a new one, then in this case you need the new user credentials to integrate ISE with AD.

Yes, we don't use OUs as such, but I have in a past role, depending on customer requirements, and I would say I find it flexible and interesting/granular. With this you can NAC users down to AD and even restrict users based on that; lastly, we can incorporate AD security into ISE as well in terms of blacklisted endpoints/users. What do you think, guys?

 
