AD Password Change in ISE

d_p_grant
Level 1

We're running ISE 1.1 for guest services.  We use Active Directory for Sponsor Portal login, as well as for administration of the ISE itself.  Our corporate policy requires a password change for service accounts, and the service account password we use for ISE to connect into AD expires in a few days.  So I changed the password on the account, but how do I tell this to ISE?  I don't see anything in the documentation, only some references to only use non-expiring accounts to connect to AD.  This made me laugh.  If our corporate policy was that lax, we'd never have purchased ISE.

1) Is there a way to communicate this to ISE?  Or is leave and then join the only way?  Will that even work?

2) I see that after the password change, ISE continues to work fine.  Does it only synch with AD periodically?  On reboot, or every X hours?  Right now things are working, but I'm afraid as soon as I turn my back it will stop.

2 Replies

jrabinow
Level 7

The password is only used on a leave and join operation to maintain connection to the domain, and ISE does not store the password information itself in the ISE database. Join and leave operations are only performed at explicit operator request and none will be performed under the covers.

So a join and leave would be required to ensure ISE is now connected with the new password. But as long as the password change itself does not cause the account to be disconnected (and it does not look like it does, and I don't think it should), then this is not strictly required, although it may be a good practice.

As far as I know it will try to join the domain every time it reboots.

Also notice that if you have a distributed ISE deployment, each ISE appliance joins the domain independently.