cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1221
Views
5
Helpful
1
Replies
laurathaqi
Participant

Cisco ISE 3.0 Agentless - local admin privileges' for ISE agentless posture

Dear community, 

 

I have come to a point I want to setup Agentless Posture on my ISE 3.0 deployment project. Based on the documentation, I have read following: "Client credentials for shell login must have local admin privileges". My client does not want to give local admin privilege's to end users domain accounts.

There is a proposal on the table as following: "To create a user account for all the branches/domain computers, this user account to have local admin privilege's, that will be able to open/run PowerShell as an Administrator". The user will be thrown to the endpoints via Microsoft GPO. 

 

However, my questions are as following: Does ISE credentials need to have local admin privileges' to only run PowerShell as an administrator, or is there some other reason that these privileges needs to be allowed to all the Domain User Accounts? 

If its only to open PowerShell as an administrator, then I believe we can do so with the noted option of creating a user account specifically for that task of "Run as Administrator" in PowerShell, and nothing else!. But giving domain users local admin privileges' sounds ambiguous and not accepted as a solution!? 

 

So far in the Cisco ISE 3.0 documentation, I could only find information about this feature that this needs to be enabled, but not specific reasons of why and how the end to end flow/use case works. And/or any other workarounds.

 

Any suggestion or information would be highly appreciated. 

 

Thank you,

Laura 

 

 

1 REPLY 1
hslai
Cisco Employee

The credentials used by ISE need to be able to copy files from ISE to the target client devices, to install the ISE certificate chain, and then to run the script to run the "agentless" binary for the assessment.

Our teams only vetted this feature with local admin users. You may always try and see if it would work with a user with more limited privileges.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube