Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2140
Views
5
Helpful
1
Replies

Cisco ISE 3.0 Agentless - local admin privileges' for ISE agentless posture

laurathaqi
Participant
Participant

‎02-03-2021 06:17 AM

Dear community, 

 

I have come to a point I want to setup Agentless Posture on my ISE 3.0 deployment project. Based on the documentation, I have read following: "Client credentials for shell login must have local admin privileges". My client does not want to give local admin privilege's to end users domain accounts.

There is a proposal on the table as following: "To create a user account for all the branches/domain computers, this user account to have local admin privilege's, that will be able to open/run PowerShell as an Administrator". The user will be thrown to the endpoints via Microsoft GPO. 

 

However, my questions are as following: Does ISE credentials need to have local admin privileges' to only run PowerShell as an administrator, or is there some other reason that these privileges needs to be allowed to all the Domain User Accounts? 

If its only to open PowerShell as an administrator, then I believe we can do so with the noted option of creating a user account specifically for that task of "Run as Administrator" in PowerShell, and nothing else!. But giving domain users local admin privileges' sounds ambiguous and not accepted as a solution!? 

 

So far in the Cisco ISE 3.0 documentation, I could only find information about this feature that this needs to be enabled, but not specific reasons of why and how the end to end flow/use case works. And/or any other workarounds.

 

Any suggestion or information would be highly appreciated. 

 

Thank you,

Laura 

 

 

0 Helpful
1 Reply 1

hslai
Cisco Employee
Cisco Employee

‎02-04-2021 09:02 PM

The credentials used by ISE need to be able to copy files from ISE to the target client devices, to install the ISE certificate chain, and then to run the script to run the "agentless" binary for the assessment.

Our teams only vetted this feature with local admin users. You may always try and see if it would work with a user with more limited privileges.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents