Cisco ISE 3.0 Agentless - local admin privileges' for ISE agentless posture

laurathaqi · ‎02-03-2021

Dear community,

I have come to a point I want to setup Agentless Posture on my ISE 3.0 deployment project. Based on the documentation, I have read following: "Client credentials for shell login must have local admin privileges". My client does not want to give local admin privilege's to end users domain accounts.

There is a proposal on the table as following: "To create a user account for all the branches/domain computers, this user account to have local admin privilege's, that will be able to open/run PowerShell as an Administrator". The user will be thrown to the endpoints via Microsoft GPO.

However, my questions are as following: Does ISE credentials need to have local admin privileges' to only run PowerShell as an administrator, or is there some other reason that these privileges needs to be allowed to all the Domain User Accounts?

If its only to open PowerShell as an administrator, then I believe we can do so with the noted option of creating a user account specifically for that task of "Run as Administrator" in PowerShell, and nothing else!. But giving domain users local admin privileges' sounds ambiguous and not accepted as a solution!?

So far in the Cisco ISE 3.0 documentation, I could only find information about this feature that this needs to be enabled, but not specific reasons of why and how the end to end flow/use case works. And/or any other workarounds.

Any suggestion or information would be highly appreciated.

Thank you,

Laura

hslai · ‎02-04-2021

The credentials used by ISE need to be able to copy files from ISE to the target client devices, to install the ISE certificate chain, and then to run the script to run the "agentless" binary for the assessment.

Our teams only vetted this feature with local admin users. You may always try and see if it would work with a user with more limited privileges.