Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
445
Views
3
Helpful
4
Replies

Cisco ISE and Active directory

Go to solution
iran
Level 1
Level 1

‎01-17-2024 09:28 AM

Hello,

I would like to clarify a quick doubt regarding the integration between Cisco ISE and Active Directory.

What privileges do the AD user that we use to integrate Cisco ISE with the active directory need to have?
Should it have admin privileges or it is enough to be a normal AD user?

iran_2-1705512183595.png
I was checking this documentation (link) however it is not very clear to me.

iran_0-1705512367056.png

Thank you in advance.

 

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎01-17-2024 12:35 PM

Often we cheat and use an Administrator account, but this is overkill. The user must be able to either Create or Update a machine account in AD.

In larger customer environments, I find it useful to request that the AD Team create an account just for this purpose with limited access. And then hand over the credentials to the ISE team. Because if at any time in the future, an ISE node must be re-joined to the AD (e.g. after a node rebuild) then you can easily do this without having to beg the AD team to do this for you.  Put the creds in a secure password vault and let the ISE admins know about it.

View solution in original post

Go to solution
Arne Bier
VIP
VIP
In response to iran

‎01-17-2024 04:59 PM

It's a bit subtle.  If you create the most basic user in AD, with a username of say, svc-ise and a valid password, then that user account is only a member of Domain Users (at least on my Windows Server 2019).  That user can join ISE nodes to the AD Domain. 

But. If the ISE computer object already exists in AD, then that basic user cannot re-join the same ISE node if it's not the owner of that object (or the one that created the object). It needs elevated permissions to Edit Computer objects created by another user. I am no MS whiz kid - but this is what I learned by testing this in the lab. MS Server folks will know how to translate that into a safe privilege setting for the svc-ise user account.

View solution in original post

4 Replies 4

Go to solution
MHM Cisco World
VIP
VIP

‎01-17-2024 09:35 AM

  1. Verify that you have the privileges of a Super Admin or System Admin in ISE.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/215233-identity-service-engine-ise-and-active.html

MHM

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎01-17-2024 12:35 PM

Often we cheat and use an Administrator account, but this is overkill. The user must be able to either Create or Update a machine account in AD.

In larger customer environments, I find it useful to request that the AD Team create an account just for this purpose with limited access. And then hand over the credentials to the ISE team. Because if at any time in the future, an ISE node must be re-joined to the AD (e.g. after a node rebuild) then you can easily do this without having to beg the AD team to do this for you.  Put the creds in a secure password vault and let the ISE admins know about it.

Go to solution
iran
Level 1
Level 1
In response to Arne Bier

‎01-17-2024 04:12 PM

Thank you so much for the quick reply.
According to your explanation, any AD user account will be enough (for example, a personal AD account), correct?



0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to iran

‎01-17-2024 04:59 PM

It's a bit subtle.  If you create the most basic user in AD, with a username of say, svc-ise and a valid password, then that user account is only a member of Domain Users (at least on my Windows Server 2019).  That user can join ISE nodes to the AD Domain. 

But. If the ISE computer object already exists in AD, then that basic user cannot re-join the same ISE node if it's not the owner of that object (or the one that created the object). It needs elevated permissions to Edit Computer objects created by another user. I am no MS whiz kid - but this is what I learned by testing this in the lab. MS Server folks will know how to translate that into a safe privilege setting for the svc-ise user account.

Customers Also Viewed These Support Documents