10-06-2017 10:22 AM
Is it possible to have ISE join the domain with a privileged account and then, once joined, switch to an account that is read-only? It may be the same account that is changed to read-only access. Customer would like to have the ISE AD account be read-only.
10-06-2017 11:14 AM
The AD Join for ISE is similar to joining a workstation to a domain. When you do the join, it is a one-time join to the domain and not binding to a directory using a service account. As long as you have permissions to make the join, that is all that is required. Once the machine is part of the domain, that account is not used anymore...
With one caveat on use cases:
If you have the desire to use Passive Identity in your deployment, then ISE can query domain controllers for events to determine the identity passively. For that you need to configure it properly and have the credentials presented via WMI or Agent. For that, please review the permissions required on that account and then configure that separately.
10-06-2017 02:13 PM
When ISE is joined to the Active Directory, it creates an object in the AD. The account should have the correct permissions to create that object; however, once created, the permissions that matter are the ones from the object, not the account.
In the scenario that you are posting, creating the object with a privileged account and then changing the permissions of that account should not affect it, as the object would be created with the privileged account.
Alberto Lozada
CCIE #41132 Security
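Both answers above come down to the same check: after the one-time join, the thing that carries permissions is the computer object in AD, not the join account. The PowerShell below is an added example (not from this thread or from Cisco) for verifying that on a domain controller or a host with the ActiveDirectory RSAT module: it confirms the ISE machine account exists, shows who owns it and what explicit rights the join account still holds on it, and lists the join account's group memberships so you know what you are removing before you reduce it to read-only. The node name and account name are placeholders to replace with your own.

```powershell
# Added example, not part of the original thread. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Assumption: machine account name of the ISE node; replace with your node's name.
$IseNodeName = 'ISE-PSN-01'
# Assumption: the account that performed the one-time join; replace with yours.
$JoinAccount = 'CONTOSO\svc-ise-join'

# 1. The join creates a computer object; confirm it is there.
$computer = Get-ADComputer -Identity $IseNodeName -Properties whenCreated, OperatingSystem

# 2. Access from here on is governed by the object's ACL, not by the join account.
$acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
"Object : {0}" -f $computer.DistinguishedName
"Created: {0}" -f $computer.whenCreated
"Owner  : {0}" -f $acl.Owner

# 3. Show any explicit (non-inherited) rights the join account holds on the object.
#    An empty result means reducing that account changes nothing for the ISE object.
$acl.Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $JoinAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
    Format-Table -AutoSize

# 4. Review the join account's group memberships before trimming it to read-only.
$samAccountName = $JoinAccount.Split('\')[-1]
Get-ADPrincipalGroupMembership -Identity $samAccountName |
    Select-Object Name, GroupCategory |
    Format-Table -AutoSize
```

If you later enable Passive Identity with WMI, rerun step 4 against the account you give ISE for that purpose; those are separate permissions from the join and are checked separately, as Jared notes above.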
10-06-2017 09:10 PM
Both Jared and Alberto are correct. In the ISE admin guide, Active Directory Account Permissions Required for Performing Various Operations lists out the permissions.