03-09-2016 12:48 AM - edited 03-10-2019 11:33 PM
Hi,
I need to understand the communication between ISE and AD for discussions with the AD guys.
From what I've learnt from the documentation, the following different users are used:
ISE machine user
to join AD (permissions: search AD for ISE machine, create ISE machine, set password, SPN, dnsHostname)
to leave AD (permissions: search AD for ISE machine and remove ISE machine)
Test user
A virtual computer account with permissions just like a real existing machine to be used for troubleshooting the authentication process on ISE to easily test the communication ISE/AD.
Domain user with permanent access (no need for a password change) and permissions to read user and member accounts in the root domain
Questions:
Am I right that ISE uses these above different users?
Where can I find deeper information about ISE / AD communication?
Thanks,
Hagen
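The join/leave permissions listed above (search for and create the ISE machine object, set its password, SPN and dnsHostName, and remove it again) can be delegated on a single OU instead of giving the join account domain-admin rights. The following PowerShell is an added example for discussing that delegation with AD administrators; it is not from Cisco documentation or from this thread. The OU `OU=ISE-Nodes,DC=example,DC=local` and the account `svc-ise-join` are placeholders; the GUIDs are the standard AD schema identifiers for the computer class, the Reset Password extended right, and the servicePrincipalName and dNSHostName attributes. Searching the directory needs no extra grant, because Authenticated Users already have read access by default.

```powershell
# Added example, not Cisco's or the thread author's code.
# Assumptions: the OU and the account below exist; run as an account allowed to edit the OU's ACL.
Import-Module ActiveDirectory

$ouDN     = "OU=ISE-Nodes,DC=example,DC=local"   # placeholder OU where ISE nodes are joined
$joinName = "svc-ise-join"                       # placeholder join/leave account
$sid      = (Get-ADUser -Identity $joinName).SID

# Well-known AD schema / extended-right GUIDs
$computerClass   = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"  # computer objectClass
$resetPassword   = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" extended right
$spnAttr         = [Guid]"f3a64788-5306-11d1-a9c5-0000f80367c1"  # servicePrincipalName attribute
$dnsHostNameAttr = [Guid]"72e39547-7b18-11d1-adef-00c04fd8d5cd"  # dNSHostName attribute

$acl = Get-Acl -Path "AD:\$ouDN"

# Join / leave: create and delete computer objects in this OU only
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "CreateChild, DeleteChild", "Allow", $computerClass, "None")))

# On computer objects beneath the OU: reset password, write SPN, write dNSHostName
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "ExtendedRight", "Allow", $resetPassword, "Descendents", $computerClass)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "WriteProperty", "Allow", $spnAttr, "Descendents", $computerClass)))
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "WriteProperty", "Allow", $dnsHostNameAttr, "Descendents", $computerClass)))

Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show exactly what the join account was granted on the OU, nothing more
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$joinName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

The verification step at the end is the part worth showing the AD team: the account can create or remove computer objects in that one OU and manage the password, SPN and dNSHostName of computers under it, and has no rights anywhere else in the domain.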
03-09-2016 02:02 AM
This document should answer all your questions around ISE & AD communication. Let me know if you have any questions.
~ Jatin
03-09-2016 02:22 AM
Hi Jatin,
thanks for the link posted, but that information is not sufficient.
To authenticate any client user/machine against AD an ordinary domain user with read access seems to be sufficient.
The documentation is speaking about joining/leaving/configuring the ISE machine account (which could be done without AD administrator rights). It seems that the role of ISE is something like a member server of the AD forest, but this isn't described exactly.
To discuss this with AD administrators you need more precise information and that is what I'm looking for.
Thanks,
Hagen