Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
648
Views
15
Helpful
4
Replies

ISE AD integration

Tong Zhang
Level 1
Level 1

‎12-10-2014 12:12 PM - edited ‎03-10-2019 10:15 PM

Hi,

 

Very often, when we integrate ISE with customer AD and try to join ISE into domains, customer will ask what kind of service account they'll create for us to use to join the domain.  Based on Cisco documentation, the service account should allow ISE to read the AD user/machine records, and should also "has sufficient privileges to create and remove machine accounts in the domain, or alter the passwords for previously created machine accounts".  Often, the latter part alerts the customer, and we've been pushed back and asked why.  Based on the normal use cases, seems ISE only need to read the record rather than create account, what is the reason we need the capability to create the machine account?  If the credential not support creating machine account, what's the impact?

 

Many thanks in advance!

Tina

Labels:
0 Helpful
4 Replies 4

Marvin Rhoads
Hall of Fame
Hall of Fame

‎12-10-2014 04:42 PM

When you integrate ISE with AD, one of the things done by the service account (or other account used) is to join the ISE servers themselves to AD.

Once that is done, you could probably remove that particular privilege from the defined account if it's inconsistent with organizational security policy.

(Note that a 1.3 upgrade requires rejoining the ISE nodes so the privilege would need to be reinstated during the post-upgrade rejoin.)

Tong Zhang
Level 1
Level 1
In response to Marvin Rhoads

‎12-11-2014 06:38 AM

Marvin, Neno,

 

Many thanks for you guys response!

 

Tina

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Tong Zhang

‎12-11-2014 06:59 AM

Tina,

You're welcome.

Please take a moment to rate helpful posts.

nspasov
Cisco Employee
Cisco Employee

‎12-10-2014 10:49 PM

Hello Tina, Marvin makes a very good point that ISE does not require a "Service Account" like ACS does. With ISE, once the deployment is joined to the domain, the AD account is no longer used so it can be disabled or even deleted. In addition, many of my customers don't even use a "service" account to join ISE. Instead, they use their own account or some other network related account. 

I hope this helps!

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
Customers Also Viewed These Support Documents