Arne Bier
VIP Advisor

ISE AD Join - saving creds yes or no?

Hello

 

I have read/heard two completely different reasons/theories why ISE allows the AD user creds to be saved at the time of joining an Active Directory domain. I have to say I never save the creds and I have yet to see the point of it:

1) Saving creds allows the PAN to easily join any nodes that are registered in the future without needing to enter the creds again. 

2) Saving creds is required to allow the AD profiler probe to work

 

I am comfortable with reason one and I don’t care if I have to enter the creds for each new ISE node I register.
But point two concerns me. Does the AD profiler probe really need this? I have not tested, but I was fairly sure that my AD probes work without saving AD creds.

Does anyone know the real use case for saving AD creds? I can’t find an answer in the manuals. 

 

Accepted Solution
Damien Miller
VIP Advisor

Straight from the admin guide.

"The credentials that are used for the join or leave operation are not stored in Cisco ISE. Only the newly created Cisco ISE machine account credentials are stored, which enables the Endpoint probe to run."

 

The machine account is just an object in AD, the username/password you use to join isn't saved in any way. I can confirm this is the case, I have a customer that used temporary admin accounts for joining that were deleted/destroyed after 15 minutes. Everything worked as expected. 


5 Replies

Thanks Damien. In your case, were you reliant on the AD probe and was it still working? 
I don’t understand what the Admin guide means by “ [credentials] are not stored in Cisco ISE. Only the newly created Cisco ISE machine account credentials are stored”. Probably badly phrased but it seems to contradict itself. 

I am still none the wiser why ISE has an option to store credentials if it’s apparently not required in any way. 

The Store Credentials checkbox appeared in ISE 2.2 based on Admin Guide diffs. I will say after reading it, it is still not terribly obvious but my interpretation is that it saves the credentials for subsequent joins of PSNs in a large deployment if you do not join them all at once:

Enter the Active Directory username and password from the Join Domain dialog box that opens.
It is strongly recommended that you choose Store credentials, in which case your administrator's user name and password will be saved in order to be used for all Domain Controllers (DC) that are configured for monitoring.
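As an added example (not from this thread, Cisco, or the admin guide), here is an AD-side check a practitioner can run after a join to confirm the two claims made above: the join creates an ISE machine (computer) account, and the admin account used for the join does not need to survive. The node name and the temporary join account name are placeholders; it assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example, not Cisco ISE code: verify the AD-side outcome of an ISE domain join.
# Assumptions: RSAT ActiveDirectory module installed, read access to the domain.
param(
    [string]$IseNodeName    = 'ise-psn-01',   # placeholder: hostname of the joined ISE node
    [string]$JoinAccountSam = 'tmp-isejoin'   # placeholder: temporary account used for the join
)
Import-Module ActiveDirectory

# 1. The join should have produced a computer object for the ISE node.
#    This is the "machine account" whose credentials ISE keeps for the probe.
$machine = Get-ADComputer -Filter "Name -eq '$IseNodeName'" `
    -Properties PasswordLastSet, whenCreated, ServicePrincipalNames -ErrorAction SilentlyContinue
if ($machine) {
    "Machine account {0} created {1}, password last set {2}" -f `
        $machine.SamAccountName, $machine.whenCreated, $machine.PasswordLastSet
    $machine.ServicePrincipalNames | ForEach-Object { "  SPN: $_" }
} else {
    "No computer object named $IseNodeName found; the join did not complete."
}

# 2. The account used to perform the join is not needed afterwards, so it should be
#    deleted or at least disabled. Flag it if it is still enabled.
$joiner = Get-ADUser -Filter "SamAccountName -eq '$JoinAccountSam'" `
    -Properties Enabled, LastLogonDate -ErrorAction SilentlyContinue
if (-not $joiner) {
    "Join account $JoinAccountSam no longer exists (expected after cleanup)."
} elseif (-not $joiner.Enabled) {
    "Join account $JoinAccountSam still exists but is disabled."
} else {
    "WARNING: join account $JoinAccountSam is still enabled (last logon: $($joiner.LastLogonDate))."
}
```

If you selected Store credentials, this check cannot see what ISE kept for the monitored DCs; it only confirms what exists in AD, so treat a still-enabled join account as something to clean up on the AD side regardless.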

 


Thanks Thomas. So the Admin Guide reference about AD Probe is not correct?

 

I think this needs to be documented correctly once and for all. 

I don’t have a lab to verify whether AD probe works when you do not save credentials. Knowing that would be awesome. 

thomas
Cisco Employee

OK, let me send this off for an authoritative answer and get the admin guide updated.
