ISE AD service account password expiry

firestartest
Level 1

An AD account with privileges is required to join ISE to a domain as per the documentation; that is easy to sort out. But what happens if the account has a password policy set to renew every 30 days? Is the AD account no longer used after the join operation because machine accounts have been created, and therefore expiring AD accounts wouldn't be an issue? Is it the machine accounts that allow for the domain lookups during authentication, or is it still the AD user account that is used?

Accepted Solution

anthonylofreso
Level 4

The AD account is only used during the join process. Just as if you were joining a windows workstation to the domain.


3 Replies

Yes, that's the general rule, and that is why the password is not stored when you join the AD. But that is just one scenario. The reason there is an option to store the password is that it is needed in the case where Profiling is enabled for AD probing. In that case you need to store the password.

It's generally best practice to create service accounts in AD that are restricted to a specific purpose, and most importantly, not subjected to password expiration :-)

Thanks. That's the problem I have, the customer has strict password expiry policies for all AD accounts which mean passwords need changing every 30 days!