10-09-2017 03:46 PM
We are using ISE version 2.2. We are planning to install ISE PIC. In doing so, we have stumbled on the agent or service account privileges. Both require a domain admin account or an account with full WMI rights. Is that correct? Is it possible with less privilege instead? If so, which privileges are needed? Thanks.
10-09-2017 06:41 PM
If using WMI provider, it's possible to use a non-domain-admin user. See Configure Active Directory for Passive Identity service
For PIC agents, we tested only with domain admin users, but it might also be possible with non-domain admins.
10-09-2017 04:18 PM
This has been asked many times :). Here’s a recent thread:
https://communities.cisco.com/thread/86178
You will find your answer here:
Active Directory Account Permissions Required for Performing Various Operations: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01110.html#reference_F19556CAD5C949B58DF89334E2C6255D
George
03-19-2019 02:43 PM
Any updates here? One of my customers cannot provide us with DC admin rights for the ISE-PIC agent user. Trying to figure out what rights we need to apply to the service account. Thanks,