ISE-PIC user agent service account rights and operation

timroth
Cisco Employee

Hello, I am working to deploy the ISE-PIC agent. I installed the ISE agent on a Server 2012 box (non-DC) and pointed the agent to a 2012 DC box. When I add the ISE-PIC service account to the DC admin group I am able to send IDs from DC ---> AGENT BOX ---> ISE. However, when I pull DC admin rights from the user I am unable to pull context.

 

I have a few questions...

1. What operation takes place between the DC agent and the member DCs?

Are the events shared via API, WMI, etc. from DC ---> AGENT?

2. What rights do we need to provide to a non-domain-admin user?

I am pretty sure I applied all the non-DC-admin rules highlighted in this document:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_01000.html#task_784A7F6991594B11B1BAD206FDCD249B

 

Error logs from the ISE-PIC agent:

2019-03-19 14:57:34,421 ERROR - Domain Controller 192.168.100.15, Error qureing events, Waiting one minute before trying again : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
2019-03-19 14:58:34,438 ERROR - Domain Controller 192.168.100.15, Error occurred while reading events : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
2019-03-19 14:58:34,438 ERROR - Domain Controller 192.168.100.15, Error qureing events, Waiting one minute before trying again : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
2019-03-19 14:59:34,455 ERROR - Domain Controller 192.168.100.15, Error occurred while reading events : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
2019-03-19 14:59:34,455 ERROR - Domain Controller 192.168.100.15, Error qureing events, Waiting one minute before trying again : Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
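A pre-flight check for the service account, added here as an example and not part of the thread or of Cisco's agent: it tries the two read paths the thread discusses (the Windows Event Log API and WMI over DCOM) against one DC as the service account, so the 0x80070005 in the agent log above can be reproduced and isolated per path before the agent is pointed at the DC. The DC name and credential are parameters you supply; nothing else is assumed.

```powershell
# Added example: reproduce the agent's Security-log read as the ISE-PIC
# service account and report which path (Event Log API, WMI/DCOM) is denied.
param(
    [Parameter(Mandatory)] [string]$DomainController,  # e.g. 'dc01.example.local' (placeholder)
    [Parameter(Mandatory)] [pscredential]$Credential    # the ISE-PIC service account
)

function Test-SecurityLogRead {
    param([string]$Dc, [pscredential]$Cred)
    try {
        # Same operation the agent performs: read the newest Security events remotely.
        $null = Get-WinEvent -ComputerName $Dc -Credential $Cred -LogName Security `
                    -MaxEvents 5 -ErrorAction Stop
        return [pscustomobject]@{ Path = 'EventLogAPI'; Result = 'OK'; Detail = '' }
    } catch {
        return [pscustomobject]@{ Path = 'EventLogAPI'; Result = 'DENIED'; Detail = $_.Exception.Message }
    }
}

function Test-WmiLogRead {
    param([string]$Dc, [pscredential]$Cred)
    $session = $null
    try {
        # Classic WMI from a remote host rides on DCOM; WSMan would exercise a
        # different permission set, so force the DCOM protocol explicitly.
        $opt     = New-CimSessionOption -Protocol Dcom
        $session = New-CimSession -ComputerName $Dc -Credential $Cred -SessionOption $opt -ErrorAction Stop
        $null = Get-CimInstance -CimSession $session -ClassName Win32_NTLogEvent `
                    -Filter "Logfile='Security'" -ErrorAction Stop | Select-Object -First 1
        return [pscustomobject]@{ Path = 'WMI/DCOM'; Result = 'OK'; Detail = '' }
    } catch {
        return [pscustomobject]@{ Path = 'WMI/DCOM'; Result = 'DENIED'; Detail = $_.Exception.Message }
    } finally {
        if ($session) { Remove-CimSession $session }
    }
}

$results = @(
    Test-SecurityLogRead -Dc $DomainController -Cred $Credential
    Test-WmiLogRead      -Dc $DomainController -Cred $Credential
)
$results | Format-Table -AutoSize
```

Run it once with the service account and once with a Domain Admin credential; a DENIED row carrying 0x80070005 for the service account only is the same failure the agent logs, and tells you which path (and therefore which permission set on the DC) still needs to be granted.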

Accepted Solution

paul
Level 10

When I have asked Cisco this in the past they said they really only have tested with Domain Admin level privileges. There is really no difference installing the DC agent on a member server or just doing WMI queries from ISE. They both need highly elevated privileges to do their job. If you want to avoid having to use a service account altogether, manually install the DC agent on the domain controllers and then point them at the ISE nodes.


3 Replies

timroth
Cisco Employee

Thanks Paul, so it appears it's WMI communication between the member server (agent) and the DCs?

 

thanks,

Tim

It is supposed to use some Windows API calls I believe instead of WMI, but it still needs to authenticate to the DCs. So in my mind I am not really sure what running the DC agent on a member server buys you. I usually tell customers either do WMI calls from ISE PSNs or install the DC agent on the DCs.