
ISE Service Account Criteria for AD Environment

Does anyone have the actual permissions needed for the service account ISE uses to validate user information? I know it needs to be able to query AD to verify a valid username/password and whether the account is disabled. But does anyone actually have the specific rights that need to be granted through AD for those accounts without making the account a Domain Admin?

3 Replies

Tarik Admani
VIP Alumni

Hope this helps:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1059011

The Active Directory username that you provide while joining to an Active Directory domain should be predefined in Active Directory and should have the permission to create and update for computer account objects and change password in the domain you are joining.


Note: If your Active Directory domain has subdomains and the user belongs to one of the subdomains, then the username should also include the subdomain name. For example, for a domain abc.com, if there are two subdomains sub1 and sub2, and the user belongs to sub1, then the username should be sub1\user1.

Tarik Admani
*Please rate helpful posts*

I saw that in the user guide. Was wondering if anyone had more specific instructions for creating the account in AD without giving Domain Admin privileges to the user account.

Just a standard domain user account will do the job, as long as the user has permission to add a machine to the domain. Accounts are sometimes allowed 10 grace machine additions, but nowadays admins regularly disable this option.

That's all it needs.
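An added example, not code from the thread or from Cisco: it ties the two replies together by (a) reading the domain's ms-DS-MachineAccountQuota, which is the "10 grace machine additions" the last reply refers to, and (b) delegating only the rights the quoted user guide lists (create/update computer objects, reset password) to a plain user account on one OU, then checking that the account is not in a privileged group. The domain EXAMPLE / example.com, the OU "OU=ISE-Nodes,DC=example,DC=com" and the account EXAMPLE\svc-ise are assumed names; the script needs the ActiveDirectory RSAT module and dsacls.exe and must be run as someone who can modify the OU's ACL.

```powershell
# Added example (not from the thread or the ISE user guide).
# Assumed/hypothetical names: domain EXAMPLE (example.com), OU "OU=ISE-Nodes,DC=example,DC=com",
# join account EXAMPLE\svc-ise. Requires RSAT ActiveDirectory module and dsacls.exe.
Import-Module ActiveDirectory

$Domain   = Get-ADDomain
$Account  = 'EXAMPLE\svc-ise'                        # plain domain user, no admin groups
$SamName  = $Account.Split('\')[1]
$TargetOU = 'OU=ISE-Nodes,DC=example,DC=com'         # OU where ISE node computer objects will live

# 1. "10 grace machine additions" = ms-DS-MachineAccountQuota on the domain NC head.
#    When admins set it to 0, an ordinary user can join nothing, so explicit OU delegation
#    (step 2) is what makes the join work without Domain Admin.
$quota = (Get-ADObject -Identity $Domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota (0 means no implicit joins by normal users)"

# 2. Delegate only what the user guide asks for, scoped to one OU.
#    dsacls trustee string is "Trustee:Rights;ObjectType-or-Property;InheritedObjectType";
#    /I:T applies to the OU and everything below, /I:S to sub-objects only.
#    CCDC = create/delete child objects of class computer in the OU
dsacls $TargetOU /I:T /G "${Account}:CCDC;computer"
#    RPWP = read/write all properties, but only on computer objects under the OU
dsacls $TargetOU /I:S /G "${Account}:RPWP;;computer"
#    CA;Reset Password = the extended right ISE needs to set the machine account password
dsacls $TargetOU /I:S /G "${Account}:CA;Reset Password;computer"

# 3. Confirm the account really is "just a standard domain user account".
$privileged = @('Domain Admins','Enterprise Admins','Administrators',
                'Account Operators','Schema Admins','Server Operators')
$groups = Get-ADPrincipalGroupMembership -Identity $SamName | Select-Object -ExpandProperty Name
$hits   = $groups | Where-Object { $privileged -contains $_ }
if ($hits) {
    Write-Warning "$Account is in privileged group(s): $($hits -join ', ') - remove it before use"
} else {
    Write-Host "OK: $Account is not a member of any privileged group"
}

# 4. Show the ACEs that now mention the account, for review / change control.
dsacls $TargetOU | Select-String -Pattern $SamName
```

The dsacls calls grant nothing outside the one OU, so the account cannot create or touch computer objects elsewhere even though it can "add a machine to the domain" there. Verify the resulting ACL with the final dsacls dump before pointing ISE at it; if the join still fails while updating dNSHostName or servicePrincipalName on its own object, the validated-write rights on those attributes are the next thing to delegate, again on computer objects under that OU only.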