10-02-2012 08:36 AM - edited 03-10-2019 07:37 PM
Does anyone have the actual permissions needed for the service account ISE uses to validate user information? I know it needs to be able to query AD to verify a valid username/password and whether the account is disabled. But does anyone actually have the specific rights that need to be granted through AD for those accounts without making the account a Domain Admin?
10-02-2012 08:49 AM
Hope this helps:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_id_stores.html#wp1059011
The Active Directory username that you provide while joining an Active Directory domain should be predefined in Active Directory and should have permission to create and update computer account objects and change passwords in the domain you are joining.
Note If your Active Directory domain has subdomains and the user belongs to one of the subdomains, then, the username should also include the subdomain name. For example, for a domain abc.com, if there are two subdomains sub1 and sub2, and the user belongs to sub1, then the username should be sub1\user1.
Tarik Admani
*Please rate helpful posts*
10-02-2012 11:50 AM
I saw that in the user guide. Was wondering if anyone had more specific instructions for creating the account in AD without giving Domain Admin privileges to the user account.
10-10-2012 03:05 AM
Just a standard domain user account will do the job, as long as the user has permission to add a machine to the domain. Sometimes accounts are allowed 10 grace machine additions, but regularly now admins disable this option.
That's all it needs.
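An added example, not from any of the posts above or from Cisco's documentation, of what the replies describe: delegating to a plain Domain User only the rights the quoted user-guide paragraph asks for (create and update computer objects, reset their passwords) on one OU with dsacls, then verifying the ACEs and reading the domain's machine-account quota, which is what the "10 grace machine additions" in the last reply refers to (the ms-DS-MachineAccountQuota attribute, default 10). The OU name, domain and account name are hypothetical; change them for your environment. It must be run once by someone who can already edit the OU's ACL, and needs the RSAT ActiveDirectory module for the quota check.

```powershell
# Added example (not from this thread or Cisco docs). Assumed names below.
# Run once as an account allowed to modify the OU's ACL; the service account
# itself stays a normal Domain User.

$OU      = 'OU=ISE-Nodes,DC=corp,DC=example'   # assumed OU that will hold the ISE computer object(s)
$Account = 'CORP\svc-ise-join'                 # assumed service account used for the ISE AD join

# 1. On the OU and everything below it (/I:T): allow creating computer objects.
#    Add a second call with 'DC;computer' only if the node must also be able to
#    delete and re-create its own object; the quoted guide does not require it.
dsacls $OU /I:T /G "${Account}:CC;computer"

# 2. Inherited onto the computer objects under the OU (/I:S):
#    - the Reset Password control-access right
#    - write to userAccountControl (enable/disable, trust-for-delegation flags)
#    - the two validated writes a join performs for DNS host name and SPN
dsacls $OU /I:S /G "${Account}:CA;Reset Password;computer"
dsacls $OU /I:S /G "${Account}:WP;userAccountControl;computer"
dsacls $OU /I:S /G "${Account}:WS;Validated write to DNS host name;computer"
dsacls $OU /I:S /G "${Account}:WS;Validated write to service principal name;computer"

# 3. Verify: show only the ACEs on the OU that name the service account.
#    Expect one Create Child (computer) entry plus the four inherited entries above.
dsacls $OU | Select-String -Pattern ([regex]::Escape($Account))

# 4. The per-user "grace" joins are ms-DS-MachineAccountQuota on the domain head
#    (default 10). When an admin has set it to 0, the delegation above is what
#    lets this account join without Domain Admin membership.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
(Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
```

If the join still fails after this, re-run step 3 and confirm the ACEs show as inherited on an existing computer object in the OU (`dsacls "CN=<node>,$OU"`), since a pre-created computer object with inheritance blocked will not pick them up.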