Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2135
Views
0
Helpful
5
Replies

[ISE] What is the permission for AD user to use webagent provision?

Natthapong Kitjunlajarit
Level 1
Level 1

‎03-12-2014 12:44 AM - edited ‎03-10-2019 09:31 PM

I plan to implement ISE to force user to provision and enroll certificate,

But for the windows user whose join domain they don't have an admin right permission

they cannot download and run the network setup assistant(winspwizard).

 

What is the least permission that i have to allow for the user to pass the provision process?

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Ravi Singh
Level 7
Level 7

‎03-12-2014 02:59 PM

Can you explain your query in more detail. As per my knowledge in case of ISE NSP is automatically pushed by ISE to client after successful authentication.

0 Helpful

Natthapong Kitjunlajarit
Level 1
Level 1
In response to Ravi Singh

‎03-13-2014 03:55 AM

Client browser have to request to download winspwizard from ISE so for the default domain user which do not have permission to download,install or run any program that perform change on their computer they cannot pass the process without knowing the admin user/pwd. Thankyou.
 

0 Helpful

Matteo Abrile
Level 1
Level 1
In response to Natthapong Kitjunlajarit

‎02-09-2017 01:47 PM

Hello,

I have same problem, have you found solution ? thanks

M.

0 Helpful

Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎03-18-2014 10:12 AM

https://supportforums.cisco.com/discussion/11851011/ise-and-ad-integration 

 

The Active Directory username that you provide when joining to an Active Directory domain should be predefined in Active Directory and must have one of the following permissions:

–    Add the workstation to the domain to which you are trying to connect.

–    On the computer where the Cisco ISE account was created, establish permissions for creating or deleting computer objects before joining Cisco ISE to the domain.

–    Permissions for searching users and groups that are required for authentication.

After you join Cisco ISE to the Active Directory domain, you will still need these permissions to:

–    Join any secondary Cisco ISE servers to this domain

–    Back up or restore data

–    Upgrade Cisco ISE to a higher version, if the upgrade process involves a backup and restore

0 Helpful

stephan
Level 1
Level 1

‎10-14-2016 02:28 PM

I'm having the same issue with ISE 2.1, domain joined computers who doesn't have admin rights unable to run Cisco network assistant. Did you find any solution or workaround  about this issue?  

Thanks

0 Helpful
Customers Also Viewed These Support Documents