Join ISE on Active Directory

borgeseliezer1 · ‎08-28-2024

Hey guys,

I needed to create the ISE secondary node again, however I am unable to insert it into our domain.
The ISE log reports the message below and the ISE TCP DUMP capture.
ISE version: 3.3.0.181
Do you have any suggestions for testing or troubleshooting?

Arne Bier · ‎08-28-2024

Not sure of the exact mechanism ISE uses to join the Domain, but you could try to delete the existing AD machine account for the domain (if it was previously joined?) and then try the join again. I have never had an issue with joining ISE nodes to an AD domain as the Domain Admin. That user might be total overkill, but in the absence of Cisco documenting this in more detail (that a non-Windows admin like myself can understand), I just take the big hammer to solve this problem.

Greg Gibbs · ‎08-28-2024

See the following document for permissions required for the various Join/Leave functions. If the computer account is being created ahead of time, ensure it has the necessary permissions. If the computer account is being created at the time of the Join operation, ensure the admin account doing the join has the necessary permissions.

Active Directory Integration with Cisco ISE 2.x

Arne Bier · ‎08-28-2024

@Greg Gibbs thanks for that link - one of these days I plan to have a look at Windows Server Users and Computers to see what this looks like for a user account - the tables in the Cisco document are very wordy and I wasn't 100% confident I would know what to look for in the Windows user interface to comply with those rules.