Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1343
Views
0
Helpful
5
Replies

Minimum AD requirements

Go to solution
kerai08
Cisco Employee
Cisco Employee

‎05-22-2019 07:24 AM

Hi team,

 

Customer is asking about the minimum requirements necessary to integrate ISE with AD.

 

They've sent the attached picture and need to know which ones to tick. 

 

They're confused about the 'ISE machine accounts' table here: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_20.html#reference_8DC463597A644A5C9CF5D582B77BB24F

 

Your thoughts?

 

Thanks,

Arron

Preview file
20 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee
In response to kerai08

‎05-23-2019 07:34 AM

A domain admin account is typically used to join ISE to AD.  Those credentials are used to create the required permissions ISE needs to communicate with AD and nothing more. Also, the domain admin credentials used to create the machine account and other required permission are not store inside of ISE.  Only the newly created machine account credentials. If the customer wants to create the machine account in advance, I suggest they reference Microsoft documentation on how to do that. Our documentation doesn't cover that process but only outlines the necessary permissions.

 

Regards,

-Tim

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎05-22-2019 08:35 AM

Arron,

 

The document you referenced outlines what is necessary for ISE to communicate with AD.  We would need more information on what the customer is confused about.

 

Regards,

-Tim

0 Helpful

Go to solution
kerai08
Cisco Employee
Cisco Employee
In response to Timothy Abbott

‎05-23-2019 03:56 AM

Hi Tim,

 

The customers Windows AD teams wants the account to be as restrictive as possible so are looking at what specific tick boxes would need to be enabled for ISE/AD joining. I've attached a picture of what they need clarity on.  

 

They are not clear on what to enable because they are getting errors with joining e.g. 

“Please Make Sure That User Svc_Cisco_ISE Has Sufficient Permissions”

 

Does the ask make sense?

 

Thank you,

Arron

Preview file
20 KB
0 Helpful

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee
In response to kerai08

‎05-23-2019 07:34 AM

A domain admin account is typically used to join ISE to AD.  Those credentials are used to create the required permissions ISE needs to communicate with AD and nothing more. Also, the domain admin credentials used to create the machine account and other required permission are not store inside of ISE.  Only the newly created machine account credentials. If the customer wants to create the machine account in advance, I suggest they reference Microsoft documentation on how to do that. Our documentation doesn't cover that process but only outlines the necessary permissions.

 

Regards,

-Tim

0 Helpful

Go to solution
kerai08
Cisco Employee
Cisco Employee
In response to Timothy Abbott

‎05-29-2019 02:33 AM

Hi Tim,

 

Thanks for this.

 

Would you happen to have 15 mins to highlight this on a call with the customer? 

 

Is that ok and is your calendar open?

 

Thanks,

Arron

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to kerai08

‎05-29-2019 07:05 AM

Please discuss directly. ITs best to have the technical ISE person on that account as well and any partner for education
0 Helpful
Customers Also Viewed These Support Documents