Minimum AD requirements

kerai08
Cisco Employee

Hi team,

Customer is asking about the minimum requirements necessary to integrate ISE with AD.

They've sent the attached picture and need to know which ones to tick.

They're confused about the 'ISE machine accounts' table here: https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_20.html#reference_8DC463597A644A5C9CF5D582B77BB24F

Your thoughts?

Thanks,

Arron

5 Replies

Timothy Abbott
Cisco Employee

Arron,

The document you referenced outlines what is necessary for ISE to communicate with AD. We would need more information on what the customer is confused about.

Regards,

-Tim

Hi Tim,

The customer's Windows AD team wants the account to be as restrictive as possible, so they are looking at which specific tick boxes would need to be enabled for the ISE/AD join. I've attached a picture of what they need clarity on.

They are not clear on what to enable because they are getting errors when joining, e.g.:

“Please Make Sure That User Svc_Cisco_ISE Has Sufficient Permissions”

Does the ask make sense?

Thank you,

Arron

A domain admin account is typically used to join ISE to AD. Those credentials are used to create the required permissions ISE needs to communicate with AD and nothing more. Also, the domain admin credentials used to create the machine account and other required permissions are not stored inside of ISE; only the newly created machine account credentials are. If the customer wants to create the machine account in advance, I suggest they reference Microsoft documentation on how to do that. Our documentation doesn't cover that process but only outlines the necessary permissions.

Regards,

-Tim

Hi Tim,

Thanks for this.

Would you happen to have 15 mins to highlight this on a call with the customer?

Is that ok and is your calendar open?

Thanks,

Arron

Please discuss directly. It's best to have the technical ISE person on that account as well, and any partner, for education.