09-13-2017 02:58 AM
The ISE-PIC guide shows "Store credentials" as a required item for the endpoint probe.
Does it apply only to ISE-PIC? I'm proposing Active Directory profiling on the PSN and now need to clarify this point.
09-13-2017 03:05 AM
This applies to passive ID functions, whether in ISE-PIC or the identical functionality delivered in ISE. Today these stored credentials are only used if you wish to perform probing of endpoints for current login status. This helps keep AD login status current without waiting for the AD cache timer to expire. AD Connector operations for authentication and lookup do not require AD credentials to be stored, since a machine account is created at join time and used for trusted communications thereafter.
Craig
09-13-2017 04:19 AM
Thanks. Now I'm in the configuration design phase, so please let me ask in more detail.
Currently the ISE 2.2 guide (not ISE-PIC) shows that enabling the feature is strongly recommended.
-----------
It is strongly recommended that you choose Store credentials, in which case your administrator's user name and password will be saved in order to be used for all Domain Controllers (DC) that are configured for monitoring
-----------
But it seems to apply only to a monitoring node with AD configuration. Can I assume the feature isn't useful for the policy node?
And I may need to explain how the feature works for monitoring (and doesn't work for the PSN) in the next meeting. Could you give me a summary?
09-13-2017 05:01 AM
Masyamad,
The AD storage credential has nothing to do with Monitoring node. It is as I have stated, for endpoint (PC) probing for login status.
The depth of your questions on multiple posts is beyond the scope of a basic Q&A forum. May I suggest you engage your Cisco partner SE or Cisco account team for more advanced guidance. If you are a Cisco partner, then you may want to leverage the training and partner resources from Cisco. If you are a customer, you may wish to leverage the resources on CiscoLive.com. BRKSEC-3697 includes information on Passive Identity. You have other posts that cover other topics, so I suggest engaging Cisco resources for direct support on design and configuration.
Regards,
Craig
09-13-2017 06:32 PM
OK, I will, but could you confirm one thing? Is "Store credentials" not required for the AD probe on the PSN?
09-13-2017 07:23 PM
When using either remote WMI or an agent to monitor an AD domain controller, ISE needs AD credentials with the proper permissions, along with other changes. We have the following options:
Agents work similarly.
On the other hand, the "Active Directory" profiling probe is not using WMI currently. Instead, it uses ISE's computer credentials in AD to perform the attribute lookups. This part does not use the stored user credentials.
09-14-2017 05:00 AM
Thanks hslai. I understand how the "Store credentials" function works for passive ID and that it's not needed for AD profiling. I removed the configuration from my project.