The ISE machine account does not have the required privileges to fetch

henry.astorga (Level 1)

Hello, I am currently running ISE 3.2 Patch 7 and for several versions now I am seeing alarms for "The ISE machine account does not have the required privileges to fetch groups". I have performed the steps as advised by TAC to resolve the issue, but I am still seeing these alarms and am curious if there are others who are seeing the same alarms and maybe it's a cosmetic thing. I have not actually had any complaints of problems and I can run the tests to Check AD groups, which appears to be working as expected, yet I continue to see these alarms. Anyone else?

Regards,

Henry

8 Replies

Scott Fella (Hall of Fame)

Wow.... I just opened a TAC case on Monday because of this. I'm on ISE v3.0 and just patched it to patch 8 last week. TAC is reviewing the support bundle they requested. The only complaints I have received are with TACACS and folks not able to run commands and then it starts working, but that might be a separate issue. Hopefully today they will respond back with something.

-Scott
*** Please rate helpful posts ***

Hello Scott, I was hearing complaints about TACACS not working for a brief period and then starting to work again, but that went away after a patch back in the v2.7 period.

Regards,
Henry

That is what I'm hearing right now. I patched last week but only some engineers have reached out to me.

-Scott
*** Please rate helpful posts ***

Scott Fella (Hall of Fame)

TAC told me to review the account being used with the AD team. That's what I'm going to do today, but here is what they provided:

The ISE machine account that communicates with the Active Directory connection requires the following permissions:

- Change password
- Read the user and machine objects corresponding to users and machines that are authenticated
- Query Active Directory to get information (for example, trusted domains, alternative UPN suffixes, and so on)
- Read the tokenGroups attribute

You can pre-create the machine account in Active Directory. If the SAM name matches the Cisco ISE appliance hostname, it is located during the join operation and re-used.

The following link provides additional information: https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/ise_active_directory_integration/b_ISE_AD_integration_2x.html

-Scott
*** Please rate helpful posts ***
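One way to check the account side of this from a domain-joined Windows host, as an added example that is not from the thread or from Cisco: it reports the password state of the account used to join ISE, confirms the machine account exists, and then binds as the join account to read tokenGroups on a sample user, which is the read listed in the TAC permissions above. It assumes the RSAT ActiveDirectory module and the placeholder names in the variables.

```powershell
# Added example (not from the thread or from Cisco). Placeholders below must be
# replaced with the real join account, ISE node hostname and a sample user.
Import-Module ActiveDirectory

$JoinAccount = 'svc-ise-join'   # placeholder: account entered in the ISE join dialog
$IseHostname = 'ise-psn-01'     # placeholder: ISE node hostname (= machine account SAM name)
$SampleUser  = 'jdoe'           # placeholder: any user that ISE would authenticate

# 1. Password and lockout state of the join account (an expired password is the
#    failure mode reported in this thread).
$props = 'Enabled','LockedOut','PasswordExpired','PasswordLastSet','msDS-UserPasswordExpiryTimeComputed'
$u   = Get-ADUser -Identity $JoinAccount -Properties $props
$raw = [int64]$u.'msDS-UserPasswordExpiryTimeComputed'
# 0 = must change at next logon, Int64.MaxValue = password never expires
$expires = if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { 'never' } else { [datetime]::FromFileTime($raw) }
[PSCustomObject]@{
    Account = $u.SamAccountName; Enabled = $u.Enabled; LockedOut = $u.LockedOut
    PasswordExpired = $u.PasswordExpired; PasswordLastSet = $u.PasswordLastSet; ExpiresOn = $expires
} | Format-List

# 2. The machine account the join created: present, enabled, and its password age.
Get-ADComputer -Identity $IseHostname -Properties Enabled, PasswordLastSet |
    Select-Object Name, Enabled, PasswordLastSet | Format-List

# 3. Functional test: bind as the join account and read the constructed
#    tokenGroups attribute of a sample user. A bind failure here (for example an
#    expired password) is the same condition that blocks ISE group fetches.
$cred   = Get-Credential -UserName "$env:USERDOMAIN\$JoinAccount" -Message 'Password of the ISE join account'
$userDn = (Get-ADUser -Identity $SampleUser).DistinguishedName
$entry  = [System.DirectoryServices.DirectoryEntry]::new(
              "LDAP://$userDn", $cred.UserName, $cred.GetNetworkCredential().Password)
try {
    # Constructed attributes such as tokenGroups need an explicit base-scope read.
    $entry.RefreshCache(@('tokenGroups'))
    $groups = foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        $sid = [System.Security.Principal.SecurityIdentifier]::new($sidBytes, 0)
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    }
    "tokenGroups read OK as $JoinAccount`: $(@($groups).Count) groups for $SampleUser"
    $groups
} catch {
    "tokenGroups read FAILED as $JoinAccount`: $($_.Exception.Message)"
}
```

Run it as a domain user with ordinary read access; step 3 prompts for the join account's password so the read is performed under that account's rights rather than your own.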

Scott Fella (Hall of Fame)

@henry.astorga check the account that you are using to join the domain. For me it's failing stating the password has expired. I used the AD test and put in the account I used to join ISE to AD and the output was password failed.

-Scott
*** Please rate helpful posts ***

Hello Scott, the account used has all the domain rights required. I had my AD team on a call with TAC and we went over all that, so it's definitely not a permissions issue with the account used to join the machines or an issue with the password.
Regards,
Henry

Well my issue was the account password expired so I had to have them reset it for me.  Just fixed it a few minutes ago but hopefully I will not see any of these alerts.

-Scott
*** Please rate helpful posts ***

Scott Fella (Hall of Fame)

@henry.astorga any update? I started to see this alert again but not as much as I did before. TAC is still investigating but can't seem to identify which node is sending the alert.

-Scott
*** Please rate helpful posts ***