

Use AD account rather than internal for ISE

Hello Team,

Can anyone share a Cisco document which states that "it is best practice to create user account in AD rather than using internal user account for device administration"?

Thanks in advance.

Colby LeMaire
VIP Collaborator

I don't think you will find a document that states using AD over an internal account is a best practice.  It really depends on your environment.  The benefit of using AD over internal is that you only have one identity store where all accounts are stored and one place for their passwords.  You can also use the existing groups within AD for RBAC instead of having to create that within ISE.  When users have accounts/passwords in multiple systems, it becomes more difficult to remember all of the passwords, especially when there is a requirement to change the passwords regularly (i.e. every 90 days).  So you end up in a situation where users will write passwords down, or just get frustrated having to reset forgotten passwords all of the time.  You can still use local accounts in ISE as a backup, in case AD is down or the connection between ISE and AD is not working.  Hope that helps.
