
395 Views | 0 Helpful | 3 Replies
Cisco Employee

windows AD user privilege level for integrating ISE with AD

Dear Expert, I want to ask regarding integrating ISE with Active Directory.

1. When we configure ISE to join Active Directory, is it mandatory to use an administrator-level user from Active Directory?
2. If we can do it without an administrator user, what kind of user privilege level do we need to use?
3. Is there any official reference for integrating ISE with AD without an AD administrator user?

 

Thank You.

 

 

1 ACCEPTED SOLUTION
VIP Advisor

Here you go

Active Directory Account Permissions Required for Performing Various Operations

Join Operations

For the account that is used to perform the join operation, the following permissions are required:

- Search Active Directory (to see if a Cisco ISE machine account already exists)
- Create Cisco ISE machine account to domain (if the machine account does not already exist)
- Set attributes on the new machine account (for example, Cisco ISE machine account password, SPN, dnsHostname)

It is not mandatory to be a domain administrator to perform a join operation.

Leave Operations

For the account that is used to perform the leave operation, the following permissions are required:

- Search Active Directory (to see if a Cisco ISE machine account already exists)
- Remove Cisco ISE machine account from domain

If you perform a force leave (leave without the password), it will not remove the machine account from the domain.

Cisco ISE Machine Accounts

For the newly created Cisco ISE machine account that is used to communicate to the Active Directory connection, the following permissions are required:

- Ability to change own password
- Read the user/machine objects corresponding to users/machines being authenticated
- Query some parts of the Active Directory to learn about required information (for example, trusted domains, alternative UPN suffixes and so on.)
- Ability to read tokenGroups attribute

You can precreate the machine account in Active Directory, and if the SAM name matches the Cisco ISE appliance hostname, it should be located during the join operation and re-used.

If multiple join operations are performed, multiple machine accounts are maintained inside Cisco ISE, one for each join.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_F19556CAD5C949B58DF89334E2C6255D

**** please remember to rate useful posts
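The three join-operation permissions quoted above (search, create the machine account, set its attributes) map directly onto a delegated ACL on one OU, which is how you give a non-admin join account exactly what ISE needs and nothing more. The following PowerShell is an added example, not code from the Cisco document or from this thread; it assumes a join service account named svc-ise-join, an ISE node hostname ise-psn-01 and an OU "OU=ISE Nodes,OU=Servers,DC=corp,DC=example", all of which are constructed names for illustration. It also pre-creates the machine account with a SAM name matching the ISE hostname, as the document says ISE will locate and re-use it, and refuses to continue if the join account turns out to be a domain admin.

```powershell
<#
  Added example (not from the Cisco document or the forum post).
  Assumed, constructed names for this example:
    - join service account  : svc-ise-join
    - ISE node hostname     : ise-psn-01
    - OU for ISE machine accounts: OU=ISE Nodes,OU=Servers,DC=corp,DC=example
  Run as an account allowed to modify the OU's security descriptor
  (an OU owner/admin), never as the join account itself.
#>
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory

$JoinAccount = 'svc-ise-join'
$IseHostname = 'ise-psn-01'
$IseOu       = 'OU=ISE Nodes,OU=Servers,DC=corp,DC=example'

# Least-privilege check: the join account must NOT be a domain administrator.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators'
$hits = Get-ADPrincipalGroupMembership -Identity $JoinAccount |
        Where-Object { $_.Name -in $privilegedGroups }
if ($hits) {
    throw "Refusing to delegate: $JoinAccount is a member of $($hits.Name -join ', ')"
}

# Resolve GUIDs from this forest's schema / extended rights instead of hardcoding them.
$rootDse      = Get-ADRootDSE
$computerGuid = [guid](Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                    -LDAPFilter '(ldapDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
$extRightsDn  = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
$resetPwdGuid = [guid](Get-ADObject -SearchBase $extRightsDn `
                    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$aceType = [System.DirectoryServices.ActiveDirectoryAccessRule]
$joinSid = (Get-ADUser -Identity $JoinAccount).SID

$acl = Get-Acl -Path "AD:\$IseOu"

# "Create Cisco ISE machine account to domain" (and remove it on leave):
# create/delete computer objects in this OU only. Searching is covered by the
# default read access every authenticated user already has.
$acl.AddAccessRule($aceType::new($joinSid, ($rights::CreateChild -bor $rights::DeleteChild),
                                 $allow, $computerGuid, $inherit::All))

# "Set attributes on the new machine account" (SPN, dnsHostname, ...):
# read/write properties, inherited only by computer objects under the OU.
$acl.AddAccessRule($aceType::new($joinSid, ($rights::ReadProperty -bor $rights::WriteProperty),
                                 $allow, $inherit::Descendents, $computerGuid))

# Machine account password: the Reset Password extended right, again scoped
# to computer objects under this OU.
$acl.AddAccessRule($aceType::new($joinSid, $rights::ExtendedRight, $allow,
                                 $resetPwdGuid, $inherit::Descendents, $computerGuid))

Set-Acl -Path "AD:\$IseOu" -AclObject $acl

# Pre-create the machine account (SAM name = ISE hostname + '$') so the join
# finds and re-uses it rather than creating a new object.
if (-not (Get-ADComputer -Filter "Name -eq '$IseHostname'" -SearchBase $IseOu)) {
    New-ADComputer -Name $IseHostname -SamAccountName "$IseHostname`$" -Path $IseOu `
                   -Description 'Cisco ISE node machine account (pre-created)'
}

# Show what was delegated, for review before the ISE join is attempted.
(Get-Acl -Path "AD:\$IseOu").Access |
    Where-Object { $_.IdentityReference -like "*\$JoinAccount" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Scoping every ACE to computer objects under one OU is the point: the join account can touch ISE machine accounts and nothing else, so the credential you type into ISE during the join (or save there, if you tick that box) is worth far less to an attacker than a domain admin password.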

VIP Advocate

Mohammed gave a great detailed answer. The simple answer is that joining ISE to AD is identical to joining a Windows server/computer to AD. The ID used to join ISE to AD needs to have join permissions. Once ISE is joined to AD it has its own computer account to interact with AD. The ID used to join ISE to AD is not saved unless you check the box to save it.


Hi @mfirdaus

Just to add to what @paul mentioned about the saved AD credentials: I have never found a Cisco document that explained why this would be needed/beneficial. It seems obvious at first that you would NOT want to save the admin's credentials in ISE (esp. if the password changes over time, or just because of plain paranoia).

However, after watching the labminutes.com series, he quite casually mentions that Save credentials is REQUIRED if you are using the ISE AD Probe (Profiling). I have never seen this confirmed anywhere. I have not tested to see if AD probing breaks if I join AD without saving creds.

It would be nice to have the official statement from Cisco about WHY this option even exists.