Solved: windows AD user privilege level for integrating ISE with AD

mfirdaus · ‎08-26-2020

Dear Expert, i want to ask regarding integrating ISE with Active directory.

when we configure ise to join active directory, is it mandatory to use administrator level user from active directory ?
if we can do it without administrator user, what kind of user privilege level we need to use ?
is there any official reference to integrating ISE with AD without AD administrator user ?

Thank You.

Mohammed al Baqari · ‎08-26-2020

Here you go

Active Directory Account Permissions Required for Performing Various
Operations

Join OperationsLeave OperationsCisco ISE Machine Accounts

For the account that is used to perform the join operation, the following
permissions are required:

-

Search Active Directory (to see if a Cisco ISE machine account already
exists)
-

Create Cisco ISE machine account to domain (if the machine account does
not already exist)
-

Set attributes on the new machine account (for example, Cisco ISE
machine account password, SPN, dnsHostname)

It is not mandatory to be a domain administrator to perform a join
operation.

For the account that is used to perform the leave operation, the following
permissions are required:

-

Search Active Directory (to see if a Cisco ISE machine account already
exists)
-

Remove Cisco ISE machine account from domain

If you perform a force leave (leave without the password), it will not
remove the machine account from the domain.

For the newly created Cisco ISE machine account that is used to communicate
to the Active Directory connection, the following permissions are required:

-

Ability to change own password
-

Read the user/machine objects corresponding to users/machines being
authenticated
-

Query some parts of the Active Directory to learn about required
information (for example, trusted domains, alternative UPN suffixes and so
on.)
-

Ability to read tokenGroups attribute

You can precreate the machine account in Active Directory, and if the SAM
name matches the Cisco ISE appliance hostname, it should be located during
the join operation and re-used.

If multiple join operations are performed, multiple machine accounts are
maintained inside Cisco ISE, one for each join.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_F19556CAD5C949B58DF89334E2C6255D

**** please remember to rate useful posts

View solution in original post

Mohammed al Baqari · ‎08-26-2020

Here you go

Active Directory Account Permissions Required for Performing Various
Operations

Join OperationsLeave OperationsCisco ISE Machine Accounts

For the account that is used to perform the join operation, the following
permissions are required:

-

Search Active Directory (to see if a Cisco ISE machine account already
exists)
-

Create Cisco ISE machine account to domain (if the machine account does
not already exist)
-

Set attributes on the new machine account (for example, Cisco ISE
machine account password, SPN, dnsHostname)

It is not mandatory to be a domain administrator to perform a join
operation.

For the account that is used to perform the leave operation, the following
permissions are required:

-

Search Active Directory (to see if a Cisco ISE machine account already
exists)
-

Remove Cisco ISE machine account from domain

If you perform a force leave (leave without the password), it will not
remove the machine account from the domain.

For the newly created Cisco ISE machine account that is used to communicate
to the Active Directory connection, the following permissions are required:

-

Ability to change own password
-

Read the user/machine objects corresponding to users/machines being
authenticated
-

Query some parts of the Active Directory to learn about required
information (for example, trusted domains, alternative UPN suffixes and so
on.)
-

Ability to read tokenGroups attribute

You can precreate the machine account in Active Directory, and if the SAM
name matches the Cisco ISE appliance hostname, it should be located during
the join operation and re-used.

If multiple join operations are performed, multiple machine accounts are
maintained inside Cisco ISE, one for each join.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_2x.html#reference_F19556CAD5C949B58DF89334E2C6255D

**** please remember to rate useful posts

paul · ‎08-26-2020

Mohammed gave a great detailed answer. The simple answer is joined ISE to AD is identical to joining a Windows server/computer to AD. The ID used to join ISE to AD needs to have join permissions. Once ISE is joined to AD it has its own computer account to interact with AD. The ID used to join ISE to AD is not saved unless you check the box to save it.

Arne Bier · ‎08-30-2020

Hi @mfirdaus

Just to add what @paul mentioned about the saved AD credentials - I have never found a Cisco document that explained why this would be needed/beneficial. It seems obvious at first that you would NOT want to save the admin's credentials in ISE (esp if password changes over time, or just because of plain paranoia).

However, after watching the labminutes.com series he quite causally mentions that the Save credentials is REQUIRED if you are using the ISE AD Probe (Profiling). I have never seen this confirmed anywhere. I have not tested to see if AD probing breaks if I joined AD without saving creds.

It would be nice to have the official statement from Cisco about WHY this option even exists.