3830 Views, 11 Helpful, 3 Replies

ISE - Permissions for Domain User to connect to Active Directory

JRGC
Level 1

Performing Cisco ISE integration with Active Directory, which has a trust relationship with another AD.
The user that is used to establish the connection has full permissions only on one domain controller and read-only on the other.
Authentication of wireless users on the domain controller where the user has full permissions works fine; authentication of users who are on the other domain controller has problems.

Is it necessary that the domain user ISE uses to connect to AD has full permissions on both domain controllers?

3 Replies

nspasov
Cisco Employee

Hmm, what you have there should work. My AD skills are close to non-existent so I can't provide much help there, but it sounds like the issue is somewhere with AD/permissions. Once joined to the domain and the computer accounts for ISE are created, all ISE is doing is querying the domain for users and their group membership. Here are the requirements from ISE:

For Joining
For the account that is used to perform the join operation, the following permissions are required:
• Search Active Directory (to see if a Cisco ISE machine account already exists)
• Create Cisco ISE machine account to domain (if the machine account does not already exist)
• Set attributes on the new machine account (for example, Cisco ISE machine account password, SPN, dnsHostname)
It is not mandatory to be a domain administrator to

For Leaving
For the account that is used to perform the leave operation, the following permissions are required:
• Search Active Directory (to see if a Cisco ISE machine account already exists)
• Remove Cisco ISE machine account from domain
If you perform a force leave (leave without the password), it will not remove the machine account from the domain.

Cisco ISE Machine Accounts
For the newly created Cisco ISE machine account that is used to communicate to the Active Directory connection, the following permissions are required:
• Ability to change own password
• Read the user/machine objects corresponding to users/machines being authenticated
• Query some parts of the Active Directory to learn about required information (for example, trusted domains, alternative UPN suffixes and so on)
• Ability to read tokenGroups attribute
You can precreate the machine account in Active Directory, and if the SAM name matches the Cisco ISE appliance hostname, it should be located during the join operation and re-used.
If multiple join operations are performed, multiple machine accounts are maintained inside Cisco ISE, one for each join.

 

Thank you for rating helpful posts!

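The reply above lists what the ISE machine account must be able to read in each domain it authenticates users from. The following PowerShell script is an added example, not code from the original post or from Cisco: it reproduces those reads (user object, tokenGroups, trustedDomain objects, uPNSuffixes) against a domain controller of the trusted domain, using whatever credential you supply, so that an "access denied" on one step points at the missing permission. The DC name, user name and credential prompt are placeholders. It exercises the rights of the credential you give it (for example the join account); the machine account's own effective rights on the trusted domain still have to be confirmed with Effective Access in Active Directory Users and Computers, since its password is not available to you.

```powershell
# Added example (not from the original post or Cisco). Checks, from a Windows host,
# the LDAP reads that the ISE machine account needs against a trusted-domain DC.
# $DomainController and $SamAccountName are placeholders; replace them with your values.
param(
    [string]$DomainController = "dc01.trusted.example",   # a DC of the other (trusted) domain
    [string]$SamAccountName   = "jdoe",                    # a user in that domain who fails to authenticate
    [pscredential]$Credential = (Get-Credential -Message "Account to test with (e.g. the ISE join account)")
)

Add-Type -AssemblyName System.DirectoryServices

function New-LdapEntry([string]$Path) {
    # Bind with the supplied credential and signed/sealed (Secure) LDAP
    New-Object System.DirectoryServices.DirectoryEntry(
        $Path, $Credential.UserName, $Credential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
}

function Invoke-Check([string]$Name, [scriptblock]$Body) {
    # Run one check and report PASS/FAIL; a failing step is the permission gap to fix
    try   { & $Body; Write-Host "PASS  $Name" }
    catch { Write-Host "FAIL  $Name : $($_.Exception.Message)" }
}

# 1. RootDSE tells us the naming contexts (anonymous-readable on most DCs)
$root      = New-LdapEntry "LDAP://$DomainController/RootDSE"
$defaultNC = [string]$root.Properties["defaultNamingContext"][0]
$configNC  = [string]$root.Properties["configurationNamingContext"][0]
Write-Host "Domain NC: $defaultNC"

# 2. "Read the user/machine objects corresponding to users being authenticated"
$userDn = $null
Invoke-Check "Read user object ($SamAccountName)" {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = New-LdapEntry "LDAP://$DomainController/$defaultNC"
    $s.Filter = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    [void]$s.PropertiesToLoad.AddRange([string[]]@("distinguishedName", "userPrincipalName"))
    $r = $s.FindOne()
    if (-not $r) { throw "user not found or not visible in $defaultNC" }
    $script:userDn = [string]$r.Properties["distinguishedname"][0]
    Write-Host "      DN: $script:userDn"
}

# 3. "Ability to read tokenGroups attribute" (constructed attribute; must be requested explicitly)
Invoke-Check "Read tokenGroups of $SamAccountName" {
    if (-not $script:userDn) { throw "skipped, user object was not readable" }
    $u = New-LdapEntry "LDAP://$DomainController/$script:userDn"
    $u.RefreshCache([string[]]@("tokenGroups"))
    $sids = @($u.Properties["tokenGroups"] | ForEach-Object {
        (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value
    })
    if ($sids.Count -eq 0) { throw "tokenGroups returned no SIDs (attribute not readable?)" }
    Write-Host "      $($sids.Count) group SIDs returned"
}

# 4. "Query ... trusted domains": trustedDomain objects live under CN=System
Invoke-Check "Enumerate trustedDomain objects" {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = New-LdapEntry "LDAP://$DomainController/CN=System,$defaultNC"
    $s.Filter = "(objectClass=trustedDomain)"
    [void]$s.PropertiesToLoad.AddRange([string[]]@("name", "trustDirection"))
    foreach ($t in $s.FindAll()) {
        Write-Host "      trust: $($t.Properties['name'][0]) direction=$($t.Properties['trustdirection'][0])"
    }
}

# 5. "Query ... alternative UPN suffixes": uPNSuffixes on the Partitions container
Invoke-Check "Read uPNSuffixes from CN=Partitions" {
    $p = New-LdapEntry "LDAP://$DomainController/CN=Partitions,$configNC"
    $p.RefreshCache([string[]]@("uPNSuffixes"))
    Write-Host "      suffixes: $(@($p.Properties['uPNSuffixes']) -join ', ')"
}
```

Run it once with the account that works in the home domain and once against the trusted domain's DC; a FAIL on steps 2, 3 or 5 in the trusted domain means that domain's ACLs (not domain-admin membership) are what needs adjusting for the ISE machine account, which matches the requirement list above.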
Thanks for your comments, this is very important.

I think the same; it is related to AD permissions.

 

 

nspasov
Cisco Employee

No problem! Keep us posted on the final resolution of the problem!

 

Thank you for rating helpful posts!