Hmm, what you have there should work. My AD skills are close to none existent so I can't provide much help there but it sounds like the issue is somewhere with AD/permissions. Once joined to the domain and the computer accounts for ISE are created, all ISE is doing is querying the domain for users and their group membership. Here are the requirements from ISE:
| For Joining | For Leaving | Cisco ISE Machine Accounts |
For the account that is used to
perform the join operation, the
following permissions are required:
• Search Active Directory (to
see if a Cisco ISE machine
account already exists)
• Create Cisco ISE machine
account to domain (if the
machine account does not
already exist)
• Set attributes on the new
machine account (for
example, Cisco ISE machine
account password, SPN,
dnsHostname)
It is not mandatory to be a domain
administrator to | For the account that is used to
perform the leave operation, the
following permissions are required:
• Search Active Directory (to
see if a Cisco ISE machine
account already exists)
• Remove Cisco ISE machine
account from domain
If you perform a force leave (leave
without the password), it will not
remove the machine account from
the domain. | For the newly created Cisco ISE
machine account that is used to
communicate to the Active
Directory connection, the following
permissions are required:
• Ability to change own
password
• Read the user/machine
objects corresponding to
users/machines being
authenticated
• Query some parts of the
Active Directory to learn
about required information
(for example, trusted
domains, alternative UPN
suffixes and so on.)
• Ability to read tokenGroups
attribute
You can precreate the machine
account in Active Directory, and if
the SAM name matches the Cisco
ISE appliance hostname, it should
be located during the join operation
and re-used.
If multiple join operations are
performed, multiple machine
accounts are maintained inside
Cisco ISE, one for each join. |
Thank you for rating helpful posts!
Thank you for rating helpful posts!
