11-07-2014 09:32 AM - edited 02-21-2020 05:19 AM
Performing Cisco ISE integration with Active Directory, which has a trust relationship with another AD.
The user that is used to establish the connection has full permissions only on one domain controller and read-only on the other.
The authentication of wireless users on the domain controller where you have full permissions works fine; the authentication of users who are on the other domain controller has problems.
Is it necessary that the domain user that connects ISE to AD has full permissions on both domain controllers?
11-08-2014 10:47 PM
Hmm, what you have there should work. My AD skills are close to non-existent so I can't provide much help there, but it sounds like the issue is somewhere with AD/permissions. Once joined to the domain and the computer accounts for ISE are created, all ISE is doing is querying the domain for users and their group membership. Here are the requirements from ISE:
For Joining
For the account that is used to perform the join operation, the following permissions are required:
• Search Active Directory (to see if a Cisco ISE machine account already exists)
• Create Cisco ISE machine account to domain (if the machine account does not already exist)
• Set attributes on the new machine account (for example, Cisco ISE machine account password, SPN, dnsHostname)
It is not mandatory to be a domain administrator to

For Leaving
For the account that is used to perform the leave operation, the following permissions are required:
• Search Active Directory (to see if a Cisco ISE machine account already exists)
• Remove Cisco ISE machine account from domain
If you perform a force leave (leave without the password), it will not remove the machine account from the domain.

Cisco ISE Machine Accounts
For the newly created Cisco ISE machine account that is used to communicate to the Active Directory connection, the following permissions are required:
• Ability to change own password
• Read the user/machine objects corresponding to users/machines being authenticated
• Query some parts of the Active Directory to learn about required information (for example, trusted domains, alternative UPN suffixes and so on.)
• Ability to read tokenGroups attribute
You can precreate the machine account in Active Directory, and if the SAM name matches the Cisco ISE appliance hostname, it should be located during the join operation and re-used. If multiple join operations are performed, multiple machine accounts are maintained inside Cisco ISE, one for each join.
Thank you for rating helpful posts!
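The requirements quoted above boil down to three reads the ISE account must be able to perform against each domain, including the trusted one: read the RootDSE (to discover naming contexts and trusts), read the user object being authenticated, and read that user's constructed tokenGroups attribute. The script below is an added diagnostic example, not part of this thread or of Cisco's documentation, that performs exactly those reads with a chosen credential against both domains so you can see which step fails on the trusted side. The domain names, the account name and the test user names are placeholders; note that at runtime ISE queries AD with its own machine account, so running this with the join account only approximates what ISE sees.

```powershell
# Added diagnostic example (not from the thread or Cisco docs): checks whether a
# given account can perform the reads ISE needs against each domain.
# All domain names, account names and test users below are placeholders.
Add-Type -AssemblyName System.DirectoryServices

$checkAccount  = 'CORP\ise-join'   # placeholder: account whose AD read access you want to verify
$securePass    = Read-Host -AsSecureString "Password for $checkAccount"
$checkPassword = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
                    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($securePass))

# Placeholder domains: the one ISE is joined to, and the trusted one where authentication fails.
$checks = @(
    @{ Domain = 'corp.example';    TestUser = 'jdoe'   },
    @{ Domain = 'partner.example'; TestUser = 'asmith' }
)

function Test-IseReadAccess {
    param(
        [string]$Domain,
        [string]$TestUser,
        [string]$Account,
        [string]$Password
    )
    $result = [ordered]@{
        Domain = $Domain; TestUser = $TestUser
        RootDSE = $false; UserObject = $false; TokenGroups = $false; Error = $null
    }
    try {
        # 1. Read RootDSE: needed to learn naming contexts, trusts and UPN suffixes.
        $root = New-Object System.DirectoryServices.DirectoryEntry(
                    "LDAP://$Domain/RootDSE", $Account, $Password)
        $defaultNC = $root.Properties['defaultNamingContext'].Value
        $result.RootDSE = [bool]$defaultNC

        # 2. Locate and read the user object that would be authenticated.
        $base = New-Object System.DirectoryServices.DirectoryEntry(
                    "LDAP://$Domain/$defaultNC", $Account, $Password)
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
                        $base, "(&(objectClass=user)(sAMAccountName=$TestUser))")
        $hit = $searcher.FindOne()
        if ($hit) {
            $result.UserObject = $true
            # 3. Read the constructed tokenGroups attribute (the group SIDs ISE uses for
            #    authorization). It is only returned when explicitly refreshed.
            $entry = $hit.GetDirectoryEntry()
            $entry.RefreshCache(@('tokenGroups'))
            $result.TokenGroups = ($entry.Properties['tokenGroups'].Count -gt 0)
        }
    } catch {
        # Access-denied or referral errors on the trusted domain show up here.
        $result.Error = $_.Exception.Message
    }
    [pscustomobject]$result
}

foreach ($c in $checks) {
    Test-IseReadAccess -Domain $c.Domain -TestUser $c.TestUser `
                       -Account $checkAccount -Password $checkPassword
}
```

A row where RootDSE and UserObject are true but TokenGroups is false points at missing read permission on tokenGroups in that domain (the last bullet of the machine-account requirements); a row where UserObject is already false means the account cannot even read user objects on the trusted side, which matches the symptom in the original question. Full domain admin rights are not what these reads require, only the read permissions listed above.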
11-09-2014 08:20 PM
Thanks for your comments, this is very important.
I think the same, that it is related to AD permissions.
11-09-2014 08:23 PM
No problem! Keep us posted on the final resolution of the problem!
Thank you for rating helpful posts!