ISE Active Directory Account Privileges

scamarda
Cisco Employee
Cisco Employee

Is it possible to have ISE join the domain with a privileged account and then, once joined, switch to an account that is read-only?  It may be the same account that is changed to read-only access.  Customer would like to have the ISE AD account be read-only.

Accepted Solution

bravojared
Level 4
Level 4

The AD Join for ISE is similar to joining a workstation to a domain.  When you do the join, it is a one-time join to the domain and not binding to a directory using a service account.  As long as you have permissions to make the join, that is all that is required.  Once the machine is part of the domain, that account is not used anymore...


With one caveat on use cases:

If you have the desire to use Passive Identity in your deployment, then ISE can query domain controllers for events to determine the identity passively.  For that you need to configure it properly and have the credentials presented via WMI or Agent.  For that, please review the permissions required on that account and then configure that separately.

Cisco Identity Services Engine Administrator Guide, Release 2.3 - Manage Users and External Identity Sources [Cisco Ide…

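The accepted answer's point, that the account used for the join is not needed afterwards because ISE acts through its computer object, can be checked from an AD management host. The following PowerShell is an added example, not code from the thread or from Cisco; the ISE node name "ise-psn-01", the join account "svc-ise-join" and the group list are assumptions, and it requires the ActiveDirectory RSAT module.

```powershell
# Added example (not from the thread): after ISE has joined the domain, confirm its
# computer object exists, strip the one-time join account of privileged group
# memberships, and verify the ISE object is unaffected by that change.
# Assumed names: ISE node "ise-psn-01", join account "svc-ise-join".
Import-Module ActiveDirectory

$IseNode          = 'ise-psn-01'     # assumption: ISE node hostname as registered in AD
$JoinAccount      = 'svc-ise-join'   # assumption: account used only for the domain join
$PrivilegedGroups = @('Domain Admins', 'Account Operators')  # groups it no longer needs

# 1. The join creates a computer object; that object, not the join account, is what
#    ISE uses from now on. Fail early if the join has not actually completed.
$iseObject = Get-ADComputer -Identity $IseNode -Properties whenCreated -ErrorAction SilentlyContinue
if (-not $iseObject) { throw "No computer object for $IseNode; the join has not completed." }
"ISE object {0} created {1}" -f $iseObject.DistinguishedName, $iseObject.whenCreated

# 2. Remove the join account from privileged groups. Note the caveat from the thread:
#    if this same account is also configured for Passive Identity (WMI/agent), it needs
#    the separate permissions the admin guide lists and must not be reduced this way.
foreach ($group in $PrivilegedGroups) {
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Select-Object -ExpandProperty SamAccountName
    if ($members -contains $JoinAccount) {
        Remove-ADGroupMember -Identity $group -Members $JoinAccount -Confirm:$false
        "Removed $JoinAccount from $group"
    }
}

# 3. Report the remaining memberships of the join account for review.
"Remaining groups for ${JoinAccount}:"
Get-ADPrincipalGroupMembership -Identity $JoinAccount | Select-Object -ExpandProperty Name

# 4. The ISE computer object must still be present and enabled after the change.
$stillEnabled = (Get-ADComputer -Identity $IseNode).Enabled
"ISE object enabled after privilege reduction: $stillEnabled"
```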

3 Replies


When ISE is joined to the Active Directory, it creates an object in the AD. The account should have the correct permissions to create that object; however, once created, the permissions that matter are the ones from the object, not the account.

In the scenario that you are posting, creating the object with a privileged account and then changing the permissions of that account should not affect it, as the object would be created with the privileged account.

Alberto Lozada

CCIE #41132 Security

hslai
Cisco Employee
Cisco Employee

Both Jared and Alberto are correct. In the ISE admin guide, Active Directory Account Permissions Required for Performing Various Operations lists out the permissions.
