topic Re: Identity and passcode cache for External Radius Token Identity Source in ISE in Network Access Control

Identity and passcode cache for External Radius Token Identity Source in ISE

SzantaiNorbert — Mon, 13 Jan 2020 10:16:12 GMT

Hello All,

We successfully integrated an External Radius Token Identity Source to our ISE, but we would like to use the passcode and identity cache function, so the users could re-use their OTP for a short period of time.

Even if i click the checkboxes to use them, i can see in the captures that ISE is sending a Access-Request to the RADIUS server every time, and - of course - the RADIUS server answer is an Access-Reject, because the OTP is invalid.

Do i misunderstood the password cache function? How should it work? Shouldnt ISE store the password somehow, and re-use it for a second or third time?

If thats not how it works, do you have any recommandation have to accomplish that?

Currently we are using ISE 2.4 with patch 8.

Regards,

Norbert

Re: Identity and passcode cache for External Radius Token Identity Source in ISE

hslai — Tue, 14 Jan 2020 02:05:36 GMT

Configure Authentication Control Options for RSA Identity Source --> OTP Token Caching

Enable Identity Caching is added in ISE 2.4 Patch 6. See New Features in Cisco ISE Release 2.4.0.357 - Cumulative Patch 6

Please clarify how you are setting them to and how application/device is using the OTP. If the OTP server is configured for RADIUS challenges, I do not think it would work with OTP token caching.

Also, the authentications need stay on the same PSN as the cache is not replicated to another.

Re: Identity and passcode cache for External Radius Token Identity Source in ISE

SzantaiNorbert — Tue, 14 Jan 2020 10:02:29 GMT

Hello,

The document you linked is using RSA Identity Source. We are using a RADIUS Token Server.

And in the RADIUS Token Server settings i just clicked on the "Enable passcode caching for 30 sec" and "Enable Identity cachhing for 120 min". These are the default settings.

We want to use the OTP for TACACS+. In the Device Admin Policy we changed the external identity source to use the OTP server. In the captures i can see that every time when we log in, ISE send a RADIUS Access-Request to the OTP Server, and it repsonds only with an Access-Accept. But if we want to re-use the same OTP, ISE send another Access-Request to the OTP server which answer with an Access-Reject.

And we have only 1 PSN in this scenario, because it is just a test deployment.

Regards,

Norbert

Re: Identity and passcode cache for External Radius Token Identity Source in ISE

SzantaiNorbert — Thu, 16 Jan 2020 14:27:53 GMT

Hello,

It was my bad, it is working now. Somehow my terminal client messed up everything. With Putty, it is working totally fine.

Thanks for your help!
Regards,

Norbert