Does ISE use a cache for AD authentication?

REJR77
Level 1

Hello,

I would like to know if ISE is able to cache authentications when a user is authenticated with AD?

For example, a user connects to the network, then disconnects and reconnects a few minutes later.

Does ISE use a cache or does it search each time in the AD?

Of course, where is the setting?

Kind regards

1 Accepted Solution

thomas
Cisco Employee

ISE performs an authentication direct to AD (or any identity store) every single time because you may have just fired someone or changed their authorized groups, etc.

The cache setting that Balaji showed is for the Machine Access Restrictions (MAR) cache, which is for machine authentication requirements before a user logs in. This is a totally separate scenario from a basic authentication.

4 Replies

balaji.bandi
Hall of Fame

For the device authentication it will not cache.

For 802.1X machine access it keeps 5 hours by default, as far as I know... you can change this in

balajibandi_0-1669223272896.png

 

BB

Hi

So if I understand you well, when ISE authenticates a user with AD it keeps it in cache for 5h? Not searching for this user in AD for 5h.

 

thomas
Cisco Employee

ISE performs an authentication direct to AD (or any identity store) every single time because you may have just fired someone or changed their authorized groups, etc.

The cache setting that Balaji showed is for the Machine Access Restrictions (MAR) cache, which is for machine authentication requirements before a user logs in. This is a totally separate scenario from a basic authentication.

By default no, but you can enable PEAP session resume, which will use the cached information in ISE to authenticate a user without performing the full auth against AD. However, I'm not sure if ISE still actively searches/applies authz conditions (like AD group) or if those are cached too.