Identity and passcode cache for External Radius Token Identity Source in ISE

SzantaiNorbert
Level 1

Hello All,


We successfully integrated an External RADIUS Token Identity Source into our ISE, but we would like to use the passcode and identity cache function, so the users could re-use their OTP for a short period of time.

Even if I click the checkboxes to use them, I can see in the captures that ISE is sending an Access-Request to the RADIUS server every time, and - of course - the RADIUS server's answer is an Access-Reject, because the OTP is invalid.

Do I misunderstand the password cache function? How should it work? Shouldn't ISE store the password somehow, and re-use it for a second or third time?

If that's not how it works, do you have any recommendation on how to accomplish that?

Currently we are using ISE 2.4 with patch 8.

Regards,

Norbert

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

Configure Authentication Control Options for RSA Identity Source --> OTP Token Caching

Enable Identity Caching is added in ISE 2.4 Patch 6. See New Features in Cisco ISE Release 2.4.0.357 - Cumulative Patch 6

Please clarify how you are setting them and how the application/device is using the OTP. If the OTP server is configured for RADIUS challenges, I do not think it would work with OTP token caching.

Also, the authentications need to stay on the same PSN, as the cache is not replicated to another.


3 Replies

Hello,

The document you linked is using RSA Identity Source. We are using a RADIUS Token Server.

And in the RADIUS Token Server settings I just clicked on "Enable passcode caching for 30 sec" and "Enable Identity caching for 120 min". These are the default settings.

We want to use the OTP for TACACS+. In the Device Admin Policy we changed the external identity source to use the OTP server. In the captures I can see that every time we log in, ISE sends a RADIUS Access-Request to the OTP server, and it responds only with an Access-Accept. But if we want to re-use the same OTP, ISE sends another Access-Request to the OTP server, which answers with an Access-Reject.

And we have only 1 PSN in this scenario, because it is just a test deployment.

Regards,

Norbert
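As an added illustration (not code from this thread or from Cisco ISE), the following Python model shows the behaviour hslai describes with the settings quoted above: a per-PSN passcode cache of 30 seconds, an identity cache of 120 minutes, and a token server that accepts each OTP exactly once. It goes beyond the single-PSN test deployment by adding a second PSN to show why the cache cannot help there; the user name, OTP and timings are constructed, and storing keyed digests instead of passcodes is an assumption about a sensible cache design, not a description of ISE internals.

```python
import hashlib
import hmac
import secrets

PASSCODE_CACHE_SECONDS = 30          # "Enable passcode caching for 30 sec"
IDENTITY_CACHE_SECONDS = 120 * 60    # "Enable identity caching for 120 min"

class OTPServer:
    """Constructed stand-in for the RADIUS token server: every OTP is accepted exactly once."""
    def __init__(self, passcodes):
        self.unused = {user: set(codes) for user, codes in passcodes.items()}
    def access_request(self, user, passcode):
        accepted = passcode in self.unused.get(user, set())   # replayed passcode -> Access-Reject
        if accepted:
            self.unused[user].discard(passcode)
        return accepted

class PSN:
    """One Policy Service Node with its own token cache, which is not replicated to other PSNs."""
    def __init__(self, otp_server):
        self.otp_server = otp_server
        self.requests_sent = 0                  # Access-Requests actually sent to the token server
        self._key = secrets.token_bytes(32)     # node-local key: the cache holds keyed digests, not OTPs
        self._passcodes = {}                    # user -> (digest, expiry)
        self._identities = {}                   # user -> expiry
    def _digest(self, user, passcode):
        return hmac.new(self._key, f"{user}\0{passcode}".encode(), hashlib.sha256).digest()
    def authenticate(self, user, passcode, now):
        entry = self._passcodes.get(user)
        if entry and now < entry[1] and hmac.compare_digest(entry[0], self._digest(user, passcode)):
            return "cache-hit"                  # same OTP, same PSN, within 30 s: no RADIUS traffic
        self.requests_sent += 1
        if not self.otp_server.access_request(user, passcode):
            return "reject"
        self._passcodes[user] = (self._digest(user, passcode), now + PASSCODE_CACHE_SECONDS)
        self._identities[user] = now + IDENTITY_CACHE_SECONDS
        return "accept"
    def identity_cached(self, user, now):
        return now < self._identities.get(user, 0.0)

def scenario():
    server = OTPServer({"norbert": {"482913"}})  # constructed user and OTP
    psn_a, psn_b, t0 = PSN(server), PSN(server), 1000.0
    results = [
        psn_a.authenticate("norbert", "482913", t0),       # first login: Access-Request, Access-Accept
        psn_a.authenticate("norbert", "482913", t0 + 10),  # re-use within 30 s: served from the cache
        psn_b.authenticate("norbert", "482913", t0 + 15),  # other PSN has no cache: RADIUS rejects the replay
        psn_a.authenticate("norbert", "482913", t0 + 40),  # cache expired: RADIUS rejects the replay
    ]
    return results, psn_a.requests_sent, psn_b.requests_sent, psn_a.identity_cached("norbert", t0 + 40)
```

Only the first and the expired attempt on psn_a generate RADIUS traffic; the identity cache outlives the passcode cache, so the user is still known to psn_a after the OTP itself can no longer be replayed.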


Hello,

It was my bad, it is working now. Somehow my terminal client messed up everything. With PuTTY, it is working totally fine.

Thanks for your help!
Regards,

Norbert