Increase Aging Time for Passcode Caching

oalfarda
Cisco Employee

Hi,

I have a customer who wants to increase the aging time for Passcode Caching beyond the maximum of 300 seconds, as from their standpoint they don't want the user to have to use the OTP within that short period.

The question is: is it allowed to increase it beyond 300 seconds, and if not, what would be the workaround?

Accepted Solution

Craig Hyps
Level 10

This relatively new feature changes the behavior from requiring a new OTP for each auth event to allowing the same password/token to be reused for the specified interval. Note that ISE is locally caching the code and not sending it to the OTP server, as that would break the entire concept of OTP. The feature allows the same cached code to be used for auth. The max interval is 300 sec or 5 minutes. There is no option to change this max value today.

Realize that the OTP is specific to the auth event. Once authenticated, the password does not need to be re-entered until the next auth event (for example, the user disconnects from the network and returns later). If the goal is to reuse the same OTP for an extended period of time, then it sounds like OTP is not the type of auth the customer actually needs. If you wish to reuse the same password for extended periods, then why not use a regular username/password with periodic aging on the user account?

There are other cases where the initial login event can effectively be reused, such as device registration with the option to periodically purge registration status, or caching from the NAD side (for example, AnyConnect Always On VPN).

If you still feel there is a specific requirement to support Passcode Caching beyond 300 sec, please work with your Cisco account team to submit an enhancement request along with the use case.

/Craig

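The mechanism the reply describes, a local cache that answers repeat authentications with the same passcode for a bounded window and never re-sends that code to the token server, as an added simulation in Python. This is not Cisco ISE code and not a description of ISE internals: the `OtpServer` stand-in, the `PasscodeCache` class, the keyed-hash storage of the cached code, the assumption that the window is measured from the first successful verification rather than refreshed on each reuse, and the `demo()` scenario are all constructed for this example.

```python
"""Simulation of OTP passcode caching with a hard 300-second cap.

Added example, not ISE code. Every name below is an assumption made for
illustration; only the 300-second maximum comes from the thread.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Set

MAX_AGING_SECONDS = 300  # the cap the reply describes; not adjustable


def aging_allowed(seconds: int) -> bool:
    """Mirror the administrative limit: 1..300 seconds inclusive."""
    return 1 <= seconds <= MAX_AGING_SECONDS


class OtpServer:
    """Stand-in for the external token server (constructed for this example).

    A code is accepted once and then burned, so a replay that reaches the
    server fails; only the local cache can make the same code work twice."""

    def __init__(self, codes_by_user: Dict[str, Set[str]]):
        self._codes = {u: set(c) for u, c in codes_by_user.items()}
        self.requests = 0  # how many verifications actually hit the server

    def verify(self, user: str, code: str) -> bool:
        self.requests += 1
        unused = self._codes.get(user, set())
        if code in unused:
            unused.discard(code)  # one-time: consumed on first use
            return True
        return False


@dataclass
class CacheEntry:
    digest: bytes       # keyed hash of (user, code); the passcode itself is not stored
    first_seen: float   # time of first successful verification; the window runs from here


class PasscodeCache:
    """Front end that answers repeat auths from a local cache for a bounded window."""

    def __init__(self, otp: OtpServer, aging_seconds: int, clock=time.monotonic):
        if not aging_allowed(aging_seconds):
            raise ValueError(f"aging time must be 1..{MAX_AGING_SECONDS} seconds")
        self._otp = otp
        self.aging_seconds = aging_seconds
        self._clock = clock
        self._key = secrets.token_bytes(32)  # per-process key for the keyed hash
        self._cache: Dict[str, CacheEntry] = {}

    def _digest(self, user: str, code: str) -> bytes:
        return hmac.new(self._key, f"{user}\0{code}".encode(), hashlib.sha256).digest()

    def authenticate(self, user: str, code: str, now: Optional[float] = None) -> str:
        """Return "cache", "otp" or "reject" to show which path answered the request."""
        now = self._clock() if now is None else now
        digest = self._digest(user, code)
        entry = self._cache.get(user)
        if entry is not None:
            if now - entry.first_seen > self.aging_seconds:
                del self._cache[user]  # window closed: a fresh token is required
            elif hmac.compare_digest(entry.digest, digest):
                return "cache"         # same code inside the window: no server round trip
        if self._otp.verify(user, code):
            self._cache[user] = CacheEntry(digest, now)  # start the window on success
            return "otp"
        return "reject"


def demo():
    """Constructed scenario: one user holding one unused token code."""
    otp = OtpServer({"alice": {"483920"}})
    cache = PasscodeCache(otp, aging_seconds=300)
    t0 = 1000.0
    outcomes = [
        cache.authenticate("alice", "483920", now=t0),        # fresh code, verified at the server
        cache.authenticate("alice", "483920", now=t0 + 120),  # reused inside the window, served from cache
        cache.authenticate("alice", "111111", now=t0 + 130),  # wrong code goes to the server and is rejected
        cache.authenticate("alice", "483920", now=t0 + 299),  # cached code still valid at 299 s
        cache.authenticate("alice", "483920", now=t0 + 301),  # window closed; the server already burned it
    ]
    return outcomes, otp.requests


if __name__ == "__main__":
    print(demo())
```

The scenario makes the reply's two points visible: inside the window the server is never consulted for the cached code (the server counter only moves for the first verification and for requests the cache cannot answer), and once the window closes the same code is dead everywhere because the token server consumed it on first use. It also shows why the cap matters: for as long as an entry lives, anyone who can present that user's cached code is authenticated without the server seeing it, so a longer aging time is a longer replay window, not just a convenience setting.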