ISE RSA Identity Caching replication between PSNs?

scott.stapleton
Level 1

According to BRKSEC-3697 and a previous forum post, RSA passcode caching is NOT replicated between PSNs.

My question, however, is NOT regarding passcode caching but RSA Identity Caching.

Is Identity Caching replicated between PSNs? I presume not but want to clarify.

Associated question: was there any change in Identity Caching behaviour when the ability to modify the aging time was introduced in 2.4 patch 6 (and I believe 2.2 and 2.3 via CSCvk74190; though the BugID only mentions Radius Token Identity Caching, I assume it applies to RSA also)? It's disabled by default and I assume was enabled (but unconfigurable) pre-patch. But otherwise, any changes?

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

Is Identity Caching replicated between PSNs? I presume not but want to clarify.


Correct. This is not currently replicated.

Associated question: was there any change in Identity Caching behaviour when the ability to modify the aging time was introduced in 2.4 patch 6 (and I believe 2.2 and 2.3 via CSCvk74190; though the BugID only mentions Radius Token Identity Caching, I assume it applies to RSA also)? It's disabled by default and I assume was enabled (but unconfigurable) pre-patch. But otherwise, any changes?

Before CSCvk74190 was addressed, this was always enabled with the aging timeout hard-coded to 120 seconds (or 2 minutes). Afterwards, the default behavior is no caching (or disabled), but it can be enabled and configured with an aging timeout between 1 and 1440 seconds.


2 Replies

Cheers - that's helpful.