cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

506
Views
1
Helpful
5
Replies
Highlighted
Contributor

Posture lease

Hi All,

I would like to know, how the does ISE handle below

  1. If the user connects within 24 hours,does the ISE still contact the AD to validate the username/password
  2. If the user changes the password within 24 hours & the user connect again to the network,  does the ISE say auth failure for the user

Regards

Nikhil

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

On 1. Yes, unless session resume settings configured for the auth protocols, such as PEAP or EAP-FAST, or using some wireless optimal roaming.

On 2. the supplicants might cache the old password. Otherwise, no, unless active directory replication is slow and the user unable to use the new password yet.

View solution in original post

5 REPLIES 5
Highlighted
Cisco Employee

On 1. Yes, unless session resume settings configured for the auth protocols, such as PEAP or EAP-FAST, or using some wireless optimal roaming.

On 2. the supplicants might cache the old password. Otherwise, no, unless active directory replication is slow and the user unable to use the new password yet.

View solution in original post

Highlighted

Hi,

Thank you for the quick reply

On 1. Yes, unless session resume settings configured for the auth protocols, such as PEAP or EAP-FAST, or using some wireless optimal roaming.

I believe the session resume settings are from the client side. If the client request for session resume & ISE is honoring the request, this would mean the ISE should have cached the session details including the password. In most cases I can see in RADIUS live logs,"RADIUS is re-using an existing session ", does this mean the client has requested for session resume or if the ISE is taking from the ISE-cache by itself even though the client hasn't requested for the session resume & ISE does not contact the AD

On 2. the supplicants might cache the old password. Otherwise, no, unless active directory replication is slow and the user unable to use the new password yet.

Unless there is PAC involved, I don't think the supplicants might cache the old password

Highlighted

See Generate PAC for EAP-FAST Settings or  PEAP Settings.

Windows native supplicants, for example, have an option [ ] Remember my credentials for this connection each time I'm logged on. Other client OS's have similar.

Highlighted

I hope with anyconnect the only option for caching is PAC

Highlighted

Basic session resume (SR) is server-side caching and is specific to original PSN that client connected.  In later ISE releases that support RFC-5077 stateless session resume across node group, it is the client which maintains the key and must support the feature.  So in  original method, the client does not have knowledge of the server caching.  Server does not cache passwords, but simply bypasses TLS negotiation.  With stateless resume, client is active participant to bypass TLS negotiation.  Only with Fast Reconnect (FR) does server skip validation of inner identity such as with PEAP.  There is no password caching on server side for SR/FR.  FR requires client support.

Content for Community-Ad