Posture lease

nikhilcherian
Level 5

Hi All,

I would like to know how ISE handles the following:

  1. If the user connects within 24 hours, does ISE still contact AD to validate the username/password?
  2. If the user changes the password within 24 hours and then connects to the network again, does ISE report an auth failure for the user?

Regards

Nikhil

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee

On 1. Yes, unless session resume settings are configured for the auth protocols, such as PEAP or EAP-FAST, or some wireless optimal roaming is in use.

On 2. The supplicants might cache the old password. Otherwise, no, unless Active Directory replication is slow and the user is unable to use the new password yet.


5 Replies


Hi,

Thank you for the quick reply

On 1. Yes, unless session resume settings are configured for the auth protocols, such as PEAP or EAP-FAST, or some wireless optimal roaming is in use.

I believe the session resume settings are on the client side. If the client requests session resume and ISE honors the request, this would mean ISE should have cached the session details, including the password. In most cases I can see "RADIUS is re-using an existing session" in the RADIUS live logs. Does this mean the client has requested session resume, or is ISE taking it from the ISE cache by itself even though the client hasn't requested session resume, so that ISE does not contact AD?

On 2. The supplicants might cache the old password. Otherwise, no, unless Active Directory replication is slow and the user is unable to use the new password yet.

Unless there is PAC involved, I don't think the supplicants might cache the old password

See Generate PAC for EAP-FAST Settings or PEAP Settings.

Windows native supplicants, for example, have an option [ ] Remember my credentials for this connection each time I'm logged on. Other client OS's have similar.

I hope with AnyConnect the only option for caching is the PAC.

Basic session resume (SR) is server-side caching and is specific to the original PSN that the client connected to. In later ISE releases that support RFC 5077 stateless session resume across a node group, it is the client that maintains the key, and it must support the feature. So in the original method, the client has no knowledge of the server-side caching. The server does not cache passwords; it simply bypasses TLS negotiation. With stateless resume, the client is an active participant in bypassing TLS negotiation. Only with Fast Reconnect (FR) does the server skip validation of the inner identity, such as with PEAP. There is no password caching on the server side for SR/FR. FR requires client support.
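To make the three behaviours described in the replies concrete, here is an added toy model (not Cisco's code, and not how ISE is implemented) of per-node session resume, RFC 5077-style stateless resume across a node group, and Fast Reconnect. The node names, the shared node-group key, the directory contents and the ticket lifetime are constructed assumptions; what it shows is which path still asks the directory for the password after a change, and which does not.

```python
import hmac, hashlib, json, time, base64

NODE_GROUP_KEY = b"constructed-shared-node-group-key"  # assumed: shared by every PSN in the node group
AD = {"nikhil": "Winter2023!"}                          # constructed directory; the password can change

class PSN:
    """One Policy Service Node. `cache` is this node's own TLS session cache (basic SR)."""
    def __init__(self, name):
        self.name, self.cache, self.ad_lookups = name, {}, 0

    def check_ad(self, user, password):
        self.ad_lookups += 1                            # counts real directory round-trips
        return AD.get(user) == password

    def full_auth(self, user, password):
        """First connection: full TLS handshake plus inner auth against AD."""
        if not self.check_ad(user, password):
            return "fail", None
        sid = hashlib.sha256(f"{self.name}:{user}:{time.time()}".encode()).hexdigest()[:16]
        self.cache[sid] = user                          # SR state lives on this node only
        return "ok", sid

    def resume(self, user, password, sid, fast_reconnect=False):
        """Basic SR: skip TLS only if *this* node cached sid. The inner identity is
        still validated unless Fast Reconnect is on (FR timeout not modelled here)."""
        if sid not in self.cache:
            return self.full_auth(user, password)      # cache miss on another PSN: full auth again
        if fast_reconnect:
            return "ok", sid                            # FR: inner auth skipped, AD not contacted
        return ("ok", sid) if self.check_ad(user, password) else ("fail", None)

def issue_ticket(user, lifetime=3600):
    """RFC 5077-style ticket: the client keeps it; any node holding the group key can verify it."""
    body = base64.b64encode(json.dumps({"user": user, "exp": time.time() + lifetime}).encode())
    tag = hmac.new(NODE_GROUP_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + tag

def stateless_resume(node, ticket, user, password):
    """Any PSN in the group skips TLS on a valid ticket, but still asks AD for the password."""
    body, tag = ticket.split(".")
    expected = hmac.new(NODE_GROUP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag) or json.loads(base64.b64decode(body))["exp"] < time.time():
        return node.full_auth(user, password)           # tampered or expired ticket: full auth
    return ("ok", ticket) if node.check_ad(user, password) else ("fail", None)
```

The `ad_lookups` counter is the thing to watch: it only stays flat on the Fast Reconnect path, which is why a password change is invisible there until the client reconnects in full.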