A whisper of a networker.

上週把ACS 5.6弄起來，把SWITCH AAA 導至ACS驗証
ACS上新增RSA Authentication Manager
用意是要登入switch時，用員編+token做one time password login
使用上也都正常，但是有個小問題，就是無法在短時間內登入多台設備
也就是說，同組passcode只能登入一台設備，下一台設備要等passcode
變成另一組才能登入，不然會驗証失敗，去查RSA Log 會出現
Passcode reuse or previous token code detected for user "xxxxx"的訊息

原以為是哪裡有設錯  後來和朋友討論後的結論是

One Time Password 如果可以重複使用 就不叫One Time Password了

正想就這樣結束時，又有高人指點

在ACS 5.6中 RSA SecurID Token Server的設定裡
有一個選項叫
Passcode caching enables the user to perform more than one authentication
using the same passcode.

□ Enable passcode caching
Aging Time: _30_ seconds

這個功能如果勾選的話，第一次驗証會去問RSA AM，然後30秒內用同個passcode去
登入其它設備，是不會再去問RSA AM，而是直接給予放行
這樣也就解了我一開始的問題~ 這是ACS的功能，OTP依舊是OTP
ACS中間做了手腳就方便網管做事

CISCO ACS的Release Notes如下
ACS 5.5 provides a new feature called passcode caching, where ACS 5.5 stores
user credentials and their passcodes in a cache. The passcode cache in ACS is
available for a configurable amount of time from 1 to 300 seconds. After a
first successful authentication against an RSA Secure ID token server, ACS
stores the user credentials in its cache. The RSA passcode cache will be
available for the amount of time that you have configured. If the user
accesses the network within this time period again, ACS checks for the user
credentials in its cache and processes the request.