13.3 Cache Options

In this policy, you can disable the local caching of authenticators. The policy is supported for Windows Client, Mac OS X Client, and Linux PAM Client for chains that use the following methods: LDAP Password, Password, HOTP, TOTP, Smartphone (offline mode), Card, FIDO U2F, Fingerprint, and PKI.

This policy allows you to configure the following settings:

  • By default, the Enable local caching option is enabled. To disable caching, set the option to OFF and click Save.

    Caching stores the user's authenticator credentials on the Client so that offline authentication is possible when the Advanced Authentication server is not reachable. A user who has successfully logged in to the server online at least once can therefore log in with offline authentication afterwards.

  • By default, the Cache expire time is set to 0, which means that the cache never expires. Use the Cache expire time option to set the duration (in hours) for which user authenticators are stored in the Client cache. The maximum expiry time that you can set is 24 * 366 (8784 hours). This setting applies to the Advanced Authentication Clients.

    When a user logs in with cached authenticators, Advanced Authentication compares the time of the last online login with the time of the current offline authentication. If the elapsed time is less than or equal to the duration specified in Cache expire time, the user is authenticated to the Client.

    For example, consider that the Cache expire time is set to 2 hours and the user's last online login to the Client was at 1:00 PM. When the user tries to log in to Windows Client with cached authenticator credentials at 2:30 PM, the authentication succeeds and the user is logged in to Windows Client. If the user instead tries to log in with cached authenticator credentials at 4:00 PM, the offline authentication fails because the cache has expired, and the following message is displayed:

    Authenticators of <user name> were not cached. Press OK and try again to log in as local user or cached user
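As an added illustration, not part of the Advanced Authentication documentation or product code, the following Python reproduces the expiry rule described above: the cached authenticator is accepted while the time since the last online login is at most the Cache expire time, 0 means never expires, and values above 24 * 366 hours are rejected. The user name jdoe, the timestamps, and the handling of a Client clock that reads earlier than the recorded last online login are assumptions of this example, not behaviour stated on the page.

```python
from datetime import datetime, timedelta

# Policy bounds from the Cache Options description: 0 means the cache never
# expires; the largest configurable value is 24 * 366 hours (8784).
MAX_CACHE_EXPIRE_HOURS = 24 * 366

# Message the page shows when an offline logon is refused; <user name> is
# substituted with the account that tried to log in.
NOT_CACHED_MESSAGE = (
    "Authenticators of {user} were not cached. "
    "Press OK and try again to log in as local user or cached user"
)


def is_valid_cache_expire_time(hours: int) -> bool:
    """Return True if `hours` is an allowed Cache expire time value."""
    return isinstance(hours, int) and 0 <= hours <= MAX_CACHE_EXPIRE_HOURS


def cached_logon_allowed(last_online_login: datetime, now: datetime,
                         cache_expire_hours: int) -> bool:
    """Apply the expiry rule: the cached authenticator is usable while the
    time since the last online login is <= Cache expire time (0 = forever)."""
    if not is_valid_cache_expire_time(cache_expire_hours):
        raise ValueError(
            f"Cache expire time must be 0..{MAX_CACHE_EXPIRE_HOURS} hours")
    if cache_expire_hours == 0:
        return True  # never expires
    elapsed = now - last_online_login
    # Assumption made in this example (not stated on the page): a Client clock
    # that reads earlier than the recorded last online login is treated as
    # expired rather than as a freshly refreshed cache.
    if elapsed < timedelta(0):
        return False
    return elapsed <= timedelta(hours=cache_expire_hours)


def offline_logon(user: str, last_online_login_iso: str, now_iso: str,
                  cache_expire_hours: int):
    """Convenience wrapper taking ISO-8601 timestamps; returns
    (allowed, message) where message is None on success."""
    allowed = cached_logon_allowed(datetime.fromisoformat(last_online_login_iso),
                                   datetime.fromisoformat(now_iso),
                                   cache_expire_hours)
    return allowed, (None if allowed else NOT_CACHED_MESSAGE.format(user=user))


if __name__ == "__main__":
    # Constructed sample reproducing the page's walk-through: expire time 2 h,
    # last online login at 1:00 PM, offline attempts at 2:30 PM and 4:00 PM.
    last = "2024-03-01T13:00:00"
    for when in ("2024-03-01T14:30:00", "2024-03-01T16:00:00"):
        ok, msg = offline_logon("jdoe", last, when, 2)
        print(when, "->", "allowed" if ok else msg)
```

The comparison is inclusive, so an attempt exactly 2 hours after the last online login is still accepted; the boundary is the point to check when you test a chosen Cache expire time against your own Client logs.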

  • By default, Allow Local caching for logons by shared templates is set to OFF, which means that shared authenticators are not cached. To cache shared authenticators on Clients, set Allow Local caching for logons by shared templates to ON. Clients can then use the cached details for validation during offline authentication.

    Before you enable this option, ensure that the following settings are enabled so that shared authenticators can be cached:

NOTE: You can use the enforced cached logon instead of the default online logon to improve the logon and unlock speed on Clients. For more information, refer to the following topics: