Skip to main content
pmit
pmit
New Member
April 17, 2015
Question

Session duration longer than timeout

  • April 17, 2015
  • 3 replies
  • 49282 views

We use LDAP (firewall) authentication for non AD devices with a captive portal. Under "User and Device" -> "Authentication" -> "Settings" we have "Authentication Timeout" set to 120. According to the user guide and help this is in mins. We have several user accounts remaning logged in however for very long periods of time (days). Right now I have more than 10 users with a firewall duration from 1 day to 18 days...

 

As a result if another device comes on campus and gets the same address days later via DHCP then they are "already authenticated" as the previous user?

 

What am I missing? How can I stop this from happening?

 

    3 replies

    Dave_Hall
    Dave_Hall
    New Member
    April 17, 2015

    pmit wrote:

    What am I missing? How can I stop this from happening?

    Maybe take a look at schedule-timeout under Firewall Policy.

     

     

     

     

    Vbharath_FTNT
    Staff
    Vbharath_FTNT
    Staff
    May 6, 2015

    Hi,

     

    User authentication timeout is idle timeout by default which means the user/host should not generate any traffic for xxx number of minutes minutes configured under user authentication timeout. In case if any application is generating traffic from user PC, user entry will be kept as long as there is an active session from the host.

     

    You can consider configuring keep alive setting. Whit keepalvie page, user will be redirected to a keepalive page after successful authentication. The keepalive page gives users the option to logout so users can logout before closing their browser/leaving their machines, so Fortigate will automatically de-authenticates the user when user clicks on logout button in keep alive page.

     

    # config system global

    # set auth-keepalive enable

    # end

     

    Note : If the user closes the keepalive page accidentally, user entry will be de-authenticated as per the configured timeout value, which is 120mins as per your config.

    .

    Viswa

    Sylvia
    Sylvia
    Explorer
    February 17, 2016

    Hello,

     

    as written in the previous post, the auth timeout is an idle timeout per default.

     

    But this can be changed in the CLI:

    config user setting     set auth-timeout-type ? idle-timeout    Idle timeout. hard-timeout    Hard timeout. new-session     New session timeout. With the hard-timeout the user will be logged out after the configured amount of time - no matter if he is idle or not...

     

    Regards,

    Sylvia

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    February 18, 2016

    @Dave:

    Hi! 'schedule-timeout' only determines what action to take if a policy schedule expires. Without that parameter enabled, the session remains active. With this param enable the session is terminated immediately after the schedule has timed out.

    New sessions are not affected - they are not allowed if the schedule has expired, in any case.

     

    But all of this in unrelated to the auth timeout. Sylvia pointed out the method how to 'enforce' the auth-timeout as a duration, and not as an idle period.

    aejaz
    aejaz
    New Member
    November 17, 2016

    if user closes the keepalive page accidentally, user entry has to be de-authenticated and terminated immediately

    Terms & ConditionsAccessibility statement