Description

This article describes the available options and explains how user 'authtimout' is actually enforced.   

There are many places in the configuration to set 'authtimout'. 

Solution

The value is actually applied to specific hierarchical rules outlined below.

'authtimeout' values are selected in the following order.

1. User #.     <----- Highest level.
   
   
2. User group.
   
   
3. User setting.
   
   

By default, the user and user group 'authtimeout' values are 0 and hence user setting 'authtimeout' value will take precedence.

When 'authtimeout' is configured, upper levels override lower levels.

authtimeout value is in minutes.

Sample configurations.

1. If the specific timeout value is configured for the user, then it needs to set the user 'authtimeout' at the user level.
   
   config user local
       edit <username>
           set authtimeout xx                     <----- Integer value from <0> to <43200>.
   end
   

With this setting, user authentication will get authtimeout at xx minutes depending on 'auth-timeout-type'.

2. If the specific timeout value is configured for the user group then it needs to set user 'authtimeout' at the user group level.
   
   config user group
       edit <user group name>
           set authtimeout xx                       <----- Integer value from <0> to <43200>.
   end
   
   

With this setting, user authentication belonging to a specific user group will get authtimeout at xx minutes depending on auth-timeout-type.

3. If authtimeout is not set in the user/user group level then authtimeout value in the user setting will be applied for all users.
   
   config user setting
       set authtimeout xx                               <----- Integer value from <0> to <43200>.
   end

Related Article:

Technical Tip: Change session ttl on firewall policy