- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Session duration longer than timeout
We use LDAP (firewall) authentication for non AD devices with a captive portal. Under "User and Device" -> "Authentication" -> "Settings" we have "Authentication Timeout" set to 120. According to the user guide and help this is in mins. We have several user accounts remaning logged in however for very long periods of time (days). Right now I have more than 10 users with a firewall duration from 1 day to 18 days...
As a result if another device comes on campus and gets the same address days later via DHCP then they are "already authenticated" as the previous user?
What am I missing? How can I stop this from happening?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pmit wrote:What am I missing? How can I stop this from happening?
Maybe take a look at schedule-timeout under Firewall Policy.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
User authentication timeout is idle timeout by default which means the user/host should not generate any traffic for xxx number of minutes minutes configured under user authentication timeout. In case if any application is generating traffic from user PC, user entry will be kept as long as there is an active session from the host.
You can consider configuring keep alive setting. Whit keepalvie page, user will be redirected to a keepalive page after successful authentication. The keepalive page gives users the option to logout so users can logout before closing their browser/leaving their machines, so Fortigate will automatically de-authenticates the user when user clicks on logout button in keep alive page.
# config system global
# set auth-keepalive enable
# end
Note : If the user closes the keepalive page accidentally, user entry will be de-authenticated as per the configured timeout value, which is 120mins as per your config.
.
Viswa
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
as written in the previous post, the auth timeout is an idle timeout per default.
But this can be changed in the CLI:
config user setting set auth-timeout-type ? idle-timeout Idle timeout. hard-timeout Hard timeout. new-session New session timeout. With the hard-timeout the user will be logged out after the configured amount of time - no matter if he is idle or not...
Regards,
Sylvia
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@Dave:
Hi! 'schedule-timeout' only determines what action to take if a policy schedule expires. Without that parameter enabled, the session remains active. With this param enable the session is terminated immediately after the schedule has timed out.
New sessions are not affected - they are not allowed if the schedule has expired, in any case.
But all of this in unrelated to the auth timeout. Sylvia pointed out the method how to 'enforce' the auth-timeout as a duration, and not as an idle period.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if user closes the keepalive page accidentally, user entry has to be de-authenticated and terminated immediately