Explicit proxy authentication timeout
A kick-out feature with CLI options to control its behavior is available to prevent users from inadvertently taking over another user's profile when using IP-based user authentication.
The following is a possible scenario where a user can take over another user's profile.
- The network is configured to use explicit proxy and IP-based user authentication
- The option proxy-auth-timeout has a value of 10 minutes

Event #1 - User_A logs in and logs out within 10 minutes.
Event #2 - User_B logs in and uses the same IP that User_A used. (One possible explanation: the DHCP server has a really small lease time.)
Possible result - User_B is identified as User_A without any authentication. This is a limitation of IP-based authentication.
In real-world situations, the time for these two user profiles to be confused could be longer than 10 seconds. The WAD requires a check to determine if the session is closed. This check is controlled by a 3600-second, or 1 hour, default timeout in the kernel session before triggering the proxy-auth-timeout timer.
With this feature a new user authentication is required if:
- The user session has been idle for a period longer than the value of proxy-auth-timeout
- There is a new user session from the same IP being processed

If the users from both sessions match, there is no further action. If the new session is from a different user, the previous user is kicked out and the new user is authenticated.
The wad-informer timeout is synchronized with proxy-auth-timeout so that the authentication behavior stays consistent when WAD crashes. The wad-informer timeout setting is hard coded at 300 seconds.
The CLI options proxy-auth-lifetime and proxy-auth-lifetime-timeout disable or enable the lifetime control for all the users.

The proxy-auth-lifetime is a cap on the total time a proxy user can be authenticated for. After this time limit has been reached, even if the two sessions described above belong to the same user, re-authentication occurs.
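The following model replays the two events above under the idle-timeout, kick-out and lifetime rules just described. It is an added illustration written for this page, not FortiOS or WAD code: the class and function names, the IP address and the event timings are constructed, times are in seconds, and the kernel session check is not modeled. It shows the takeover that IP-based authentication allows without the feature, and how kick-out, the idle timeout and the lifetime cap each force a fresh authentication.

```python
# Added model of the IP-based proxy authentication rules on this page
# (idle timeout, kick-out on a new session from the same IP, lifetime cap).
# Not FortiOS/WAD code; names, timings and the IP address are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthEntry:
    user: str         # identity bound to the source IP
    created: float    # when this identity was first authenticated
    last_seen: float  # last time traffic was seen from the IP


class ProxyAuthTable:
    """IP -> authenticated user mapping with the page's timeout rules."""

    def __init__(self, auth_timeout: float, kick_out: bool = True,
                 lifetime_enabled: bool = False, lifetime_timeout: float = 480 * 60):
        self.auth_timeout = auth_timeout          # proxy-auth-timeout (idle), seconds
        self.kick_out = kick_out                  # kick-out feature on/off
        self.lifetime_enabled = lifetime_enabled  # proxy-auth-lifetime
        self.lifetime_timeout = lifetime_timeout  # proxy-auth-lifetime-timeout, seconds
        self.table: Dict[str, AuthEntry] = {}
        self.log: List[str] = []

    def request(self, ip: str, actual_user: str, now: float,
                new_session: bool = False) -> Tuple[str, bool]:
        """Handle traffic from `ip`. `actual_user` is who really sits behind the IP
        (what a fresh authentication challenge would return). Returns the identity
        the proxy applies policy as, and whether a (re-)authentication happened now."""
        entry: Optional[AuthEntry] = self.table.get(ip)
        if entry is not None:
            idle = now - entry.last_seen
            age = now - entry.created
            if idle > self.auth_timeout:
                self.log.append(f"{now:.0f}s {ip}: idle {idle:.0f}s > proxy-auth-timeout, re-authenticate")
                entry = None
            elif self.lifetime_enabled and age > self.lifetime_timeout:
                self.log.append(f"{now:.0f}s {ip}: lifetime {age:.0f}s exceeded, re-authenticate")
                entry = None
            elif self.kick_out and new_session and entry.user != actual_user:
                # New session from the same IP: challenge and compare the users.
                self.log.append(f"{now:.0f}s {ip}: kicked out {entry.user}, authenticating {actual_user}")
                entry = None
        if entry is None:
            self.table[ip] = AuthEntry(user=actual_user, created=now, last_seen=now)
            return actual_user, True
        # Existing identity reused. Without kick-out, a new session from a different
        # person is silently treated as the previous user (the limitation on this page).
        entry.last_seen = now
        return entry.user, False


def run_scenario() -> Dict[str, Tuple[str, bool]]:
    """Replay the page's two events with and without the kick-out feature."""
    ip = "192.0.2.10"  # constructed address
    results: Dict[str, Tuple[str, bool]] = {}
    # Without kick-out: User_A authenticates at t=0 and stops at t=300 (logs out);
    # the lease moves and User_B opens a new session from the same IP at t=400.
    legacy = ProxyAuthTable(auth_timeout=600, kick_out=False)
    legacy.request(ip, "User_A", 0, new_session=True)
    results["without_kickout"] = legacy.request(ip, "User_B", 400, new_session=True)
    # With kick-out enabled the new session is challenged and User_A is removed.
    fixed = ProxyAuthTable(auth_timeout=600, kick_out=True)
    fixed.request(ip, "User_A", 0, new_session=True)
    results["with_kickout"] = fixed.request(ip, "User_B", 400, new_session=True)
    # Same user from the same IP: matching users mean no further action.
    results["same_user"] = fixed.request(ip, "User_B", 500, new_session=True)
    # Idle longer than proxy-auth-timeout forces re-authentication for the same user.
    results["idle_expired"] = fixed.request(ip, "User_B", 500 + 601)
    # Lifetime cap: traffic every 5 minutes never goes idle, but once the
    # configured lifetime is exceeded the user must re-authenticate anyway.
    capped = ProxyAuthTable(auth_timeout=600, lifetime_enabled=True, lifetime_timeout=1800)
    capped.request(ip, "User_A", 0, new_session=True)
    for t in range(300, 1800, 300):
        capped.request(ip, "User_A", t)
    results["lifetime_expired"] = capped.request(ip, "User_A", 1900)
    return results


if __name__ == "__main__":
    for name, (user, authenticated) in run_scenario().items():
        print(f"{name:18s} -> identified as {user}, re-authenticated={authenticated}")
```

The order of the checks mirrors the text: an idle session or an exhausted lifetime always triggers re-authentication, and only then does the kick-out comparison between the previous and the new user apply. The kernel session check that precedes the proxy-auth-timeout timer is left out of the model.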
CLI

```
config system global
    set proxy-auth-timeout <time in minutes>
    set proxy-re-authentication-mode traffic
    set proxy-auth-lifetime {enable|disable}
    set proxy-auth-lifetime-timeout <time in minutes>
end
```
Option | Description
---|---
proxy-auth-timeout | Authentication timeout in minutes for authenticated users, default = 10.
proxy-re-authentication-mode traffic | Control if users need re-authentication after a session is closed, traffic has been idle, or from the point at which the user was first created.
proxy-auth-lifetime | Option to
proxy-auth-lifetime-timeout | Lifetime timeout in minutes for authenticated users (5 - 65535 min, default = 480 min).