Explicit proxy authentication timeout

A kick-out feature with CLI options to control its behavior is available to prevent users from inadvertently taking over another user's profile when using IP-based user authentication.

The following is a possible scenario where a user can take over another user's profile.

  • The network is configured to use explicit proxy and IP-based user authentication
  • The option proxy-auth-timeout has a value of 10 minutes

Event #1 - User_A logs in and logs out within 10 minutes.

Event #2 - User_B logs in and uses the same IP that User_A used. (One possible explanation: the DHCP server has a very short lease time.)

Possible result - User_B is identified as User_A without any authentication. This is a limitation of IP-based authentication.

In real-world situations, the time for these two user profiles to be confused could be longer than 10 seconds. The WAD process needs to check whether the session is closed; that check is governed by the kernel session's default timeout of 3600 seconds (1 hour), which must elapse before the proxy-auth-timeout timer is triggered.

With this feature, a new user authentication is required when:

  • The user session has been idle for a period longer than the value of proxy-auth-timeout
  • There is a new user session from the same IP being processed

If the users from both sessions match, there is no further action. If the new session is from a different user, the previous user is kicked out and the new user is authenticated.

The wad-informer timeout is synchronized with proxy-auth-timeout so that authentication behavior stays consistent if wad crashes. The wad-informer timeout is hard-coded at 300 seconds.

The CLI options proxy-auth-lifetime and proxy-auth-lifetime-timeout disable or enable the lifetime control for all the users.

The proxy-auth-lifetime is a cap on the total time a proxy user can remain authenticated. After this limit has been reached, re-authentication occurs even if the two sessions described above belong to the same user.
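The following Python model is an added illustration of the kick-out decisions described above; it is not FortiOS code and not part of the original page. It models the IP-to-user table, the point at which the timeout clock starts under each proxy-re-authentication-mode, the idle timeout, the lifetime cap, and the same-user versus different-user outcome when a new session arrives from an IP already in the table. Times are in seconds, the new session's identity is assumed to be already established by the authentication challenge, and the wad-informer and kernel session timers are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthEntry:
    user: str
    created: int                  # seconds: when the user was first authenticated
    last_traffic: int             # seconds: last time traffic was seen
    closed: Optional[int] = None  # seconds: session closure time, None while open

class ProxyAuthTable:
    """Constructed model of the IP-based proxy auth table and its kick-out rules."""

    def __init__(self, auth_timeout_min=10, mode="traffic",
                 lifetime_enabled=False, lifetime_min=480):
        self.auth_timeout = auth_timeout_min * 60   # proxy-auth-timeout
        self.mode = mode                            # session | traffic | absolute
        self.lifetime_enabled = lifetime_enabled    # proxy-auth-lifetime
        self.lifetime = lifetime_min * 60           # proxy-auth-lifetime-timeout
        self.by_ip = {}

    def _timer_start(self, e):
        # proxy-re-authentication-mode decides when the timeout clock starts
        if self.mode == "session":
            return e.closed           # None while the session is still open
        if self.mode == "traffic":
            return e.last_traffic
        return e.created              # absolute: from first authentication

    def _expired(self, e, now):
        start = self._timer_start(e)
        idle = start is not None and now - start > self.auth_timeout
        life = self.lifetime_enabled and now - e.created > self.lifetime
        return idle or life

    def traffic(self, ip, now):
        self.by_ip[ip].last_traffic, self.by_ip[ip].closed = now, None

    def close_session(self, ip, now):
        self.by_ip[ip].closed = now

    def new_session(self, ip, authenticated_user, now):
        """Outcome for a new session from ip: ('reauth'|'kicked'|'ok', previous_user)."""
        e = self.by_ip.get(ip)
        if e is None or self._expired(e, now):       # timeout or lifetime hit
            self.by_ip[ip] = AuthEntry(authenticated_user, now, now)
            return "reauth", e.user if e else None
        if e.user != authenticated_user:             # different user on same IP
            self.by_ip[ip] = AuthEntry(authenticated_user, now, now)
            return "kicked", e.user
        e.last_traffic, e.closed = now, None         # same user: nothing to do
        return "ok", e.user
```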

CLI

config system global
    set proxy-auth-timeout <time in minutes>
    set proxy-re-authentication-mode {session | traffic | absolute}
    set proxy-auth-lifetime {enable | disable}
    set proxy-auth-lifetime-timeout <time in minutes>
end


Option: proxy-auth-timeout
Description: Authentication timeout in minutes for authenticated users. Default = 10.

Option: proxy-re-authentication-mode {session | traffic | absolute}
Description: Controls whether users need to re-authenticate after a session is closed, after traffic has been idle, or from the point at which the user was first created.

  • session: Proxy re-authentication timeout begins at the closure of the session.
  • traffic: Proxy re-authentication timeout begins after traffic has stopped being received.
  • absolute: Proxy re-authentication timeout begins when the user was first created.

Option: proxy-auth-lifetime {enable | disable}
Description: Disables or enables lifetime control. Default = disable.

  • disable: No lifetime control for authenticated users.
  • enable: Lifetime control depends on the setting of proxy-auth-lifetime-timeout.

Option: proxy-auth-lifetime-timeout
Description: Lifetime timeout in minutes for authenticated users (5 - 65535 min, default = 480 min).