Authentication Prompts
Use the auth-prompt command to change the AAA challenge text for HTTP, FTP, and
Telnet access through the PIX Security Appliance. This is text that appears
above the username and password prompts that are displayed when a user is
logging in.
Authentication Timeouts
Use the timeout uauth command to specify how long the cache should be kept
after the user connections become idle. The timeout command value must be at
least two minutes. Use the clear uauth command to delete all authorization
caches for all users, which causes them to reauthenticate the next time they
create a connection.
The inactivity and absolute qualifiers cause users to reauthenticate after
either a period of inactivity or an absolute duration. The inactivity timer
starts after a connection becomes idle. If a user establishes a new connection
before the inactivity timer expires, the user is not required to
reauthenticate. If a user establishes a new connection after the inactivity
timer expires, the user must reauthenticate.
The absolute timer runs continuously, but once it has elapsed the appliance
waits until the user starts a new connection, such as by clicking a link, and
then prompts the user to reauthenticate. The absolute timer must be shorter
than the xlate timer; otherwise a user could be prompted again after the
session has ended.
Both an inactivity timer and an absolute timer can operate at the same time,
but the absolute timer duration should be set for a longer period than the
inactivity timer. If the absolute timer is set at less than the inactivity
timer, the inactivity timer is never invoked. For example, if the absolute
timer is set to 10 minutes and the inactivity timer to an hour, the absolute
timer prompts the user every 10 minutes, and the inactivity timer will never be
started.
If the inactivity timer is set to some duration but the absolute timer is set
to 0, users are reauthenticated only after the inactivity time elapses. If both
timers are set to 0, users have to reauthenticate on every new connection.
NOTE: Do not set the timeout uauth duration to 0 seconds when using the virtual
HTTP option or passive FTP.
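The timer rules above can be checked against a configuration before it is applied. The following Python check is an added example, not Cisco code or part of the original page; it assumes the timers appear as "timeout uauth hh:mm:ss absolute|inactivity" and "timeout xlate hh:mm:ss" lines and that virtual HTTP appears as a "virtual http" line. The function names, the passive_ftp parameter and the sample configurations are constructed for illustration.

```python
import re

def to_seconds(hms):
    """Convert an hh:mm:ss timer value to seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def check_uauth(config, passive_ftp=False):
    """Return warnings for the uauth timer rules described in the text above."""
    # Assumed line forms: "timeout uauth hh:mm:ss absolute|inactivity", "timeout xlate hh:mm:ss".
    timers = {q: to_seconds(v) for v, q in
              re.findall(r"\buauth\s+(\d+:\d+:\d+)\s+(absolute|inactivity)", config)}
    xl = re.search(r"\bxlate\s+(\d+:\d+:\d+)", config)
    xlate = to_seconds(xl.group(1)) if xl else None
    absolute, idle = timers.get("absolute"), timers.get("inactivity")
    # passive_ftp is a hypothetical flag: FTP mode is not visible in the configuration.
    cache_sensitive = passive_ftp or re.search(r"^virtual http\b", config, re.M) is not None
    warnings = []
    for name, value in timers.items():
        # Assumption: 0 is the special value discussed above; other values need two minutes.
        if 0 < value < 120:
            warnings.append(f"{name}: below the two-minute minimum")
    if absolute and xlate is not None and absolute >= xlate:
        warnings.append("absolute: not shorter than the xlate timer")
    if absolute and idle and absolute < idle:
        warnings.append("inactivity: never invoked, absolute timer is shorter")
    if absolute == 0 and idle == 0:
        warnings.append("uauth: both timers 0, reauthentication on every new connection")
    # Conservative reading of the NOTE: flag any uauth timer set to 0.
    if 0 in timers.values() and cache_sensitive:
        warnings.append("uauth: 0 duration with virtual HTTP or passive FTP")
    return warnings

# Constructed sample configurations (not taken from a real device).
PAGE_EXAMPLE = """timeout xlate 3:00:00
timeout uauth 0:10:00 absolute
timeout uauth 1:00:00 inactivity
"""
ALWAYS_PROMPT = """timeout xlate 3:00:00
timeout uauth 0:00:00 absolute
timeout uauth 0:00:00 inactivity
virtual http 192.0.2.10
"""

if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_EXAMPLE), ("always prompt", ALWAYS_PROMPT)):
        print(label, check_uauth(cfg))
```

PAGE_EXAMPLE mirrors the 10-minute absolute and one-hour inactivity case from the text; ALWAYS_PROMPT combines both timers at 0 with virtual HTTP.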