Configure AAA on the PIX Security Appliance
Authentication prompts and timeout

Authentication Prompts
Use the auth-prompt command to change the AAA challenge text for HTTP, FTP, and Telnet access through the PIX Security Appliance. This is the text that appears above the username and password prompts displayed when a user logs in.

Authentication Timeouts
Use the timeout uauth command to specify how long the cache should be kept after the user connections become idle. The timeout command value must be at least two minutes. Use the clear uauth command to delete all authorization caches for all users, which causes them to reauthenticate the next time they create a connection.

The inactivity and absolute qualifiers cause users to reauthenticate after either a period of inactivity or an absolute duration. The inactivity timer starts after a connection becomes idle. If a user establishes a new connection before the inactivity timer expires, the user is not required to reauthenticate. If a user establishes a new connection after the inactivity timer expires, the user must reauthenticate.

The absolute timer runs continuously, but the appliance waits until the user starts a new connection, such as clicking a link, after the absolute timer has elapsed. The user is then prompted to reauthenticate. The absolute timer must be shorter than the xlate timer; otherwise, a user could be prompted again after the session has ended.

Both an inactivity timer and an absolute timer can operate at the same time, but the absolute timer duration should be set for a longer period than the inactivity timer. If the absolute timer is set at less than the inactivity timer, the inactivity timer is never invoked. For example, if the absolute timer is set to 10 minutes and the inactivity timer to an hour, the absolute timer prompts the user every 10 minutes, and the inactivity timer will never be started.

If the inactivity timer is set to some duration but the absolute timer is set to 0, users are reauthenticated only after the inactivity time elapses. If both timers are set to 0, users have to reauthenticate on every new connection.
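
The timer interaction described above, as an added example that is not part of the original course text: a simplified Python model, not appliance code. It assumes sequential connections given as (open, close) times in seconds, that a timer set to 0 is not used, and that a reauthentication restarts the absolute timer; the function name and the timeline are constructed for illustration.

```python
# Simplified model of the uauth cache rules described above (added example).
# Times are in seconds; 0 means the timer is not set. Connections are assumed
# to be sequential: each is an (open_time, close_time) pair.

def reauth_reasons(inactivity, absolute, connections):
    """Return, per connection, why the user was prompted (None = cache hit)."""
    reasons = []
    auth_at = None      # time of the last successful authentication
    idle_since = None   # time the previous connection became idle
    for opened, closed in connections:
        if auth_at is None:
            reason = "initial"        # nothing cached yet
        elif inactivity == 0 and absolute == 0:
            reason = "no-cache"       # both timers 0: prompt on every connection
        elif absolute and opened - auth_at >= absolute:
            reason = "absolute"       # evaluated only when a new connection starts
        elif inactivity and opened - idle_since >= inactivity:
            reason = "inactivity"
        else:
            reason = None             # cache still valid, no prompt
        if reason is not None:
            auth_at = opened          # model assumption: reauth restarts the absolute timer
        reasons.append(reason)
        idle_since = closed           # inactivity timer starts when the connection idles
    return reasons

MIN = 60
# Constructed timeline: three short connections, then one after a long idle gap.
TIMELINE = [(0, 5 * MIN), (8 * MIN, 9 * MIN), (12 * MIN, 13 * MIN), (90 * MIN, 91 * MIN)]

if __name__ == "__main__":
    for label, inact, absol in [
        ("absolute 10m, inactivity 60m", 60 * MIN, 10 * MIN),
        ("inactivity 30m, absolute 0", 30 * MIN, 0),
        ("both timers 0", 0, 0),
    ]:
        print(f"{label:30} {reauth_reasons(inact, absol, TIMELINE)}")
```

With the absolute timer shorter than the inactivity timer, no prompt is ever attributed to inactivity, which matches the 10-minute and one-hour case in the text.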

NOTE:

Do not set the timeout uauth duration to 0 seconds when using the virtual HTTP option or passive FTP.