Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Newbie Pix 501 HTTP authentication timeout

two questions here:

1. Users who connect to the Internet through the Pix 501 are asked about every three minutes to enter their username and password. There must be a setting to change this, my reseller says there isn't.

2. Users who connect to the Internet the first time have their IE session hang. Clicking stop then refresh or home brings up the page. Any ideas.

Thanks in advance for any insights you might have

Jeff Charland

  • Other Security Subjects
1 ACCEPTED SOLUTION

Accepted Solutions

Re: Newbie Pix 501 HTTP authentication timeout

Jeff,

First rule is to never trust your salesman on technical issues ;). Your reseller is wrong. You can indeed change the time that a user is re-prompted to enter their credentials. There are essentially 2 settings you should know about on the PIX with respect to authentication timeouts:

1) the inactivity timer. This is just like it sounds. It will time out an authenticated session going through the PIX after it has reached X amount of time without passing any traffic. The default timer on the PIX for this setting is 0 which means we do no monitor (by default) inactivity time by the user.

2) the absoltue timer. This, again, is at sounds. This timer starts as soon as the user is authenticated and runs continuously. When the time is reached, the user is forced to re-authenticate when they attempt to start a new connection (such as clicking on a link in a web page). The default setting for the absolute timer is 5 mins.

We recommend that you do keep an absolute timer set for security purposes but for ease of access, you may want to tweak these settings. Something like this would not be an "off the wall" setting:

timeout uauth 1:00:00 absolute uauth 0:10:00 inactivity

These settings will force the user to re-authenticate every hour (absolute) and/or every 10 mins after the connection becomes idle.

And finally, no idea on #2 above. Does it happen with all users. Anyone tried Netscrape to see if this is an IE only issue?

Scott

3 REPLIES

Re: Newbie Pix 501 HTTP authentication timeout

Jeff,

First rule is to never trust your salesman on technical issues ;). Your reseller is wrong. You can indeed change the time that a user is re-prompted to enter their credentials. There are essentially 2 settings you should know about on the PIX with respect to authentication timeouts:

1) the inactivity timer. This is just like it sounds. It will time out an authenticated session going through the PIX after it has reached X amount of time without passing any traffic. The default timer on the PIX for this setting is 0 which means we do no monitor (by default) inactivity time by the user.

2) the absoltue timer. This, again, is at sounds. This timer starts as soon as the user is authenticated and runs continuously. When the time is reached, the user is forced to re-authenticate when they attempt to start a new connection (such as clicking on a link in a web page). The default setting for the absolute timer is 5 mins.

We recommend that you do keep an absolute timer set for security purposes but for ease of access, you may want to tweak these settings. Something like this would not be an "off the wall" setting:

timeout uauth 1:00:00 absolute uauth 0:10:00 inactivity

These settings will force the user to re-authenticate every hour (absolute) and/or every 10 mins after the connection becomes idle.

And finally, no idea on #2 above. Does it happen with all users. Anyone tried Netscrape to see if this is an IE only issue?

Scott

Re: Newbie Pix 501 HTTP authentication timeout

Sorry, I wanted to attach some reading in case you wanted to sanity check me:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#1026093

Scott

New Member

Re: Newbie Pix 501 HTTP authentication timeout

Thanks Scott,

You were right on the money. Went into PDM found the settings and made the changes. happy users = happy me.

After making the changes to the timeout settings, the problem with IE hanging seems to have gone away. Very strange. Also downloaded Netscape 7.1 and tried it. No problem at all. I guess I'll have to wait and see what happens from her on in.

Jeff Charland

112
Views
0
Helpful
3
Replies
This widget could not be displayed.