UAUTH timeout and automating logout of users

jwitherell
Level 1

Hopefully some people have some good ideas for me. Recently, we deployed a PIX with AAA and PAT. It was decided that we didn't want to make the users authenticate very often, so we set the UAUTH ABSOLUTE timeout to 8 hours, and the UAUTH INACTIVITY timeout to 4 hours. This also required that we set the XLATE timeout to 8 hours.

Anyway, I'm sure you can imagine some of the problems from having the timeout so high. One of the exposures I see is that users can authenticate and be left open for extended periods while they are not at their desks, and if logged in mid-afternoon, they will be left open until late evening. I am trying to come up with ways to lock that down some more.

One thing I thought of is to set up some kind of batch job on a UNIX server of ours to log into the PIX and run CLEAR UAUTH at a specific time of day (say, 6pm). This would close users' workstations after they've left for the day, even if they logged in late. After thinking about this, I see other possibilities for automated batch jobs to take care of other things on the PIX as well as other Cisco gear.

Do other folks use other systems to periodically log in and do tasks such as this? It's concerning to use regular TELNET, as opposed to SSH or something else. I wonder if there are other vulnerabilities that I should be concerned with.

I appreciate the help!
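The batch job sketched above, as an added example that is not from this thread or from Cisco: a Python script, meant to be run from cron, that logs in over SSH rather than telnet, records `show uauth`, runs `clear uauth`, and checks the session transcript before reporting success. The function names, log path and paramiko dependency are assumptions, and it needs a PIX release that speaks SSHv2 (7.x or later), because paramiko does not support the SSHv1 used by PIX 6.x.

```python
"""Scheduled 'clear uauth' on a PIX over SSH (run it from cron at the chosen hour)."""
import time

def build_commands(enable_password):
    """Lines sent to the PIX after login, in order."""
    return ["enable",       # PIX answers with a Password: prompt
            enable_password,
            "show uauth",   # record who is about to be logged out
            "clear uauth",  # drop every authenticated user regardless of timeouts
            "exit"]

def _is_prompt(line, enable_only=False):
    """True if line starts with a PIX prompt such as 'pix>' or 'pix#'."""
    first = line.split()[0] if line.split() else ""
    return first.endswith("#") or (not enable_only and first.endswith(">"))

def check_transcript(transcript):
    """Return (ok, reason). The PIX prints nothing when 'clear uauth' succeeds, so
    success = enable mode reached and a prompt (not an error) follows the echoed command."""
    lines = [l.strip() for l in transcript.splitlines() if l.strip()]
    if not any(_is_prompt(l, enable_only=True) for l in lines):
        return False, "never reached enable mode (enable password rejected?)"
    for i, line in enumerate(lines):
        if _is_prompt(line) and line.endswith("clear uauth"):
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if _is_prompt(nxt):
                return True, "clear uauth accepted"
            return False, "clear uauth rejected: " + (nxt or "no response")
    return False, "clear uauth was never echoed by the PIX"

def run_clear_uauth(host, username, password, enable_password, log_path):
    """Log in over SSH, send the sequence, append the transcript to log_path."""
    import paramiko  # assumption: paramiko installed; SSH2 only, so PIX 7.x+ needed
    client = paramiko.SSHClient()
    client.load_system_host_keys()  # default RejectPolicy refuses unknown host keys
    client.connect(host, username=username, password=password, look_for_keys=False)
    chan = client.invoke_shell()
    transcript = ""
    for cmd in build_commands(enable_password):
        chan.send(cmd + "\n")
        time.sleep(1)  # the PIX CLI is slow; let it answer before reading
        while chan.recv_ready():
            transcript += chan.recv(4096).decode(errors="replace")
    client.close()
    ok, reason = check_transcript(transcript)
    with open(log_path, "a") as log:  # keeps the 'show uauth' output for review
        log.write("%s %s\n%s\n" % (time.strftime("%F %T"), reason, transcript))
    return ok
```

Schedule it with a crontab entry such as `0 18 * * 1-5 python3 pix_clear_uauth.py` and review the logged `show uauth` output afterwards, since `clear uauth` drops every session, including ones still in use.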

1 Reply

rrbleeker
Level 1

As often with security, it is a balance between security and ease of use. We had to deal with the same issues and came to negotiated timeout values of 2 hours absolute and 1 hour idle timeout.

With automated batch jobs, you might run the risk that you are disabling a session in progress.