Hopefully some people have some good ideas for me. Recently, we deployed a PIX with AAA and PAT. It was decided that we didn't want to make the users authenticate very often, so we set the UAUTH ABSOLUTE timeout to 8 hours, and the UAUTH INACTIVITY timeout to 4 hours. This also required that we set the XLATE timeout to 8 hours.
Anyway, I'm sure you can imagine some of the problems from having the timeout so high. One of the exposures I see is that users can authenticate and be left open for extended periods while they are not at their desks, and if logged in mid-afternoon, they will be left open until late evening. I am trying to come up with ways to lock that down some more.
One thing I thought of is to set up some kind of batch job on a UNIX server of ours to log into the PIX and run CLEAR UAUTH at a specific time of day (say, 6pm). This would close users' workstations after they've left for the day, even if they logged in late. After thinking about this, I see other possibilities for automated batch jobs to take care of other things on the PIX as well as other Cisco gear.
Do other folks use other systems to periodically log in and do tasks such as this? It's concerning to use regular TELNET, as opposed to SSH or something else. I wonder if there are other vulnerabilities that I should be concerned with.
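The exposure window the post describes and the effect of the proposed 6pm job, as an added Python example that is not part of the original post: it parses `show uauth` output (the sample is constructed, and its layout, plus the assumption that the timeouts shown are time remaining, are assumptions) and reports per user when the session would end on its own versus when a scheduled `clear uauth` would end it.

```python
import re
from datetime import datetime, timedelta
CLEAR_AT = (18, 0)  # the cron-driven 'clear uauth' proposed in the post: 6pm

# Constructed sample of 'show uauth' output; its layout and the meaning of the
# timeouts (time remaining for each user) are assumptions, not from the post.
SAMPLE = """\
Authenticated Users       2            5
user 'alice' at 10.1.1.5, authenticated
   absolute   timeout: 0:45:00
   inactivity timeout: 3:10:00
user 'bob' at 10.1.1.9, authenticated
   absolute   timeout: 7:30:00
   inactivity timeout: 4:00:00
"""
USER_RE = re.compile(r"user '(?P<user>[^']+)' at (?P<ip>[\d.]+), authenticated")
TIMEOUT_RE = re.compile(
    r"(?P<kind>absolute|inactivity)\s+timeout:\s+(?P<h>\d+):(?P<m>\d\d):(?P<s>\d\d)")

def parse_uauth(text):
    """One dict per authenticated user: user, ip, absolute, inactivity (remaining)."""
    sessions = []
    for line in text.splitlines():
        m = USER_RE.search(line)
        if m:
            sessions.append({"user": m["user"], "ip": m["ip"]})
            continue
        m = TIMEOUT_RE.search(line)
        if m and sessions:  # timeout lines belong to the preceding user line
            sessions[-1][m["kind"]] = timedelta(
                hours=int(m["h"]), minutes=int(m["m"]), seconds=int(m["s"]))
    return sessions

def next_clear(now):
    """Next scheduled 'clear uauth' at or after now (today if not yet passed)."""
    clear = now.replace(hour=CLEAR_AT[0], minute=CLEAR_AT[1], second=0, microsecond=0)
    return clear if clear >= now else clear + timedelta(days=1)

def exposure_report(text, now):
    """Per user: end time if idle from now, latest possible end, and whether the job cuts it."""
    clear, report = next_clear(now), {}
    for s in parse_uauth(text):
        latest_end = now + s["absolute"]  # absolute timeout is the hard ceiling
        report[s["user"]] = {
            "idle_end": now + min(s["absolute"], s["inactivity"]),
            "latest_end": latest_end,
            "cut_by_job": clear < latest_end,
        }
    return report
```

Run against the live `show uauth` output just before the job fires to log who is about to be cut off; users whose `cut_by_job` is false would have expired anyway.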