Authentication Timeout

After a user is successfully authenticated, the user's information is saved in cache for a predetermined amount of time. You set this time with the timeout uauth command; the value is specified in hours, minutes, and seconds. If the user's session idle time exceeds the timeout, the session is terminated and the user is prompted to authenticate again on the next connection. To disable caching of users, use the timeout uauth 0 command. Do not use timeout uauth 0 when using virtual http, because that setting prevents any connections to the real web server after successful authentication at the Security Appliance.
Two command options or settings are associated with the timeout uauth command:
■ absolute—The default setting for the uauth timer. With this setting, the user is prompted to reauthenticate after the timer elapses only when the user starts a new connection. If the user leaves the session open, the timer elapses, and the user then closes the browser without clicking another link, the user is not prompted to reauthenticate. Setting the uauth timer to 0 disables caching of user authentication and therefore disables the absolute option.

NOTE If the firewall is performing NAT, the timeout uauth value must be less than the timeout xlate value to ensure that the user authentication times out before the address translation does.
554 Chapter 18: Configuration of AAA on the Cisco Security Appliance
■ inactivity—The inactivity timer starts after the connection becomes idle. If the user establishes a new connection before the inactivity timer expires, the user is not required to reauthenticate. If the user establishes a new connection after the inactivity timer expires, the user must reauthenticate.
Example 18-7 depicts the timeout command with the absolute and inactivity settings. The first command sets the absolute timer to 4 hours and tells the system not to prompt the user after the session times out unless the user initiates another session. The second command defines 30 minutes without traffic as an idle session and tells the system to start the inactivity timer at that point.
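The following configuration fragment is an added illustration of the two uauth timer settings discussed above together with the xlate relationship from the NOTE; it is not the book's Example 18-7. The 4-hour and 30-minute values match the prose; the timeout xlate value of 5 hours and the verification commands at the end are assumptions chosen so that the NOTE's requirement (uauth shorter than xlate) holds.

```cisco
! Added example, not the book's Example 18-7.
!
! Absolute timer: cached credentials expire 4 hours after authentication.
! The user is prompted to reauthenticate only on the next new connection
! after the timer elapses.
timeout uauth 4:00:00 absolute
!
! Inactivity timer: 30 minutes without traffic marks the session idle;
! a new connection after that point requires reauthentication.
timeout uauth 0:30:00 inactivity
!
! With NAT in use, keep uauth shorter than xlate so the authentication
! entry expires before the address translation does (see the NOTE).
! 5:00:00 is an assumed value chosen to satisfy that rule for a 4-hour uauth.
timeout xlate 5:00:00
!
! To disable credential caching entirely (never combine with virtual http):
!   timeout uauth 0
!
! Verification after the change (assumed commands):
!   show running-config timeout   - confirms the uauth and xlate values
!   show uauth                    - lists currently cached authenticated users
```

When reviewing a device, compare the uauth and xlate lines side by side: a uauth value equal to or longer than xlate silently breaks the ordering the NOTE requires, and the appliance does not warn about it.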