https://community.cisco.com/t5/network-access-control/newbie-pix-501-http-authentication-timeout/m-p/226819#M6015 <HTML><HEAD></HEAD><BODY><P>Jeff,</P><P></P><P>First rule is to never trust your salesman on technical issues ;). Your reseller is wrong. You can indeed change the time that a user is re-prompted to enter their credentials. There are essentially 2 settings you should know about on the PIX with respect to authentication timeouts:</P><P></P><P>1) the inactivity timer. This is just like it sounds. It will time out an authenticated session going through the PIX after it has reached X amount of time without passing any traffic. The default timer on the PIX for this setting is 0 which means we do no monitor (by default) inactivity time by the user.</P><P></P><P>2) the absoltue timer. This, again, is at sounds. This timer starts as soon as the user is authenticated and runs continuously. When the time is reached, the user is forced to re-authenticate when they attempt to start a new connection (such as clicking on a link in a web page). The default setting for the absolute timer is 5 mins.</P><P></P><P>We recommend that you do keep an absolute timer set for security purposes but for ease of access, you may want to tweak these settings. Something like this would not be an "off the wall" setting:</P><P></P><P>timeout uauth 1:00:00 absolute uauth 0:10:00 inactivity</P><P></P><P>These settings will force the user to re-authenticate every hour (absolute) and/or every 10 mins after the connection becomes idle.</P><P></P><P>And finally, no idea on #2 above. Does it happen with all users. Anyone tried Netscrape to see if this is an IE only issue?</P><P></P><P>Scott</P></BODY></HTML> Tue, 02 Mar 2004 14:58:32 GMT scoclayton 2004-03-02T14:58:32Z https://community.cisco.com/t5/network-access-control/newbie-pix-501-http-authentication-timeout/m-p/226818#M6014 <P>two questions here:</P><P>1. Users who connect to the Internet through the Pix 501 are asked about every three minutes to enter their username and password. There must be a setting to change this, my reseller says there isn't.</P><P></P><P>2. Users who connect to the Internet the first time have their IE session hang. Clicking stop then refresh or home brings up the page. Any ideas.</P><P></P><P>Thanks in advance for any insights you might have</P><P></P><P>Jeff Charland</P> Fri, 21 Feb 2020 18:09:34 GMT https://community.cisco.com/t5/network-access-control/newbie-pix-501-http-authentication-timeout/m-p/226818#M6014 jeff_charland 2020-02-21T18:09:34Z https://community.cisco.com/t5/network-access-control/newbie-pix-501-http-authentication-timeout/m-p/226819#M6015 <HTML><HEAD></HEAD><BODY><P>Jeff,</P><P></P><P>First rule is to never trust your salesman on technical issues ;). Your reseller is wrong. You can indeed change the time that a user is re-prompted to enter their credentials. There are essentially 2 settings you should know about on the PIX with respect to authentication timeouts:</P><P></P><P>1) the inactivity timer. This is just like it sounds. It will time out an authenticated session going through the PIX after it has reached X amount of time without passing any traffic. The default timer on the PIX for this setting is 0 which means we do no monitor (by default) inactivity time by the user.</P><P></P><P>2) the absoltue timer. This, again, is at sounds. This timer starts as soon as the user is authenticated and runs continuously. When the time is reached, the user is forced to re-authenticate when they attempt to start a new connection (such as clicking on a link in a web page). The default setting for the absolute timer is 5 mins.</P><P></P><P>We recommend that you do keep an absolute timer set for security purposes but for ease of access, you may want to tweak these settings. Something like this would not be an "off the wall" setting:</P><P></P><P>timeout uauth 1:00:00 absolute uauth 0:10:00 inactivity</P><P></P><P>These settings will force the user to re-authenticate every hour (absolute) and/or every 10 mins after the connection becomes idle.</P><P></P><P>And finally, no idea on #2 above. Does it happen with all users. Anyone tried Netscrape to see if this is an IE only issue?</P><P></P><P>Scott</P></BODY></HTML> Tue, 02 Mar 2004 14:58:32 GMT https://community.cisco.com/t5/network-access-control/newbie-pix-501-http-authentication-timeout/m-p/226819#M6015 scoclayton 2004-03-02T14:58:32Z https://community.cisco.com/t5/network-access-control/newbie-pix-501-http-authentication-timeout/m-p/226820#M6018 <HTML><HEAD></HEAD><BODY><P>Sorry, I wanted to attach some reading in case you wanted to sanity check me:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#1026093" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/tz.htm#1026093</A></P><P></P><P>Scott</P></BODY></HTML> Tue, 02 Mar 2004 14:59:26 GMT https://community.cisco.com/t5/network-access-control/newbie-pix-501-http-authentication-timeout/m-p/226820#M6018 scoclayton 2004-03-02T14:59:26Z https://community.cisco.com/t5/network-access-control/newbie-pix-501-http-authentication-timeout/m-p/226821#M6021 <HTML><HEAD></HEAD><BODY><P>Thanks Scott,</P><P></P><P>You were right on the money. Went into PDM found the settings and made the changes. happy users = happy me.</P><P></P><P>After making the changes to the timeout settings, the problem with IE hanging seems to have gone away. Very strange. Also downloaded Netscape 7.1 and tried it. No problem at all. I guess I'll have to wait and see what happens from her on in.</P><P></P><P>Jeff Charland</P></BODY></HTML> Tue, 02 Mar 2004 18:10:46 GMT https://community.cisco.com/t5/network-access-control/newbie-pix-501-http-authentication-timeout/m-p/226821#M6021 jeff_charland 2004-03-02T18:10:46Z