AnyConnect - Multifactor Authentication Timeouts

cisco.13
Level 1

Hello,

In the context of an automation project, I want to configure the "Authentication Timeout" via CLI.

I know it's possible with a client profile Preferences (Part 2, attached), for example Okta: https://help.okta.com/en-us/content/topics/integrations/cisco-radius-intg-gw.htm

But:

- Is it possible to do it without a client profile?

- If not, is it possible via CLI?

Thank you.

2 Replies

@cisco.13 are you referring to the AAA server authentication timeout? This can be configured on the ASA CLI under the aaa server host using timeout <value>.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/general/asa-914-general-config/aaa-radius.html#ID-2113-00000a5a

cisco.13
Level 1

Hello @Rob Ingram ,

I think it is OK with AAA: timeout 120

timeout Specifies the maximum time to wait for a response from the configured server

But I use SAML!

Indeed, the time required for the user to enter his login, then his password, then the Push Notification MFA validation, results in the connection being closed long before the user has been able to complete all these steps.

I configured this, but it is still KO: timeout assertion 7200

ASA(config-webvpn-saml-idp)# timeout ?

config-webvpn-saml-idp mode commands/options:
assertion (Optional) Configure assertion timeout which will override
NotOnOrAfter, if the sum of NotBefore and timeout is earlier than
NotOnOrAfter.

configure mode commands/options:
conn Configure idle time after which a TCP connection state
will be closed, default is 1:00:00

conn-holddown Connection Holddown timer to retain the routes till
the timer expires, default is 0:0:15

floating-conn Configure time after which connections using the
backup route will be closed once lower metric route
becomes available, default is 0:0:0

h225 Configure idle time after which an H.225 signaling
conn will be closed, default is 1:00:00

h323 Configure idle time after which an H.323 control
connection will be closed, default is 0:05:00

half-closed Configure idle time after which a TCP half-closed
connection will be freed, default is 0:10:00

icmp Configure idle timeout for ICMP, default is 0:00:02

icmp-error Configure connection timeout value for accepting ICMP
Error after receiving ICMP Echo Reply. Default is 0,
which means, timer will not be started and connection
will be terminated right after receiving ICMP Echo
Reply

igp Configure Interior gateway protocol timer

mgcp Configure idle time after which an MGCP media
connection will be closed, default is 0:05:00

mgcp-pat Configure the time after which an MGCP PAT Xlate will
be removed, default is 0:05:00

pat-xlate Configure idle time after which a dynamic port will be
returned to the free PAT pool, default is 0:00:30

sctp Configure idle time after which a SCTP connection
state will be closed, default is 0:02:00

sip Configure idle time after which a SIP control
connection will be closed, default is 0:30:00

sip-disconnect Configure idle timeout after which SIP session is
deleted if 200 OK is not received for a CANCEL or BYE
message, default s 0:02:00

sip-invite Configure idle time after which pinholes for
PROVISIONAL responsesand media xlates will be closed,
default is 0:03:00

sip-provisional-media Configure idle time after which a SIP provisional
Media connection will be closed, default is 0:02:00

sip_media Configure idle time after which a SIP Media connection
will be closed, default is 0:02:00

sunrpc Configure idle time after which a SUNRPC slot will be
closed, default is 0:10:00

tcp-proxy-reassembly Configure idle timeout after which buffered packets
waiting for reassembly in tcp-proxy are dropped,
default is 0:01:00

uauth Configure idle time after which an authentication will
no longer be cached and the user will need to
re-authenticate on their connection, default is
0:05:00. The default uauth timer is absolute.

udp Configure idle time after which general UDP states
will be closed, default is 0:02:00, This timer does
not apply to DNS or SUNRPC

xlate Configure idle time after which a dynamic address will
be returned to the free pool, default is 3:00:00
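
Added example (not part of the thread and not Cisco code): a Python model of the rule stated in the `timeout assertion` help text quoted above, where the configured value replaces NotOnOrAfter only if NotBefore plus the timeout is earlier. The sample assertion is constructed and the function names are hypothetical; the code follows the help text, not the ASA implementation.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: an assertion whose IdP-set validity window is 5 minutes.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z"
                   NotOnOrAfter="2024-01-01T10:05:00.000Z"/>
</saml:Assertion>"""


def parse_ts(value):
    """Parse a SAML xs:dateTime in UTC, with or without fractional seconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validity_window(assertion_xml, timeout_assertion=None):
    """Return (not_before, effective_expiry) for the assertion.

    timeout_assertion is the value given to `timeout assertion`, in seconds.
    Assumption taken from the help text: it overrides NotOnOrAfter only when
    NotBefore + timeout is earlier, so it can shorten the window, never extend it.
    """
    # A real service provider verifies the signature and uses a hardened XML
    # parser before trusting these attributes; this sketch skips both.
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions element")
    not_before = parse_ts(cond.attrib["NotBefore"])
    not_on_or_after = parse_ts(cond.attrib["NotOnOrAfter"])
    if timeout_assertion is None:
        return not_before, not_on_or_after
    candidate = not_before + timedelta(seconds=timeout_assertion)
    return not_before, min(candidate, not_on_or_after)


def is_valid_at(assertion_xml, now, timeout_assertion=None):
    """True if `now` falls inside the effective validity window."""
    not_before, expiry = validity_window(assertion_xml, timeout_assertion)
    return not_before <= now < expiry


if __name__ == "__main__":
    for t in (None, 120, 7200):
        print(t, validity_window(SAMPLE_ASSERTION, t)[1].isoformat())
```

In this model a value of 7200 leaves the IdP's five-minute window unchanged, while 120 shortens it to two minutes.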