
Is Cisco AnyConnect Client Re-authentication possible ?

jmaliaka
Cisco Employee

Is it possible to force a user to re-authenticate say, every 15 minutes or so when connected via AnyConnect?

Here's what I am trying to do:

I have users connecting using the AnyConnect client. These user accounts are enabled/disabled at various intervals. Without forcing the users to re-authenticate, the AnyConnect session remains up even when the user account is disabled.

Any suggestions/alternatives would really be helpful.

Regards,

John

3 Replies

Michal Garcarz
Cisco Employee

Hi

If you use IKEv2, re-xauth might work for you:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/qr.html#wp1839562

(I have not tested it for IKEv2, just IKEv1.)

If you use SSL, I do not know of any solution.

You might want to use vpn-idle-timeout:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/uz.html#wp1663941

But it's only for idle users.

---

Michal

jmaliaka
Cisco Employee

Hi Michal,

Thank you for responding.

I am actually using SSL.

I had also read that the reauthentication on IKE rekey applied only to IPsec connections.

The vpn-idle-timeout doesn't really work as a solution, as it's based on the session being idle.

I am thinking of an automated alternative, where the automated script checks for the userid at a regular interval and then if the userid is disabled, the automation script will connect to the ASA and logoff the user.

I plan to use this command - "vpn-sessiondb logoff name "

Do you see any concerns/issues with this method? I am concerned about memory leak issues, as I have seen a couple of TAC cases with such issues. Just wanted to be sure that this command actually clears active AnyConnect SSL VPN connections in the desired way.

Regards,

John

Hi John,

Yes, "vpn-sessiondb logoff name " will do the job. But you have to remember that it will clear all the sessions for that username (both IPsec and SSL).

There should not be any problem with memory leaks (if you experience any, call TAC).

I have a few customers who run many different commands via scripts (pretty often) and do not experience any problems.

---

Michal
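
The periodic check discussed in this thread, sketched as an added example (not code from either poster or from Cisco): it reconciles connected users against account state and builds one `vpn-sessiondb logoff name` line per disabled user. Assumptions: the `show vpn-sessiondb anyconnect` field layout in the constructed sample, the `noconfirm` keyword so a script is not left waiting at a prompt, and the hypothetical `directory_lookup` standing in for the real account source.

```python
import re

# Constructed, abridged sample of `show vpn-sessiondb anyconnect` output (not from a real ASA).
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : alice                  Index        : 101
Assigned IP  : 10.10.10.5             Public IP    : 203.0.113.7

Username     : bob                    Index        : 102
Assigned IP  : 10.10.10.6             Public IP    : 198.51.100.23

Username     : alice                  Index        : 103
Assigned IP  : 10.10.10.7             Public IP    : 203.0.113.9

Username     : carol                  Index        : 104
Assigned IP  : 10.10.10.8             Public IP    : 192.0.2.44
"""

# Constructed account states standing in for the real directory (True = enabled).
DIRECTORY = {"alice": False, "bob": True}

USERNAME_LINE = re.compile(r"^Username\s*:\s*(\S+)\s+Index\s*:\s*(\d+)\s*$", re.M)
# Only names made of these characters are ever placed on a CLI line.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

def directory_lookup(user):
    """Hypothetical lookup: returns True/False, raises LookupError if state is unknown."""
    if user not in DIRECTORY:
        raise LookupError(user)
    return DIRECTORY[user]

def active_sessions(show_output):
    """Map each connected username to the list of its session indexes."""
    sessions = {}
    for m in USERNAME_LINE.finditer(show_output):
        sessions.setdefault(m.group(1), []).append(int(m.group(2)))
    return sessions

def logoff_commands(show_output, is_enabled=directory_lookup):
    """Return (commands, skipped): logoff lines for disabled users, names left for review."""
    commands, skipped = [], []
    for user in active_sessions(show_output):
        try:
            if not SAFE_NAME.match(user):
                raise LookupError(user)
            if not is_enabled(user):
                # One command per user: it clears every session for that name.
                commands.append(f"vpn-sessiondb logoff name {user} noconfirm")
        except LookupError:
            skipped.append(user)  # unknown state or odd name: report, do not act
    return commands, skipped
```

Users whose state cannot be determined are returned in `skipped` rather than logged off, so a directory outage does not disconnect everyone; reverse that choice if the policy is to fail closed.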