01-25-2013 08:51 PM - edited 02-21-2020 06:39 PM
Is it possible to force a user to re-authenticate say, every 15 minutes or so when connected via AnyConnect?
Here's what I am trying to do -
I have users connecting using the AnyConnect client. These user accounts are enabled/disabled at various intervals. Without forcing the users to re-authenticate, the AnyConnect session remains up even when the user account is disabled.
Any suggestions/alternatives would really be helpful.
Regards,
John
01-26-2013 03:01 AM
Hi
If you use IKEv2 re-xauth might work for you:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/qr.html#wp1839562
(I have not tested it for IKEv2, just IKEv1).
If you use SSL - I do not know of any solution.
You might want to use vpn-idle-timeout:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/uz.html#wp1663941
But it's only for idle users.
---
Michal
01-26-2013 08:06 PM
Hi Michal,
Thank you for responding..
I am actually using SSL..
I had also read that the reauthentication on IKE rekey applied only to IPSec connections.
The vpn-idle-timeout doesn't really work as a solution as it's based on the session being idle...
I am thinking of an automated alternative, where the automated script checks for the userid at a regular interval and then if the userid is disabled, the automation script will connect to the ASA and logoff the user.
I plan to use this command - "vpn-sessiondb logoff name
Do you see any concerns/issues with this method... I am concerned about memory leak issues, as I have seen a couple of TAC cases with such issues. Just wanted to be sure that this command actually clears active AnyConnect SSL VPN connections in the desired way.
Regards,
John
01-27-2013 08:56 AM
Hi John,
Yes - "vpn-sessiondb logoff name
There should not be any problem with memory leaks (if you experience any, call TAC).
I have a few customers who run many different commands via scripts (pretty often) and do not experience any problems.
---
Michal
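A sketch of the automation discussed in this thread, added as an example and not code from either poster: it parses `show vpn-sessiondb anyconnect` output and builds `vpn-sessiondb logoff name <username> noconfirm` commands for sessions whose accounts are disabled. Assumptions: the sample output is constructed, the disabled-account list comes from your directory, account names compare case-insensitively, the function names are hypothetical, and delivering the commands to the ASA is left to your existing SSH tooling.

```python
import re

# Constructed sample of `show vpn-sessiondb anyconnect` output (not from a real device).
SAMPLE_OUTPUT = """\
Session Type: AnyConnect

Username     : jsmith                 Index        : 101
Assigned IP  : 10.10.1.21             Public IP    : 198.51.100.7
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel

Username     : Alee                   Index        : 102
Assigned IP  : 10.10.1.22             Public IP    : 198.51.100.9
Protocol     : AnyConnect-Parent SSL-Tunnel

Username     : bad;name               Index        : 103
"""

USERNAME_LINE = re.compile(r"^Username\s*:\s*(.+?)\s+Index\s*:\s*(\d+)\s*$", re.M)
# Conservative allowlist (an assumption of this example): a name containing
# whitespace or CLI-special characters is never placed in a command line.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._@\\-]{1,64}$")


def active_sessions(show_output):
    """Return {username: [session indexes]} parsed from the show output."""
    sessions = {}
    for name, index in USERNAME_LINE.findall(show_output):
        sessions.setdefault(name, []).append(int(index))
    return sessions


def logoff_commands(show_output, disabled_users):
    """Build logoff commands for active sessions owned by disabled accounts."""
    disabled = {u.lower() for u in disabled_users}
    commands, skipped = [], []
    for name in sorted(active_sessions(show_output)):
        if name.lower() not in disabled:
            continue  # account still enabled, leave the session alone
        if SAFE_NAME.match(name):
            commands.append(f"vpn-sessiondb logoff name {name} noconfirm")
        else:
            skipped.append(name)  # flag for manual review instead of sending
    return commands, skipped


if __name__ == "__main__":
    cmds, manual = logoff_commands(SAMPLE_OUTPUT, ["alee", "bad;name", "ghost"])
    print("\n".join(cmds))
    print("manual review:", manual)
```

Logging each generated command together with the time of the directory check gives an audit trail for every forced logoff.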