Please read the following PDF doc:
You will want to use session cookies.
Session cookies will remove user entries when the browser is closed.
If session cookies are enabled, the user’s entry will be removed from the authentication table after the user closes the browser. If session cookies are not enabled, the entry will be aged out after the specified inactivity timer/expiration timer.
Please refer to the session cookie information on page #11 of the doc:
A session cookie is stored within the browser itself and is sent within each HTTP request packet. Session cookies are removed when the browser is closed. Enabling session cookies has two advantages:
• The user will not need to re-authenticate when the idle or expiration timers trigger.
• When roaming is enabled, if the machine’s IP address changes, the user will be re-mapped to the new IP. Re-authentication is not required.
The session cookie timeout is an absolute time value. After this period of time has passed, the user will be prompted to login again.
Best practice is to enable session cookies, and to configure the idle and expiration timer to be 1 minute. That way, once the browser is closed, the association will timeout in 60 seconds.
I hope it can help you further.
That is correct.
If you close your browser and your Idle/Expiration timer is set to 1 hour, it will keep the association during that timeframe, and you will not be asked to re-authenticate should you reopen your browser during that timeframe.
For example: I configured CP using session cookies, and I also configured an expiration and idle timer of 10 minutes.
When I first open my browser I will be redirected to the CP logon page.
When I logon, I get a cookie.
At the same time I get an ip-user-mapping with the timers specified in the above config.
You can check this mapping and timers with the 'show user ip-user-mapping all' command:
admin@PA-500-249> show user ip-user-mapping all
IP               Vsys    From     User                              IdleTimeout(s)  MaxTimeout(s)
---------------  ------  -------  --------------------------------  --------------  -------------
192.168.200.21   vsys1   CP       testuser1                         600             600
Total: 1 users
As you can see I got an IP user mapping from CP and the 10 minute timers I configured.
Because I am using session cookies, as long as the browser is kept open I will not need to re-authenticate, even if the Expiration/Idle timers expire. I will only need to re-authenticate if my cookie expires (1440 minutes, as per the screenshot above).
When I close my browser my cookie will be deleted. However, if my previous mapping has not yet expired, then I will not need to re-authenticate when I reopen my browser. That's why the doc says best practice is to set the Idle/Expiration timer to 1 minute.
I hope this clarifies things.
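To make the interaction of the three timers in the reply above concrete, here is an added model of the behaviour it describes (illustration code, not Palo Alto's; it assumes, as the reply does, that a request carrying a valid session cookie re-creates the ip-user-mapping, that closing the browser discards the cookie, and that traffic from the mapped IP refreshes the idle timer). It reproduces both cases from the thread: the browser staying open past the idle/expiration timers, and the "shared PC" gap after the browser is closed, with and without a manual `clear user-cache ip`.

```python
"""Model of Captive Portal session cookies vs. ip-user-mapping timers.

Added illustration, not PAN-OS code. Assumed rules (from the thread):
  * login creates a mapping with IdleTimeout(s) / MaxTimeout(s) and issues a
    session cookie whose lifetime is an absolute value;
  * a request with a valid cookie re-maps the IP, so the mapping timers never
    force a re-login while the browser stays open;
  * closing the browser deletes the cookie but NOT the mapping, which lives on
    until the idle or expiration timer ages it out (or it is cleared by hand).
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Mapping:
    user: str
    created: float      # login or last cookie-based re-mapping (expiration timer)
    last_seen: float    # last request from the IP (idle timer)


@dataclass
class CaptivePortal:
    idle_timeout: float       # seconds, the IdleTimeout(s) column
    max_timeout: float        # seconds, the MaxTimeout(s) column
    cookie_timeout: float     # seconds, absolute session cookie lifetime
    mapping: Optional[Mapping] = None
    cookie: Optional[dict] = None          # present only while the browser is open
    events: list = field(default_factory=list)

    def _mapping_valid(self, now: float) -> bool:
        m = self.mapping
        if m is None:
            return False
        if now - m.last_seen > self.idle_timeout:   # aged out by inactivity
            return False
        if now - m.created > self.max_timeout:      # hit the expiration timer
            return False
        return True

    def login(self, now: float, user: str) -> None:
        self.mapping = Mapping(user, now, now)
        self.cookie = {"user": user, "issued": now}
        self.events.append((now, "login", user))

    def close_browser(self, now: float) -> None:
        self.cookie = None     # session cookie dies with the browser
        self.events.append((now, "browser-closed", None))

    def clear_mapping(self, now: float) -> None:
        """Equivalent of `clear user-cache ip <ip>` on the CLI/API."""
        self.mapping = None
        self.events.append((now, "clear-user-cache", None))

    def request(self, now: float) -> str:
        """'allowed' if no login page is shown for this request, else 'login-page'."""
        if self.cookie and now - self.cookie["issued"] <= self.cookie_timeout:
            # assumption: a valid cookie re-creates the mapping (no re-auth)
            self.mapping = Mapping(self.cookie["user"], now, now)
            return "allowed"
        if self._mapping_valid(now):
            # no cookie, but the old mapping still exists: whoever sits at this
            # IP now inherits the previous user's identity
            self.mapping.last_seen = now
            return "allowed"
        return "login-page"


def browser_open_scenario(t: float) -> str:
    """Browser never closed: idle 60 s, expiration 120 s, cookie 3600 s."""
    cp = CaptivePortal(idle_timeout=60, max_timeout=120, cookie_timeout=3600)
    cp.login(0, "testuser1")
    return cp.request(t)


def shared_pc_scenario(gap: float, clear_on_close: bool = False) -> str:
    """User logs in at t=0, closes the browser at t=30; someone else opens a new
    browser `gap` seconds later. Timers from the thread: idle 60 s, exp 120 s."""
    cp = CaptivePortal(idle_timeout=60, max_timeout=120, cookie_timeout=3600)
    cp.login(0, "testuser1")
    cp.close_browser(30)
    if clear_on_close:
        cp.clear_mapping(30)
    return cp.request(30 + gap)


if __name__ == "__main__":
    print("browser open at t=600  :", browser_open_scenario(600))    # allowed
    print("browser open at t=4000 :", browser_open_scenario(4000))   # login-page
    print("next person after 20 s :", shared_pc_scenario(20))        # allowed
    print("next person after 61 s :", shared_pc_scenario(61))        # login-page
    print("20 s, mapping cleared  :", shared_pc_scenario(20, True))  # login-page
```

The 20-second case is exactly the gap the thread worries about: a 1-minute idle timer is the floor the GUI allows, so the only way to close the window completely is to remove the mapping at the moment the browser goes away.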
In the CLI you can manually delete an ip-user-mapping with the following commands:
clear user-cache ip x.x.x.x
clear user-cache-mp ip x.x.x.x
If you close your browser and clear the ip-user-mapping as shown above the user will have to re-authenticate when reopening the browser.
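The two CLI commands above are also available as operational commands through the PAN-OS XML API, which is how one would automate the "clear on browser close" step. The script below is an added example, not Palo Alto's code. It assumes the API is served at `https://<firewall>/api/`, that the op command for `clear user-cache ip x.x.x.x` is the XML `<clear><user-cache><ip>x.x.x.x</ip></user-cache></clear>` (and `<user-cache-mp>` for the `-mp` variant), that the API accepts the parameters as a POST body, and that the reply is a `<response status="...">` element; `fake_opener` and the sample replies are constructed for the offline run.

```python
"""Clear a Captive Portal ip-user-mapping via the PAN-OS XML API.

Added example, not Palo Alto's code. Assumptions are marked inline.
"""
import ipaddress
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Optional


def clear_user_cache_cmd(ip: str, mp: bool = False) -> str:
    """Build the op-command XML for `clear user-cache ip <ip>` (or the -mp form).

    The address is validated first so that untrusted input (e.g. from a logoff
    hook on the shared PC) cannot inject extra XML into the command."""
    addr = ipaddress.ip_address(ip)          # ValueError on anything that is not an IP
    node = "user-cache-mp" if mp else "user-cache"   # assumed element names
    return f"<clear><{node}><ip>{addr}</ip></{node}></clear>"


def build_request(host: str, api_key: str, ip: str, mp: bool = False) -> urllib.request.Request:
    """POST so the API key is not written into proxy/web-server logs
    (assumption: the XML API accepts POST form data for type=op)."""
    body = urllib.parse.urlencode({
        "type": "op",
        "cmd": clear_user_cache_cmd(ip, mp),
        "key": api_key,
    }).encode()
    return urllib.request.Request(f"https://{host}/api/", data=body, method="POST")


def parse_response(xml_text: str) -> bool:
    """True only if the firewall answered <response status="success">."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError(f"unexpected response root element: {root.tag}")
    return root.get("status") == "success"


def clear_user_cache(host: str, api_key: str, ip: str, mp: bool = False,
                     opener: Optional[Callable[[urllib.request.Request], str]] = None) -> bool:
    """Clear the mapping on the data plane (and optionally the management plane).
    `opener` is injectable so the logic can be exercised without a firewall."""
    if opener is None:
        ctx = ssl.create_default_context()   # verify the firewall's TLS certificate
        opener = lambda req: urllib.request.urlopen(req, context=ctx).read().decode()
    ok = parse_response(opener(build_request(host, api_key, ip, mp=False)))
    if mp:
        ok = parse_response(opener(build_request(host, api_key, ip, mp=True))) and ok
    return ok


# --- constructed stand-in for a firewall, used when running offline -----------
SAMPLE_OK = '<response status="success"><result>ok</result></response>'
SAMPLE_ERR = '<response status="error"><msg><line>invalid ip</line></msg></response>'


def fake_opener(req: urllib.request.Request) -> str:
    """Pretend firewall: succeeds for 192.168.200.21, fails for anything else."""
    params = urllib.parse.parse_qs(req.data.decode())
    return SAMPLE_OK if "<ip>192.168.200.21</ip>" in params["cmd"][0] else SAMPLE_ERR


if __name__ == "__main__":
    print(clear_user_cache("fw.example", "API-KEY", "192.168.200.21", mp=True,
                           opener=fake_opener))   # True
```

The firewall cannot see a browser being closed, so something on the client side (a logoff script, a session-manager hook) has to trigger this call with the PC's address; the IP validation is what keeps that client-supplied value from becoming part of the command.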
Let me clarify things a little, so maybe it will be easier to solve this.
We set the timers as below:
idle 1 min
expiration 2 min
session cookie enabled 60min
So it works if you close the browser and wait at most 1 minute before opening a new one.
The problem is when someone closes the browser and another person comes to the same computer and opens a new browser within 15-20 seconds: it does not ask for a username/password!
This is the real problem. So we know 1 minute is the minimum to trigger that situation.
When the browser is closed, we want to auto-clear that session.
I'll try to do that with the commands you gave, via the API. Hope we'll solve that.
Thanks for help.
Question for you, KWE:
Which version of PAN-OS are your answers valid for? I am working on setting up Captive Portal and have it working, and your answers help address a major issue I have to handle before roll-out: that of "resetting" captive portal when the browser closes, and not forcing a user to re-authenticate every 15 minutes.