Friendly Re-authentication

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Friendly Re-authentication

L1 Bithead

Hi folks,

We have a number of users trialling our new Global Protect setup and it appears a small number are workaholics.
We have the authentication window set at 10hrs (its Radius with TOTP) - and the authentication cookie also expires after 10hrs.

 

From the user perspective, at the 10hr mark, all connectivity is cut and interactive apps (ssh for instance) are dropped. They can re-authenticate and return to work, so the setup is fine for most day-of-work use. But the user experience is poor for those working longer.

 

Coming from Checkpoint and ASA, both these products offer a re-authentication window, 5-10 mins before connectivity expires, to allow the user to reauthenticate and gain another 10hrs of tunnel time, without any hard cut off. 

 

Is this possible in GP and if so, how? Are we missing a setting or confusing the way expiry works on the certs, etc?

1 accepted solution

Accepted Solutions

L7 Applicator

Hi @GN_ROS 

Globalprotect so far does not offer such an option. Depending on the actual authentication and connection type there are ways to make the login more userfriendly, but the hard cut-off will still be there. I assume increading the login lifetime is not an option because of some company policies - so that you will make sure that at least once a day your users have to log in again?

View solution in original post

3 REPLIES 3

L7 Applicator

Hi @GN_ROS 

Globalprotect so far does not offer such an option. Depending on the actual authentication and connection type there are ways to make the login more userfriendly, but the hard cut-off will still be there. I assume increading the login lifetime is not an option because of some company policies - so that you will make sure that at least once a day your users have to log in again?

Thanks for the confirmation,

 

Yes login lifetime increase is not a recommended way round this. We want the users to be regularly checked, zero trust model.

 

The solution we are looking for (and pursuing through our SE) is a 5 min warning and option to re authenticate before the tunnel dies. 
This means existing TCP sessions, like SSH sessions, etc. do not drop, assuming the user wants to keep the tunnel up.

This seems like a really good option, we've been struggling with this same requirement for shorter session lengths for VPN to ensure the user is re-authenticated regularly, but don't want to interrupt someone in the middle of a session.

Did you get anywhere with your SE? Do they have a feature request we could tag on to as well?

  • 1 accepted solution
  • 4549 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!