Friendly Re-authentication

L1 Bithead

Hi folks,

We have a number of users trialling our new Global Protect setup and it appears a small number are workaholics.
We have the authentication window set at 10hrs (it's RADIUS with TOTP) - and the authentication cookie also expires after 10hrs.

From the user perspective, at the 10hr mark, all connectivity is cut and interactive apps (ssh for instance) are dropped. They can re-authenticate and return to work, so the setup is fine for most day-of-work use. But the user experience is poor for those working longer.

Coming from Checkpoint and ASA, both these products offer a re-authentication window, 5-10 mins before connectivity expires, to allow the user to re-authenticate and gain another 10hrs of tunnel time, without any hard cut-off.

Is this possible in GP and if so, how? Are we missing a setting or confusing the way expiry works on the certs, etc?


Accepted Solutions
Cyber Elite

Hi @GN_ROS 

GlobalProtect so far does not offer such an option. Depending on the actual authentication and connection type there are ways to make the login more user-friendly, but the hard cut-off will still be there. I assume increasing the login lifetime is not an option because of some company policies - so that you will make sure that at least once a day your users have to log in again?

All Replies
L1 Bithead

Thanks for the confirmation,

Yes, login lifetime increase is not a recommended way round this. We want the users to be regularly checked, zero trust model.

The solution we are looking for (and pursuing through our SE) is a 5 min warning and option to re-authenticate before the tunnel dies.
This means existing TCP sessions, like SSH sessions, etc. do not drop, assuming the user wants to keep the tunnel up.
