User Guide

OmniAccess SafeGuard OS Administration Guide

219

Chapter 6: Configuring Authentication and Role Derivation

Tracking an Authenticated User Session

The authentication component records the time at which a user logs in. By default, the

system will keep the user session until the IP in question has been idle for a certain period

of time.

It may be desirable to force users to log in over a certain time period, for example a work

day. To do this, the administrator can configure a force-timeout. When a force timeout has

been configured for a protocol, users logging in using that protocol will be logged out

after the indicated time, regardless of subsequent activity. This is done using the

aaa

timer-config [protocol] force timeout

routine.

To configure the per-protocol timer, use the aaa session-tracking protocol-config

timeout Global Configuration command.

aaa timer-config protocol force-timeout

To display the age-out timer settings by protocol, use the show aaa timer-config

Privileged Exec command.

show aaa timer-config

ERROR Number of PDU errors. The sum of this column should

match the total PDU Errors field.

CUR Current number of events in the queue.

MAX Maximum queue limit.

HIGH High water mark.

TOUT Number of times a user’s request was aged out.

NOTE: A white-list can have a specific force-timeout applied to it. In this

case, the specific time out “wins” in priority over the less-specific protocol-

based white-list timeout.

Syntax Description protocol Protocol being configured. The argument can

be any one of the following:

■ Captive-portal

■ Kerberos

■ MAC-based RADIUS

■ 802.1x

■ RADIUS

Field Description