Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

firewall-authentication-forced-timeout

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 15.1X49-D100.

Description

Configure the firewall authentication forced timeout setting to apply to entries for user who authenticate through captive portal.

When a user authenticates through captive portal, an authentication table entry is generated for that user based on the information that the SRX Series device obtains from the firewall authentication module. At that point, the default traffic-based authentication timeout logic is applied to the entry. This statement gives you control over how long non-domain users who authenticate through captive portal remain authenticated.

When the firewall authentication forced timeout value is configured, it is used in conjunction with the traffic-based timeout logic.

Here is how timeout settings affect active directory authentication entries for users authenticated through captive portal.

  • The firewall authentication forced timeout is set for 3 hours.

    Traffic continues to be received and generated by a device associated with an authentication entry for a user. After 3 hours the authentication entry expires, although at that time there are sessions anchored in Packet Forwarding Engine for the authentication entry.

  • If set, the firewall authentication forced timeout has no effect.

    An authentication entry does not have sessions anchored to it. It expires after the time set for the authentication entry timeout, for example, 30 minutes.

  • The firewall authentication forced timeout configuration is deleted.

    Firewall authentication forced timeout has no effect on new authentication entries. Firewall authentication forced timeout remains enforced for existing authentication entries to which it applied before it was deleted. That is, for those authentication entries, the original forced timeout setting remains in effect.

  • The firewall authentication forced timeout configuration setting is changed.

    The new timeout setting is applied to new incoming authentication entries. Existing entries keep the original, former setting.

  • The firewall authentication forced timeout is set to 0, disabling it.

    If the firewall authentication forced timeout is set to a new value, that value is assigned to all incoming authentication entries. There is no firewall authentication forced timeout setting for existing authentication entries.

  • The firewall authentication forced timeout value is not configured.

    • The SRX Series device generates an authentication entry for a user. The default traffic-based timeout logic is applied to the authentication entry.

    • The active directory timeout value is configured for 50 minutes. A traffic-based timeout of 50 minutes is applied to an authentication entry.

    • The active directory timeout is not configured. The default traffic-based timeout of 30 minutes is applied to an authentication entry.

Options

minutesThe maximum duration for which the non-domain users who authenticate through captive portal remain authenticated.

Default: 30 minutes

Range: 10 through 1440 minutes

Required Privilege Level

  • services—To view this statement in the configuration.

  • services-control—To add this statement to the configuration.