Example: Defining Forced Timeout (NSM Procedure)

Forced timeout, unlike idle timeout, does not depend on the idleness of the user, but on an absolute timeout after which access for the authenticated user is terminated. The authentication table entry for the user is removed, as are all associated sessions for the authentication table entry. The default is 0 (disabled), and the range is 0 to 10000 (6.9 days).

In the following example, if you change the authentication idle timeout value from the default (10 minutes) to 30 minutes and the RADIUS retry timeout from 3 seconds to 4 seconds, the session could theoretically remain open indefinitely (as long as one keystroke is sent every 30 minutes). You can limit total session time by setting forced-timeout to 60 minutes. With this setting, after one hour the authentication table entry for the user is removed, as are all associated sessions for the authentication table entry, and the user needs to reauthenticate.

Note: For detailed information on changing authentication server settings, see Concepts & Examples ScreenOS Reference Guide.

To define forced timeout:

  1. In the NSM navigation tree, select Device Manager>Security Devices.
  2. Select a security device and then double-click the device on which you want to define forced timeout. The device configuration appears.
  3. In the device navigation tree, select Auth>Default Servers.
  4. Specify a valid range in minutes for the Local Auth Server Timeout.
  5. Specify a valid range in minutes for the Local Auth Server Forced Timeout.
  6. Click OK to apply your settings.
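
The difference between the two timers in the example above can be checked with a small model. This is an added illustration, not ScreenOS or NSM code: `AuthEntry`, `entry_expired`, and `simulate` are hypothetical names, time is counted in whole minutes, and the keystroke schedule is constructed sample input.

```python
# Added illustration: a simplified model of an authentication table entry.
# Not ScreenOS or NSM code; all names are hypothetical.
from dataclasses import dataclass


@dataclass
class AuthEntry:
    created: int        # minute at which the user authenticated
    last_activity: int  # minute of the most recent traffic from the user


def entry_expired(entry, now, idle_timeout, forced_timeout):
    """Return why the entry is removed at minute `now`, or None if it stays.

    forced_timeout == 0 means disabled, matching the documented default.
    """
    # Forced timeout is measured from authentication and ignores activity.
    if forced_timeout and now - entry.created >= forced_timeout:
        return "forced"
    # Idle timeout is measured from the last activity and resets on traffic.
    if now - entry.last_activity >= idle_timeout:
        return "idle"
    return None


def simulate(activity_minutes, idle_timeout, forced_timeout, horizon):
    """Step minute by minute; return (minute, reason) of removal, or None."""
    entry = AuthEntry(created=0, last_activity=0)
    activity = set(activity_minutes)
    for now in range(1, horizon + 1):
        reason = entry_expired(entry, now, idle_timeout, forced_timeout)
        if reason:
            return now, reason
        if now in activity:
            entry.last_activity = now  # a keystroke resets only the idle timer
    return None


# Constructed input: one keystroke every 29 minutes over a 24-hour period,
# which always lands inside the 30-minute idle window.
KEYSTROKES = range(29, 24 * 60, 29)

if __name__ == "__main__":
    day = 24 * 60
    print("idle=30, forced=0 :", simulate(KEYSTROKES, 30, 0, day))
    print("idle=30, forced=60:", simulate(KEYSTROKES, 30, 60, day))
    print("idle=30, forced=60, no activity:", simulate([], 30, 60, day))
```

With the forced timeout disabled the entry survives the whole day; with it set to 60 the entry is removed at minute 60 regardless of activity, and an inactive user is still removed earlier by the idle timeout.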
