I have configured reverse authentication on an utm320 [9.308] for one internal webserver (Microsoft Reporting Services).
I use the form based front end mode and the users are remotly authenticated by a radius server (RSA SecureID Token).
This works quite well unless one problem:
Regardles of the configured session timeout and session lifetime 10-12 minutes after a successful login the user is prompted to authenticate to the frontend form again.
In the user authentication logfile appears the following entries:
192.168.130.0/24 is a seperate zone guest wifi - but the issue appears on every external network.
2015:03:17-11:48:44 verw-asg320-01-1 aua[20937]: id="3004" severity="info" sys="System" sub="auth" name="Authentication successful" srcip="192.168.130.24" host="" user="myusername" caller="reverseproxy" engine="radius"
2015:03:17-12:02:22 verw-asg320-01-1 aua[18600]: id="3006" severity="info" sys="System" sub="auth" name="Child 20937 is running too long. Terminating child"
2015:03:17-12:02:22 verw-asg320-01-1 aua[23170]: id="3006" severity="info" sys="System" sub="auth" name="Trying 172.25.85.12 (radius)"
2015:03:17-12:02:24 verw-asg320-01-1 aua[23170]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.130.24" host="" user="myusername" caller="reverseproxy" reason="DENIED"
Can anybody tell me if the session timeouts/session lifetime settings do work as expected?
The online help mentions "Caution – When using Reverse Authentication in combination with OTP the OTP tokens will only be checked once when a user session is set up. Once a session is set up, any subsequent request by the same user will not have their OTP tokens evaluated."
That would be my desired behaviour but I think this is just for the internal OTP tokens. Does anybody know if this behaviour can be 'configured' somewhere on the commandline in a configfile?
Regards
Manfred
This thread was automatically locked due to age.
