Authentication Timestamps
When configuring an Authentication policy rule, you can specify a timeout
period during which a user authenticates only for initial access to
services and applications, not for subsequent access. Your goal is to
specify a timeout that strikes a balance between the need to secure
services and applications and the need to minimize interruptions to the
user workflow. When a user authenticates, the firewall records a timestamp
for the first authentication challenge (factor) and a timestamp for each
additional Multi-Factor Authentication (MFA) factor. When the user
subsequently requests services and applications that match an
Authentication rule, the firewall evaluates the timeout specified in the
rule relative to each timestamp. This means the firewall reissues
authentication challenges on a per-factor basis when timeouts expire. If
you Redistribute User Mappings and Authentication Timestamps, all your
firewalls will enforce Authentication policy timeouts consistently for
all users.
The firewall records a separate timestamp for each MFA
vendor. For example, if you use
Duo v2 and PingID servers
to issue challenges for MFA factors, the firewall records one timestamp
for the response to the Duo factor and one timestamp for the response
to the PingID factor.
Within the timeout period, a user who successfully authenticates
for one Authentication rule can access services or applications
that other rules protect. However, this portability applies only
to rules that trigger the same authentication factors. For example,
a user who successfully authenticates for a rule that triggers TACACS+
authentication must authenticate again for a rule that triggers
SAML authentication, even if the access requests are within the
timeout period for both rules.
When evaluating the timeout in each Authentication rule and the global
timer defined in the Captive Portal settings (see Configure Captive
Portal), the firewall prompts the user to re-authenticate for whichever
setting expires first. Upon re-authenticating, the firewall records new
authentication timestamps for the rules and resets the time count for the
Captive Portal timer. A Captive Portal timer that is shorter than a rule's
timeout therefore caps that rule's effective timeout, regardless of the
value configured in the rule. To enable different timeout periods for
different Authentication rules, set the Captive Portal timer to a value
that is the same as or higher than the timeout in any rule.
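The following simulation is an added example written for this page, not PAN-OS code. It models the behaviour the preceding paragraphs describe: one timestamp per factor (first factor and each MFA vendor), per-factor re-challenge when a rule's timeout elapses, portability of an authentication only across rules that trigger the same factors, and the global Captive Portal timer forcing a full re-authentication when it expires before the rule timeout. The rule names, factor names, user names and the helper functions are assumptions made for illustration; the configuration check at the end flags rules whose timeout the Captive Portal timer would silently cap.

```python
"""Model of PAN-OS Authentication policy timeout evaluation.

Added example for this page (not PAN-OS source): simulates per-factor
authentication timestamps, per-rule timeouts and the global Captive Portal
timer. Rule/factor/user names and helper functions are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class AuthRule:
    name: str
    factors: FrozenSet[str]  # first factor plus each MFA vendor the rule triggers
    timeout: int             # per-rule Authentication policy timeout, seconds


@dataclass
class UserState:
    # one timestamp per factor: the first challenge and each MFA vendor
    factor_ts: Dict[str, int] = field(default_factory=dict)
    # when the Captive Portal (global) timer was last started or reset
    cp_start: Optional[int] = None


class FirewallModel:
    def __init__(self, rules: List[AuthRule], captive_portal_timer: int):
        self.rules = {r.name: r for r in rules}
        self.cp_timer = captive_portal_timer
        self.users: Dict[str, UserState] = {}

    def record_factor(self, user: str, factor: str, now: int) -> None:
        """User answered the challenge for `factor` at time `now` (seconds)."""
        st = self.users.setdefault(user, UserState())
        st.factor_ts[factor] = now   # separate timestamp per factor/vendor
        st.cp_start = now            # re-authenticating resets the global timer

    def factors_to_challenge(self, user: str, rule_name: str, now: int) -> FrozenSet[str]:
        """Factors the firewall must re-challenge for a request matching the rule.
        An empty set means the request is allowed on the existing timestamps."""
        rule = self.rules[rule_name]
        st = self.users.get(user)
        if st is None or st.cp_start is None:
            return rule.factors                    # never authenticated
        if now - st.cp_start >= self.cp_timer:
            return rule.factors                    # global timer expired first
        expired = set()
        for f in rule.factors:
            ts = st.factor_ts.get(f)
            # no timestamp (factor never completed) or rule timeout elapsed
            if ts is None or now - ts >= rule.timeout:
                expired.add(f)
        return frozenset(expired)


def rules_exceeding_captive_portal_timer(rules: List[AuthRule], cp_timer: int) -> List[str]:
    """Configuration check (assumed helper): rule timeouts above the Captive
    Portal timer never take effect, because the global timer expires first."""
    return [r.name for r in rules if r.timeout > cp_timer]


def run_scenario() -> dict:
    web = AuthRule("web-apps", frozenset({"LDAP", "Duo v2"}), timeout=3600)
    finance = AuthRule("finance", frozenset({"LDAP", "Duo v2"}), timeout=600)
    admin = AuthRule("admin-saml", frozenset({"SAML"}), timeout=3600)
    fw = FirewallModel([web, finance, admin], captive_portal_timer=7200)

    # constructed timeline: LDAP answered at t=0, Duo v2 push approved at t=30
    fw.record_factor("alice", "LDAP", 0)
    fw.record_factor("alice", "Duo v2", 30)

    results = {
        # same factors, within finance's 600 s timeout: portable, no challenge
        "finance_t100": fw.factors_to_challenge("alice", "finance", 100),
        # different factor (SAML): must authenticate again
        "admin_t100": fw.factors_to_challenge("alice", "admin-saml", 100),
        # t=600: LDAP timestamp (0) expired for finance, Duo v2 (30) not yet
        "finance_t600": fw.factors_to_challenge("alice", "finance", 600),
        # web-apps has a 3600 s timeout, so still valid at t=600
        "web_t600": fw.factors_to_challenge("alice", "web-apps", 600),
    }

    # Same rules with a Captive Portal timer shorter than web-apps' timeout
    short = FirewallModel([web, finance, admin], captive_portal_timer=1800)
    short.record_factor("bob", "LDAP", 0)
    short.record_factor("bob", "Duo v2", 0)
    results["web_t2000_short_cp"] = short.factors_to_challenge("bob", "web-apps", 2000)
    results["misconfigured_rules"] = rules_exceeding_captive_portal_timer(
        [web, finance, admin], 1800)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, sorted(value) if isinstance(value, frozenset) else value)
```

Running the script prints each scenario: `finance_t600` lists only `LDAP`, because the Duo v2 timestamp is 30 seconds younger and has not yet reached the 600-second rule timeout, while `web_t2000_short_cp` lists both factors even though the rule allows 3600 seconds, because the 1800-second Captive Portal timer expired first. The final line names the two rules whose timeouts exceed that Captive Portal timer, which is the configuration to correct before expecting different timeouts per rule.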