How often will XAuth users need to enter username/password after initial login?


Article ID: KB8605 KB Last Updated: 11 Aug 2010 Version: 3.0
Summary:
How often will XAuth users need to enter username/password after initial login?
Symptoms:
XAuth users are prompted for username/password again after several hours, but they are not prompted to re-login after the XAuth lifetime expires. However, users may receive a different IP address from the XAuth pool after the XAuth lifetime expires.
Solution:

The user is prompted to enter username/password only after a Phase 1 rekey. For example, if the Phase 1 lifetime is 8 hours and the XAuth lifetime is 1 hour, the user will not be prompted after 1 hour.

Some extra information from the C&E guide:

To avoid repeated logins after the initial login, configure the VPN tunnel with any idletime other than 0 using the CLI command:

set vpn <name> gateway <name> idletime <number>

where <number> is the idletime in minutes.

  • If there is VPN activity at the completion of Phase 1 IKE renegotiations, the NetScreen device does not prompt the XAuth user to log in again. This option enables the user to download large files, transmit or receive streaming media, or participate in Web conferences without interruption.
  • If the XAuth address lifetime had been shorter than the Phase 1 SA lifetime, the NetScreen device may have assigned the user another IP address, which might or might not have been the same as the previously assigned address.
  • If it is crucial that a user always be assigned the same IP address, you can specify an address in the user configuration. The NetScreen device then assigns this address instead of assigning one at random from an IP pool. Note that such an address must not be in an IP pool or it might get assigned to another user and be unavailable when needed.
  • The IP address is not released until the XAuth lifetime expires.
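
The rules above can be laid out on a timeline. The following is an added example, not ScreenOS code and not part of the original article: a small Python model that takes the Phase 1 lifetime, XAuth lifetime, idletime and the minutes at which the user sent traffic, and lists when the address lease ends and when a new login prompt occurs. The function names are hypothetical, and two points are assumptions: "VPN activity" is modeled as traffic within the last idletime minutes before the rekey, and the address lease is assumed to restart every XAuth lifetime.

```python
# Added illustration (not ScreenOS code). Function and parameter names are
# hypothetical; all times are minutes since the initial XAuth login.

def xauth_timeline(p1_lifetime, xauth_lifetime, idletime, traffic, horizon):
    """Return sorted (minute, kind, note) events for one XAuth user.

    p1_lifetime    -- Phase 1 SA lifetime
    xauth_lifetime -- XAuth address lifetime
    idletime       -- VPN idletime, 0 means not configured
    traffic        -- minutes at which the user sent VPN traffic
    """
    events = []
    # XAuth lifetime expiry never prompts; it only ends the address lease.
    # Assumption: the lease restarts at every multiple of xauth_lifetime.
    for t in range(xauth_lifetime, horizon + 1, xauth_lifetime):
        events.append((t, "lease", "address released, IP may change, no prompt"))
    # Only a Phase 1 rekey can trigger a new username/password prompt.
    for t in range(p1_lifetime, horizon + 1, p1_lifetime):
        # Assumption: "VPN activity" = traffic within the last idletime minutes.
        active = idletime > 0 and any(t - idletime < m <= t for m in traffic)
        if active:
            events.append((t, "rekey", "tunnel active, no prompt"))
        else:
            events.append((t, "prompt", "user must log in again"))
    return sorted(events)


def prompt_times(*args):
    """Minutes at which the user is asked for credentials again."""
    return [t for t, kind, _ in xauth_timeline(*args) if kind == "prompt"]


if __name__ == "__main__":
    # The article's example: Phase 1 lifetime 8 hours, XAuth lifetime 1 hour.
    # Constructed input: idletime 10 minutes, traffic at minute 475 only.
    for minute, kind, note in xauth_timeline(480, 60, 10, [475], 960):
        print(f"{minute:4d} min  {kind:6s}  {note}")
```

With the constructed input, the first rekey at 480 minutes passes without a prompt because of the traffic at minute 475, while the idle tunnel at 960 minutes produces one.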