Authentication timeout setting on global user authentication setting vs per user group

This article describes which setting takes precedence when an authentication timeout is set both on a user group and in the global user authentication setting.

Scope

FortiOS.

Solution

There are two ways to set the authentication timeout for users when logging in. By default, in the global user setting under User & Authentication > Authentication Settings, auth-timeout is set to 5 minutes.

CLI:

CLI to set the authentication for users when logging in.

GUI:

GUI to set the authentication for users when logging in.

When using the command diag firewall auth list, the details of the user's authentication are shown. In the sample below, expired and allow-idle were 300 (in seconds), which matches the default authentication timeout of 5 minutes.

On the other hand, it is also possible to set the authentication timeout per user group. The default authtimeout setting for each user group is 0. This means that it follows the timeout set on the global user authentication setting shown above.

Default setting:

The default authtimeout setting for each user group is 0. This means that it follows the timeout set on the global user authentication setting shown above.

In this scenario, a separate user group was created with authtimeout set to 1 minute.

The auth list now shows that the expiration and allow-idle time have changed following the setting of the auth timeout on the user group.
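
An added example, not part of the original article and not Fortinet code: a Python check that reads allow-idle from diag firewall auth list output and compares it with the timeout the precedence rule above predicts (the group's authtimeout unless it is 0, otherwise the global value). The listing layout, the group_name field, and the user and group names are assumptions, and the sample is constructed.

```python
import re

# Constructed sample, not captured from a device. The layout (an "ip, user"
# header followed by indented "key: value" pairs) and group_name are assumptions.
SAMPLE = """\
10.0.1.10, alice
    type: fw, id: 0, duration: 12, idled: 12
    expire: 288, allow-idle: 300
    group_name: staff

10.0.1.20, bob
    type: fw, id: 0, duration: 5, idled: 5
    expire: 55, allow-idle: 60
    group_name: contractors

10.0.1.30, carol
    type: fw, id: 0, duration: 40, idled: 40
    expire: 260, allow-idle: 300
    group_name: contractors
"""

HEADER = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),\s*(\S+)$")
FIELD = re.compile(r"([\w-]+):\s*([^,\s]+)")

def parse_auth_list(text):
    """Return one dict per authenticated user found in the listing."""
    entries, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            cur = {"ip": m.group(1), "user": m.group(2)}
            entries.append(cur)
        elif cur is not None:
            cur.update(FIELD.findall(line))
    return entries

def effective_timeout(group, global_minutes, group_minutes):
    """Seconds that apply: the group's authtimeout, or the global value if it is 0."""
    return (group_minutes.get(group, 0) or global_minutes) * 60

def audit(text, global_minutes=5, group_minutes=None):
    """Return (user, observed allow-idle, expected) where the two disagree."""
    findings = []
    for e in parse_auth_list(text):
        expected = effective_timeout(e.get("group_name"), global_minutes, group_minutes or {})
        observed = int(e.get("allow-idle", -1))  # -1 marks a missing field
        if observed != expected:
            findings.append((e["user"], observed, expected))
    return findings
```

Pass the configured values in minutes, as they are set on the device, for example audit(output, 5, {"contractors": 1}); an empty result means every listed session carries the timeout the configuration predicts.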
