Authentication Timestamps

When configuring an Authentication policy rule, you can specify a timeout period during which a user authenticates only once, for initial access to services and applications, and not again for subsequent access. Your goal is to specify a timeout that strikes a balance between the need to secure services and applications and the need to minimize interruptions to the user workflow. When a user authenticates, the firewall records a timestamp for the first authentication challenge (factor) and a separate timestamp for each additional Multi-Factor Authentication (MFA) factor. When the user subsequently requests services and applications that match an Authentication rule, the firewall evaluates the timeout specified in the rule relative to each timestamp. This means the firewall reissues authentication challenges on a per-factor basis as each factor's timeout expires. If you Redistribute User Mappings and Authentication Timestamps, all your firewalls will enforce Authentication policy timeouts consistently for all users.
The firewall records a separate timestamp for each MFA vendor. For example, if you use Duo v2 and PingID servers to issue challenges for MFA factors, the firewall records one timestamp for the response to the Duo factor and one timestamp for the response to the PingID factor.
Within the timeout period, a user who successfully authenticates for one Authentication rule can access services or applications that other rules protect. However, this portability applies only to rules that trigger the same authentication factors. For example, a user who successfully authenticates for a rule that triggers TACACS+ authentication must authenticate again for a rule that triggers SAML authentication, even if the access requests are within the timeout period for both rules.
When evaluating the timeout in each Authentication rule together with the global timer defined in the Captive Portal settings (see Configure Captive Portal), the firewall prompts the user to re-authenticate for whichever setting expires first. Upon re-authentication, the firewall records new authentication timestamps for the rules and resets the Captive Portal timer. Therefore, to enable different timeout periods for different Authentication rules, set the Captive Portal timer to a value that is equal to or higher than the longest timeout in any rule; otherwise the Captive Portal timer expires first and overrides the longer rule timeouts.
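The following is an added model of the timestamp logic described above, not code from the firewall or its documentation: it keeps one timestamp per factor, evaluates each rule's timeout against those timestamps, and applies the Captive Portal timer on top. The rule names, factor names, timeout values and the timeline are constructed for illustration, and the behaviour on Captive Portal expiry (re-challenge every factor) is an assumption.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class AuthRule:
    name: str
    factors: Tuple[str, ...]   # first factor plus any MFA vendors, e.g. ("TACACS+", "Duo v2")
    timeout: int               # rule timeout in seconds

@dataclass
class UserAuthState:
    """Per-user state: one timestamp per factor plus the last Captive Portal reset."""
    captive_portal_timer: int
    factor_ts: Dict[str, int] = field(default_factory=dict)
    portal_ts: Optional[int] = None

    def authenticate(self, rule: AuthRule, now: int) -> None:
        """User answered every challenge for `rule`: stamp each factor, reset the portal timer."""
        for factor in rule.factors:
            self.factor_ts[factor] = now
        self.portal_ts = now

    def challenges(self, rule: AuthRule, now: int) -> List[str]:
        """Factors re-challenged when a request matching `rule` arrives at time `now`."""
        # Assumption (not stated on the page): an expired Captive Portal timer
        # re-challenges every factor of the rule, whatever the per-factor timestamps say.
        if self.portal_ts is None or now - self.portal_ts >= self.captive_portal_timer:
            return list(rule.factors)
        # The rule timeout is evaluated per factor against that factor's own timestamp.
        return [f for f in rule.factors
                if f not in self.factor_ts or now - self.factor_ts[f] >= rule.timeout]

# Constructed rules (illustrative values, not from the page).
INTRANET = AuthRule("intranet", ("TACACS+",), timeout=3600)
HR_PORTAL = AuthRule("hr-portal", ("SAML",), timeout=3600)
FINANCE = AuthRule("finance", ("TACACS+", "Duo v2"), timeout=900)

def walkthrough(captive_portal_timer: int = 3600) -> Dict[str, List[str]]:
    """Replay a constructed timeline and return what the firewall would re-challenge at each step."""
    state = UserAuthState(captive_portal_timer)
    state.authenticate(INTRANET, now=0)
    out = {
        "t100 intranet": state.challenges(INTRANET, 100),   # same factor, in timeout: nothing
        "t100 hr": state.challenges(HR_PORTAL, 100),        # different factor: SAML again
        "t100 finance": state.challenges(FINANCE, 100),     # only the missing MFA factor
    }
    state.authenticate(FINANCE, now=100)
    out["t1100 finance"] = state.challenges(FINANCE, 1100)    # 900 s rule timeout hit for both
    out["t1100 intranet"] = state.challenges(INTRANET, 1100)  # 3600 s rule still valid
    return out
```

Calling `walkthrough(600)` shows the last paragraph's point: with the Captive Portal timer below the rule timeout, the intranet rule re-challenges at t=1100 even though its own 3600 s timeout has not expired.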