
Tutorial: How to Adjust Access Server's Session Tokens

Abstract

How to change Access Server's settings for session tokens.

Overview

Access Server implements session-token-based authentication. After a normal successful authentication, the server sends a session token to the VPN client. Each time the VPN client must authenticate again, it offers this session token to the server. If the session token passes validation checks on the server side, the client is allowed to resume the VPN session.

This tutorial shows how to adjust session token settings from the command-line interface (CLI).

Prerequisites

  • An installed Access Server.

  • Console access and the ability to get root access.

Start by learning about how session tokens work by reading our detailed topic:

  1. Connect to the console and get root privileges.

  2. Use the following commands to adjust the default session token values and define new behavior:

    • Set the session token timeout in seconds (default 86100 seconds or approximately 24 hours):

      sacli --key "vpn.server.session_expire" --value <SECONDS> ConfigPut
      sacli start
    • Remove this value to reset it to default:

      sacli --key "vpn.server.session_expire" ConfigDel
      sacli start
    • Change the mid-session TLS renegotiation period:

      sacli --key "vpn.tls_refresh.interval" --value <MINUTES> ConfigPut
      sacli start

      Note

      As of Access Server 2.9.3, the renegotiation default value is 60 minutes (1 hour). Previous versions used 360 minutes (6 hours). When you upgrade Access Server from an older version, the renegotiation value stays the same.

    • Restore this value to default by deleting it:

      sacli --key "vpn.tls_refresh.interval" ConfigDel
      sacli start

    Important

    If you set the value to an extremely high number, such as 99999999999, you effectively disable session token expiration. We advise against this. If you need a session that never requires authentication, use auto-login type profiles, as they do not use session tokens.
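
The following shell sketch is an added example, not part of the Access Server documentation. It checks a proposed value before printing the sacli commands shown above, and refuses both the "never expire" value from the Important note and a seconds-for-minutes mix-up on the TLS interval. The ceilings, function names and sample inputs are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: validate values before handing them to sacli.
# The ceilings are assumptions for illustration; set them from your own policy.
MAX_SESSION_SECONDS=604800   # assumed ceiling: 7 days, in seconds
MAX_TLS_MINUTES=360          # assumed ceiling: 6 hours, in minutes

# in_range VALUE MAX -> success only for a plain decimal integer in 1..MAX
in_range() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;   # empty, zero/leading zero, or non-digit
    esac
    # Compare lengths first so a value like 99999999999 is refused without
    # relying on the shell's integer width.
    [ "${#1}" -le "${#2}" ] && [ "$1" -le "$2" ]
}

# plan KEY VALUE MAX -> print the sacli commands from the tutorial, or refuse
plan() {
    if ! in_range "$2" "$3"; then
        echo "refused: $1=$2 (allowed 1..$3)" >&2
        return 1
    fi
    printf 'sacli --key "%s" --value %s ConfigPut\nsacli start\n' "$1" "$2"
}

plan_session_expire() { plan vpn.server.session_expire "$1" "$MAX_SESSION_SECONDS"; }
plan_tls_refresh()    { plan vpn.tls_refresh.interval "$1" "$MAX_TLS_MINUTES"; }

# Constructed sample inputs: a sane timeout, the "never expire" value from
# the Important note, and a seconds-for-minutes mix-up on the TLS interval.
demo() {
    plan_session_expire 43200
    plan_session_expire 99999999999 || true
    plan_tls_refresh 3600 || true
    plan_tls_refresh 60
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

The functions only print commands; review the output, then run it as root on the Access Server host.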