Tutorial: How to Adjust Access Server's Session Tokens
How to change Access Server's settings for session tokens.
Overview
Access Server implements session-token-based authentication. After a normal successful authentication, the server sends a session token to the VPN client. Each time the VPN client must authenticate again, it offers this session token to the server. If the session token passes validation checks on the server side, the client is allowed to resume the VPN session.
This tutorial shows how to adjust session token settings from the command-line interface (CLI).
An installed Access Server.
Console access and the ability to get root access.
Start by learning about how session tokens work by reading our detailed topic:
Connect to the console and get root privileges.
Use the following commands to adjust the default session token values and define new behavior:
Set the session token timeout in seconds (default 86100 seconds or approximately 24 hours):
sacli --key "vpn.server.session_expire" --value <SECONDS> ConfigPut sacli start
Remove this value to reset it to default:
sacli --key "vpn.server.session_expire" ConfigDel sacli start
Change the mid-session TLS renegotiation period:
sacli --key "vpn.tls_refresh.interval" --value <MINUTES> ConfigPut sacli start
Note
As of Access Server 2.9.3, the renegotiation default value is 60 minutes (1 hour). Previous versions used 360 minutes (6 hours). When you upgrade Access Server from an older version, the renegotiation value stays the same.
Restore this value to default by deleting it:
sacli --key "vpn.tls_refresh.interval" ConfigDel sacli start
Important
If you set the value to an extremely high setting, such as 99999999999, it effectively disables the session token expiration. We advise against this. If you need a session never to require authentication use auto-login type profiles as they do not use session tokens.