Cisco Web Security Appliance S390 Operating Instructions

 
Chapter 7      Identities
Allowing Guest Access to Users Who Fail Authentication
Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
A user who fails authentication has transactions allowed when all of the following
conditions are true:
  • The user matches an Identity with guest privileges.
  • A non-Identity policy group uses that Identity and applies to guest users.
For example, you can create an Access or Decryption Policy that is specific to
guest users.
Note
If an Identity allows guest access and there is no user-defined policy group that
uses that Identity, users who fail authentication match the global policy for that
policy type. For example, if MyIdentity allows guest access and there is no
user-defined Access Policy that uses MyIdentity, users who fail authentication match
the global Access Policy. If you do not want guest users to match a global policy,
create a policy group above the global policy that applies to guest users and blocks
all access.
When the Web Proxy grants a user guest access, it identifies and logs the user as 
a guest in the access logs. You can specify whether the Web Proxy identifies the 
user by IP address or user name. In the access logs, reports, and end-user 
acknowledgement page, entries for guest users have one of the following formats:
  • (unauthenticated)IP_address
  • (unauthenticated)username_entered
You can enable guest access for an Identity that uses any authentication protocol 
or scheme.
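
One way to pull guest transactions out of access logs using the two entry formats above (an added example, not from the Cisco guide). The sample lines are constructed, their Squid-style field layout is an assumption, and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Guest marker as given in the guide: "(unauthenticated)" followed by an IP
# address or the user name entered. Stop at whitespace or a quote character.
GUEST_RE = re.compile(r'\(unauthenticated\)([^\s"]+)')

def classify_guest(value):
    """Return ("ip", value) or ("username", value) for the text after the marker."""
    try:
        ipaddress.ip_address(value)
        return ("ip", value)
    except ValueError:
        # The name was typed by a user who failed authentication, so treat it
        # as untrusted input: keep printable ASCII only before reporting it.
        safe = "".join(c if 32 < ord(c) < 127 else "?" for c in value)
        return ("username", safe)

def guest_transactions(lines):
    """Count guest transactions per (kind, identifier) pair."""
    counts = Counter()
    for line in lines:
        m = GUEST_RE.search(line)
        if m:
            counts[classify_guest(m.group(1))] += 1
    return counts

# Constructed sample lines (assumed layout, not copied from a real appliance).
SAMPLE = [
    "1278096903.150 97 172.16.0.5 TCP_MISS/200 8187 GET http://www.example.com/ (unauthenticated)172.16.0.5 DIRECT/www.example.com text/html",
    "1278096910.402 45 172.16.0.9 TCP_MISS/200 1204 GET http://www.example.com/a (unauthenticated)jdoe DIRECT/www.example.com text/html",
    "1278096911.008 51 172.16.0.9 TCP_MISS/200 2210 GET http://www.example.com/b (unauthenticated)jdoe DIRECT/www.example.com text/html",
    "1278096915.730 60 172.16.0.7 TCP_MISS/200 5120 GET http://www.example.com/c asmith DIRECT/www.example.com text/html",
]

if __name__ == "__main__":
    for (kind, ident), n in guest_transactions(SAMPLE).most_common():
        print(n, kind, ident)
```
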
To grant guest access to a user:
Step 1  Define an Identity group and enable the Support Guest privileges option.