Cisco Web Security Appliance S370 User Guide

Cisco IronPort AsyncOS 7.0 for Web User Guide
OL-23079-01
Chapter 7: Identities
Identifying Users Transparently
  • If an end user logs out of a machine and another user logs in to the same machine before the IP address to user name mapping is updated on the Web Security appliance, then the Web Proxy logs the client as the previous user.
  • You can configure how the Web Proxy handles transactions when transparent user identification fails. It can grant users guest access, or it can force an authentication prompt to appear to end users.
  • When a user is shown an authentication prompt due to failed transparent user identification, and the user then fails authentication due to invalid credentials, you can choose whether to allow the user guest access.
  • When the assigned Identity uses an authentication sequence with multiple realms in which the user exists, AsyncOS for Web fetches the user groups from the realms in the order in which they appear in the sequence.
  • When you configure an Identity to transparently authenticate users, the authentication surrogate must be IP address. You cannot select a different surrogate type.
  • You can use the “network address” field of the user in Novell eDirectory to obtain the IP address of the workstation from where the user previously logged in.
  • You can log which users were identified transparently in the access logs and W3C logs using the %m and x-auth-mechanism custom fields. A value of SSO_EDIR indicates that the user name was obtained by matching the client IP address to an authenticated user name in Novell eDirectory. (Similarly, a value of SSO_ASA indicates that the user is a remote user and the user name was obtained from a Cisco ASA using the Secure Mobility Solution.)
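The following is an added example, not part of the Cisco guide: it uses the %m value to count transactions per authentication mechanism and to flag SSO_EDIR transactions logged just before the user mapped to a client IP changes, which is where the stale-mapping case in the first bullet would appear. The log layout, the sample lines, the OTHER_MECH value and the 90-second review window are all assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample lines, not real appliance output. Assumed layout: squid-style
# access log, client IP in field 3, user name in field 8, and the %m custom field
# appended as the last token. OTHER_MECH is a placeholder for a non-transparent value.
SAMPLE = """\
1300000000.100 45 10.1.1.20 TCP_MISS/200 5120 GET http://example.com/ alice DIRECT/example.com text/html ALLOW - SSO_EDIR
1300000060.200 30 10.1.1.20 TCP_MISS/200 900 GET http://example.com/a alice DIRECT/example.com text/html ALLOW - SSO_EDIR
1300000120.300 51 10.1.1.20 TCP_MISS/200 700 GET http://example.org/ bob DIRECT/example.org text/html ALLOW - SSO_EDIR
1300000130.000 12 10.1.1.31 TCP_MISS/200 300 GET http://example.net/ carol DIRECT/example.net text/html ALLOW - OTHER_MECH
1300000140.000 20 192.0.2.7 TCP_MISS/200 450 GET http://example.net/x dave DIRECT/example.net text/html ALLOW - SSO_ASA
"""
LINES = SAMPLE.splitlines()

def parse(line):
    f = line.split()
    return {"ts": float(f[0]), "ip": f[2], "user": f[7], "mech": f[-1]}

def count_by_mechanism(lines):
    """Transactions per authentication mechanism (%m value)."""
    return dict(Counter(parse(l)["mech"] for l in lines if l.strip()))

def edir_user_changes(lines):
    """Points where the eDirectory-mapped user for a client IP changes."""
    last, changes = {}, []
    recs = sorted((parse(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    for r in recs:
        if r["mech"] != "SSO_EDIR":
            continue
        prev = last.get(r["ip"])
        if prev is not None and prev != r["user"]:
            changes.append((r["ip"], prev, r["user"], r["ts"]))
        last[r["ip"]] = r["user"]
    return changes

def suspect_attributions(lines, window=90.0):
    """SSO_EDIR transactions logged for the previous user within `window` seconds
    (analyst-chosen, an assumption) before a mapping change; they may belong to
    the user who logged in next."""
    recs = [parse(l) for l in lines if l.strip()]
    out = []
    for ip, prev, _new, ts in edir_user_changes(lines):
        out += [(r["ip"], r["user"], r["ts"]) for r in recs
                if r["ip"] == ip and r["user"] == prev
                and r["mech"] == "SSO_EDIR" and ts - window <= r["ts"] < ts]
    return out

if __name__ == "__main__":
    print(count_by_mechanism(LINES))
    for hit in suspect_attributions(LINES):
        print("review attribution:", hit)
```

A flagged transaction is not proof of misattribution; it marks entries whose user name came from an IP mapping that changed shortly afterwards and should be corroborated before being relied on in an investigation.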
Configuring Transparent User Identification
To use transparent user identification:
Step 1  Create an LDAP authentication realm for a Novell eDirectory server. Configure the realm to use Version 3 and to “Support Novell eDirectory.”
For more information on configuring LDAP options, see 
For more information on creating authentication realms, see