Noauth User Name - Unauthenticated Traffic

I’m seeing noauthxxx listed as the user in the ZIA logs. SSL inspection is disabled at each GRE location and IP surrogate is enabled. The protocol is SSL. I understand that IP surrogate will apply the user policies to the unencrypted traffic, but is it normal to see noauthxxx as the user instead of the user the IP is mapped to?

Hi @mvalderas welcome to the Zscaler community!

I assume in your environment clients are either being explicitly proxied by PAC file, then included in the GRE tunnel or perhaps simply being transparently redirected by GRE. Either way I assume Zscaler APP is not used.

In this scenario Zscaler will attempt to track/identify transactions based on authentication cookies that may be present in each transaction. Since you are not inspecting SSL then it will not be possible to read the payload for those transactions, and hence the auth. cookie (if present in that transaction) will not be readable by our ZEN.

The Surrogate IP mechanism is intended to help in this scenario by associating username with the real client IP. However the ZEN must first see a valid auth cookie from that user before it can make the association. You are using GRE tunnel to allow our ZEN to see the real client IP. However, since in your case you are not inspecting SSL you are reliant on some HTTP traffic (with a valid auth cookie) reaching the ZEN from that client IP before Surrogate IP can associate all other traffic (including uninspected SSL) to that authenticated user.

Enabling SSL inspection will greatly reduce the amount of noauthxxx transactions in your logs. Zscaler App deployed to the endpoints should remove it entirely for those clients (since the traffic is then encapsulated into an authenticated ZApp tunnel).

HTH

1 Like
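A simplified model of the attribution order described in the answer above, added here as an illustration; it is not part of the original posts and not Zscaler's code. The class and function names, the client IPs and the user names are constructed, and `noauthxxx` is the placeholder seen in the thread's logs.

```python
from dataclasses import dataclass
from typing import Optional

NOAUTH = "noauthxxx"  # placeholder user name, as it appears in the thread


@dataclass
class Txn:
    client_ip: str                      # real client IP, visible via the GRE tunnel
    protocol: str                       # "HTTP" or "SSL"
    cookie_user: Optional[str] = None   # user named by an auth cookie in the request, if any


def attribute(txns, ssl_inspection=False):
    """Return the user each transaction is logged under in this simplified model.

    Assumption: an IP-to-user mapping is created only when a readable
    transaction carries an auth cookie, and a cookie inside SSL is
    readable only when SSL inspection is on.
    """
    surrogate = {}  # client IP -> user learned from a readable auth cookie
    logged = []
    for t in txns:
        readable = t.protocol == "HTTP" or ssl_inspection
        if readable and t.cookie_user:
            surrogate[t.client_ip] = t.cookie_user
        logged.append(surrogate.get(t.client_ip, NOAUTH))
    return logged


def noauth_count(txns, ssl_inspection=False):
    """Count transactions that end up logged without a real user."""
    return attribute(txns, ssl_inspection).count(NOAUTH)


# Constructed sample traffic, in arrival order.
SAMPLE = [
    Txn("10.1.1.20", "SSL", "alice"),   # cookie present but hidden inside SSL
    Txn("10.1.1.20", "SSL"),
    Txn("10.1.1.20", "HTTP", "alice"),  # first readable cookie from this IP
    Txn("10.1.1.20", "SSL"),            # now attributed through the IP mapping
    Txn("10.1.1.30", "SSL", "bob"),     # this client never sends plain HTTP
]

if __name__ == "__main__":
    for inspect in (False, True):
        print(f"ssl_inspection={inspect}:", attribute(SAMPLE, inspect))
```

In this model a client that only ever sends uninspected SSL is never mapped, which matches the symptom in the original question.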

Thanks, @racingmonk. That helps put things into perspective. Much appreciated.

@racingmonk For client machines that won’t be using the ZApp and will be forced to go through the tunnel, will the Zscaler root certificate have the same effect of identifying the traffic going through the GRE tunnel?

Installing the Zscaler Root CA certificate on workstations enables the browser or system to automatically trust all certificates signed by the Zscaler Certificate Authority. Once the root certificate is installed for all workstations in a location (or sublocation) you can enable SSL inspection for the location (or sublocation) without the concern that users will see an error stating that there is a problem with the website’s security certification.

https://help.zscaler.com/zia/about-ssl-inspection

The benefit in terms of authentication, for non-ZApp workstations, is that with SSL inspection enabled the Zscaler Enforcement Node (ZEN) is more likely to be able to read browser auth cookies in an HTTPS transaction, and hence more quickly apply Surrogate IP mapping of an authenticated user to IP address.

2 Likes