Noauth User Name - Unauthenticated Traffic

(Marc V) #1

I’m seeing noauthxxx listed as the user in the ZIA logs. SSL inspection is disabled at each GRE location and IP surrogate is enabled. The protocol is SSL. I understand that IP surrogate will apply the user policies to the unencrypted traffic, but is it normal to see noauthxxx as the user instead of the user the IP is mapped to?

(Nick Morgan) #2

Hi @mvalderas, welcome to the Zscaler community!

I assume in your environment clients are either being explicitly proxied by PAC file, then included in the GRE tunnel or perhaps simply being transparently redirected by GRE. Either way I assume Zscaler APP is not used.

In this scenario Zscaler will attempt to track/identify transactions based on authentication cookies that may be present in each transaction. Since you are not inspecting SSL then it will not be possible to read the payload for those transactions, and hence the auth. cookie (if present in that transaction) will not be readable by our ZEN.

The Surrogate IP mechanism is intended to help in this scenario by associating username with the real client IP. However the ZEN must first see a valid auth cookie from that user before it can make the association. You are using GRE tunnel to allow our ZEN to see the real client IP. However, since in your case you are not inspecting SSL you are reliant on some HTTP traffic (with a valid auth cookie) reaching the ZEN from that client IP before Surrogate IP can associate all other traffic (including uninspected SSL) to that authenticated user.

Enabling SSL inspection will greatly reduce the amount of noauthxxx transactions in your logs. Zscaler App deployed to the endpoints should remove it entirely for those clients (since the traffic is then encapsulated into an authenticated ZApp tunnel).


(Marc V) #3

Thanks, @racingmonk. That helps put things into perspective. Much appreciated.