Valid users getting logged as guest on Edge SWG (ProxySG)

Article ID: 167748

Products

ProxySG Software - SGOS

Issue/Introduction

Valid authenticated users on the Edge SWG device are logged as "guest" in access logging and policy traces instead of their username.

Environment

Edge SWG with authentication surrogates enabled

Cause

There are many reasons valid users are logged as "guest" on the Edge SWG, such as a misconfiguration or a web client not supporting proxy authentication.

There is also a configuration setting that may cause unexpected logging and access.

When the "Permit Authentication Errors" action is selected in policy and the "invalid_surrogate" error is selected within it, the Edge SWG logs a valid user as "guest" once that user's authentication surrogate (cookie, IP, or connection) has expired.

Consider the following conditions to understand how this situation can occur:

  1. "Guest Authentication" is configured on the Edge SWG with the "Permit Authentication Errors" action in policy, with the "invalid_surrogate" error selected
  2. The user opens a browser to access the Internet through the proxy
  3. The proxy successfully authenticates the user with NTLM and logs the user under the domain username bob.kent
  4. The proxy caches the cookie it used as the authentication surrogate for the configured "Refresh Time" of 15 minutes
  5. The proxy allows the user to access the Internet, but after 15 minutes the authentication cookie surrogate that the browser presents has expired
  6. The proxy logs the user as "guest" because the "invalid_surrogate" error is permitted by the "Permit Authentication Errors" action in policy; the user is subsequently limited to the guest access level
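To check whether this cause explains the "guest" entries in an access log, the sequence above can be searched for directly. The following Python sketch is an added example, not Broadcom code: it assumes an ELFF-style log whose fields are `date time c-ip cs-username cs-host`, groups requests by client IP, and uses hypothetical function names; the sample lines are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample lines; the field layout is an assumption for this example.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-host
2024-01-10 09:00:05 10.1.1.20 bob.kent intranet.example.com
2024-01-10 09:07:41 10.1.1.20 bob.kent www.example.com
2024-01-10 09:15:09 10.1.1.20 guest www.example.com
2024-01-10 09:15:30 10.1.1.20 guest www.example.org
2024-01-10 09:02:00 10.1.1.31 guest www.example.com
2024-01-10 09:03:00 10.1.1.44 alice.ray www.example.com
2024-01-10 09:05:00 10.1.1.44 guest www.example.com
"""

def parse(log_text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            rec["ts"] = datetime.strptime(
                rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            yield rec

def find_guest_fallbacks(log_text, refresh=timedelta(minutes=15), guest="guest"):
    """Report each named-user -> guest transition per client IP.

    matches_expiry is True when the guest entry appears at least `refresh`
    after the user was first seen authenticated, which fits an expired
    surrogate; a shorter gap points to one of the other causes.
    """
    session = {}   # c-ip -> (username, time first logged under that name)
    findings = []
    for rec in sorted(parse(log_text), key=lambda r: r["ts"]):
        ip, user = rec["c-ip"], rec["cs-username"]
        if user != guest:
            if user != "-" and session.get(ip, (None,))[0] != user:
                session[ip] = (user, rec["ts"])
            continue
        if ip in session:  # clients that were guest from the start are ignored
            prior, since = session.pop(ip)
            age = rec["ts"] - since
            findings.append({"c-ip": ip, "user": prior, "at": rec["ts"],
                             "age": age, "matches_expiry": age >= refresh})
    return findings

if __name__ == "__main__":
    for f in find_guest_fallbacks(SAMPLE_LOG):
        print(f["c-ip"], f["user"], f["age"], f["matches_expiry"])
```

Grouping by client IP is only reliable where one IP maps to one user; behind NAT or on shared hosts, transitions between different people will be reported as well.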

Resolution

Uncheck the "invalid_surrogate" error in the "Permit Authentication Errors" action in policy.

When configuring the "Permit Authentication Errors" action, deselect only the "invalid_surrogate" error, so that all other errors required for guest authentication remain permitted.

  1. Click the "Selected errors" radio button
  2. Select "All errors" from the "Show:" drop-down menu
  3. Select "All Except User Credentials Required"
  4. Expand the "All Except User Credentials Required" list
  5. Expand the "Invalid User Information" list
  6. Deselect the "invalid_surrogate" error check box (see screenshot below)
  7. Click OK

See Create and implement guest authentication for steps on configuring "guest authentication".