The Auth connector uses either Domain Controller Query (DCQ) or AClogon (ClientLogon) script to provide default authentication for the IPsec access method.
This article explains how the Domain Controller Query (DCQ) works and how the IP-to-User map is built using DCQ.
Here is how the Auth connector build the IP-to-User map using Domain Controller Query (DCQ)