In order for the user name to appear in the logs, implement the following prerequisites:
- User Identification needs to be enabled, configured, and working properly.
- In WCCP mode, the IP user cache needs to be enabled.
Even when the prerequisites are met, there are several scenarios wherein the traffic still appears under the IP address:
The IP address of the client computer is on the LDAP Authentication Approved List. No user identification will be done for IP addresses on this list. To access the said list, navigate to Administration > IWSVA Configuration > User Identification > Authentication Approved list.
The IP address of the client computer is on the Approved Server IP List. No user identification will be done for IP addresses on this list. To access the said list, go to IWSVA web console and navigate to HTTP > Configuration > Access Control Settings > Approved Server IP List.
The accessed URLs are HTTPS websites and IWSVA cannot get the user from the traffic because it is encrypted. This scenario happens in the following circumstances:
- HTTPS encryption is enabled, but not applied to the category to which the URL belongs. Decryption needs to be enabled for individual category on each HTTPS decryption policy.
- The URL is on the list of Global Trusted URLs. This list can be accessed from the IWSVA web console under HTTP > URL Access Control > Global Trusted URLs.
The traffic is not coming from a browser, but from some application (e.g. WebEx client). By default, IWSVA does not authenticate non-browser traffic. Therefore, the user cannot be identified.
To change the behavior of IWSVA to authenticate traffic from non-browser applications, refer to this article: Authenticating all HTTP sessions including non-browser applications in InterScan Web Security Appliance (IWSVA).