Showing results for 
Search instead for 
Did you mean: 

Transparent user ID vs Authenticated user

Reviewing a setup, and noticed in the later version of code, 8.0 for example, there are two methods for access.  Since FF and Safari have issues authenticating access when browsing, and IE does not, would the transparent user ID work the same way for authenticated users, and how would that work with AD?

Handy Putra
Cisco Employee

When you have transparent user ID enable and using AD agent(Context Directory Agent - CDA), this mechanism that maps IP Addresses to usernames in order to allow security gateways to understand which user is using which IP Address in the network, so those security gateways can now make decisions based on those users (or the groups to which the users belong to).

CDA monitors in real time a collection of Active Directory domain controller (DC) machines for authentication-related events that generally indicate user logins; learns, analyzes, and caches mappings of IP Addresses and user identities in its database; and makes the latest mappings available to its consumer devices.

Scenario example:

User machine logs in to the domain and CDA agent will catch the user credentials information and map with the IP address of the client and store it in local cache then pass the info to the WSA.

If the AD server down for example, the CDA will still be able to relay information regarding the users from its local cache to WSA.


For more information regarding Transparent user identification or CDA, please see below link for overview:


Hello, mates,


I have a S170 WSA with AsyncOS version 8.5.1-021.  I also have CDA deployed and configured.  Authentication tests say everything is good, including connection with CDA.  HTTPS decryption is activated as well.


However, my users are still getting authentication prompts everyday and many times inside the same day.  It happens randomly and is browser-independent.  I changed authentication timeouts from default values of 3600 seconds to 86400 (one day) but it did not solve the issue (please check attached image).


Could you please help me find the final solution to this?


I appreciate,

Mauricio Harley

You actually configure it to use the CDA agent under Identities.  In one of your Identities, you select Identify Users Transparently under Identification and Authentication.  This also assumes you have the CDA enabled under Network -> Authentication -> Authentication Realm ->Active Directory Agent.  You have to check the box for Enable Transparent User Identification using Active Directory Agent.  You need to have the Server defined under Primary Active Directory agent along with the shared secret you created on the CDA system.

If CDA is down will the WSA use the pass thru authentication from the user's browser as a failback authentication mechanism?


If CDA doesn't have the authentication information will the WSA try to get the creds from the browser?



Recognize Your Peers
Which of these topics should we host an event in the Community?

Top Choice: pxGrid (36%)

Content for Community-Ad