You are probably using IP address surrogates. This is only ideal for environments where users do not share computers. Once a user authenticates, the WSA will remember that User X is logged on to this IP address for 1 hour by default. Once the 1 hour expires, then the WSA will ask the client for authentication again.
If you are in an environment where users share computers, you may want to change the surrogate to Session Cookie so that each socket will need authentication.
Hint: You can clear the authentication cache using the 'authcache' command in the CLI.
Based on your other posts, it sounds like all your users will be authenticated using the F5 Load Balancer's IP address. IP address surrogates are not an option for you with this type of deployment since most (if not all) of your users will be coming from the F5's IP address.
I think it will since your users do not share computers. But when going through the F5, every user will be coming from the same IP address so that is the same as sharing in the WSA's perspective.
But since you said your F5 is not in line, there may be challenges. Depending on what the F5 does to the packet, the client may reject it if the WSA responds directly to the client without passing through the F5 first.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...