Let me see if I can start to clarify the logic.
The UserID agent, on the FW or installed on a DC, looks at the last 50k log entries, looking for login/logout request messages.
This list is sent over to the FW, so now the FW has the IP and the username associated with a user.
If an IP does not have any User information, then it becomes simply an IP inside your network. You decide if you trust/want unknown users/IPs/rogue devices in your network.....
You *could* (and probably should....) do an authentication policy/captive portal, to help identify and add the user to the UserID cache of the FW. You could put up a splash page, to ask the user to identify themselves, if NTLM (browser-based authentication) does not work.
You *could* enable IP probing (if a Windows device), so that unknown IPs are interrogated and, with the correct service account permissions (Distributed COM Users), allow the FW to ask the IP about who he is... and based on the response back, update the IP cache.
When, and how, do the FWs confirm their IP address to UID associations? Customer defined... with the UserID agent.
Mine is set for 2 secs.
The user timeout is defined in User Identification section of the FW (under the Device tab)
Granted... I am showing the integrated UserID agent, but the same information is on the standalone UserID agent as well.
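As an added illustration of the logic described in this post (not Palo Alto's code, and not from the original poster), here is a small model of the IP-to-user cache: login/logout events from a bounded window of log entries populate the mapping, mappings expire after the configured user timeout, a captive-portal result can add a mapping for an otherwise unknown IP, and policy treats an unmapped IP as just an IP. Event format, timeouts and user names are constructed for the example.

```python
# Constructed sample events in the shape an agent would extract from DC security logs
# (not real log output): (timestamp_seconds, event, ip, user)
SAMPLE_EVENTS = [
    (0, "login", "10.0.0.5", "ACME\\alice"),
    (5, "login", "10.0.0.6", "ACME\\bob"),
    (30, "logout", "10.0.0.6", "ACME\\bob"),
]


class UserIdCache:
    """IP -> (user, expiry) cache modelled on the behaviour described in the post."""

    def __init__(self, user_timeout: int, max_entries: int = 50_000):
        self.user_timeout = user_timeout   # seconds a mapping stays valid without refresh
        self.max_entries = max_entries     # only the last N log entries are examined
        self._map: dict[str, tuple[str, int]] = {}

    def ingest(self, events) -> None:
        """Apply login/logout events; only the most recent max_entries are considered."""
        for ts, kind, ip, user in events[-self.max_entries:]:
            if kind == "login":
                self._map[ip] = (user, ts + self.user_timeout)
            elif kind == "logout" and self._map.get(ip, (None,))[0] == user:
                del self._map[ip]

    def learn_from_portal(self, ip: str, user: str, now: int) -> None:
        """Captive portal / authentication policy identified the user behind an unknown IP."""
        self._map[ip] = (user, now + self.user_timeout)

    def lookup(self, ip: str, now: int):
        """Return the mapped user, or None if the IP is unknown or the mapping has expired."""
        entry = self._map.get(ip)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self._map[ip]   # timed out: the IP is just an IP again
            return None
        return user


def policy_decision(cache: UserIdCache, ip: str, now: int, allow_unknown: bool = False):
    """Known user -> ('known', user); unknown IP -> allowed as plain IP or sent to the portal."""
    user = cache.lookup(ip, now)
    if user is not None:
        return ("known", user)
    return ("allow-unknown", ip) if allow_unknown else ("captive-portal", ip)
```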