As far as I know, this is by design.
Please correct me if I'm wrong.
When you use Identity Awareness Browser-Based Authentication with transparent SSO (autoauth), there is no browser tab with the captive portal site which will or can stay open for the full user session, so you cannot use the portal setting "Log out users when they close the portal browser", right?
And without that, the PDP just gets no notification that user1 logs out of the machine and user2 logs in. PDP still uses that session entry for the IP address and does not reinitiate the authentication flow over captive portal.
If you need to resolve that, you would have to use Identity Agents or Identity Collector. When using Identity Collector, you get an update on the PDP side during login of user2. This will log out user1's IA session because of an implicit "assume one user per ip address setting".
When you are concerned that someone malicious could re-use user1's IP address in your network before your configured IA session timer expires, you have to use Identity Agents (with a short agent session timeout), because in doing that, user1's session gets logged out when user1 logs out from the machine (while connected to the network) or after the agent session timeout, which can be much shorter than the session timeout for Captive Portal or Identity Collector due to Agent keepalive.