Authenticating multiple users from the same IP Address?
I have a situation where I need to authenticate inside HTTP users before going on the Internet. Easy enough with the PIX or the Authentication proxy feature on the IOS Firewall combined with a TACACS server.
Problem is: all users appear as the same IP address to the firewall, since Citrix servers are used on the inside. The firewall sees traffic just as if it had just passed a NAT: the same IP address for everyone but only multiplexed on a port basis.
I was thinking of using the Authentication proxy feature on the IOS Firewall but I've noticed the following in the Restrictions section:
The authentication proxy does not support concurrent usage; that is, if two users try to log in from the same host at the same time, authentication and authorization applies only to the user who first submits a valid username and password.
Which I think defeats what I'm trying to do.
Question: Is there anyone with a similar situation? If yes, did you find any features that would support such an environment?
Re: Authenticating multiple users from the same IP Address?
I don't believe there's a good way around this for you. Both auth-proxy and authentication on the PIX, as you've already determined, use the source address in the packet to determine if that packet should be allowed through. As soon as the first user authenticates successfully, everyone else will get through automatically. There's really nothing in each packet that the PIX or router can look at to determine if that packet should get through other than the source address; there are certainly no authentication fields in the packet itself, unfortunately.
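An added example, not part of the original thread and not Cisco code: a small Python model of a firewall authorization cache keyed only on source address, showing the behaviour the reply describes when every user sits behind one Citrix server IP. The class name, timeout value, credentials and addresses are assumptions made for illustration.

```python
IDLE_TIMEOUT = 3600  # seconds; assumed value for this model
USERS = {"alice": "a-secret", "bob": "b-secret"}  # constructed credentials


class SourceIpAuthCache:
    """Model of an authorization cache keyed only by source IP address."""

    def __init__(self):
        self.entries = {}  # src_ip -> [user, last_seen]

    def _live(self, src_ip, now):
        entry = self.entries.get(src_ip)
        if entry and now - entry[1] > IDLE_TIMEOUT:
            del self.entries[src_ip]  # idle entry expires
            return None
        return entry

    def login(self, src_ip, user, password, now):
        if USERS.get(user) != password:
            return False
        # Concurrent-usage restriction: the first valid login from a host
        # owns the entry; a later login from the same IP does not replace it.
        if self._live(src_ip, now) is None:
            self.entries[src_ip] = [user, now]
        return True

    def permit(self, src_ip, src_port, now):
        # Returns the user the flow is attributed to, or None if denied.
        # src_port is never consulted: the source address is the only key.
        entry = self._live(src_ip, now)
        if entry is None:
            return None
        entry[1] = now
        return entry[0]


def demo():
    citrix, desktop = "10.0.0.10", "10.0.0.77"  # constructed addresses
    fw = SourceIpAuthCache()
    out = [fw.permit(citrix, 40001, 0)]          # before any login: denied
    fw.login(citrix, "alice", "a-secret", 10)
    out.append(fw.permit(citrix, 40002, 20))     # bob's session, never logged in
    fw.login(citrix, "bob", "b-secret", 30)      # second login, same host
    out.append(fw.permit(citrix, 40002, 40))     # still attributed to alice
    out.append(fw.permit(desktop, 40001, 50))    # different IP: denied
    out.append(fw.permit(citrix, 40002, 41 + IDLE_TIMEOUT))  # idle expiry
    return out


if __name__ == "__main__":
    print(demo())
```

The second and third results show the accounting side of the problem: traffic from every session on the shared host is both permitted and attributed to the first user who logged in.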