Authenticating multiple users from the same IP Address ?

steve.saindon · ‎12-04-2002

Hi,

I have a situation where I need to authenticate inside http users before going on the Internet. Easy enough with the PIX or the “Authentication proxy feature” on the IOS Firewall combined with a Tacacs server.

Problem is : All users appear as the same IP Address to the Firewall, since Citrix servers are used on the inside. The firewall sees traffic just if it had just passed a NAT : the same IP address for everyone but only multiplexed on a port basis.

I was thinking of using the “Authentication proxy feature” on the IOS Firewall but I’ve noticed the following in the “Restrictions” section :

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c7.html

“The authentication proxy does not support concurrent usage; that is, if two users try to log in from the same host at the same time, authentication and authorization applies only to the user who first submits a valid username and password.”

Which I think defeats what I’m trying to do.

Question : Is there anyone with a similar situation ? If yes, did you find any features that would support such an environment ?

Thanks !

Steve Saindon

Network Consultant

Interreseau-Conseils Inc.

gfullage · ‎12-04-2002

I don't believe there's a good way around this for you. Both auth-proxy and authentication on the PIX, as you've already determined, use the source address in the packet to determine if that packet should be allowed through. As soon as the first user authenticates successfully, everyone else will get through automatically. There's really nothing in each packet that the PIX or router can look at to determine if that packet should get through other than the source address, there's certainly no authentication fields in the packet itself unfortunately.