Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Authenticating multiple users from the same IP Address ?

Hi,

I have a situation where I need to authenticate inside http users before going on the Internet. Easy enough with the PIX or the “Authentication proxy feature” on the IOS Firewall combined with a Tacacs server.

Problem is : All users appear as the same IP Address to the Firewall, since Citrix servers are used on the inside. The firewall sees traffic just if it had just passed a NAT : the same IP address for everyone but only multiplexed on a port basis.

I was thinking of using the “Authentication proxy feature” on the IOS Firewall but I’ve noticed the following in the “Restrictions” section :

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c7.html

“The authentication proxy does not support concurrent usage; that is, if two users try to log in from the same host at the same time, authentication and authorization applies only to the user who first submits a valid username and password.”

Which I think defeats what I’m trying to do.

Question : Is there anyone with a similar situation ? If yes, did you find any features that would support such an environment ?

Thanks !

Steve Saindon

Network Consultant

Interreseau-Conseils Inc.

1 REPLY
Cisco Employee

Re: Authenticating multiple users from the same IP Address ?

I don't believe there's a good way around this for you. Both auth-proxy and authentication on the PIX, as you've already determined, use the source address in the packet to determine if that packet should be allowed through. As soon as the first user authenticates successfully, everyone else will get through automatically. There's really nothing in each packet that the PIX or router can look at to determine if that packet should get through other than the source address, there's certainly no authentication fields in the packet itself unfortunately.

324
Views
0
Helpful
1
Replies
CreatePlease to create content