Authenticating multiple users from the same IP Address ?

steve.saindon
Level 1

Hi,

I have a situation where I need to authenticate inside HTTP users before they go out to the Internet. Easy enough with the PIX or the "Authentication proxy feature" on the IOS Firewall combined with a TACACS server.

Problem is: all users appear as the same IP address to the firewall, since Citrix servers are used on the inside. The firewall sees the traffic just as if it had passed through a NAT: the same IP address for everyone, multiplexed only on a port basis.

I was thinking of using the "Authentication proxy feature" on the IOS Firewall, but I've noticed the following in the "Restrictions" section:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c7.html

“The authentication proxy does not support concurrent usage; that is, if two users try to log in from the same host at the same time, authentication and authorization applies only to the user who first submits a valid username and password.”

Which I think defeats what I'm trying to do.

Question: Is there anyone with a similar situation? If yes, did you find any features that would support such an environment?

Thanks!

Steve Saindon

Network Consultant

Interreseau-Conseils Inc.

2 Replies

rais
Level 7

I believe you have to have a separate internal proxy server that sees all users' IP addresses the way they are. The server then directs them to the Internet based upon the correct user/password.

Hope this helps.
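The restriction quoted in the question and rais's suggestion above both come down to what an inline gateway uses as the key for "who is authenticated". The following toy model is an added example, not code from the thread or from Cisco: it contrasts a proxy that binds authentication state to the source IP (the behaviour the quoted restriction describes) with one that derives identity from per-request credentials. The packet layout, the credential store and the `user:password` form of the `proxy_auth` field are constructed assumptions for the demonstration.

```python
"""Toy model: IP-keyed vs credential-keyed user identification at a gateway.

Added example (hypothetical); not the page's or Cisco's code.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed credential store standing in for the TACACS server.
USERS: Dict[str, str] = {"alice": "pw-alice", "bob": "pw-bob"}


@dataclass
class Packet:
    """A flow leaving the inside network (constructed; only the fields the model needs)."""
    src_ip: str
    src_port: int
    proxy_auth: Optional[str] = None  # hypothetical "user:password" header for a user-aware proxy


class IpKeyedAuthProxy:
    """Authentication state keyed on source IP, as the quoted restriction describes.

    Once a host has an authenticated user, a second login from the same host is
    ignored and every later flow from that IP inherits the first user's identity.
    """

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}  # src_ip -> authenticated username

    def login(self, src_ip: str, user: str, password: str) -> bool:
        if USERS.get(user) != password:
            return False  # bad credentials: nothing recorded
        if src_ip in self.sessions:
            return False  # host already authenticated; this login has no effect
        self.sessions[src_ip] = user
        return True

    def identity_for(self, pkt: Packet) -> Optional[str]:
        # Port is irrelevant here: all multiplexed flows share the host's session.
        return self.sessions.get(pkt.src_ip)


class CredentialKeyedProxy:
    """Proxy that identifies each request by the credentials it carries.

    Source IP plays no role, so users behind one shared address (Citrix, NAT)
    are told apart per request. This is the 'separate internal proxy' idea.
    """

    def identity_for(self, pkt: Packet) -> Optional[str]:
        if not pkt.proxy_auth:
            return None  # unauthenticated request: would be challenged, not forwarded
        user, _, password = pkt.proxy_auth.partition(":")
        return user if USERS.get(user) == password else None


def shared_ip_scenario() -> Dict[str, Optional[str]]:
    """Two users behind one Citrix address (10.0.0.5, constructed); returns who each gateway thinks is talking."""
    citrix_ip = "10.0.0.5"
    ip_proxy = IpKeyedAuthProxy()
    alice_ok = ip_proxy.login(citrix_ip, "alice", "pw-alice")
    bob_ok = ip_proxy.login(citrix_ip, "bob", "pw-bob")  # ignored: host already authenticated

    # Bob's flow from a different source port on the same host.
    bob_flow_no_auth = Packet(citrix_ip, 51002)
    bob_flow_with_auth = Packet(citrix_ip, 51002, proxy_auth="bob:pw-bob")
    anon_flow = Packet(citrix_ip, 51003)

    cred_proxy = CredentialKeyedProxy()
    return {
        "alice_login_accepted": "yes" if alice_ok else "no",
        "bob_login_accepted": "yes" if bob_ok else "no",
        "ip_keyed_sees_bob_as": ip_proxy.identity_for(bob_flow_no_auth),
        "cred_keyed_sees_bob_as": cred_proxy.identity_for(bob_flow_with_auth),
        "cred_keyed_sees_anon_as": cred_proxy.identity_for(anon_flow),
    }


if __name__ == "__main__":
    for key, value in shared_ip_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes explicit is that with an IP-keyed gateway Bob's traffic is not blocked; it is attributed to Alice, so any per-user authorization or audit trail on the firewall is wrong for everyone behind the Citrix address. A credential-per-request proxy keeps attribution correct at the cost of every client having to present credentials on each request (or a session cookie, which the model does not include).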

bdube
Level 2

Hi Steve,

Even to surf the Web, your client is forcing users to pass through the Citrix server(s)? This seems a little bit strange.

About the restriction, I've had the same one before and I didn't find a solution with the PIX.

Since users connect to Citrix first, and I suppose that users have been authenticated there, you may let all traffic from the Citrix servers pass through without auth.

Cheers

Benoît