Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Authenticating multiple users from the same IP Address ?


I have a situation where I need to authenticate inside http users before going on the Internet. Easy enough with the PIX or the “Authentication proxy feature” on the IOS Firewall combined with a Tacacs server.

Problem is : All users appear as the same IP Address to the Firewall, since Citrix servers are used on the inside. The firewall sees traffic just if it had just passed a NAT : the same IP address for everyone but only multiplexed on a port basis.

I was thinking of using the “Authentication proxy feature” on the IOS Firewall but I’ve noticed the following in the “Restrictions” section :

“The authentication proxy does not support concurrent usage; that is, if two users try to log in from the same host at the same time, authentication and authorization applies only to the user who first submits a valid username and password.”

Which I think defeats what I’m trying to do.

Question : Is there anyone with a similar situation ? If yes, did you find any features that would support such an environment ?

Thanks !

Steve Saindon

Network Consultant

Interreseau-Conseils Inc.


Re: Authenticating multiple users from the same IP Address ?

I believe you have to have a separate internal proxy server that sees all users' IP addresses the way they are. The server then direct them to the internet based upon the correct user/password.

Hope this helps.

New Member

Re: Authenticating multiple users from the same IP Address ?

Salut Steve,

Even to surf the Web, your client is forcing users to pass through the Citrix server(s) ? This seems a little bit strange.

About the restriction, i've got the same one before and i didn't find a solution with the PIX.

Since users connect to Citrix before, and i suppose that users have been authentified there, you may leave all traffics from Citrix servers pass through without auth.



CreatePlease login to create content