https://community.cisco.com/t5/network-access-control/authenticating-multiple-users-from-the-same-ip-address/m-p/150985#M6303 <P>Hi,</P><P></P><P>I have a situation where I need to authenticate inside http users before going on the Internet. Easy enough with the PIX or the &#147;Authentication proxy feature&#148; on the IOS Firewall combined with a Tacacs server.</P><P></P><P>Problem is : All users appear as the same IP Address to the Firewall, since Citrix servers are used on the inside. The firewall sees traffic just if it had just passed a NAT : the same IP address for everyone but only multiplexed on a port basis.</P><P></P><P>I was thinking of using the &#147;Authentication proxy feature&#148; on the IOS Firewall but I&#146;ve noticed the following in the &#147;Restrictions&#148; section :</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c7.html" target="_blank">http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c7.html</A></P><P></P><P>&#147;The authentication proxy does not support concurrent usage; that is, if two users try to log in from the same host at the same time, authentication and authorization applies only to the user who first submits a valid username and password.&#148;</P><P></P><P>Which I think defeats what I&#146;m trying to do.</P><P></P><P>Question : Is there anyone with a similar situation ? If yes, did you find any features that would support such an environment ?</P><P></P><P>Thanks !</P><P></P><P>Steve Saindon</P><P>Network Consultant</P><P>Interreseau-Conseils Inc.</P><P></P><P></P> Fri, 21 Feb 2020 18:05:35 GMT steve.saindon 2020-02-21T18:05:35Z https://community.cisco.com/t5/network-access-control/authenticating-multiple-users-from-the-same-ip-address/m-p/150985#M6303 <P>Hi,</P><P></P><P>I have a situation where I need to authenticate inside http users before going on the Internet. Easy enough with the PIX or the &#147;Authentication proxy feature&#148; on the IOS Firewall combined with a Tacacs server.</P><P></P><P>Problem is : All users appear as the same IP Address to the Firewall, since Citrix servers are used on the inside. The firewall sees traffic just if it had just passed a NAT : the same IP address for everyone but only multiplexed on a port basis.</P><P></P><P>I was thinking of using the &#147;Authentication proxy feature&#148; on the IOS Firewall but I&#146;ve noticed the following in the &#147;Restrictions&#148; section :</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c7.html" target="_blank">http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c7.html</A></P><P></P><P>&#147;The authentication proxy does not support concurrent usage; that is, if two users try to log in from the same host at the same time, authentication and authorization applies only to the user who first submits a valid username and password.&#148;</P><P></P><P>Which I think defeats what I&#146;m trying to do.</P><P></P><P>Question : Is there anyone with a similar situation ? If yes, did you find any features that would support such an environment ?</P><P></P><P>Thanks !</P><P></P><P>Steve Saindon</P><P>Network Consultant</P><P>Interreseau-Conseils Inc.</P><P></P><P></P> Fri, 21 Feb 2020 18:05:35 GMT https://community.cisco.com/t5/network-access-control/authenticating-multiple-users-from-the-same-ip-address/m-p/150985#M6303 steve.saindon 2020-02-21T18:05:35Z https://community.cisco.com/t5/network-access-control/authenticating-multiple-users-from-the-same-ip-address/m-p/150986#M6304 <HTML><HEAD></HEAD><BODY><P>I believe you have to have a separate internal proxy server that sees all users' IP addresses the way they are. The server then direct them to the internet based upon the correct user/password.</P><P></P><P>Hope this helps.</P></BODY></HTML> Wed, 04 Dec 2002 19:29:14 GMT https://community.cisco.com/t5/network-access-control/authenticating-multiple-users-from-the-same-ip-address/m-p/150986#M6304 rais 2002-12-04T19:29:14Z https://community.cisco.com/t5/network-access-control/authenticating-multiple-users-from-the-same-ip-address/m-p/150987#M6305 <HTML><HEAD></HEAD><BODY><P>Salut Steve,</P><P></P><P>Even to surf the Web, your client is forcing users to pass through the Citrix server(s) ? This seems a little bit strange.</P><P></P><P>About the restriction, i've got the same one before and i didn't find a solution with the PIX.</P><P></P><P>Since users connect to Citrix before, and i suppose that users have been authentified there, you may leave all traffics from Citrix servers pass through without auth.</P><P></P><P>Salut</P><P></P><P>Benoît</P><P></P></BODY></HTML> Wed, 04 Dec 2002 21:24:58 GMT https://community.cisco.com/t5/network-access-control/authenticating-multiple-users-from-the-same-ip-address/m-p/150987#M6305 bdube 2002-12-04T21:24:58Z