In theory, yes it is possible to have two auth table entries with the same Ip but different user names. But, the IC should eventually clean it up.
This can happen in cases where an endpoint does not gracefully disconnect from the IC and thus the auth table is not cleared until the user's session is expired on the IC. If NAT is detected, the IC will not push the auth table down to the IE as the IP is used by the IE to filter access to the protected resource.
The only way NAT and auth tables will work is to use IPSEC from the OAC or Pulse Clients. In this case, the IC will send down the IP address issued to it from an address pool.
Does that help?