Same IP source address different username in infranet enforcer auth table?
Is this situation possible as stated in subject? In other words does the infranet controller push to the same IE policies with same source address but different usernames. As I read from one KB article then IC can omit the IP when IC detects NAT'd source while authenticating and thus not sending the source IP to IE.
And if the situation is possible (same source IP/diff. user in IE auth table) then how does the enforcer match the policy for different users? Can the enforcer differentiate between them?
Re: Same IP source address different username in infranet enforcer auth table?
In theory, yes it is possible to have two auth table entries with the same Ip but different user names. But, the IC should eventually clean it up.
This can happen in cases where an endpoint does not gracefully disconnect from the IC and thus the auth table is not cleared until the user's session is expired on the IC. If NAT is detected, the IC will not push the auth table down to the IE as the IP is used by the IE to filter access to the protected resource.
The only way NAT and auth tables will work is to use IPSEC from the OAC or Pulse Clients. In this case, the IC will send down the IP address issued to it from an address pool.