I have a few users who are hidden behind a NAT address. The public address users at the site are using the standard authentication which is based on IP address.
The problem is the users coming in from NATed public IP address are not all getting prompted to sign in because once one user authenticates everyone behind the NAT can get right out to the internet.
I spoke with support a few minutes ago and they indicated cookie authentication would resolve this issue but how does the web gateway know to send the cookie back to the private address if it is hidden behind a public IP address?
You would need the cookie authentication ruleset in place in order for the Web Gateway to be able to do cookie authentication (this would have the MWG send a "set-cookie" header after successfully authenticating the user).
The fact that the user is "hidden behind a public IP address" makes no difference when cookie authentication is used. The cookie will be used by the MWG to determine who the user is, rather than the IP.