04-11-2023 05:43 AM
The easiest path to accomplish this is to enforce GlobalProtect from client machines on the network and then use a script to ensure that each user-id is only ever associated once. There's a script example that @Remo shared years ago HERE that uses the API to ensure only a single mapping.
The problem that you'll run into if you don't use an enforced GlobalProtect connection is that there's certain situations where we'd expect to see someone map to multiple IPs. Keeping in mind that user-id isn't a User->IP mapping but rather an IP->User mapping, if you have an environment where someone would get a different IP address when they move around the building(s) having the user associated temporarily with multiple IPs wouldn't be unexpected.
