So if I summarize your issue: some users are stealing IP addresses of already authenticated users known through FSSO, and so they impersonate and pass the firewall as someone else, misusing the access privileges of the original FSSO user.
That is not a fault of FSSO but a flaw of the technology itself.
If you do allow the misuse or have misconfigured DNS, this can happen.
Keep in mind that FSSO is, at the end, source IP pre-authorization.
I see two possible scenarios:
A) The original user is logged off and a new user was simply provided with the IP of the previous user.
In this case the new user unintentionally gets access according to the old user's access privileges, simply because the logoff was not detected, or the workstation check failed or was not run fast enough.
- retention on DHCP, to keep recently released IPs a bit longer and not hand them back to newcomers so easily
- shorten workstation checks
- use WMI logoff detection on the standalone Collector Agent (turned on by default)
B) A new user stole the IP of a previous FSSO user to gain access
Just a few mitigation hints ..
- shorten the workstation checks, so the user should not pass verification of his existence in AD
- secure DHCP so it's not going to assign IPs to everyone
- split the ranges of IPs assigned from DHCP to guests/others and AD computers, so then a simple source IP in the policy will eliminate those outside AD
- make DHCP semi-static: assign a static (always the same) IP per MAC to known workstations and reject others
If you want stronger authentication then switch to port-based identity .. 802.1X!
Tom xSilver, planet Earth, over and out!
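As an added example (not code from the post, nor anything from Fortinet or FSSO itself), the script below models both scenarios and the DHCP hints from the reply. The first function correlates FSSO logon records with IP-to-MAC observations, such as DHCP leases or a switch ARP table, and flags an IP that FSSO still maps to a user but that is now seen with a different MAC; scenario A (IP reissued after a missed logoff) and scenario B (IP taken over deliberately) both surface this way. The second function models the DHCP hardening: per-MAC reservations for known workstations, a separate guest range for unknown MACs, and a retention window during which a released IP is not reissued. All users, MACs, addresses and timestamps are constructed sample data; the record layouts are assumptions, not an FSSO log format.

```python
"""Added example: correlate FSSO mappings with IP/MAC sightings, and model the
DHCP hardening hints (reservations, guest range, retention). Sample data only."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class FssoLogon:
    time: datetime
    user: str
    ip: str
    mac: str                           # MAC recorded with the lease at logon time
    logoff: Optional[datetime] = None  # None: FSSO still maps this IP to the user


@dataclass
class IpMacSeen:
    time: datetime
    ip: str
    mac: str


def find_identity_mismatches(logons, sightings):
    """One alert per sighting whose IP is in an active FSSO mapping but whose
    MAC differs from the one recorded at logon (covers scenarios A and B)."""
    alerts = []
    for seen in sightings:
        for logon in logons:
            mapping_active = (logon.time <= seen.time and
                              (logon.logoff is None or seen.time < logon.logoff))
            if (mapping_active and logon.ip == seen.ip
                    and logon.mac.lower() != seen.mac.lower()):
                alerts.append({
                    "time": seen.time, "ip": seen.ip, "fsso_user": logon.user,
                    "expected_mac": logon.mac.lower(), "seen_mac": seen.mac.lower(),
                })
    return alerts


def dhcp_offer(mac, now, reservations, guest_pool, leases, released, retention):
    """Known MACs always get their reserved IP (semi-static DHCP). Unknown MACs
    only get an address from the guest range, and never one released less than
    `retention` ago, so a newcomer cannot inherit an IP FSSO may still map."""
    mac = mac.lower()
    if mac in reservations:
        return reservations[mac]
    in_use = set(leases.values())
    for ip in guest_pool:
        if ip in in_use:
            continue
        freed_at = released.get(ip)
        if freed_at is not None and now - freed_at < retention:
            continue
        return ip
    return None  # pool exhausted or every freed IP is still inside retention


# --- constructed sample data (hypothetical users, MACs and addresses) ---------
T0 = datetime(2024, 1, 1, 8, 0)
T0_PLUS_1H = T0 + timedelta(hours=1)
SAMPLE_LOGONS = [
    FssoLogon(T0, "alice", "10.0.1.20", "aa:bb:cc:00:00:01"),
    FssoLogon(T0 + timedelta(minutes=5), "bob", "10.0.1.21", "aa:bb:cc:00:00:02",
              logoff=T0_PLUS_1H),
]
SAMPLE_SIGHTINGS = [
    IpMacSeen(T0 + timedelta(minutes=30), "10.0.1.20", "aa:bb:cc:00:00:01"),  # alice's own host
    IpMacSeen(T0 + timedelta(minutes=45), "10.0.1.20", "dd:ee:ff:00:00:99"),  # another host on alice's IP
    IpMacSeen(T0 + timedelta(minutes=90), "10.0.1.21", "dd:ee:ff:00:00:98"),  # bob's IP after his logoff
]
RESERVATIONS = {"aa:bb:cc:00:00:01": "10.0.1.20", "aa:bb:cc:00:00:02": "10.0.1.21"}
GUEST_POOL = ["10.0.9.10", "10.0.9.11"]
GUEST_LEASES = {"dd:ee:ff:00:00:50": "10.0.9.10"}
RECENTLY_RELEASED = {"10.0.9.11": T0 - timedelta(minutes=5)}
RETENTION = timedelta(minutes=30)
UNKNOWN_MAC = "dd:ee:ff:00:00:99"


def demo():
    """Run both checks over the sample data; returns (alerts, offers)."""
    alerts = find_identity_mismatches(SAMPLE_LOGONS, SAMPLE_SIGHTINGS)
    args = (RESERVATIONS, GUEST_POOL, GUEST_LEASES, RECENTLY_RELEASED, RETENTION)
    offers = {
        "known_workstation": dhcp_offer("AA:BB:CC:00:00:01", T0, *args),
        "unknown_now": dhcp_offer(UNKNOWN_MAC, T0, *args),       # retention still active
        "unknown_later": dhcp_offer(UNKNOWN_MAC, T0_PLUS_1H, *args),
    }
    return alerts, offers


if __name__ == "__main__":
    found, offered = demo()
    for a in found:
        print(f"{a['time']} {a['ip']} mapped to {a['fsso_user']} "
              f"(expected {a['expected_mac']}) but seen from {a['seen_mac']}")
    print(offered)
```

Only the second sighting produces an alert: alice's IP is still an active FSSO mapping and is seen from a different MAC. Bob's IP being reused after his recorded logoff is silent, which is exactly why the post stresses fast logoff detection and workstation checks; if the logoff were missed, `logoff` would stay `None` and the reuse would be flagged too. The guest offer returns `None` at T0 because the only free guest IP is still within the retention window, and hands it out an hour later.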