Router                                    Access Point
192.168.0.10 | 192.168.5.1................192.168.5.7<--NAT<--192.168.10.1
In this topology, the clients in the AP get translated to the internet interface, which is X.X.5.7. I want the router to perform authentication actually per individual client in the AP, but because it sees only the IP of the X.X.5.7 and its gateway and authenticates that, all users in the AP are automatically authenticated. What I want to do is for the router to be able to authenticate each client with their MAC address instead of the AP internet gateway. But since they are behind NAT, I can't see a way to do it. Any ideas how ARP could successfully resolve the MACs when the clients are being translated? If there isn't any working solution (like changing the protocol/header), maybe your ideas of how to make it possible logically will be helpful. NAT has to stay. I could easily resolve it without NAT. But in my network NAT is of the essence! :)
The X.X.5.7 and X.X.10.1 are likely in different subnets, so you would not be able to get ARP messages from one subnet to another. ARP is sent only in the same subnet. If the destination is in a different subnet, then the host (sitting behind the AP) would simply send it to the gateway (perhaps the AP).
You mentioned that you were able to do this without NAT. I am curious: without NAT, did you put the clients in the X.X.10.1 subnet or in the X.X.5.1 subnet?
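An added example (not from either poster) that models what the router can observe in this topology: after source NAT every client frame arrives with the AP's own MAC and 192.168.5.7, and the 192.168.10.x hosts are outside the subnet the router would ARP on. The /24 masks, all MAC addresses, the client addresses and the port numbers are assumptions constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the post; the /24 masks and every MAC below are assumptions.
ROUTER_LAN = ipaddress.ip_interface("192.168.5.1/24")
AP_WAN = ipaddress.ip_interface("192.168.5.7/24")
AP_WAN_MAC = "02:00:00:00:05:07"  # constructed


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: ipaddress.IPv4Address
    src_port: int


def arp_reachable(local_if, target_ip):
    """ARP is only attempted for targets inside the interface's own subnet."""
    return ipaddress.ip_address(target_ip) in local_if.network


class NatAP:
    """Source NAT: rewrite IP and port, then re-frame with the AP's own MAC."""

    def __init__(self):
        self.table = {}  # (client_ip, client_port) -> translated port
        self.next_port = 40000

    def forward(self, frame):
        key = (frame.src_ip, frame.src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return Frame(AP_WAN_MAC, AP_WAN.ip, self.table[key])


def router_view(client_frames):
    """Set of (MAC, IP) identities the router could key authentication on."""
    ap = NatAP()
    return {(f.src_mac, str(f.src_ip)) for f in map(ap.forward, client_frames)}


# Constructed clients behind the AP (192.168.10.0/24 side).
CLIENTS = [
    Frame("02:00:00:00:10:0a", ipaddress.ip_address("192.168.10.10"), 51000),
    Frame("02:00:00:00:10:0b", ipaddress.ip_address("192.168.10.11"), 51000),
    Frame("02:00:00:00:10:0c", ipaddress.ip_address("192.168.10.12"), 52000),
]

if __name__ == "__main__":
    print(router_view(CLIENTS))                        # one identity for three clients
    print(arp_reachable(ROUTER_LAN, "192.168.10.10"))  # False: different subnet
```

The only per-client state that survives translation in this model is the AP's NAT table, so any per-client identity has to be established at the AP or carried above layer 2.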