Then you need a firewall update for each new user.

Whereas matching on user+ip is a one-time proxy install.