Security problem with ESP and challenge-response RADIUS when using NAT.


For a while I've noticed a problem with the ESP security when using 2 factor authentication and I wanted to get some input on this. 

I have configured the ESP as form based authentication. 
The client side single authentication is configured against a RADIUS server that is configured as a challenge response. (Meaning, the user enters username/password; if this is correct, he is asked for his challenge; if the challenge is correct, the user is granted access.)

This system works in general but seems to have a flaw. 

When the same username logs in from a different browser while he is logged in to Kemp ESP, or a PC using the same IP address (behind the same NAT router), the second factor is no longer required.
Kemp asks for username/password but Kemp doesn't contact the RADIUS server; Kemp uses the cached credentials to validate the user and grant access. Meaning, when the user is logged in to Kemp, two factor authentication is no longer a requirement for browser sessions using the same WAN IP and the same username.

Is there some check/option that could fix this behaviour?
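
A simplified model of the behaviour described in the post above, added here as an illustration and not part of the original post or Kemp's code. The `Gateway` class, its `bind_to_browser` switch, the account data and the addresses are all constructed assumptions: one mode keys the credential cache on username and source IP, the other on a per-browser cookie.

```python
import hashlib
import secrets

# Constructed sample account: user -> (password, one-time code RADIUS expects)
USERS = {"alice": ("s3cret", "492817")}

def _h(pw):
    return hashlib.sha256(pw.encode()).hexdigest()

class Gateway:
    """Hypothetical gateway model; not the vendor's implementation."""
    def __init__(self, bind_to_browser):
        self.bind_to_browser = bind_to_browser
        self.cache = {}          # cache key -> hash of the verified password
        self.radius_calls = 0

    def _key(self, user, src_ip, cookie):
        # The (user, src_ip) key is identical for every client behind one NAT
        # router; the (user, cookie) key is a secret held by a single browser.
        return (user, cookie) if self.bind_to_browser else (user, src_ip)

    def _radius(self, user, password, otp):
        # Stand-in for the Access-Request / Access-Challenge round trips.
        self.radius_calls += 1
        return USERS.get(user) == (password, otp)

    def login(self, user, password, src_ip, cookie=None, otp=None):
        key = self._key(user, src_ip, cookie)
        if self.cache.get(key) == _h(password):
            return "granted-from-cache", cookie   # RADIUS is never contacted
        if otp is None:
            return "challenge", None              # second factor still needed
        if not self._radius(user, password, otp):
            return "denied", None
        cookie = secrets.token_hex(16)
        self.cache[self._key(user, src_ip, cookie)] = _h(password)
        return "granted-2fa", cookie

def second_browser_outcome(bind_to_browser):
    gw = Gateway(bind_to_browser)
    nat_ip = "203.0.113.7"   # constructed WAN address shared by both browsers
    first, _cookie = gw.login("alice", "s3cret", nat_ip, otp="492817")
    # Second browser: same user, same WAN IP, no cookie, no second factor.
    second, _ = gw.login("alice", "s3cret", nat_ip)
    return first, second, gw.radius_calls
```

With the cache keyed on username and source IP the second browser is admitted from the cache on the password alone; keyed on the per-browser cookie it is sent back to the challenge step.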