Could you share the plugin configuration manifests you have, and examples of what requests you’re sending (e.g. curl output or similar) that demonstrate the unexpected behavior?
In general, the rate-limiting plugin will limit by some criteria (in your case, probably
limit_by = credential or
limit_by = consumer), and if those criteria are not available, it will fall back to identifying clients by their IP. If this is a single plugin configuration, the same limit will apply to all users, but it should be accounted based on their identified credential or consumer when available.
If you want to instead apply different limits to identified and unknown/IP-only users, you’d normally create multiple rate-limiting configurations, one applied to the route/service only (to apply generic limits to unidentified clients) and then one or more applied to route+consumer (to apply specific limits to identified clients). The latter are handled by adding annotations for that plugin configuration to both the KongConsumer and to the Ingress (or Service).