Hi all,

Just wondering if this may be a bug or just some misconfiguration and someone 
in the list experienced this before.

I’ve got this question from a dual-stack deployment, I will try to summarise it 
with the info I’ve got (not my deployment, just trying to help).

Network using Windows AD and basically only Windows clients. The Windows 
clients are dual-stack and are authenticated in the AD. The DNS registers 
correctly both their IPv4 and IPv6 addresses.

The Fortinet authenticator is polling the AD every few seconds via LDAP in 
order to “allow” certain groups of users to get access to the Internet through 
the firewall. The firewall rules are based on the user's IPv4 and IPv6 addresses.

It seems that because the user has initially registered with IPv6 (as in dual 
stack, IPv6 takes precedence over IPv4), the authentication event from the AD 
reports to the Fortinet authenticator only the IPv6 address, so the user is 
only gaining access over IPv6.

So how do you fix this in the authenticator so that it gathers both the IPv4 
and IPv6 addresses and consequently opens the firewall for both the IPv4 and 
IPv6 of this user?

Right now it seems the only way to force the authenticator to recognise both 
the IPv4 and IPv6 addresses of the user is to re-authenticate the user with 
both addresses. It looks strange to me that the authenticator only looks for 
the “registration event” with a single IP address and not all of them (IPv4 
and IPv6, or even multiple IPv6 addresses, like the privacy one).

I tried to help by looking for Fortinet documents about this, but didn’t find 
anything relevant.

Has anyone seen this behaviour before and/or has any idea about how to fix it?

Regards,
Jordi

@jordipalet



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
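An added illustration in Python (not from the thread, and not Fortinet's code) of the two mapping behaviours discussed above: `first_seen_only` keeps one address per user, as the poster observes the authenticator doing, `merge_user_addresses` keeps every routable address per family, and `single_family_users` flags users for whom only one family was learned. The event list and its addresses are constructed, using documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of logon events as an authenticator might collect them
# from AD: (user, hostname, address). Documentation-range addresses, not real
# data. The first event for "alice" is IPv6, as described in the thread.
SAMPLE_EVENTS = [
    ("alice", "pc1.corp.example", "2001:db8:1::1234"),
    ("alice", "pc1.corp.example", "2001:db8:1::a1b2:c3d4"),  # temporary (privacy) address
    ("alice", "pc1.corp.example", "fe80::1"),                # link-local, never routed
    ("alice", "pc1.corp.example", "192.0.2.10"),
    ("bob",   "pc2.corp.example", "192.0.2.20"),
]

def first_seen_only(events):
    """Behaviour reported in the thread: one address per user, the first one seen."""
    mapping = {}
    for user, _host, addr in events:
        mapping.setdefault(user, addr)
    return mapping

def merge_user_addresses(events):
    """Per-user address sets split by family, with unusable addresses dropped."""
    mapping = defaultdict(lambda: {"ipv4": set(), "ipv6": set()})
    for user, _host, addr in events:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed address in the event: skip it
        if ip.is_link_local or ip.is_loopback or ip.is_unspecified:
            continue  # cannot be a meaningful firewall match
        family = "ipv4" if ip.version == 4 else "ipv6"
        mapping[user][family].add(str(ip))  # str() normalises the textual form
    return dict(mapping)

def single_family_users(mapping):
    """Users for whom only one address family was learned: the symptom to alert on."""
    return sorted(u for u, fams in mapping.items()
                  if not fams["ipv4"] or not fams["ipv6"])

if __name__ == "__main__":
    print("first-seen:", first_seen_only(SAMPLE_EVENTS))
    merged = merge_user_addresses(SAMPLE_EVENTS)
    print("merged:", merged)
    print("single-family users:", single_family_users(merged))
```

With the sample, "alice" is learned only as `2001:db8:1::1234` by the first-seen rule but gets both families when merged, while "bob" is correctly flagged as having no IPv6 address at all.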
