
XG750 Dual Stack Captive Portal. How To?

We have 2 XG 750s (Passive HA) facing the WAN (IPv4) and a large 10.0.0.0/8 network on the LAN side. The LAN side consists of L3 core switches and several hierarchies of L3 and L2 switches.

As of today, the captive portal authenticates all users against IPv4.

We are now in the process of getting an IPv6 /32 block and want to transition to IPv6 using a dual-stack mode.

When it comes to the captive portal, will the users need to log in using captive portals (one ipv4 and one ipv6) to access both IPv4 and IPv6 sites?

If yes, is there a workaround for it?

If not, how does it authenticate both IPs?

  • Hi,

    A /32 IPv6 is a very large range of addresses.

    The current version of XG does not support IPv6 very well; all IPv6 rules need a NAT.

    As of today, I have not found a way of using IPv6 addressing FQDNs in XG. An FQDN will be resolved and connected when a device makes a request.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian, Thanks for the reply.

    /32 is pretty large for a university, but we only had choices from the RIR between /48 and /32, and as we have a multi-site setup, /32 was the better choice.

    I am not clear on "all IPv6 rules need a NAT". We have an IPv6 network coming into the WAN interface for the XG750, and I am not sure if NAT applies to IPv6 (both LAN and WAN are on IPv6).

    We have a dual-stack setup, so clients have both IPv4 and IPv6 addresses allocated to them via a set of DHCP servers. We have not yet enabled IPv6 over the switches in our network.

    The concern we have is this: say a user accesses ipv4.google.com. The browser will naturally connect to the Sophos on the IPv4 interface IP, the captive portal will capture this IP, allow login and pass the request.

    Then say the user accesses ipv6.google.com, which exclusively has an AAAA record. The browser will initiate an IPv6 packet towards the Sophos firewall on its IPv6 interface, and the captive portal might show up again, as the previous login was against the IPv4 IP.

    We haven't tested it yet, but this seems like what is most likely going to happen. If this is true, how can the first login page capture both the IPv4 and IPv6 IPs of the client?

  • Hi,

    I am not a captive portal user, so I cannot help you with the question. I have a dual-stack system, and you need a NAT for all IPv6 traffic between LAN and WAN.

    I need to make a correction: you can create networks with IPv6 addresses, but you can't use FQDNs in IPv6 firewall rules.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hello Akshay,

    Thank you for contacting the Sophos Community.

    Since the IPv6 address is another address they’ll need to re-auth.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • Hi Emmanuel,

    Thanks for the response. Do you have customers that run dual-stack IPv6/IPv4 behind the firewall and also use user authentication? If yes, any idea on how they handle the double login issue?

  • I can confirm this. The "user aware firewall" associates an IP address (either IPv4 or IPv6) with a user. While you can have the user log into IPv4, the XG does not keep track that a specific IPv4 and IPv6 are held by the same computer and therefore are the same user. You need to separately associate the IPv6 with the user.

    AFAIK Captive Portal supports both, but it uses the source IP that you connect with to the XG, not the source IP that you use to connect to the far site. So if you go to ipv6.google.com and it redirects you to myxg.mycompany, and your client resolves that as IPv4 and connects as IPv4, then you will log in as IPv4. When you then go to ipv6.google.com you will still not be logged in. By changing your internal DNS you can log into IPv6 instead. So I *think* it supports either but not both (at least not easily).

    Currently AD SSO only supports IPv4.

    As far as I know STAS supports both.
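The behaviour described in the post above (one user-to-IP binding per source address, with the portal hostname's DNS record deciding which address family gets authenticated) can be modelled in a few lines. This is an added illustration written for this thread, not Sophos code and not how the XG implements its session table internally; the addresses, the portal hostname and the rule that a dual-stack client prefers an AAAA record when one is published are all constructed assumptions.

```python
"""Model of the user-aware firewall behaviour discussed in the thread: the captive
portal binds a username to the single source address the portal connection came
from, so a dual-stack client ends up authenticated for one address family only.
Constructed example; addresses and hostnames are made up (RFC 5737 / RFC 3849 ranges)."""

import ipaddress
from typing import Dict, Optional, Set, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

PORTAL_HOST = "portal.example.edu"  # hypothetical captive-portal hostname


class UserAwareTable:
    """One entry per source IP. IPv4 and IPv6 entries know nothing about each
    other, which is exactly why a dual-stack client has to log in twice."""

    def __init__(self) -> None:
        self.sessions: Dict[IPAddr, str] = {}

    def user_for(self, src: str) -> Optional[str]:
        return self.sessions.get(ipaddress.ip_address(src))

    def bind(self, src: str, username: str) -> None:
        self.sessions[ipaddress.ip_address(src)] = username

    def handle_flow(self, src: str, dst: str) -> str:
        """'allow' when the source address is already bound to a user, otherwise
        'redirect-to-portal'. The destination family is irrelevant to the decision."""
        ipaddress.ip_address(dst)  # validate the destination, nothing more
        return "allow" if self.user_for(src) else "redirect-to-portal"

    def families_for(self, username: str) -> Set[int]:
        """Which IP versions (4, 6) this user is currently authenticated on."""
        return {addr.version for addr, user in self.sessions.items() if user == username}

    def single_family_users(self) -> Set[str]:
        """Audit helper: users bound on only one family would hit the second
        portal login the thread describes."""
        return {u for u in set(self.sessions.values()) if len(self.families_for(u)) == 1}


def portal_connect_address(dns: Dict[str, str], client_v4: str, client_v6: Optional[str]) -> str:
    """Pick the client address the portal connection will originate from.
    Assumption: a dual-stack client uses the AAAA record for PORTAL_HOST when the
    internal DNS publishes one, and falls back to the A record otherwise."""
    if client_v6 and "AAAA" in dns:
        return client_v6
    return client_v4


def captive_portal_login(table: UserAwareTable, dns: Dict[str, str], username: str,
                         client_v4: str, client_v6: Optional[str] = None) -> str:
    """Authenticate the user for whichever address the portal connection came from."""
    src = portal_connect_address(dns, client_v4, client_v6)
    table.bind(src, username)
    return src


def simulate() -> dict:
    """Walk through the scenario from the thread and return the observed decisions."""
    table = UserAwareTable()
    client_v4, client_v6 = "10.20.30.40", "2001:db8:1234::40"  # constructed dual-stack client
    v4_only_dns = {"A": "10.0.0.1"}                          # portal published over IPv4 only
    dual_dns = {"A": "10.0.0.1", "AAAA": "2001:db8::1"}      # portal also published as AAAA

    out = {}
    out["first_login_src"] = captive_portal_login(table, v4_only_dns, "akshay", client_v4, client_v6)
    out["v4_site"] = table.handle_flow(client_v4, "203.0.113.10")         # A-only destination
    out["v6_site"] = table.handle_flow(client_v6, "2001:db8:ffff::1")     # AAAA-only destination
    out["families_after_first"] = table.families_for("akshay")
    out["partial_users"] = table.single_family_users()
    # Second login after the internal DNS change: the portal is now reached over IPv6,
    # so the same user gets a separate IPv6 binding.
    out["second_login_src"] = captive_portal_login(table, dual_dns, "akshay", client_v4, client_v6)
    out["v6_site_after"] = table.handle_flow(client_v6, "2001:db8:ffff::1")
    out["families_after_second"] = table.families_for("akshay")
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The `single_family_users` check is the part worth keeping in mind operationally: whatever identity source is used (portal, STAS or another agent), a report of users bound on only one family tells you who will see the second login prompt before they complain about it.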

  • Hello Akshay,

    For that question, I would recommend you to reach out to your Sales Engineer.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.