Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 7 replies
  • Subscribers 28 subscribers
  • Views 615 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG750 Dual Stack Captive Portal. How To?

akshay_r

We have 2 XG 750s (Passive HA) facing the WAN (IPv4) and a large 10.0.0.0/8 network on the LAN side. The LAN side consists of L3 core switches and several hierarchies of L3 and L2 switches.

As of today, the captive portal authenticates all users against IPv4.

We are now in the process of getting an IPv6 /32 block and want to transition to IPv6 using a dual-stack mode.

When it comes to the captive portal, will the users need to log in using captive portals (one ipv4 and one ipv6) to access both IPv4 and IPv6 sites?

If yes, is there a workaround for it?

If not, how does it authenticate both IPs?



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to emmosophos

    Hi Emmanuel,

    Thanks for the response. Do you have customers that run dual-stack IPv6/IPv4 behind the firewall and also use user authentication? If yes, any idea on how they handle the double login issue?

  • 0 in reply to emmosophos

    I can confirm this.  The "user aware firewall" associates an IP address (either IPv4 or IPv6) with a user.  While you can have the user log into IPv4, the XG does not keep track that a specific IPv4 and IPv6 is held by the same computer and therefore is the same user.  You need to separately associate the IPv6 with the user.

    AFAIK Captive Portal supports both but it uses the source IP that you connect with to the XG - not the source IP that you use to connect to the far site. So if you go to ipv6.google.com and it redirects you to myxg.mycompany if your client resolves that as IPv4 and connects as IPv4 then you will log in as IPv4.  When you then go to ipv6.google.com you will still not be logged in.  By changing your internal dns you can log into IPv6 instead.  So I *think* it supports either but not both (at least not easily).

    Currently AD SSO only supports IPv4.

    As far as I know STAS supports both.

  • 0 in reply to akshay_r

    Hello Akshay,

    For that question, I would recommend you to reach out to your Sales Engineer. 

    Regards,

     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support VideosProduct Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?