XG750 Dual Stack Captive Portal. How To?

We have 2 XG 750s (Passive HA) facing the WAN (IPv4) and a large 10.0.0.0/8 network on the LAN side. The LAN side consists of L3 core switches and several hierarchies of L3 and L2 switches.

As of today, the captive portal authenticates all users against IPv4.

We are now in the process of getting an IPv6 /32 block and want to transition to IPv6 using a dual-stack mode.

When it comes to the captive portal, will the users need to log in using captive portals (one IPv4 and one IPv6) to access both IPv4 and IPv6 sites?

If yes, is there a workaround for it?

If not, how does it authenticate both IPs?



  • Hello Akshay,

    Thank you for contacting the Sophos Community.

    Since the IPv6 address is another address, they’ll need to re-auth.

    Regards,

  • I can confirm this.  The "user aware firewall" associates an IP address (either IPv4 or IPv6) with a user.  While you can have the user log into IPv4, the XG does not keep track that a specific IPv4 and IPv6 is held by the same computer and therefore is the same user.  You need to separately associate the IPv6 with the user.

    AFAIK Captive Portal supports both, but it uses the source IP that you connect with to the XG - not the source IP that you use to connect to the far site. So if you go to ipv6.google.com and it redirects you to myxg.mycompany, if your client resolves that as IPv4 and connects as IPv4, then you will log in as IPv4. When you then go to ipv6.google.com you will still not be logged in. By changing your internal DNS you can log into IPv6 instead. So I *think* it supports either but not both (at least not easily).

    Currently AD SSO only supports IPv4.

    As far as I know STAS supports both.
