Tks Paolo.

I guess this SSO Mobility Agent means paying licenses … (instead of boxes).

I looked at RFC9686. Not sure how well it is supported, probably not yet, but it may be a long term solution for this problem.

Regards,
Jordi

@jordipalet


On 20 Oct 2025, at 21:46, Paolo Nero <neropaolo0@gmail.com> wrote:

Hi,

On Mon, Oct 20, 2025 at 4:49 PM jordi.palet--- via ipv6-wg <ipv6-wg@ripe.net> wrote:
> The Fortinet authenticator is pulling every few seconds via LDAP to the AD in order to “allow” certain groups of users to get access to Internet through the firewall. The firewall rules are based on the user IPv4 and IPv6 addresses.
> It seems that this means that because the user has registered initially with IPv6 (as in dual stack takes precedence over IPv4), only the IPv6 address is reported by the authentication event from the AD to the Fortinet authenticator, so it is only gaining access to IPv6.

The way these vendors implement this is they periodically tail the Windows Security Logs of the Domain Controllers looking for logon and logout events; these logs contain the source IP address of the login attempts and the username, allowing for a mapping to be built.

As the Active Directory logs are meant for security auditing I am quite sure that they only contain one IP (the one that sent the request) and you can quickly realize that they aren't meant for this kind of usage, even though it ends up working somewhat well in most cases.

The mapping can be built and updated through other methods as well, vendors offer alternatives like WMI polling of the end client and Syslog parsing from RADIUS servers, again looking for the current IP of user endpoints.

I see a trend, however, where they are starting to suggest using their endpoint agents to monitor device addresses. This is really the only viable solution going forward, although it implies installing the vendor's software on all computers and trusting the client to an extent (but not fully). Fortinet's agent is called "FortiClient SSO Mobility Agent" and is essentially a feature of FortiClient + FortiAuthenticator. I'm not positive that it supports pulling multiple IPs from an endpoint, but at least in this case there would be a path forward with an enhancement request.

All things considered you can start to see why the enterprise isn't jumping into v6, it's more about losing the 1 host = 1 IP paradigm than it is about the protocol itself. Even in a situation with 1 IPv6 address, you are looking at a minimum of 2 addresses in a dual-stack environment. This breaks all kinds of assumptions made by products, and the organization is at the mercy of the vendor most of the time.

Paolo
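As an added illustration (not code from the thread, nor from Fortinet or any vendor), the log-tailing mapping Paolo describes, written in Python over a constructed sample of simplified 4624 logon events: the "last logon wins" collector keeps only the most recently seen address, which reproduces Jordi's symptom, while keeping one address per address family is the minimum a dual-stack aware collector needs. The key=value event format is an assumption made for brevity.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of Security-log logon events (ID 4624) reduced to the
# fields a user-to-IP mapper needs. Not captured from a real domain controller;
# the names mirror the 4624 "Account Name" / "Source Network Address" fields.
SAMPLE_EVENTS = """\
EventID=4624 Time=2025-10-20T08:01:12 AccountName=alice SourceNetworkAddress=192.0.2.21
EventID=4624 Time=2025-10-20T08:01:13 AccountName=bob SourceNetworkAddress=192.0.2.45
EventID=4634 Time=2025-10-20T08:30:00 AccountName=bob
EventID=4624 Time=2025-10-20T09:15:40 AccountName=alice SourceNetworkAddress=2001:db8:10::1a
EventID=4624 Time=2025-10-20T09:16:00 AccountName=carol SourceNetworkAddress=-
"""

def parse_events(text):
    """Turn key=value lines into dicts; blank lines are skipped."""
    return [dict(tok.split("=", 1) for tok in line.split())
            for line in text.splitlines() if line.strip()]

def source_address(event):
    """Return the single source IP of a logon event, or None if absent.
    Local logons carry '-' and a 4624 never carries more than one address,
    which is the root of the dual-stack problem discussed in the thread."""
    try:
        return ipaddress.ip_address(event.get("SourceNetworkAddress", "-"))
    except ValueError:
        return None

def naive_mapping(events):
    """'Last logon wins': one address per user, as a simple log tailer builds
    it. Whichever address family authenticated most recently is kept."""
    mapping = {}
    for ev in events:
        addr = source_address(ev) if ev["EventID"] == "4624" else None
        if addr is not None:
            mapping[ev["AccountName"]] = str(addr)
    return mapping

def dual_stack_mapping(events):
    """Keep the latest address per IP version, so a user seen over both IPv4
    and IPv6 is mapped to both instead of only the most recent one."""
    mapping = defaultdict(dict)
    for ev in events:
        addr = source_address(ev) if ev["EventID"] == "4624" else None
        if addr is not None:
            mapping[ev["AccountName"]][addr.version] = str(addr)
    return dict(mapping)
```

Real 4624 events are rendered as multi-line text or XML with many more fields; only the two fields used here matter for the mapping.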


 

