Hi,

On Mon, Oct 20, 2025 at 4:49 PM jordi.palet--- via ipv6-wg <ipv6-wg@ripe.net> wrote:
> The Fortinet authenticator is pulling every few seconds via LDAP to the AD in order to “allow” certain groups of users to get access to Internet thru the firewall. The firewall rules are based on the user IPv4 and IPv6 addresses.
> It seems that this means that because the user initially registered with IPv6 (as in dual stack IPv6 takes precedence over IPv4), only the IPv6 address is reported by the authentication event from the AD to the Fortinet authenticator, so it is only gaining access to IPv6.

The way these vendors implement this is they periodically tail the Windows Security Logs of the Domain Controllers looking for logon and logout events; these logs contain the source IP address of the login attempts and the username, allowing for a mapping to be built.

As the Active Directory logs are meant for security auditing, I am quite sure that they only contain one IP (the one that sent the request), and you can quickly realize that they aren't meant for this kind of usage, even though it ends up working somewhat well in most cases.

The mapping can be built and updated through other methods as well; vendors offer alternatives like WMI polling of the end client and syslog parsing from RADIUS servers, again looking for the current IP of user endpoints.

I see a trend, however, where they are starting to suggest using their endpoint agents to monitor device addresses. This is really the only viable solution going forward, although it implies installing the vendor's software on all computers and trusting the client to an extent (but not fully). Fortinet's agent is called "FortiClient SSO Mobility Agent" and is essentially a feature of FortiClient + FortiAuthenticator. I'm not positive that it supports pulling multiple IPs from an endpoint, but at least in this case there would be a path forward with an enhancement request.

All things considered, you can start to see why the enterprise isn't jumping into v6: it's more about losing the 1 host = 1 IP paradigm than it is about the protocol itself. Even in a situation with 1 IPv6 address, you are looking at a minimum of 2 addresses in a dual-stack environment. This breaks all kinds of assumptions made by products, and the organization is at the mercy of the vendor most of the time.

Paolo
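The log-tailing mechanism described above, as an added illustration that is not part of the thread or of any vendor's code: a small Python parser that builds the user-to-IP mapping from constructed, simplified logon records (field names loosely modelled on Windows Security event 4624/4634; the sample lines, account names and addresses are made up) and shows why a dual-stack host that logged on over IPv6 ends up with no IPv4 entry, so an identity-based rule check fails for its IPv4 traffic.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on the fields of Windows Security
# event 4624 (logon) and 4634 (logoff). Not real log output.
SAMPLE_EVENTS = [
    "EventID=4624 Domain=CORP AccountName=alice SourceNetworkAddress=2001:db8:10::1234 LogonType=3",
    "EventID=4624 Domain=CORP AccountName=bob SourceNetworkAddress=192.0.2.45 LogonType=3",
    "EventID=4624 Domain=CORP AccountName=svc-backup SourceNetworkAddress=- LogonType=5",
    "EventID=4634 Domain=CORP AccountName=bob LogonType=3",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Turn one key=value record into a dict."""
    return dict(FIELD_RE.findall(line))

def build_mapping(lines):
    """Build {user: {"v4": set, "v6": set}} from successful logon events.

    Each event carries exactly one source address, so a dual-stack host that
    logged on over IPv6 only ever populates the "v6" set for that user.
    """
    mapping = defaultdict(lambda: {"v4": set(), "v6": set()})
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4624":
            continue  # only logon events carry a usable source address
        try:
            addr = ipaddress.ip_address(ev.get("SourceNetworkAddress", "-"))
        except ValueError:
            continue  # "-" or garbage: service/local logon, nothing to map
        if addr.is_loopback:
            continue
        user = f"{ev.get('Domain', '')}\\{ev.get('AccountName', '?')}"
        mapping[user]["v6" if addr.version == 6 else "v4"].add(str(addr))
    return dict(mapping)

def is_permitted(mapping, user, src_ip):
    """Identity-based rule check: is this source address mapped to the user?"""
    addr = ipaddress.ip_address(src_ip)
    fams = mapping.get(user)
    return bool(fams) and str(addr) in fams["v6" if addr.version == 6 else "v4"]

def single_stack_users(mapping):
    """Users seen on only one address family: the dual-stack gap in the post."""
    return sorted(u for u, f in mapping.items() if not (f["v4"] and f["v6"]))
```

Running `single_stack_users` over the mapping is the quick check a firewall admin would want: every user it lists will have traffic on the other address family silently fall through to the unauthenticated rules.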