anyone experienced this trouble with Fortinet (authenticator+firewall) and Windows AD

Hi all,

Just wondering if this may be a bug or just some misconfiguration, and whether someone on the list has experienced this before. I've got this question from a dual-stack deployment; I will try to summarise it with the info I've got (not my deployment, just trying to help).

Network using Windows AD and basically only Windows clients. The Windows clients are dual-stack and are authenticated in the AD. The DNS registers correctly both their IPv4 and IPv6 addresses.

The Fortinet authenticator is pulling every few seconds via LDAP from the AD in order to "allow" certain groups of users to get access to the Internet thru the firewall. The firewall rules are based on the user's IPv4 and IPv6 addresses. It seems that this means that, because the user has registered initially with IPv6 (as in dual stack, IPv6 takes precedence over IPv4), only the IPv6 address is reported by the authentication event from the AD to the Fortinet authenticator, so the user is only gaining access over IPv6.

So how do you fix this in the authenticator so it gathers both the IPv4 and IPv6 addresses and consequently opens the firewall for both IPv4 and IPv6 for this user? Right now it seems the only way to force the authenticator to recognise both the IPv4 and IPv6 addresses of the user is to reauthenticate the user with both addresses.

It looks strange to me that the authenticator only looks for the "registration event" with a single IP address and not both of them (IPv4 and IPv6, or even multiple IPv6 addresses, like the privacy one). I tried to help by looking for Fortinet documents about this, but didn't find anything relevant.

Has anyone seen this behaviour before and/or has any idea about how to fix it?

Regards,
Jordi
@jordipalet

**********************************************
IPv4 is over
Are you ready for the new Internet?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicitly authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

Hi,

On Mon, Oct 20, 2025 at 04:49:02PM +0200, jordi.palet--- via ipv6-wg wrote:
I tried to help by looking for Fortinet documents about this, but didn't find anything relevant.

Fortinet and dual-stack deployments is a deep abyss of pain (try setting up a captive portal on a dual-stack client network...). Their support generally considers this "works as implemented, ask your team to open a feature request", which is countered with "how many new boxes can we sell to you?". VERY annoying.

Gert Doering -- NetMaster -- have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard, Karin Schuler, Sebastian Cler
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279

Yes, it looks like they just look for more boxes, but this is not the way!

Regards,
Jordi
@jordipalet

On 20 Oct 2025, at 21:12, Gert Doering <gert@space.net> wrote:

-----
To unsubscribe from this mailing list or change your subscription options, please visit: https://mailman.ripe.net/mailman3/lists/ipv6-wg.ripe.net/
As we have migrated to Mailman 3, you will need to create an account with the email matching your subscription before you can change your settings. More details at: https://www.ripe.net/membership/mail/mailman-3-migration/

Hi,

On Mon, Oct 20, 2025 at 4:49 PM jordi.palet--- via ipv6-wg <ipv6-wg@ripe.net> wrote:
The Fortinet authenticator is pulling every few seconds via LDAP from the AD in order to "allow" certain groups of users to get access to the Internet thru the firewall. The firewall rules are based on the user's IPv4 and IPv6 addresses. It seems that this means that, because the user has registered initially with IPv6 (as in dual stack, IPv6 takes precedence over IPv4), only the IPv6 address is reported by the authentication event from the AD to the Fortinet authenticator, so the user is only gaining access over IPv6.

The way these vendors implement this is that they periodically tail the Windows Security Logs of the Domain Controllers looking for logon and logout events; these logs contain the source IP address of the login attempts and the username, allowing a mapping to be built. As the Active Directory logs are meant for security auditing, I am quite sure that they only contain one IP (the one that sent the request), and you can quickly realize that they aren't meant for this kind of usage, even though it ends up working somewhat well in most cases.

The mapping can be built and updated through other methods as well; vendors offer alternatives like WMI polling of the end client and syslog parsing from RADIUS servers, again looking for the current IP of user endpoints.

I see a trend, however, where they are starting to suggest using their endpoint agents to monitor device addresses. This is really the only viable solution going forward, although it implies installing the vendor's software on all computers and trusting the client to an extent (but not fully). Fortinet's agent is called "FortiClient SSO Mobility Agent" and is essentially a feature of FortiClient + FortiAuthenticator. I'm not positive that it supports pulling multiple IPs from an endpoint, but at least in this case there would be a path forward with an enhancement request.

All things considered, you can start to see why the enterprise isn't jumping into v6; it's more about losing the 1 host = 1 IP paradigm than it is about the protocol itself. Even in a situation with 1 IPv6 address, you are looking at a minimum of 2 addresses in a dual-stack environment. This breaks all kinds of assumptions made by products, and the organization is at the mercy of the vendor most of the time.

Paolo
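The logon-event mapping Paolo describes, as an added illustration rather than code from the thread or from any vendor: a small parser over constructed key=value renderings of Windows Security event 4624 (successful logon) records. The field names follow the 4624 event template; the sample records, account names and addresses are made up, and the "one address per user, last logon wins" model is an assumption standing in for how the described products store the mapping. Each record carries exactly one Source Network Address, so a dual-stack client shows up as two separate events, and a client that only talked to the DC over IPv6 shows up once. The per-family variant keeps every observed address and reports which users the firewall would hold no address of one family for.

```python
"""User-to-address mapping from Windows logon events (added example, not vendor code).

Assumption: input is a flattened key=value rendering of Security event 4624
fields; a real collector would read the event log or a WEF/syslog feed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample events (not real log data). Values are invented;
# field names follow the 4624 event template.
SAMPLE_EVENTS = [
    "EventID=4624 AccountName=alice AccountDomain=CORP LogonType=3 SourceNetworkAddress=2001:db8:10::25 LogonID=0x3e7a1",
    "EventID=4624 AccountName=alice AccountDomain=CORP LogonType=3 SourceNetworkAddress=192.0.2.25 LogonID=0x3e7a2",
    "EventID=4624 AccountName=dave AccountDomain=CORP LogonType=3 SourceNetworkAddress=2001:db8:10::77 LogonID=0x3e7b0",
    "EventID=4624 AccountName=DC01$ AccountDomain=CORP LogonType=3 SourceNetworkAddress=- LogonID=0x3e7c0",
    "EventID=4624 AccountName=erin AccountDomain=CORP LogonType=2 SourceNetworkAddress=127.0.0.1 LogonID=0x3e7d0",
    "EventID=4672 AccountName=alice AccountDomain=CORP LogonID=0x3e7a1",
]

_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Return the event's fields as a dict, or None if it is not a 4624 logon."""
    fields = dict(_FIELD.findall(line))
    if fields.get("EventID") != "4624":
        return None
    return fields


def usable_address(text):
    """Parse a Source Network Address; reject values no policy can be keyed on."""
    if text in ("-", ""):
        return None          # local/console logons are logged with "-"
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        return None
    return addr


def logon_pairs(lines):
    """Yield (DOMAIN\\user, address) for every user logon with a usable source."""
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.get("AccountName", "").endswith("$"):
            continue         # skip non-logon events and machine accounts
        addr = usable_address(ev.get("SourceNetworkAddress", "-"))
        if addr is None:
            continue
        yield ev.get("AccountDomain", "") + "\\" + ev["AccountName"], addr


def single_address_mapping(lines):
    """One address per user, last logon wins: the model the thread describes.

    Whichever family the client used for its most recent logon is all the
    firewall ever learns; the earlier address of the other family is lost.
    """
    mapping = {}
    for user, addr in logon_pairs(lines):
        mapping[user] = str(addr)
    return mapping


def per_family_mapping(lines):
    """Keep every observed address per user, grouped by IP version."""
    mapping = defaultdict(lambda: {4: set(), 6: set()})
    for user, addr in logon_pairs(lines):
        mapping[user][addr.version].add(str(addr))
    return dict(mapping)


def users_missing_family(mapping):
    """Users for whom no address of one family was ever seen (policy gap)."""
    return {user: sorted(v for v, addrs in fam.items() if not addrs)
            for user, fam in mapping.items()
            if not (fam[4] and fam[6])}


if __name__ == "__main__":
    print("last-wins:", single_address_mapping(SAMPLE_EVENTS))
    fam = per_family_mapping(SAMPLE_EVENTS)
    print("per-family:", fam)
    print("gaps:", users_missing_family(fam))
```

Even the accumulating variant cannot invent an address the DC never saw: dave only ever reached the DC over IPv6, so his IPv4 address stays unknown until something (a second logon, an endpoint agent, or a RADIUS/DHCP feed) reports it, which is the limitation Paolo points at.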

Tks Paolo.

I guess this SSO Mobility Agent means paying licenses ... (instead of boxes).

I looked at RFC9686. Not sure how well it is supported, probably not yet, but it may be a long term solution for this problem.

Saludos,
Jordi
@jordipalet

On 20 Oct 2025, at 21:46, Paolo Nero <neropaolo0@gmail.com> wrote:

On 20.10.2025 at 16:49, jordi.palet--- via ipv6-wg wrote:
So how do you fix this in the authenticator so it gathers both the IPv4 and IPv6 addresses and consequently opens the firewall for both IPv4 and IPv6 for this user?

Fortinet appliances have supported NAT64 for quite some time without any issues. To simplify captive portal authentication in the network, you can configure Windows clients to operate in IPv6-only mode. If that's not feasible, the setup described below might be helpful.

In our campus wireless network (which runs dual-stack), we've been advertising RDNSS servers via Router Advertisements that provide DNS64, along with a DHCPv4 configuration that includes option v6-only-preferred 43200. It seems that Android clients stop the DHCPv4 negotiation after receiving the first DHCPOFFER packet. Although the ISC-DHCP daemon doesn't fully implement RFC 8925 as far as I know, this setup works fine - all recent Android devices switch to IPv6-only mode. Windows devices in this environment run in dual-stack mode with dual DNS servers (IPv6 with DNS64 and IPv4 without). As a result, Windows also primarily utilizes NAT64 for most connections.

Cheers
--
Marek Zarychta
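The DHCPv4 side of Marek's setup, as an added example that is not part of his message or of ISC DHCP: the RFC 8925 "IPv6-Only Preferred" option (code 108) is a four-byte TLV carrying V6ONLY_WAIT in seconds, which is the 43200 in his configuration. The block encodes it as a server would, walks a constructed DHCPOFFER options field as a client would, and applies the client-side rules from the RFC: ignore the option if it is absent or malformed, treat a value below MIN_V6ONLY_WAIT (300 s) as 300, and only consider the option meaningful to clients that listed code 108 in their Parameter Request List. The options blob and the ISC declaration in the comment are constructed for illustration.

```python
"""RFC 8925 IPv6-Only Preferred (DHCPv4 option 108) encode/decode (added example).

Constructed illustration; not code from the thread, ISC DHCP or any client.
In ISC dhcpd the option is usually declared as a custom option, e.g.
    option v6-only-preferred code 108 = unsigned integer 32;
    option v6-only-preferred 43200;
(assumed declaration; check your dhcpd version's documentation).
"""
import struct

OPTION_PAD, OPTION_END = 0, 255
OPTION_PARAMETER_REQUEST_LIST = 55
OPTION_V6ONLY_PREFERRED = 108      # RFC 8925 option code
MIN_V6ONLY_WAIT = 300              # seconds; RFC 8925 lower bound enforced by the client


def encode_v6only_preferred(seconds):
    """Build the option TLV a server places in DHCPOFFER/DHCPACK."""
    if not 0 <= seconds <= 0xFFFFFFFF:
        raise ValueError("V6ONLY_WAIT must fit in 32 bits")
    return bytes([OPTION_V6ONLY_PREFERRED, 4]) + struct.pack("!I", seconds)


def parse_options(blob):
    """Walk a DHCP options field into {code: raw value}; skips PAD, stops at END."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPTION_PAD:
            i += 1
            continue
        if code == OPTION_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def client_requests_v6only(options):
    """True if the client advertised support by listing 108 in option 55."""
    return OPTION_V6ONLY_PREFERRED in options.get(OPTION_PARAMETER_REQUEST_LIST, b"")


def v6only_wait(options):
    """Client decision on an OFFER: None = stay dual-stack, else seconds to hold IPv4 off.

    Because this is decided on the OFFER, a conforming client can stop the
    DHCPv4 exchange right there, which matches the Android behaviour seen.
    """
    raw = options.get(OPTION_V6ONLY_PREFERRED)
    if raw is None or len(raw) != 4:
        return None                # absent or malformed: ignore, keep IPv4
    value = struct.unpack("!I", raw)[0]
    return max(value, MIN_V6ONLY_WAIT)


# Constructed DHCPOFFER options: message type (53) = OFFER, subnet mask (1),
# v6-only-preferred 43200, END. Only the options field is modelled here.
SAMPLE_OFFER_OPTIONS = (
    b"\x35\x01\x02"
    + b"\x01\x04\xff\xff\xff\x00"
    + encode_v6only_preferred(43200)
    + b"\xff"
)

if __name__ == "__main__":
    opts = parse_options(SAMPLE_OFFER_OPTIONS)
    print("V6ONLY_WAIT from offer:", v6only_wait(opts))
```

The minimum-wait clamp is the check worth noticing operationally: a server configured with a small value does not make clients retry IPv4 sooner, and a client that never asked for option 108 (as Marek notes for Windows in his network) keeps running dual-stack no matter what the server sends.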

Yep, this seems a viable solution.

Tks!

Saludos,
Jordi
@jordipalet

On 20 Oct 2025, at 22:56, Marek Zarychta via ipv6-wg <ipv6-wg@ripe.net> wrote:

By the way, I am wondering how other firewall vendors are actually resolving this?

On 20 Oct 2025, at 23:13, jordi.palet--- via ipv6-wg <ipv6-wg@ripe.net> wrote:
participants (4)
- Gert Doering
- jordi.palet@consulintel.es
- Marek Zarychta
- Paolo Nero