Web-Auth with Pure IPv6 Client

Konstantin Kabassanov · ‎04-03-2017

Hello,
Looking at "Web-Auth with Pure IPv6 Client" of this document (http://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-0/IPV6_DG.html#pgfId-77275), I remarked something strange: [::ffff:192.0.2.1] is an address transported by the IPv4 stack. IPv6 only clients (without IPv4 stack) are unable to route it since there is nothing in their ipv4 routing table. For me, the address should be [::ffff:0:0:192.0.2.1], but wism2 controller considers it as a foreign address and creates a redirection loop...

Any hints?

Thanks.

sandjose_cisco · ‎04-05-2017

[::ffff:0:0:192.0.2.1] is not going to work ,the redirection to the CP will be set to the address [::ffff:192.0.2.1] which is embedded with the virtual IP .

In case you see this an issue raise a tac case with appropriate RFC which states it will not work in a pure IPV6 stack implementation.

Konstantin Kabassanov · ‎04-05-2017

It is really very simple to test using tcpdump... Packets for [::ffff:192.0.2.1] are sent into ipv4 packets with 192.0.2.1 as destination address...

Check: http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding-2.htm ; and you will see that theses addresses are not made for ipv6 traffic.

But you are right, [::ffff:0:0:192.0.2.1] is not the right solution. There are IPv4-Compatible IPv6 Addresses ("deprecated because the current IPv6 transition mechanisms no longer use these addresses" [RFC 4291]), that seem to be useful for Cisco web portal mechanism in the form [::192.0.2.1]. But, of course controller redirects them as it does for [::ffff:0:0:192.0.2.1].

sandjose_cisco · ‎04-05-2017

Raise a tac case the default assignment of the IPV6 address for the system for virtual IP is defined under dtl0 interface

(Cisco Controller) >show system interfaces
dtl0      Link encap:Ethernet HWaddr A4:93:4C:B0:75:6F
          inet addr:2.2.2.2 Bcast:2.2.2.2 Mask:255.255.255.255
          inet6 addr: ::ffff:2.2.2.2/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST MTU:1430 Metric:1
          RX packets:361504371 errors:0 dropped:157 overruns:0 frame:0
          TX packets:152016892 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:107192721133 (99.8 GiB) TX bytes:36451502969 (33.9 GiB)

Konstantin Kabassanov · ‎04-06-2017

OK, thanks.

By the way, on my controller I have:

dtl0      Link encap:Ethernet HWaddr B8:38:21:B2:0A:0F
          inet addr:10.122.14.98 Bcast:10.122.255.255 Mask:255.255.0.0
          inet6 addr: fe80::ba38:21ff:feb2:a0f/64 Scope:Link
          inet6 addr: ::ffff:2.2.2.2/64 Scope:Global

and

dtl0:1    Link encap:Ethernet HWaddr B8:38:21:B2:0A:0F
          inet addr:2.2.2.2 Bcast:2.2.2.2 Mask:255.255.255.255

where dtl0 is the management interface and dtl0:1 the service one...

I wonder why ::ffff:2.2.2.2/64 belongs to the first one?

sandjose_cisco · ‎04-06-2017

which release are you on

8.2 bought about changes the way the interfaces are created on the box

Konstantin Kabassanov · ‎04-10-2017

80.0.140.0

8.2 release has some annoying open caveats and some of them won't be solved before 8.3.

Konstantin Kabassanov · ‎04-11-2017

"Actually, this feature is not supported for pure IPv6 clients."