Authentication Features

Learn more about new authentication features in 10.2, including Authentication Portal support for an IPv6-based redirect host.
New Authentication Feature
Description
Authentication Portal Support for IPv6 Redirect Host
PAN-OS 10.2.9
If your Authentication Portal deployment uses redirect mode and Security Assertion Markup Language (SAML) or Lightweight Directory Access Protocol (LDAP) with multi-factor authentication (MFA), you can now use an IPv6 address for the domain name system (DNS) address (AAAA) record, as well as an IPv4 address.
This allows you to map an IPv6 address on the Layer 3 interface to the redirect host in addition to an IPv4 address (for example, to provide redundancy). By entering a CLI command, you can configure the fully qualified domain name (FQDN) of the redirect host as an IPv6 address. When the firewall starts an Authentication Portal session, it detects whether the FQDN of the host uses IPv4 or IPv6 when it creates the mapping for the user. With this capability, even if the user changes the traffic type from IPv4 to IPv6 during the same session, the firewall can still map the user correctly, ensuring that your user-based security policy is applied consistently throughout your network and across enforcement devices.
You can also use the CLI commands to view or remove the currently configured FQDN of the redirect host. To ensure that the Authentication Portal configuration is successful, make sure to add the required IPv6 address as a DNS attribute in the Subject Alternative Name (SAN) field for the certificate that you configure for your Authentication Portal deployment. This capability allows you to use different internet protocol versions, supporting even more options for your Authentication Portal deployment.
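A check for the SAN requirement above, as an added example that is not from the PAN-OS documentation: it parses the subjectAltName line as printed by `openssl x509 -noout -text` and reports whether the redirect host FQDN and each interface address appear in the certificate. The host name, addresses and SAN line are constructed samples, and matching is exact (wildcard names are not expanded).

```python
import ipaddress

# Constructed sample: SAN line in the form `openssl x509 -noout -text` prints it.
# OpenSSL prints IPv6 addresses uncompressed and in upper case.
SAMPLE_SAN = ("DNS:portal.example.com, DNS:2001:db8::10, "
              "IP Address:2001:DB8:0:0:0:0:0:10, IP Address:192.0.2.10")


def parse_san(san_line):
    """Split an OpenSSL-style SAN line into {'DNS': [...], 'IP': [...]}."""
    entries = {"DNS": [], "IP": []}
    for item in san_line.split(","):
        # Split on the first colon only, so IPv6 values stay intact.
        kind, _, value = item.strip().partition(":")
        if kind == "DNS":
            entries["DNS"].append(value.strip().lower())
        elif kind == "IP Address":
            entries["IP"].append(value.strip())
    return entries


def _as_ip(text):
    """Return an ipaddress object, or None when text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def san_covers(san_line, redirect_fqdn, addresses):
    """Report which redirect-host identifiers the certificate SAN covers.

    Addresses are compared numerically, so '2001:db8::10' matches
    '2001:DB8:0:0:0:0:0:10'. For each address the result lists the SAN
    entry types ('DNS', 'IP') in which it was found.
    """
    san = parse_san(san_line)
    result = {"fqdn": redirect_fqdn.lower().rstrip(".") in san["DNS"]}
    for addr in addresses:
        want = ipaddress.ip_address(addr)
        result[addr] = [kind for kind in ("DNS", "IP")
                        if any(_as_ip(v) == want for v in san[kind])]
    return result


if __name__ == "__main__":
    print(san_covers(SAMPLE_SAN, "portal.example.com",
                     ["2001:db8::10", "192.0.2.10"]))
```

An empty list for the IPv6 address means the certificate was issued without it and needs to be reissued before the AAAA record is put into use.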