Verifying the User Query Connection from an SRX Series Device
Before you begin, you need the following information:
- The port number on the JIMS server for receiving HTTPS requests (by default, port 443)
- The client ID to obtain an OAuth token from the JIMS server for user queries
- The client secret to obtain an OAuth token from the JIMS server for user queries
To verify that the Web API connection and user queries and responses between the SRX Series device and Juniper Identity Management Service are working properly:
- If there are no entries in the authentication table and the status of the Query State on Juniper Identity Management Service is Inactive, do the following:
  - Check if traffic is allowed between Juniper Identity Management Service and the SRX Series device on the configured port (by default, port 443).
  - Check the client ID and client secret for OAuth authentication configured on the SRX Series device and on Juniper Identity Management Service and verify that these values match.
  - Perform a packet capture on the JIMS server.
  - Switch to the HTTP protocol to view cleartext messages.
- If the status of the Query State on Juniper Identity Management Service is Active, display in the trace log any error messages generated by the user query function using the following commands:

    [edit services user-identification]
    user@host# set services user-identification authentication-source aruba-clearpass traceoptions file cp_query
    user@host# set services user-identification authentication-source aruba-clearpass traceoptions file size 5m
    user@host# set services user-identification authentication-source aruba-clearpass traceoptions level all
    user@host# set services user-identification authentication-source aruba-clearpass traceoptions flag all
  The SRX Series device creates a new log named cp_query under /var/log. Check for an XML post similar to the following:

    May 12 09:24:49 uid_set_query_url: query url: https://192.168.5.10/user_query/v1/ip/192.168.8.30
    May 12 09:24:49 uid_set_http_header: set HTTP header "Authorization:Bearer FGDfuanyhlhDhlbuvsoapO6q7VkdvZN8hamxYgk"
    May 12 09:24:49 CURLINFO (query for 192.168.8.30): Added 192.168.5.10:443:192.168.5.10 to DNS cache
    May 12 09:24:49 CURLINFO (query for 192.168.8.30): Found bundle for host 192.168.5.10: 0x868f0c0
    May 12 09:24:49 CURLINFO (query for 192.168.8.30): Re-using existing connection! (#7) with host 192.168.5.10
    May 12 09:24:49 CURLINFO (query for 192.168.8.30): Connected to 192.168.5.10 (192.168.5.10) port 443 (#7)
    May 12 09:24:49 uid_query_write_data_cb: saved curl data: { "source": "Aruba ClearPass", "ip": "192.168.8.30", "user": "peter", "domain": "TME.JNPR.LOCAL", "roles": [ "Administrators", "Domain Admins", "Domain Users", "Denied RODC Password Replication Group", "Users" ], "spt": "Healthy", "updated_at": "2017-05-12T16:14:56.202000Z", "is_online": true, "end-user-attribute": { "device-identity": { "value": "FGU-TMEWIN7-06$",
    May 12 09:24:49 CURLINFO (query for 192.168.8.30): Connection #7 to host 192.168.5.10 left intact
Juniper Identity Management Service replies in JavaScript Object Notation (JSON) format. Look for any error messages in the output.
- When you are done, disable the trace logging.