
Preparing SRX Series Devices Running Junos OS Release 15.1X49-D100, 17.4R1, or Later

 

To enable SRX Series devices (including the vSRX Virtual Firewall) running Junos OS Release 15.1X49-D100, 17.4R1, or a later release to work with Juniper Identity Management Service (JIMS), you must configure the Advanced Query feature on the SRX Series device. This feature enables the SRX Series device to query the JIMS server for the identity information of an individual user, and to pull identity information for a range of users from the JIMS server.

When you configure the Advanced Query feature, the SRX Series device:

  • Queries the JIMS server for identity information that it collected.

  • Populates its local active directory authentication table with the information that it obtained from the JIMS server.

  • Uses its populated local active directory authentication table to authenticate a user or a device requesting access to a protected resource.

The Advanced Query feature also allows you to push authentication entries to the JIMS server for users for whom there are no entries in JIMS but who have successfully authenticated to the SRX Series device through captive portal.

To configure the Advanced Query feature for SRX Series devices, use the identity-management configuration statements listed in Table 5:

Table 5: SRX Series Device Configuration Tasks

Columns: identity-management configuration statement; Function; Junos OS for SRX Series documentation reference

authentication-entry-timeout
  Function: Configure the time-out for the user identity authentication entries. You configure this parameter as part of the advanced user identity query feature for SRX Series devices.
  Reference: authentication-entry-timeout (Identity Management Advanced Query)

batch-query
  Function: Configure the SRX Series device to obtain an access token from the JIMS server and use it to query the server for identity information for an individual user (IP query and user query) or a group of users (batch query). The access token is what allows the SRX Series device to connect to the JIMS server and query it for this information.
  Reference: batch-query

connection
  Function: Configure the parameters for connecting SRX Series devices to the JIMS server to obtain user identity and device information. These parameters include the protocol, the IP address of the JIMS server, and the information used to authenticate the SRX Series device to the JIMS server.
  Note: If you are using more than one JIMS server, you must configure each server separately. The SRX Series device always attempts to connect to the primary server first. If the primary server fails, the SRX Series device falls back to the secondary server. The SRX Series device periodically probes the failed primary server and reverts to it when it is available again.
  Reference: connection (Identity Management Advanced Query)

filter
  Function: The advanced user identity query feature enables the SRX Series device to communicate with the JIMS server to obtain user identity information for an individual user (IP query) or a group of users (batch query). Optionally, you can configure filters to tell the JIMS server, at a more granular level, which users you want information about, based on their IP addresses.
  Reference: filter (Identity Management Advanced Query)

invalid-authentication-entry-timeout
  Function: Configure an independent timeout value to be assigned to invalid user authentication entries in the SRX Series device authentication table for Windows Active Directory. The invalid authentication entry timeout setting is separate from the general authentication entry timeout setting. It lets you protect invalid user authentication entries in the authentication table from expiring before the user can be validated.
  Reference: invalid-authentication-entry-timeout (Services User Identification Active Directory and ClearPass)

ip-query
  Function: Used for the IP query function. When this feature is enabled, the SRX Series device queries the JIMS server for user identity information based on the IP address of a user's device.
  Reference: ip-query (Identity Management Advanced Query)

The following configuration illustrates a basic JIMS server configuration on an SRX Series device:



root@srx1# show services user-identification identity-management
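The hierarchical configuration below is an added, constructed example covering every statement from Table 5 in one place; it is not the page's own show output, and none of the values come from a real deployment. It assumes the sub-statement keywords under [edit services user-identification identity-management] (connection-type, port, primary/secondary with address, client-id and client-secret, token-api, query-api, items-per-batch, query-interval, query-delay-time, include-ip) as they appear in the Junos identity-management hierarchy; the JIMS addresses, the client ID, the secret, the address book name jims-scope and the timeout values are placeholders chosen for illustration. Check each keyword against the reference page listed for that statement in Table 5 for your release.

```junos
/* Added, constructed example: not the page's own configuration output.
   All addresses, IDs, secrets and timers are placeholders. */

/* Lifetime, in minutes, of entries pulled into the local Active Directory
   authentication table, plus the separate timer for entries that are still
   marked invalid (so they are not aged out before the user is validated). */
authentication-entry-timeout 30;
invalid-authentication-entry-timeout 30;

/* Batch (range) query: how many identities per request and how often to ask. */
batch-query {
    items-per-batch 200;
    query-interval 5;
}

/* IP query: delay, in seconds, before asking JIMS about a new source address. */
ip-query {
    query-delay-time 15;
}

/* Optional filter: only query JIMS for addresses in the named address book
   (defined separately under [edit security address-book]). */
filter {
    include-ip jims-scope;
}

/* Connection to JIMS over HTTPS. The primary server is tried first; the
   secondary is used only while the primary is unreachable. */
connection {
    connection-type https;
    port 443;
    primary {
        address 192.0.2.10;
        client-id SRX1-CLIENT-ID;
        client-secret "PLACEHOLDER-SECRET"; /* stored obfuscated as $9$... in real config */
    }
    secondary {
        address 192.0.2.11;
        client-id SRX1-CLIENT-ID;
        client-secret "PLACEHOLDER-SECRET";
    }
    token-api "oauth_token/oauth";
    query-api "user_query/v2";
}
```

After committing, the two checks a practitioner would run (assumed operational-mode command names, not taken from this page) are `show services user-identification identity-management status`, to confirm the token was obtained and which server is active, and `show services user-identification authentication-table authentication-source identity-management`, to confirm that entries are actually being populated. Keep connection-type at https: the client-id and client-secret pair is the only thing authenticating the SRX to JIMS, and the identity entries returned are what the device uses to grant access to protected resources.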