Use Case # 1: Configuring JIMS to Receive Remote Syslog Messages and Verifying the Syslog Messages from SRX Series Device
This configuration example provides step-by-step instructions for receiving ClearPass messages on Juniper Identity Management Service (JIMS): how to configure JIMS to receive and parse ClearPass syslog messages, and how to verify on the SRX Series device that the resulting user and device entries are created and removed.
Requirements
This example uses the following hardware and software components:
SRX5600 Series device running Junos OS Release 18.3R3 or later.
SRX5600 Series device must be configured as a client.
Syslog source: ClearPass on C3000V platform, IP address: 192.0.2.1
Juniper Identity Management Service, Release 1.2.0 or later
Overview and Topology
Juniper Identity Management Service supports receiving remote system log (syslog) event and user information data from an event source such as a ClearPass server. JIMS listens on port 514 for both TCP and UDP to receive syslog messages. The JIMS server extracts user and device data from the syslog messages and transmits it to each SRX Series device, which uses the information to make policy decisions in the user firewall.

Logon and Logoff messages from ClearPass Server to Juniper Identity Management Service
<143>Nov 11 2019 10:56:49.567 CST 10.208.164.25 LEEF:1.0|Aruba Networks|ClearPass|6.7.0.101814|3009|messageId=189694-1-0 Auth.Roles=[Employee]|[Guest]|[User Authenticated] Radius.Username=test3529 Endpoint.Roles=[Employee]|[Guest]|[User Authenticated] Endpoint.Username=test3529 Endpoint.Hostname=huashengmi Endpoint.IP-Address=60.0.13.201 Endpoint.MAC-Address=5f823c000dc9 Endpoint.System-Posture-Token=UNKNOWN src=10.208.164.25 devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z cat=Insight Logs
<143>Nov 11 2019 13:33:32.840 CST 10.208.164.25 LEEF:1.0|Aruba Networks|ClearPass|6.7.0.101814|3006|messageId=793838-1-0 RADIUS.Acct-Username=test3529 RADIUS.Acct-Framed-IP-Address=60.0.13.201 RADIUS.Acct-Timestamp=2019-11-11 13:33:13.325+08 RADIUS.Acct-Status-Type=Stop Common.Roles=[Employee], [Guest], [User Authenticated] RADIUS.Auth-Source=Local:localhost src=10.208.164.25 devTimeFormat=MMM dd yyyy HH:mm:ss.SSS z cat=Session Logs
For more information on ClearPass configuration, see the ClearPass Configuration Manual.
Configuration
Configure Juniper Identity Management Service to Receive and Parse ClearPass Syslog Messages
Step-by-Step Procedure
The tasks required to configure Juniper Identity Management Service include:
1. In the navigation pane, select Data Sources and then select the Syslog Sources tab.
2. In the upper Syslog Configured Sources pane, click Add. The Syslog Server Configuration page appears.
3. In the Syslog Server Configuration box, type the remote syslog server IP address as 192.0.2.1.
4. Click Add to parse the received syslog messages by using a regex to define a search pattern. The Add Syslog Regular Expression Builder dialog appears.
5. Define the syslog regex for this source for logon messages:
   Specify the type of regex processing as Create and Begin.
   Specify the trigger match (the pattern that, when it matches a message, tells the JIMS server to process it) as .*Endpoint.IP-Address=.*
   To create a regex that defines how to extract a specific attribute from the string, click Add. The Regex Attribute Editor appears. Specify the attributes as:
   IP-address: Endpoint.IP-Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
   username: Endpoint.Username=([^ ]+?)\t
   groups: Auth.Roles=(\[.*\])!!!\[(.*?)\]
   domain: default: cppm.com
   devicename: Endpoint.Hostname=([^ ]+?)\t
   devicegroups: Endpoint.Roles=(\[.*\])!!!\[(.*?)\]
   timestamp: <.+>(.*)\s+CST format: -8%b %d %Y %H:%M:%S
6. Repeat step 4 to define the syslog regex for this source for logoff messages:
   Specify the type of regex processing as End Session.
   Specify the trigger match as .*RADIUS.Acct-Status-Type=Stop.*
   Click Add to create a regex that defines how to extract a specific attribute from the string. The Regex Attribute Editor appears. Specify the attributes as:
   IP-Address: Acct-Framed-IP-Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\t
   Timestamp: RADIUS.Acct-Timestamp=(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d+[+-]\d\d) format: %Y-%m-%d %H:%M:%S
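The extraction the regex builder is configured to perform above, as an added Python illustration rather than JIMS code or the JIMS regex engine: it rebuilds the two ClearPass messages from the page with LEEF's tab delimiters (which the \t-terminated regexes above rely on), classifies each message by the page's two trigger matches, and pulls out the attributes each trigger maps. The tab-based LEEF field split, the reading of the "!!!" patterns as "apply the second regex to the captured list", and the constructed sample messages are assumptions made here.

```python
import re

# Constructed samples modelled on the page's two ClearPass messages. LEEF 1.0
# separates attributes with a tab, which the "\t"-terminated regexes above rely on.
LOGON = ("<143>Nov 11 2019 10:56:49.567 CST 10.208.164.25 LEEF:1.0|Aruba Networks|"
         "ClearPass|6.7.0.101814|3009|messageId=189694-1-0\tAuth.Roles=[Employee]|[Guest]|"
         "[User Authenticated]\tRadius.Username=test3529\tEndpoint.Roles=[Employee]|[Guest]|"
         "[User Authenticated]\tEndpoint.Username=test3529\tEndpoint.Hostname=huashengmi\t"
         "Endpoint.IP-Address=60.0.13.201\tEndpoint.MAC-Address=5f823c000dc9\tcat=Insight Logs")
LOGOFF = ("<143>Nov 11 2019 13:33:32.840 CST 10.208.164.25 LEEF:1.0|Aruba Networks|"
          "ClearPass|6.7.0.101814|3006|messageId=793838-1-0\tRADIUS.Acct-Username=test3529\t"
          "RADIUS.Acct-Framed-IP-Address=60.0.13.201\tRADIUS.Acct-Timestamp=2019-11-11 "
          "13:33:13.325+08\tRADIUS.Acct-Status-Type=Stop\tcat=Session Logs")

IPV4 = r"(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"  # the IP-address capture used on the page
ACCT_TS = r"(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d+[+-]\d\d)"  # page's logoff timestamp

def parse_leef(msg):
    """Split a LEEF 1.0 line into its syslog prefix, event ID and tab-delimited attributes.
    The header is split on at most 4 '|' because role values such as [Employee]|[Guest]
    also contain '|' (assumed helper standing in for JIMS's own parser)."""
    prefix, _, rest = msg.partition("LEEF:1.0|")
    _vendor, _product, _version, event_id, attrs = rest.split("|", 4)
    fields = dict(a.split("=", 1) for a in attrs.split("\t") if "=" in a)
    return prefix.strip(), event_id, fields

def roles(value):
    """'[Employee]|[Guest]' -> ['Employee', 'Guest']: the \\[(.*?)\\] half of the page's
    '!!!' patterns, read here as 'apply to the captured list' (assumption)."""
    return re.findall(r"\[(.*?)\]", value)

def jims_event(msg):
    """Apply the page's two trigger matches and return the attributes each one maps;
    None means neither trigger fired and the message would be ignored."""
    prefix, _event_id, f = parse_leef(msg)
    if re.search(r"RADIUS\.Acct-Status-Type=Stop", msg):   # logoff trigger from the page
        return {"action": "End Session",
                "ip": re.search(r"Acct-Framed-IP-Address=" + IPV4, msg).group(1),
                "timestamp": re.search(r"RADIUS\.Acct-Timestamp=" + ACCT_TS, msg).group(1)}
    if re.search(r"Endpoint\.IP-Address=", msg):           # logon trigger from the page
        return {"action": "Create and Begin",
                "ip": re.search(r"Endpoint\.IP-Address=" + IPV4, msg).group(1),
                "username": f["Endpoint.Username"],
                "groups": roles(f["Auth.Roles"]),
                "domain": "cppm.com",                          # static default from the page
                "devicename": f["Endpoint.Hostname"],
                "devicegroups": roles(f["Endpoint.Roles"]),
                "timestamp": re.match(r"<.+>(.*)\s+CST", prefix).group(1)}
    return None
```

jims_event(LOGON) yields the Create and Begin record that becomes the SRX authentication-table and device-information entries shown in the verification below, while jims_event(LOGOFF) yields only the IP address and timestamp needed to end that session.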
Verification
Verify the User or Device Entries are Generated Along with Logon Syslog Message on SRX5600 Series Device
Purpose
Verify that the user and device entries are generated on the SRX5600 device when the logon syslog message is received.
Action
On the SRX5600 device, use the show services user-identification authentication-table ip-address 60.0.13.201 CLI command.
user@host> show services user-identification authentication-table ip-address 60.0.13.201
node0:
--------------------------------------------------------------------------
Logical System: root-logical-system
Domain: cppm.com
Source-ip: 60.0.13.201
Username: test3529
Groups:posture-healthy, employee, user authenticated, guest
Groups referenced by policy:employee, user authenticated, guest
State: Valid
Source: JIMS - Syslog
Access start date: 2019-11-11
Access start time: 10:57:49
Last updated timestamp: 2019-11-11 02:56:49
Age time: 0
On the SRX5600 device, use the show services user-identification device-information table ip-address 60.0.13.201 CLI command.
user@host> show services user-identification device-information table ip-address 60.0.13.201
node0:
--------------------------------------------------------------------------
Domain: cppm.com
Source IP: 60.0.13.201
Device ID: huashengmi$
Device-Groups: employee, guest, user authenticated
Referred by: N/A
Meaning
The output shows that the user entry and the device entry are generated when the logon message is received.
Verify the User or Device Entries are Removed Along with Logoff Syslog Message on SRX5600 Series Device
Purpose
Verify that the user and device entries are removed from the SRX5600 device when the logoff syslog message is received.
Action
On the SRX5600 device, use the show services user-identification authentication-table ip-address 60.0.13.201 CLI command.
user@host> show services user-identification authentication-table ip-address 60.0.13.201
node0:
--------------------------------------------------------------------------
warning: "This IP address isn't in authentication table."
On the SRX5600 device, use the show services user-identification device-information table ip-address 60.0.13.201 CLI command.
user@host> show services user-identification device-information table ip-address 60.0.13.201
node0:
--------------------------------------------------------------------------
warning: "This IP address isn't in device-identity table."
Meaning
The output shows that the user and device entries on the SRX5600 device are removed when the logoff message is received.