Preparing SRX Series Devices Running Junos OS Release 12.3X48-D45 or Later
To prepare SRX Series devices running Junos OS Release 12.3X48-D45 or later to work with Juniper Identity Management Service, perform the following tasks.
Configuring the SRX Series User Query Function to Connect to Juniper Identity Management Service
Configuring the user query function allows an SRX Series device running Junos OS Release 12.3X48-D45 or later to connect automatically to Juniper Identity Management Service to make requests for authentication information for individual users.
The user query function supplements input from Juniper Identity Management Service. For the user query function, the SRX Series device is the HTTPS client and sends HTTPS requests to Juniper Identity Management Service on port 443.
Before you begin, you need the following information:
- The hostname of the JIMS server
- The IP address of the JIMS server
- The port number on the JIMS server for receiving HTTPS requests
- The client ID to obtain an OAuth token from the JIMS server for user queries
- The client secret to obtain an OAuth token from the JIMS server for user queries
To configure the SRX Series device to make individual user queries automatically:
- Configure Juniper Identity Management Service as the authentication source for user query requests, and configure the JIMS server name and its IP address. The SRX Series device requires this information to contact the server.

    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass user-query web-server jims address 192.168.5.10
- Configure the port number on the JIMS server to which the SRX Series device sends HTTPS requests.

    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass user-query web-server jims port 443
- Configure the client ID and client secret that the SRX Series device requires to obtain the OAuth access token used for user queries.

    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass user-query client-id client-id
    user@host# set authentication-source aruba-clearpass user-query client-secret client-secret
The client ID and client secret are required values. They must match the client ID and client secret that you configure later for this SRX Series client on Juniper Identity Management Service.
- Configure the token API that is used in generating the URL for acquiring an OAuth access token.

    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass user-query token-api "oauth_token/oauth"
In this example, the token API is oauth_token/oauth. It is combined with the following information to generate the complete URL for acquiring an OAuth access token (https://192.168.5.10/oauth_token/oauth):
- The connection method is HTTPS.
- In this example, the IP address of the JIMS server is 192.168.5.10.
- Configure the query API to use for querying individual user authentication and identity information.

    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass user-query query-api "user_query/v1/ip/$IP$"
In this example, the query-api is user_query/v1/ip/$IP$. It is combined with the URL https://192.168.5.10/oauth_token/oauth resulting in https://192.168.5.10/oauth_token/oauth/user_query/v1/ip/$IP$.
The $IP$ variable is replaced with the IP address of the end-user’s device for the user whose authentication information the SRX Series device is requesting.
- Configure the amount of time in seconds to delay before the SRX Series device sends the individual user query. In this example, there is no delay.

    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass user-query delay-query-time 0
- Configure the timeout interval in minutes after which idle entries in the authentication table on the SRX Series device expire. The timeout interval begins when the user authentication entry is added to the authentication table.

    [edit services user-identification]
    user@host# set authentication-source aruba-clearpass authentication-entry-timeout 240
Configuring the SRX Series Web API to Connect to Juniper Identity Management Service
Configuring the SRX Series Web API allows Juniper Identity Management Service to initialize a connection to an SRX Series device running Junos OS Release 12.3X48-D45 or later.
Before you begin, you need the following information:
- A username and password for the Web API daemon account
- The IP address of the JIMS server’s data port
- The name of the security zone in which to allow the Web API at the zone level
To configure the Web API daemon to work with Juniper Identity Management Service:
- Configure the Web API daemon (webapi) username and password for the account. This information is used for the HTTPS certification request.

    [edit system services]
    user@host# set webapi user username password password

- Configure the Web API client address. This is the IP address of the JIMS server’s data port. The SRX Series device accepts information from this address only.

  Note: The JIMS server’s data port whose address is configured here is the same one that is used for the user query function, if you configure that function.

    [edit system services]
    user@host# set webapi client 192.168.5.10

  In this example, 192.168.5.10 is the IP address of the JIMS server’s data port.
- Configure the Web API daemon HTTP service port and HTTPS service port. If you enable the Web API service on the default TCP port 8080 or 8443, you must enable host inbound traffic on that port.

    [edit system services]
    user@host# set webapi http port 8080
    user@host# set webapi https port 8443

- Configure the Web API daemon to use the HTTPS default certificate.

    [edit system services]
    user@host# set webapi https default-certificate

- Configure the trace level for the Web API daemon. The supported trace levels are notice, warn, error, crit, alert, and emerg. The default value is error.

    [edit system services]
    user@host# set webapi debug-level alert

- Allow the Web API at the zone level (the zone in this example is called Infra).

    [edit security zones]
    user@host# set security-zone Infra host-inbound-traffic system-services webapi-clear-text
    user@host# set security-zone Infra host-inbound-traffic system-services webapi-ssl
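The two procedures above depend on each other in ways that are easy to get wrong when the statements are entered separately. The following Python script is an added check, not part of this Juniper page and not a Junos feature: it parses the set statements from both procedures in the form `show configuration | display set` prints them (a constructed sample using the page's example values), verifies the cross-dependencies the page states (the webapi client address is the same data port as the user-query server address, query-api carries the $IP$ placeholder, a zone allows webapi-ssl when the HTTPS port is set, the required user-query values are present), and builds the token and query URLs the way the page describes them.

```python
import shlex

# Constructed sample: set statements from this page's two procedures, as "show configuration | display set" prints them.
SAMPLE_CONFIG = """
set services user-identification authentication-source aruba-clearpass user-query web-server jims address 192.168.5.10
set services user-identification authentication-source aruba-clearpass user-query web-server jims port 443
set services user-identification authentication-source aruba-clearpass user-query client-id client-id
set services user-identification authentication-source aruba-clearpass user-query client-secret client-secret
set services user-identification authentication-source aruba-clearpass user-query token-api "oauth_token/oauth"
set services user-identification authentication-source aruba-clearpass user-query query-api "user_query/v1/ip/$IP$"
set system services webapi client 192.168.5.10
set system services webapi https port 8443
set security zones security-zone Infra host-inbound-traffic system-services webapi-clear-text
set security zones security-zone Infra host-inbound-traffic system-services webapi-ssl
"""
UQ = "services user-identification authentication-source aruba-clearpass user-query "

def parse(text):
    """Tokenize each 'set ...' line with quotes stripped, dropping the leading 'set'."""
    return [shlex.split(line)[1:] for line in text.splitlines() if line.strip().startswith("set ")]

def get(stmts, prefix):
    """Token after prefix in the first matching statement; True for a bare flag; None if absent."""
    p = prefix.split()
    for t in stmts:
        if t[:len(p)] == p:
            return t[len(p)] if len(t) > len(p) else True
    return None

def derived_urls(text, end_user_ip):
    """Token URL and per-user query URL, built as the page describes (HTTPS + JIMS address + API path)."""
    stmts = parse(text)
    token_url = f"https://{get(stmts, UQ + 'web-server jims address')}/{get(stmts, UQ + 'token-api')}"
    return token_url, f"{token_url}/{get(stmts, UQ + 'query-api')}".replace("$IP$", end_user_ip)

def check_config(text):
    """Cross-check the two procedures; returns a list of findings (empty means consistent)."""
    stmts, findings = parse(text), []
    for key in ("web-server jims address", "web-server jims port", "client-id", "client-secret", "token-api", "query-api"):
        if get(stmts, UQ + key) is None:
            findings.append(f"user-query {key} is not configured")
    qapi = get(stmts, UQ + "query-api")
    if qapi and "$IP$" not in qapi:
        findings.append("query-api lacks the $IP$ placeholder, so every query would name the same address")
    if get(stmts, "system services webapi client") != get(stmts, UQ + "web-server jims address"):
        findings.append("webapi client address differs from the user-query JIMS address (same data port per the page)")
    zone_svcs = {t[-1] for t in stmts if t[:2] == ["security", "zones"] and "system-services" in t}
    if get(stmts, "system services webapi https port") and "webapi-ssl" not in zone_svcs:
        findings.append("webapi https port is set but no zone allows webapi-ssl host-inbound traffic")
    return findings
```

Run `check_config` on the output of `show configuration | display set` from the device; an empty list means the statements from both procedures agree with each other.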