
Preparing SRX Series Devices Running Junos OS Release 12.3X48-D45 or Later

To prepare SRX Series devices running Junos OS Release 12.3X48-D45 or later to work with Juniper Identity Management Service, perform the following tasks.

Configuring the SRX Series User Query Function to Connect to Juniper Identity Management Service

Configuring the user query function allows an SRX Series device running Junos OS Release 12.3X48-D45 or later to connect automatically to Juniper Identity Management Service to make requests for authentication information for individual users.

The user query function supplements input from Juniper Identity Management Service. For the user query function, the SRX Series device is the HTTPS client and sends HTTPS requests to Juniper Identity Management Service on port 443.

Before you begin, you need the following information:

  • The hostname of the JIMS server

  • The IP address of the JIMS server

  • The port number on the JIMS server for receiving HTTPS requests

  • The client ID to obtain an OAuth token from the JIMS server for user queries

  • The client secret to obtain an OAuth token from the JIMS server for user queries

To configure the SRX Series device to make individual user queries automatically:

  1. Configure Juniper Identity Management Service as the authentication source for user query requests, and configure the JIMS server name and its IP address. The SRX Series device requires this information to contact the server.

  2. Configure the port number on the JIMS server to which the SRX Series device sends HTTPS requests.

  3. Configure the client ID and client secret that the SRX Series device requires to obtain an OAuth access token required for user queries.

    The client ID and client secret are required values. They must match the client ID and client secret that you configure later for this SRX Series client on Juniper Identity Management Service.

  4. Configure the token API that is used in generating the URL for acquiring an OAuth access token.

    In this example, the token API is oauth_token/oauth. It is combined with the following information to generate the complete URL for acquiring an OAuth access token (https://192.168.5.10/oauth_token/oauth).

    • The connection method is HTTPS.

    • In this example, the IP address of the JIMS server is 192.168.5.10.

  5. Configure the query API to use for querying individual user authentication and identity information.

    In this example, the query API is user_query/v1/ip/$IP$. It is combined with the URL https://192.168.5.10/oauth_token/oauth, resulting in https://192.168.5.10/oauth_token/oauth/user_query/v1/ip/$IP$.

    The $IP$ variable is replaced with the IP address of the end-user’s device for the user whose authentication information the SRX Series device is requesting.

  6. Configure the amount of time in seconds to delay before the SRX Series device sends the individual user query. In this example, there is no delay.

  7. Configure the timeout interval in minutes after which idle entries in the authentication table on the SRX Series device expire. The timeout interval begins from when the user authentication entry is added to the authentication table.
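
The following set commands are an added example of steps 1 through 7 as a single Junos OS configuration; they are not configuration from this page. The page gives the IP address 192.168.5.10, port 443, the token API oauth_token/oauth, the query API user_query/v1/ip/$IP$ and a delay of zero. The [edit services user-identification authentication-source aruba-clearpass] hierarchy (which Junos OS 12.3X48 reuses for the JIMS user query function), the server name jims, the client ID srx-client-1, the placeholder secret and the 60-minute timeout are assumptions; confirm each keyword with the CLI's ? help in your release before committing.

```junos
# Added example, not the page's own configuration. Hierarchy, server name,
# client ID, secret and timeout value are assumptions; verify with "?" first.

# Step 1: JIMS as the authentication source, with the server name and IP address
set services user-identification authentication-source aruba-clearpass user-query web-server jims address 192.168.5.10
# The SRX Series device is the HTTPS client (connection method from step 4)
set services user-identification authentication-source aruba-clearpass user-query web-server jims connect-method https
# Step 2: port on the JIMS server that receives the HTTPS requests
set services user-identification authentication-source aruba-clearpass user-query web-server jims port 443
# Step 3: client ID and secret used to obtain the OAuth access token; these must
# match the values configured later for this SRX client on JIMS
set services user-identification authentication-source aruba-clearpass user-query client-id srx-client-1
set services user-identification authentication-source aruba-clearpass user-query client-secret "replace-with-client-secret"
# Step 4: token API, giving https://192.168.5.10/oauth_token/oauth
set services user-identification authentication-source aruba-clearpass user-query token-api oauth_token/oauth
# Step 5: query API; $IP$ is replaced with the end-user device's IP at query time
set services user-identification authentication-source aruba-clearpass user-query query-api user_query/v1/ip/$IP$
# Step 6: no delay before the individual user query is sent
set services user-identification authentication-source aruba-clearpass user-query delay-query-time 0
# Step 7: idle authentication entries expire after 60 minutes (assumed value)
set services user-identification authentication-source aruba-clearpass authentication-entry-timeout 60

commit check
commit

# Check that user entries are being learned into the authentication table
show services user-identification authentication-table authentication-source all
```

Junos OS stores the client secret in the configuration in its obfuscated ($9$) form, so anyone with read access to the configuration can recover it; restrict configuration access accordingly and rotate the secret on JIMS if the configuration is shared. Because the SRX Series device trusts the identity data it receives, keep the web-server address pinned to the JIMS data port address rather than a broader range.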

Configuring the SRX Series Web API to Connect to Juniper Identity Management Service

Configuring the SRX Series Web API allows Juniper Identity Management Service to initialize a connection to an SRX Series device running Junos OS Release 12.3X48-D45 or later.

Before you begin, you need the following information:

  • A username and password for the Web API daemon account

  • The IP address of the JIMS server’s data port

  • The name of the security zone to allow the Web API at the zone level

To configure the Web API daemon to work with Juniper Identity Management Service:

  1. Configure the Web API daemon (webapi) username and password for the account.

    This information is used for the HTTPS certification request.

  2. Configure the Web API client address. This is the IP address of the JIMS server’s data port.

    The SRX Series device accepts information from this address only.

    Note

    The JIMS server’s data port whose address is configured here is the same one that is used for the user query function, if you configure that function.

    In this example, 192.168.5.10 is the IP address of the JIMS server’s data port.

  3. Configure the Web API daemon HTTP service port and HTTPS service port.

    If you enable the Web API service on the default TCP port 8080 or 8443, you must enable host inbound traffic on that port.

  4. Configure the Web API daemon to use the HTTPS default certificate.

  5. Configure the trace level for the Web API daemon.

    The supported trace levels are notice, warn, error, crit, alert, emerg. The default value is error.

  6. Allow the Web API at the zone level (the zone in this example is called Infra).
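
The following set commands are an added example of steps 1 through 6 for the Web API daemon; they are not configuration from this page. The client address 192.168.5.10, the default ports 8080 and 8443, the trace level error and the zone name Infra come from the page. The account name jims-webapi and the placeholder password are assumptions, and the keyword names are those of the Junos OS [edit system services webapi] hierarchy as the example assumes them; confirm them with the CLI's ? help in your release before committing.

```junos
# Added example, not the page's own configuration. Account name and password
# are placeholders; verify keyword names with "?" in your release.

# Step 1: Web API daemon account used for the HTTPS certification request
set system services webapi user jims-webapi password "replace-with-password"
# Step 2: only the JIMS data port address is accepted as a Web API client
set system services webapi client 192.168.5.10
# Step 3: HTTP and HTTPS service ports (defaults shown)
set system services webapi http port 8080
set system services webapi https port 8443
# Step 4: use the default HTTPS certificate
set system services webapi https default-certificate
# Step 5: trace level (notice | warn | error | crit | alert | emerg; default is error)
set system services webapi debug-level error
# Step 6: allow the Web API at the zone level; these are host-inbound services,
# which is the step required when the default ports 8080 or 8443 are used
set security zones security-zone Infra host-inbound-traffic system-services webapi-ssl
set security zones security-zone Infra host-inbound-traffic system-services webapi-clear-text

commit check
commit

# Review the resulting configuration
show configuration system services webapi
show configuration security zones security-zone Infra host-inbound-traffic
```

Only the zone that faces the JIMS data port needs the Web API host-inbound services; do not enable them on Internet-facing zones. If JIMS is configured to use HTTPS only, the webapi-clear-text line can be omitted so that identity pushes cannot arrive over plain HTTP.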