Verifying the Web API Connection from an SRX Series Device
Before you begin, you need the following information:
- The HTTPS port number (default value is 8443) or HTTP port number (default value is 8080) on the SRX Series device
- The username and password that the HTTPS or HTTP server on the SRX Series device uses to authenticate incoming connections
To verify that the Web API connection and data communications between an SRX Series device and Juniper Identity Management Service are working properly:
- Verify that users are in the Valid state by checking the user authentication tables on the SRX Series device:
    user@host> show services user-identification authentication-table authentication-source aruba-clearpass all
    user@host> show services user-identification authentication-table authentication-source aruba-clearpass all extensive
These commands display the entire ClearPass authentication table contents. In this scenario, the ClearPass authentication table’s user entries include authentication and identity information that the SRX Series device obtains from Juniper Identity Management Service.
- If there are no entries in the authentication table and the status of the Web API connection on Juniper Identity Management Service is Connect Failed, do the following:
    - Check if traffic is allowed between Juniper Identity Management Service and the SRX Series device on the configured ports (by default, HTTPS port 8443 and HTTP port 8080).
    - Check the configured user credentials.
    - Perform a packet capture on Juniper Identity Management Server.
    - Switch to the HTTP protocol to view cleartext messages.
- If the status of the Web API connection on the JIMS server is Connected, enable debugging by using the following commands:
    [edit services user-identification]
    user@host# set system services webapi debug-log api-log
    user@host# set system services webapi debug-level info
The SRX Series device creates a new log named api_log under /var/log. Check for an XML post similar to the following:
    2017/05/12 18:39:08 [info] 99992#0: 99992#0: <?xml version="1.0" encoding="UTF-8"?>
    <userfw-entries>
      <userfw-entry>
        <source>Aruba ClearPass</source>
        <timestamp>2017-05-12T01:38:38.850000Z</timestamp>
        <operation>logon</operation>
        <IP>192.168.8.29</IP>
        <domain>domain_name</domain>
        <user>pete</user>
        <role-list>
          <role>Domain Admins</role>
          <role>Administrators</role>
          <role>Denied RODC Password Replication Group</role>
          <role>Domain Users</role>
          <role>juniper</role>
        </role-list>
        <posture>Healthy</posture>
        <end-user-attribute>
          <device-identity>
            <value>FGU-TMEWIN7-06$</value>
          </device-identity>
        </end-user-attribute>
      </userfw-entry>
    </userfw-entries>
This is the HTTPS POST message from Juniper Identity Management Service to the SRX Series device. Following this post is the parsing of XML data by the SRX Series device. Look for any error messages in the data.
- When you are done, disable debug logging.
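When reviewing a copy of api_log off the device, the check for malformed posts can be scripted. The following is an added example, not Juniper code: it assumes each post runs from `<userfw-entries>` to `</userfw-entries>` in the log text, and the function names and sample log lines are constructed for illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Assumption: every post in api_log spans <userfw-entries> ... </userfw-entries>.
# Slicing from the root element drops any prolog, so no DTD reaches the parser.
POST_RE = re.compile(r"<userfw-entries>.*?</userfw-entries>", re.DOTALL)
REQUIRED = ("source", "timestamp", "operation", "IP", "user")

def check_entry(entry):
    """Summarize one <userfw-entry> and list what is wrong with it."""
    fields = {tag: (entry.findtext(tag) or "").strip() for tag in REQUIRED}
    problems = [f"missing <{tag}>" for tag, value in fields.items() if not value]
    if fields["IP"]:
        try:
            ipaddress.ip_address(fields["IP"])
        except ValueError:
            problems.append(f"bad IP {fields['IP']!r}")
    roles = [r.text for r in entry.findall("role-list/role") if r.text]
    return {"user": fields["user"], "ip": fields["IP"], "roles": roles, "problems": problems}

def check_api_log(log_text):
    """Check every post in the log text; malformed XML is reported, not raised."""
    results = []
    for match in POST_RE.finditer(log_text):
        try:
            root = ET.fromstring(match.group(0))
        except ET.ParseError as exc:
            results.append({"user": "", "ip": "", "roles": [],
                            "problems": [f"not well-formed: {exc}"]})
            continue
        results.extend(check_entry(e) for e in root.findall("userfw-entry"))
    return results

# Constructed sample log lines (not captured from a device).
_POST = ("2024/01/01 10:00:00 [info] 1#0: <userfw-entries><userfw-entry>"
         "<source>Aruba ClearPass</source><timestamp>2024-01-01T10:00:00Z</timestamp>"
         "{op}<IP>{ip}</IP><user>{user}</user>"
         "<role-list><role>Domain Users</role></role-list></userfw-entry></userfw-entries>\n")
SAMPLE_LOG = (_POST.format(op="<operation>logon</operation>", ip="192.0.2.10", user="alice")
              + _POST.format(op="<operation>logon</logon>", ip="192.0.2.20", user="bob")
              + _POST.format(op="<operation>logon</operation>", ip="192.0.2.30>", user="carol"))

if __name__ == "__main__":
    for result in check_api_log(SAMPLE_LOG):
        print(result)
```

The second sample post fails XML parsing because of a mismatched closing tag; the third parses cleanly but carries a stray character in the IP field, which only the field-level check catches.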