
Understanding the Integrated ClearPass Authentication and Enforcement User Query Function

This topic focuses on how you can obtain user authentication and identity information for an individual user when that information is not posted directly to the SRX Series device by the ClearPass Policy Manager (CPPM).

The SRX Series integrated ClearPass authentication and enforcement feature allows the SRX Series device and Aruba ClearPass to control access to protected resources and the Internet from wireless and wired devices. For this to occur, ClearPass sends user authentication and identity information to the SRX Series device. The SRX Series device stores the information in its ClearPass authentication table. To send this information, usually the CPPM uses the Web API (webapi) services implementation, which allows it to make HTTP or HTTPS POST requests to the SRX Series device.

For various reasons, the CPPM might not send user authentication information for a particular user. When traffic from that user arrives at the SRX Series device, the device cannot authenticate the user. If you configure the SRX Series device to enable the user query function, it can query the ClearPass webserver for authentication information for that individual user. The SRX Series device bases the query on the IP address of the user’s device, which it obtains from the user’s access request traffic.

If the user query function is configured, the query process is triggered automatically whenever the SRX Series device receives traffic from a user requesting access to a resource or the Internet and does not find an entry for that user in its ClearPass authentication table. The SRX Series device does not search its other authentication tables. Rather, it sends a query to the CPPM requesting authentication information for the user. Figure 3 depicts the user query process. In this example:

  1. A user attempts to access a resource. The SRX Series device receives the traffic requesting access. The SRX Series device searches for an entry for the user in its ClearPass authentication table, but none is found.
  2. The SRX Series device requests authentication for the user from the CPPM.
  3. The CPPM authenticates the user and returns the user authentication and identity information to the SRX Series device.
  4. The SRX Series device creates an entry for the user in its ClearPass authentication table, and grants the user access to the Internet.

Figure 3: The SRX Series ClearPass Integration User Query Function


You can control when the SRX Series device sends its requests automatically by configuring the following two mechanisms:

  • The delay-query-time parameter

    To determine the value to set for the delay-query-time parameter, it helps to understand the events and duration involved in how user identity information is transferred to the SRX Series device from ClearPass, and how the delay-query-time parameter influences the query process.

    A delay is incurred from when the CPPM initially posts user identity information to the SRX Series device using the Web API to when the SRX Series device can update its local ClearPass authentication table with that information. The user identity information must first pass through the ClearPass device’s control plane and the control plane of the SRX Series device. In other words, this process can delay when the SRX Series device can enter the user identity information in its ClearPass authentication table.

    While this process is taking place, traffic might arrive at the SRX Series device that is generated by an access request from a user whose authentication and identity information is in transit from ClearPass to the SRX Series device.

    Rather than allow the SRX Series device to respond automatically by sending a user query immediately, you can set a delay-query-time parameter, specified in seconds, that allows the SRX Series device to wait for a period of time before sending the query.

    After the delay timeout expires, the SRX Series device sends the query to the CPPM and creates a pending entry in the Routing Engine authentication table. During this period, the traffic matches the default policy and is dropped or allowed, depending on the policy configuration.

    Note: If there are many query requests in the queue, the SRX Series device can maintain multiple concurrent connections to ClearPass to increase throughput. However, to ensure that ClearPass is not stressed by these connections, the number of concurrent connections is limited to 20. You cannot change this value.

  • A default policy, which is applied to a packet if the SRX Series device does not find an entry for the user associated with the traffic in its ClearPass authentication table.

    The system default policy is configured to drop packets. You can override this action by configuring a default policy that specifies a different action to apply to this traffic.

Table 3 shows the effect on the user query function in regard to whether or not Active Directory is enabled.

Table 3: Relationship Between User Query Function and Active Directory Authentication as Processed by the CLI

  Active Directory Is Configured   ClearPass User Query Function Is Enabled   CLI Check Result
  No                               No                                         Pass
  No                               Yes                                        Pass
  Yes                              No                                         Pass
  Yes                              Yes                                        Fail

To avoid the failure condition reflected in the bottom row of the table, you must disable either Active Directory or the user query function. If both are configured, the system displays the following error message:

The priority of CP auth source is higher than AD auth source, and the CP user-query will shadow all AD features. Therefore, please choose either disabling CP user-query or not configuring AD.
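The following Python model is an added illustration of the behaviour described on this page; it is not Juniper code and does not talk to a real SRX Series device or CPPM. It covers the user query timeline (the delay-query-time wait, the pending entry while the query is outstanding, and the default policy that applies until an entry exists) and the Table 3 check that fails when both Active Directory and the user query function are configured. The class and function names, the in-memory stand-in for the CPPM lookup, the query latency value and the sample IP addresses are all constructed for this example; the 20-connection limit is not modelled.

```python
"""Model of the SRX Series ClearPass user-query process (added example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Action(Enum):
    PERMIT = "permit"
    DROP = "drop"


@dataclass
class UserEntry:
    """One row of the ClearPass authentication table (constructed layout)."""
    ip: str
    user: str
    groups: Tuple[str, ...]


@dataclass
class ClearPassUserQuery:
    """Simulated SRX device: local ClearPass auth table plus the user query."""
    cppm_lookup: Callable[[str], Optional[UserEntry]]  # stand-in for the CPPM query
    delay_query_time: float = 0.0        # seconds to wait before querying the CPPM
    query_latency: float = 1.0           # assumed round-trip time of one query
    default_policy: Action = Action.DROP  # the system default policy drops packets
    auth_table: Dict[str, UserEntry] = field(default_factory=dict)
    delay_timer: Dict[str, float] = field(default_factory=dict)   # ip -> delay expiry
    pending: Dict[str, Tuple[float, Optional[UserEntry]]] = field(default_factory=dict)
    queries_sent: List[Tuple[str, float]] = field(default_factory=list)

    def _advance(self, now: float) -> None:
        # Delay timers that have expired: send the query and create a pending entry.
        for ip, due in list(self.delay_timer.items()):
            if now >= due:
                del self.delay_timer[ip]
                self.queries_sent.append((ip, due))
                self.pending[ip] = (due + self.query_latency, self.cppm_lookup(ip))
        # Pending queries whose response has arrived: populate the auth table.
        for ip, (arrives, result) in list(self.pending.items()):
            if now >= arrives:
                del self.pending[ip]
                if result is not None:
                    self.auth_table[ip] = result

    def handle_packet(self, src_ip: str, now: float) -> Action:
        """Decide the fate of one access request seen at simulated time `now`."""
        self._advance(now)
        if src_ip in self.auth_table:
            return Action.PERMIT              # entry found: normal policy lookup
        if src_ip not in self.pending and src_ip not in self.delay_timer:
            self.delay_timer[src_ip] = now + self.delay_query_time  # first miss
        return self.default_policy            # no entry yet: default policy applies


def check_auth_sources(active_directory_configured: bool,
                       user_query_enabled: bool) -> bool:
    """Table 3: the CLI check fails only when AD and user query are both enabled."""
    return not (active_directory_configured and user_query_enabled)


def simulate(delay_query_time: float = 3.0,
             default_policy: Action = Action.DROP):
    """Replay one user's packets at t = 0..6 s and record the action for each."""
    # Constructed CPPM directory: only 10.1.1.5 is known to ClearPass.
    directory = {"10.1.1.5": UserEntry("10.1.1.5", "alice", ("staff",))}
    srx = ClearPassUserQuery(cppm_lookup=directory.get,
                             delay_query_time=delay_query_time,
                             query_latency=1.0,
                             default_policy=default_policy)
    timeline = [(t, srx.handle_packet("10.1.1.5", float(t))) for t in range(7)]
    return srx, timeline


if __name__ == "__main__":
    device, events = simulate()
    for t, action in events:
        print(f"t={t}s {action.value}")
    print("queries sent:", device.queries_sent)
    print("AD + user query allowed:", check_auth_sources(True, True))
```

With the defaults, the packets at t = 0 to 3 s are dropped (three during the delay, one while the query is outstanding), the entry is installed when the response arrives at t = 4 s, and only one query is sent; setting `default_policy=Action.PERMIT` lets the same traffic through during that window, which is the trade-off the default policy setting controls.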


Modified: 2016-05-01