query-api (Services User Identification)

Syntax

query-api query-api

Hierarchy Level

[edit services user-identification authentication-source aruba-clearpass user-query]

Release Information

Statement introduced in Junos OS Release 12.3X48-D30.

Description

Configure query-api to specify the path of the URL that the SRX Series device uses to query the ClearPass Policy Manager (CPPM) webserver for authentication and identity information for an individual user. For the SRX Series device to be able to make a request, you must have configured it to obtain an access token. See token-api (Services User Identification).

The integrated ClearPass authentication and enforcement user query function supplements the Web API function (webapi) by allowing the SRX Series device to obtain from the CPPM authentication information for an individual user whose information does not already exist in the SRX Series ClearPass authentication table.

Consider the following query-api example:

api/v1/insight/endpoint/ip/$IP$

The SRX Series device generates the complete URL for the user query request by combining the query-api string with the connection method (HTTPS) and the CPPM webserver IP address ({$server}).

https://{$server}/api/v1/insight/endpoint/ip/$IP$

In this example, the SRX Series device replaces the variables with the following values, resulting in a specific URL request for the individual user:

https://10.17.4.12/api/v1/insight/endpoint/ip/10.17.4.12
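
The URL assembly described above, modeled as an added example (not Junos OS code) that can be used to sanity-check a query-api string before committing it. The function name and the validation rules are assumptions of this example, and IPv6 bracket handling goes beyond the page's IPv4 case.

```python
import ipaddress
from urllib.parse import urlsplit

PLACEHOLDER = "$IP$"  # variable used in the page's query-api example


def build_user_query_url(server: str, query_api: str, user_ip: str) -> str:
    """Assemble https://{server}/{query-api} with $IP$ replaced by the user's IP."""
    parts = urlsplit(query_api)
    # Assumed check: query-api is a path only, as in the page's example.
    if parts.scheme or parts.netloc or query_api.startswith("/"):
        raise ValueError("query-api must be a relative path (no scheme, host or leading /)")
    if query_api.count(PLACEHOLDER) != 1:
        raise ValueError("query-api must contain the $IP$ variable exactly once")

    # ip_address() raises ValueError for anything that is not a literal address,
    # so strings carrying '/', '..' or '?' never reach the URL.
    host = ipaddress.ip_address(server)
    user = ipaddress.ip_address(user_ip)

    # Generalization beyond the page's IPv4 example: IPv6 hosts need brackets.
    host_text = f"[{host}]" if host.version == 6 else str(host)
    return f"https://{host_text}/{query_api.replace(PLACEHOLDER, str(user))}"


if __name__ == "__main__":
    # Values taken from the page's example.
    print(build_user_query_url("10.17.4.12", "api/v1/insight/endpoint/ip/$IP$", "10.17.4.12"))
```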

Under normal circumstances, the ClearPass webserver sends user authentication information to the SRX Series device in POST request messages and the SRX Series device writes that information to its ClearPass authentication table. When the SRX Series device receives an access request from a user, it searches its ClearPass authentication table for an entry for that user.

The SRX Series device might not have received authentication information for a user from the CPPM because the CPPM has not yet authenticated that user. For example, the user might have joined the network through an access layer not on a managed switch or WLAN. When the CPPM receives the user query from the SRX Series device, it authenticates the user and returns the authentication information to the device.

Required Privilege Level

  • services—To view this statement in the configuration.
  • services-control—To add this statement to the configuration.

Modified: 2016-05-01