show services user-identification authentication-table

Syntax

show services user-identification authentication-table ip-address ip-address | authentication-source authentication-source (brief | domain domain-name (<enter> | brief | extensive) | group group-name (<enter> | brief | extensive) | user user-name (<enter> | brief | extensive) ) all | active directory

Release Information

Command introduced in Junos OS release 12.3X48-D30.

Description

Display the ClearPass authentication table contents for an individual user based on the IP address of the user’s device, the entire ClearPass authentication table contents, users who belong to a domain, users who belong to a group, or a user’s entry based on the user’s name.

The ClearPass authentication table user entries include authentication and identity information that the SRX Series device obtains from the ClearPass Policy Manager (CPPM). ClearPass, which is the authentication source for the Integrated ClearPass Authentication and Enforcement feature, posts the user authentication information to the SRX Series device. The SRX Series device UserID daemon synchronizes the ClearPass user authentication information from the Routing Engine authentication table, which includes entries from other authentication sources, to the ClearPass authentication table on the Packet Forwarding Engine.

To supplement posting from the ClearPass authentication table, the SRX Series device supports a user query function that allows you to obtain authentication information for an individual user.

Options

ip-address

Displays information for a user identified by the IP address of their device.

authentication-source

The authentication source for the Integrated ClearPass Authentication and Enforcement feature. For this feature, you must specify the value aruba-clearpass.

Specify the following identifiers to control the degree and kind of information to display:

brief

By default, the show command displays brief information for ClearPass authentication table user entries. For each domain, it displays the domain name and the number of users who belong to it. For each user, it shows the user’s device IP address, username, groups that the user belongs to that are referenced by a security policy, and the state of the user entry.

domain

Specifies the name of the domain whose member information you want to view. You can specify extensive with domain to show extensive information for the user entries of all of its members. By default, brief information is displayed.

extensive

Shows extensive information for the ClearPass authentication table user entries. For each domain, extensive displays the domain name and the number of users who belong to it. For each user, it shows the user’s device IP address, username, the groups that the user belongs to, the groups that the user belongs to that are referenced by a security policy, the state of the user entry, the authentication source (Aruba ClearPass), the access start date and time, a timestamp showing the last time the entry was updated, and the age after which time the entry expires.

You can specify extensive without a qualifying identifier to display extensive information for all of the table’s user entries. You can specify it in conjunction with domain, group, or user to display extensive information for that category of users—that is, all members of the domain, all users who belong to the group, or an individual user identified by their username.

group

Specifies the name of the group whose member information you want to view. You can specify extensive with group to show extensive information for users who belong to the group. By default, brief information is displayed.

user

Specifies the name of the user whose information you want to view. You can specify extensive to show extensive information for that user.

Required Privilege Level

view

List of Sample Output

show services user-identification authentication-table authentication-source aruba-clearpass
show services user-identification authentication-table authentication-source aruba-clearpass domain
show services user-identification authentication-table authentication-source aruba-clearpass group
show services user-identification authentication-table authentication-source aruba-clearpass user

Output Fields

Field Name

Field Description

Domain

Name of the domain that the users belong to. If the CPPM does not send domain information to the SRX Series device for a user, the user belongs to the GLOBAL domain.

Total entries

Number of user entries in the ClearPass authentication table by domain.

For each entry:

Source IP

The IP address of the user’s device. If a user is logged in to the network with more than one device, a separate entry is created for the user for each device, showing that device’s IP address.

username

The name by which the user is logged in to the network.

Groups

A list of the groups that the user belongs to. The list can include a group that identifies the device posture.

State

The state of the entry. There are four states for an authentication entry: initial, valid, invalid, and pending.

  • An initial state is a temporary state, and it can be created from either a valid or an invalid entry.
  • A valid state indicates that the authentication entry has a valid IP address, domain, and username.
  • An invalid state indicates that the entry does not have a valid IP address, domain, and username. This can happen when the SRX Series device does not receive a query response from the CPPM. If the entry is invalid, it is put in the null domain.
  • A pending state indicates that the entry was created after the user query was sent and before the response was received.

Source

The name of the authentication source. For the Integrated ClearPass Authentication and Enforcement feature, this value is always aruba-clearpass.

Access start date

The date when the authentication entry was created by the SRX Series device.

Access start time

The time when the authentication entry was created by the SRX Series device.

Last updated timestamp

The time when ClearPass creates the user information. This value is taken from the timestamp field in the user information posted by ClearPass to the SRX Series device.

Age time

The time after which the entry expires, as configured by the authentication-entry-timeout statement. If a value of 0 was specified, the entry never expires. When an expiration time is reached, the SRX Series device deletes the user entry from the ClearPass authentication table.

Sample Output

show services user-identification authentication-table authentication-source aruba-clearpass

Note that in the following example, the output would show the same results whether or not you specified brief. The default behavior is to display brief output.

user@host> show services user-identification authentication-table authentication-source aruba-clearpass brief

In this case, if there was more than one domain configured, the output would show the following kind of information for each domain.

Domain: GLOBAL
Total entries: 6
Source IP       Username       groups(Ref by policy)          state
10.0.0.1        viki2          accounting-grp-and-company-dev Valid
20.0.0.1        abew1          marketing-access-limited-grp   Valid
30.0.0.1        jxchan         marketing-access-for-pcs-limit Valid
40.0.0.1        lchen1         corporate-limited              Valid
50.0.0.1        guest1                                        Valid
50.0.0.2        guest2                                        Valid
user@host> show services user-identification authentication-table authentication-source aruba-clearpass extensive
Domain: GLOBAL
Total entries: 6
  Source-ip: 10.0.0.1
    Username: viki2
    Groups:posture-healthy, accounting-grp, accounting-grp-and-company-device,
    corporate-limited, [user authenticated]
    Groups referenced by policy:accounting-grp-and-company-device,
    corporate-limited
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:20:30
    Last updated timestamp: 2015-12-22 04:02:48
    Age time: 0
  Source-ip: 20.0.0.1
    Username: abew1
    Groups:posture-unknown, marketing-access-limited-grp, [user authenticated]
    Groups referenced by policy:marketing-access-limited-grp
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:31:40
    Last updated timestamp: 2015-12-22 04:18:48
    Age time: 0
  Source-ip: 30.0.0.1
    Username: jxchan
    Groups:posture-healthy, marketing-access-for-pcs-limited-group,
    marketing-general, sales-limited, corporate-limited, [user authenticated]
    Groups referenced by policy:marketing-access-for-pcs-limited-group,
    corporate-limited
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:22:48
    Last updated timestamp: 2015-12-22 05:46:21
    Age time: 0
  Source-ip: 40.0.0.1
    Username: lchen1
    Groups:posture-healthy, human-resources-grp, accounting-limited,
    corporate-limited, [user authenticated]
    Groups referenced by policy:corporate-limited
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:21:37
    Last updated timestamp: 2015-12-22 05:41:18
    Age time: 0
  Source-ip: 50.0.0.1
    Username: guest1
    Groups:posture-healthy, guest, [user authenticated]
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:23:10
    Last updated timestamp: 2015-12-22 05:50:47
    Age time: 0
  Source-ip: 50.0.0.2
    Username: guest2
    Groups:posture-healthy, guest-device-byod, [user authenticated]
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:23:21
    Last updated timestamp: 2015-12-22 05:52:44
    Age time: 0

show services user-identification authentication-table authentication-source aruba-clearpass domain

Note that in the following example the output would show the same results whether or not you specified brief. The default behavior is to display brief output.

user@host> show services user-identification authentication-table authentication-source aruba-clearpass domain GLOBAL brief
Domain: GLOBAL
Total entries: 6
Source IP       Username       groups(Ref by policy)          state
10.0.0.1        viki2          accounting-grp-and-company-dev Valid
20.0.0.1        abew1          marketing-access-limited-grp   Valid
30.0.0.1        jxchan         marketing-access-for-pcs-limit Valid
40.0.0.1        lchen1         corporate-limited              Valid
50.0.0.1        guest1                                        Valid
50.0.0.2        guest2                                        Valid
user@host> show services user-identification authentication-table authentication-source aruba-clearpass domain GLOBAL extensive
Domain: GLOBAL
Total entries: 6
  Source-ip: 10.0.0.1
    Username: viki2
    Groups:posture-healthy, accounting-grp, accounting-grp-and-company-device,
    corporate-limited, [user authenticated]
    Groups referenced by policy:accounting-grp-and-company-device,
    corporate-limited
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:20:30
    Last updated timestamp: 2015-12-22 04:02:48
    Age time: 0
  Source-ip: 20.0.0.1
    Username: abew1
    Groups:posture-unknown, marketing-access-limited-grp, [user authenticated]
    Groups referenced by policy:marketing-access-limited-grp
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:31:40
    Last updated timestamp: 2015-12-22 04:18:48
    Age time: 0
  Source-ip: 30.0.0.1
    Username: jxchan
    Groups:posture-healthy, marketing-access-for-pcs-limited-group,
    marketing-general, sales-limited, corporate-limited, [user authenticated]
    Groups referenced by policy:marketing-access-for-pcs-limited-group,
    corporate-limited
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:22:48
    Last updated timestamp: 2015-12-22 05:46:21
    Age time: 0
  Source-ip: 40.0.0.1
    Username: lchen1
    Groups:posture-healthy, human-resources-grp, accounting-limited,
    corporate-limited, [user authenticated]
    Groups referenced by policy:corporate-limited
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:21:37
    Last updated timestamp: 2015-12-22 05:41:18
    Age time: 0
  Source-ip: 50.0.0.1
    Username: guest1
    Groups:posture-healthy, guest, [user authenticated]
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:23:10
    Last updated timestamp: 2015-12-22 05:50:47
    Age time: 0
  Source-ip: 50.0.0.2
    Username: guest2
    Groups:posture-healthy, guest-device-byod, [user authenticated]
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:23:21
    Last updated timestamp: 2015-12-22 05:52:44
    Age time: 0

show services user-identification authentication-table authentication-source aruba-clearpass group

Note that in the following example, the output would show the same results whether or not you specified brief. The default behavior is to display brief output.

user@host> show services user-identification authentication-table authentication-source aruba-clearpass group posture-healthy brief
Domain: GLOBAL
Source IP       Username       groups(Ref by policy)          state
10.0.0.1        viki2          accounting-grp-and-company-dev Valid
30.0.0.1        jxchan         marketing-access-for-pcs-limit Valid
40.0.0.1        lchen1         corporate-limited              Valid
50.0.0.1        guest1                                        Valid
50.0.0.2        guest2                                        Valid
user@host> show services user-identification authentication-table authentication-source aruba-clearpass group posture-healthy extensive
Domain: GLOBAL
  Source-ip: 10.0.0.1
    Username: viki2
    Groups:posture-healthy, accounting-grp, accounting-grp-and-company-device,
    corporate-limited, [user authenticated]
    Groups referenced by policy:accounting-grp-and-company-device,
    corporate-limited
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:20:30
    Last updated timestamp: 2015-12-22 04:02:48
    Age time: 0
  Source-ip: 30.0.0.1
    Username: jxchan
    Groups:posture-healthy, marketing-access-for-pcs-limited-group,
    marketing-general, sales-limited, corporate-limited, [user authenticated]
    Groups referenced by policy:marketing-access-for-pcs-limited-group,
    corporate-limited
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:22:48
    Last updated timestamp: 2015-12-22 05:46:21
    Age time: 0
  Source-ip: 40.0.0.1
    Username: lchen1
    Groups:posture-healthy, human-resources-grp, accounting-limited,
    corporate-limited, [user authenticated]
    Groups referenced by policy:corporate-limited
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:21:37
    Last updated timestamp: 2015-12-22 05:41:18
    Age time: 0
  Source-ip: 50.0.0.1
    Username: guest1
    Groups:posture-healthy, guest, [user authenticated]
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:23:10
    Last updated timestamp: 2015-12-22 05:50:47
    Age time: 0
  Source-ip: 50.0.0.2
    Username: guest2
    Groups:posture-healthy, guest-device-byod, [user authenticated]
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:23:21
    Last updated timestamp: 2015-12-22 05:52:44
    Age time: 0

Sample Output

show services user-identification authentication-table authentication-source aruba-clearpass user

user@host> show services user-identification authentication-table authentication-source aruba-clearpass user abew1 brief
Domain: GLOBAL
Source IP       Username       groups(Ref by policy)          state
20.0.0.1        abew1          marketing-access-limited-grp   Valid  
user@host> show services user-identification authentication-table authentication-source aruba-clearpass user abew1 extensive
Domain: GLOBAL
  Source-ip: 20.0.0.1
    Username: abew1
    Groups:posture-unknown, marketing-access-limited-grp, [user authenticated]
    Groups referenced by policy:marketing-access-limited-grp
    State: Valid
    Source: Aruba ClearPass
    Access start date: 2016-03-08
    Access start time: 17:31:40
    Last updated timestamp: 2015-12-22 04:18:48
    Age time: 0
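
The extensive output lends itself to a scripted audit of the table. The following is an added example, not part of the Juniper documentation: it parses the extensive layout shown above, including group lists that wrap onto a second line, and flags entries whose State is not Valid, whose groups lack a healthy-posture group, or whose Age time is 0 (never expires). The function names are hypothetical, the sample text is constructed, and the posture group name posture-healthy is taken from the sample output and is an assumption about the deployment.

```python
import re

# Field labels as they appear in the extensive output.
KEY = re.compile(r"^\s*(Domain|Total entries|Source-ip|Username|Groups referenced "
                 r"by policy|Groups|State|Source|Access start date|Access start "
                 r"time|Last updated timestamp|Age time):\s*(.*)$")

# Constructed sample in the page's layout (values are illustrative).
SAMPLE = """\
Domain: GLOBAL
  Source-ip: 10.0.0.1
    Username: viki2
    Groups:posture-healthy, accounting-grp, accounting-grp-and-company-device,
    corporate-limited, [user authenticated]
    State: Valid
    Age time: 0
  Source-ip: 20.0.0.1
    Username: abew1
    Groups:posture-unknown, marketing-access-limited-grp, [user authenticated]
    State: Pending
    Age time: 30
"""

def parse_extensive(text):
    """Return one dict per Source-ip block, tagged with its Domain."""
    entries, domain, cur, last = [], None, None, None
    for line in text.splitlines():
        m = KEY.match(line)
        if not m:  # no field label: continuation of a wrapped group list
            if cur is not None and last.startswith("Groups"):
                cur[last] += " " + line.strip()
            continue
        last, val = m.group(1), m.group(2).strip()
        if last == "Domain":
            domain, cur = val, None
        elif last == "Source-ip":
            entries.append(cur := {"Domain": domain, "Source-ip": val})
        elif cur is not None:
            cur[last] = val
    return entries

def review(entries, healthy="posture-healthy"):  # group name is an assumption
    out = []
    for e in entries:
        groups = [g.strip() for g in e.get("Groups", "").split(",")]
        checks = {"state-not-valid": e.get("State", "").lower() != "valid",
                  "posture-not-healthy": healthy not in groups,
                  "never-expires": e.get("Age time") == "0"}  # 0 = no expiry
        out += [(e["Source-ip"], name) for name, hit in checks.items() if hit]
    return out
```

Feed it the saved text of an extensive listing; review() returns (source IP, finding) pairs in table order.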

Modified: 2016-05-01