
    show services user-identification authentication-table

    Syntax

    show services user-identification authentication-table ip-address ip-address | authentication-source authentication-source (brief | domain domain-name (<enter> | brief | extensive) | group group-name (<enter> | brief | extensive) | user user-name (<enter> | brief | extensive) ) all | active directory

    Release Information

    Command introduced in Junos OS release 12.3X48-D30.

    Description

    Display the ClearPass authentication table contents for an individual user based on the IP address of the user’s device, the entire ClearPass authentication table contents, users who belong to a domain, users who belong to a group, or a user’s entry based on the user’s name.

    The ClearPass authentication table user entries include authentication and identity information that the SRX Series device obtains from the ClearPass Policy Manager (CPPM). ClearPass, which is the authentication source for the Integrated ClearPass Authentication and Enforcement feature, posts the user authentication information to the SRX Series device. The SRX Series device UserID daemon synchronizes the ClearPass user authentication information from the Routing Engine authentication table, which includes entries from other authentication sources, to the ClearPass authentication table on the Packet Forwarding Engine.

    To supplement posting from the ClearPass authentication table, the SRX Series device supports a user query function that allows you to obtain authentication information for an individual user.

    Options

    ip-address

    Displays information for a user identified by the IP address of their device.

    authentication-source

    The authentication source for the Integrated ClearPass Authentication and Enforcement feature. For this feature, you must specify the value aruba-clearpass.

    Specify the following identifiers to control the degree and kind of information to display:

    brief

    The show command displays brief information for ClearPass authentication table user entries. For each domain, it displays the domain name and the number of users who belong to it. For each user, it shows the user’s device IP address, username, groups that the user belongs to that are referenced by a security policy, and the state of the user entry.

    domain

    Specifies the name of the domain whose user member information you want to view. You can specify extensive with domain to show extensive information for the user entries of all of its members.

    extensive

    Shows extensive information for the ClearPass authentication table user entries. For each domain, extensive displays the domain name and the number of users who belong to it. For each user, it shows the user’s device IP address, username, the groups that the user belongs to, the groups that the user belongs to that are referenced by a security policy, the state of the user entry, the authentication source (Aruba ClearPass), the access start date and time, a timestamp showing the last time the entry was updated, and the age after which time the entry expires.

    You can specify extensive without a qualifying identifier to display extensive information for all of the table’s user entries. You can specify it in conjunction with domain, group, or user to display extensive information for that category of users—that is, all members of the domain, all users who belong to the group, or an individual user identified by their username.

    group

    Specifies the name of the group whose member information you want to view. You can specify extensive with group to show extensive information for users who belong to the group.

    user

    Specifies the name of the user whose information you want to view. You can specify extensive to show extensive information for that user.

    Default: brief

    Required Privilege Level

    view

    List of Sample Output

    show services user-identification authentication-table authentication-source aruba-clearpass
    show services user-identification authentication-table authentication-source aruba-clearpass domain
    show services user-identification authentication-table authentication-source aruba-clearpass group
    show services user-identification authentication-table authentication-source aruba-clearpass user

    Output Fields

    Field Name

    Field Description

    Domain

    Name of the domain that the users belong to. If the CPPM does not send domain information to the SRX Series device for a user, the user belongs to the GLOBAL domain.

    Total entries

    Number of user entries in the ClearPass authentication table by domain.

    For each entry:

    Source IP

    The IP address of the user’s device. If a user is logged in to the network with more than one device, a separate entry is created for the user for each device, showing that device’s IP address.

    username

    The name by which the user is logged in to the network.

    Groups

    A list of the groups that the user belongs to. The list can include a group that identifies the device posture.

    State

    The state of the entry. There are four states for an authentication entry: initial, valid, invalid, and pending.

    • An initial state is a temporary state, and it can be created from either a valid or an invalid entry.
    • A valid state indicates that the authentication entry has a valid IP address, domain, and username.
    • An invalid state indicates that the entry does not have a valid IP address, domain, and username. This can happen when the SRX Series device does not receive a query response from the CPPM. If the entry is invalid, it is put in the null domain.
    • A pending state indicates that the entry was created after the user query was sent and before the response was received.

    Source

    The name of the authentication source. For the Integrated ClearPass Authentication and Enforcement feature, this value is always aruba-clearpass.

    Access start date

    The date when the authentication entry was created by the SRX Series device.

    Access start time

    The time when the authentication entry was created by the SRX Series device.

    Last updated timestamp

    The time when ClearPass creates the user information. This value is taken from the timestamp field in the user information posted by ClearPass to the SRX Series device.

    Age time

    The time after which the entry expires, as configured by the authentication-entry-timeout statement. If a value of 0 was specified, the entry never expires. When an expiration time is reached, the SRX Series device deletes the user entry from the ClearPass authentication table.

    Sample Output

    show services user-identification authentication-table authentication-source aruba-clearpass

    Note that in the following example, the output would show the same results whether or not you specified brief. (The default behavior is to display brief output.)

    user@host> show services user-identification authentication-table authentication-source aruba-clearpass brief

    In this case, if more than one domain were configured, the output would show the following kind of information for each domain.

    Domain: GLOBAL
    Total entries: 6
    Source IP           Username       groups(Ref by policy)          state
    203.0.113.21        viki2          accounting-grp-and-company-dev Valid
    203.0.113.89        abew1          marketing-access-limited-grp   Valid
    203.0.113.52        jxchan         marketing-access-for-pcs-limit Valid
    203.0.113.53        lchen1         corporate-limited              Valid
    203.0.113.54        guest1                                        Valid
    203.0.113.55        guest2                                        Valid
    
    user@host> show services user-identification authentication-table authentication-source aruba-clearpass extensive
    Domain: GLOBAL
    Total entries: 6
      Source-ip: 203.0.113.21
        Username: viki2
        Groups:posture-healthy, accounting-grp, accounting-grp-and-company-device,
        corporate-limited, [user authenticated]
        Groups referenced by policy:accounting-grp-and-company-device,
        corporate-limited
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:20:30
        Last updated timestamp: 2015-12-22 04:02:48
        Age time: 0
      Source-ip: 203.0.113.89
        Username: abew1
        Groups:posture-unknown, marketing-access-limited-grp, [user authenticated]
        Groups referenced by policy:marketing-access-limited-grp
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:31:40
        Last updated timestamp: 2015-12-22 04:18:48
        Age time: 0
      Source-ip: 203.0.113.52
        Username: jxchan
        Groups:posture-healthy, marketing-access-for-pcs-limited-group,
        marketing-general, sales-limited, corporate-limited, [user authenticated]
        Groups referenced by policy:marketing-access-for-pcs-limited-group,
        corporate-limited
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:22:48
        Last updated timestamp: 2015-12-22 05:46:21
        Age time: 0
      Source-ip: 203.0.113.53
        Username: lchen1
        Groups:posture-healthy, human-resources-grp, accounting-limited,
        corporate-limited, [user authenticated]
        Groups referenced by policy:corporate-limited
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:21:37
        Last updated timestamp: 2015-12-22 05:41:18
        Age time: 0
      Source-ip: 203.0.113.54
        Username: guest1
        Groups:posture-healthy, guest, [user authenticated]
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:23:10
        Last updated timestamp: 2015-12-22 05:50:47
        Age time: 0
      Source-ip: 203.0.113.55
        Username: guest2
        Groups:posture-healthy, guest-device-byod, [user authenticated]
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:23:21
        Last updated timestamp: 2015-12-22 05:52:44
        Age time: 0
    

    show services user-identification authentication-table authentication-source aruba-clearpass domain

    Note that in the following example the output would show the same results whether or not you specified brief. The default behavior is to display brief output.

    user@host> show services user-identification authentication-table authentication-source aruba-clearpass domain GLOBAL brief
    Domain: GLOBAL
    Total entries: 6
    Source IP           Username       groups(Ref by policy)          state
    203.0.113.21        viki2          accounting-grp-and-company-dev Valid
    203.0.113.89        abew1          marketing-access-limited-grp   Valid
    203.0.113.52        jxchan         marketing-access-for-pcs-limit Valid
    203.0.113.53        lchen1         corporate-limited              Valid
    203.0.113.54        guest1                                        Valid
    203.0.113.55        guest2                                        Valid
    
    user@host> show services user-identification authentication-table authentication-source aruba-clearpass domain GLOBAL extensive
    Domain: GLOBAL
    Total entries: 6
      Source-ip: 203.0.113.21
        Username: viki2
        Groups:posture-healthy, accounting-grp, accounting-grp-and-company-device,
        corporate-limited, [user authenticated]
        Groups referenced by policy:accounting-grp-and-company-device,
        corporate-limited
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:20:30
        Last updated timestamp: 2015-12-22 04:02:48
        Age time: 0
      Source-ip: 203.0.113.89
        Username: abew1
        Groups:posture-unknown, marketing-access-limited-grp, [user authenticated]
        Groups referenced by policy:marketing-access-limited-grp
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:31:40
        Last updated timestamp: 2015-12-22 04:18:48
        Age time: 0
      Source-ip: 203.0.113.52
        Username: jxchan
        Groups:posture-healthy, marketing-access-for-pcs-limited-group,
        marketing-general, sales-limited, corporate-limited, [user authenticated]
        Groups referenced by policy:marketing-access-for-pcs-limited-group,
        corporate-limited
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:22:48
        Last updated timestamp: 2015-12-22 05:46:21
        Age time: 0
      Source-ip: 203.0.113.53
        Username: lchen1
        Groups:posture-healthy, human-resources-grp, accounting-limited,
        corporate-limited, [user authenticated]
        Groups referenced by policy:corporate-limited
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:21:37
        Last updated timestamp: 2015-12-22 05:41:18
        Age time: 0
      Source-ip: 203.0.113.54
        Username: guest1
        Groups:posture-healthy, guest, [user authenticated]
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:23:10
        Last updated timestamp: 2015-12-22 05:50:47
        Age time: 0
      Source-ip: 203.0.113.55
        Username: guest2
        Groups:posture-healthy, guest-device-byod, [user authenticated]
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:23:21
        Last updated timestamp: 2015-12-22 05:52:44
        Age time: 0
    

    show services user-identification authentication-table authentication-source aruba-clearpass group

    Note that in the following example, the output would show the same results whether or not you specified brief. (The default behavior is to display brief output.)

    user@host> show services user-identification authentication-table authentication-source aruba-clearpass group posture-healthy brief
    Domain: GLOBAL
    Source IP           Username       groups(Ref by policy)          state
    203.0.113.21        viki2          accounting-grp-and-company-dev Valid
    203.0.113.52        jxchan         marketing-access-for-pcs-limit Valid
    203.0.113.53        lchen1         corporate-limited              Valid
    203.0.113.54        guest1                                        Valid
    203.0.113.55        guest2                                        Valid
    
    user@host> show services user-identification authentication-table authentication-source aruba-clearpass group posture-healthy extensive
    Domain: GLOBAL
      Source-ip: 203.0.113.21
        Username: viki2
        Groups:posture-healthy, accounting-grp, accounting-grp-and-company-device,
        corporate-limited, [user authenticated]
        Groups referenced by policy:accounting-grp-and-company-device,
        corporate-limited
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:20:30
        Last updated timestamp: 2015-12-22 04:02:48
        Age time: 0
      Source-ip: 203.0.113.52
        Username: jxchan
        Groups:posture-healthy, marketing-access-for-pcs-limited-group,
        marketing-general, sales-limited, corporate-limited, [user authenticated]
        Groups referenced by policy:marketing-access-for-pcs-limited-group,
        corporate-limited
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:22:48
        Last updated timestamp: 2015-12-22 05:46:21
        Age time: 0
      Source-ip: 203.0.113.53
        Username: lchen1
        Groups:posture-healthy, human-resources-grp, accounting-limited,
        corporate-limited, [user authenticated]
        Groups referenced by policy:corporate-limited
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:21:37
        Last updated timestamp: 2015-12-22 05:41:18
        Age time: 0
      Source-ip: 203.0.113.54
        Username: guest1
        Groups:posture-healthy, guest, [user authenticated]
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:23:10
        Last updated timestamp: 2015-12-22 05:50:47
        Age time: 0
      Source-ip: 203.0.113.55
        Username: guest2
        Groups:posture-healthy, guest-device-byod, [user authenticated]
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:23:21
        Last updated timestamp: 2015-12-22 05:52:44
        Age time: 0
    

    Sample Output

    show services user-identification authentication-table authentication-source aruba-clearpass user

    user@host> show services user-identification authentication-table authentication-source aruba-clearpass user abew1 brief
    Domain: GLOBAL
    Source IP           Username       groups(Ref by policy)          state
    203.0.113.89        abew1          marketing-access-limited-grp   Valid
    
    user@host> show services user-identification authentication-table authentication-source aruba-clearpass user abew1 extensive
    Domain: GLOBAL
      Source-ip: 203.0.113.89
        Username: abew1
        Groups:posture-unknown, marketing-access-limited-grp, [user authenticated]
        Groups referenced by policy:marketing-access-limited-grp
        State: Valid
        Source: Aruba ClearPass
        Access start date: 2016-03-08
        Access start time: 17:31:40
        Last updated timestamp: 2015-12-22 04:18:48
        Age time: 0
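
    The extensive output above can be audited offline. The following is an added example, not Juniper code: it parses saved extensive output (including group lists wrapped across lines) and flags entries whose state is not valid, whose Age time is 0 (never expires), or that have no group referenced by a security policy. The function names, the constructed sample, and the use of the site-specific group name posture-unknown (taken from the sample output) are assumptions.

```python
# Added example (not Juniper code): parse "extensive" output, flag entries to review.
LIST_KEYS = {"Groups", "Groups referenced by policy"}
KEYS = LIST_KEYS | {"Domain", "Total entries", "Source-ip", "Username", "State", "Source",
                    "Access start date", "Access start time", "Last updated timestamp", "Age time"}

def parse_extensive(text):
    """Return one dict per Source-ip block; wrapped group lists are rejoined."""
    entries, domain, cur, last = [], None, None, None
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = (p.strip() for p in line.partition(":"))
        if not sep or key not in KEYS:        # continuation of a wrapped value
            if last:
                cur[last] += " " + line
        elif key == "Domain":
            domain, cur, last = value, None, None
        elif key == "Source-ip":
            cur, last = {"Domain": domain, "Source-ip": value}, None
            entries.append(cur)
        elif cur is not None:
            cur[key], last = value, key
    for e in entries:
        for k in LIST_KEYS:
            e[k] = [g.strip() for g in e.get(k, "").split(",") if g.strip()]
    return entries

def audit(entries):
    """Return (ip, username, reason) tuples from the field meanings on this page."""
    findings = []
    for e in entries:
        checks = [
            (e.get("State", "").lower() != "valid", "state is " + e.get("State", "missing")),
            (e.get("Age time") == "0", "entry never expires (Age time 0)"),
            (not e["Groups referenced by policy"], "no group referenced by a policy"),
            ("posture-unknown" in e["Groups"], "device posture unknown"),  # site-specific name
        ]
        findings += [(e["Source-ip"], e.get("Username", "?"), why) for hit, why in checks if hit]
    return findings

# Constructed sample in the layout of the extensive output shown above.
SAMPLE = """\
Domain: GLOBAL
Total entries: 2
  Source-ip: 203.0.113.21
    Username: viki2
    Groups:posture-healthy, accounting-grp, accounting-grp-and-company-device,
    corporate-limited, [user authenticated]
    Groups referenced by policy:corporate-limited
    State: Valid
    Age time: 30
  Source-ip: 203.0.113.54
    Username: guest1
    Groups:posture-unknown, guest, [user authenticated]
    State: Pending
    Age time: 0
"""
```

    Calling audit(parse_extensive(SAMPLE)) returns four findings, all for 203.0.113.54; the first entry produces none.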
    

    Modified: 2016-08-16