client-identity (NETCONF TLS)

 

Syntax

client-identity client-id {
    fingerprint fingerprint;
    map-type (san-dirname-cn | specified);
    username username;
}

Hierarchy Level

[edit system services netconf tls]
Release Information

Statement introduced in Junos OS Release 20.2R1.

Description

For NETCONF sessions over Transport Layer Security (TLS), configure the method to derive the NETCONF username for a given client certificate.

Each configured client must include the client's certificate fingerprint and a map type. If the fingerprint of the certificate a client presents matches the fingerprint of a configured client, Junos OS uses that client's map type to derive the NETCONF username for the certificate. If the fingerprint matches no configured client, Junos OS uses the default map type defined at the [edit system services netconf tls default-client-identity] hierarchy level to derive the NETCONF username. If the fingerprint matches no configured client and no default client identity is configured, Junos OS does not establish the NETCONF session.

Junos OS supports local users and Lightweight Directory Access Protocol (LDAP) remote users for NETCONF sessions over TLS. The derived username must therefore either correspond to a user account defined locally on the device, or be authenticated by an LDAP server that maps it to a local user template account defined on the device.
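
The following configuration is an added example for this page, not a snippet from the Junos OS documentation or from a real deployment. It shows two client-identity entries, one per map type, and a default-client-identity that handles certificates matching neither. The client names (ops-cert, automation), the usernames and both fingerprint values are placeholders: the fingerprints are the SHA-256 digests of empty input and of the string abc with the 04 identifier prefixed, not hashes of real certificates. The layout of the default-client-identity block (map-type plus username) is assumed from the description above, and the rest of the tls setup (server certificate, trusted CA) is omitted.

```junos
system {
    services {
        netconf {
            tls {
                /* Certificate matched by fingerprint; username taken from the SAN DirName CN */
                client-identity ops-cert {
                    fingerprint 04:E3:B0:C4:42:98:FC:1C:14:9A:FB:F4:C8:99:6F:B9:24:27:AE:41:E4:64:9B:93:4C:A4:95:99:1B:78:52:B8:55;
                    map-type san-dirname-cn;
                }
                /* Certificate matched by fingerprint; fixed username regardless of certificate contents */
                client-identity automation {
                    fingerprint 04:BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD;
                    map-type specified;
                    username netconf-auto;
                }
                /* Any other certificate that passes TLS validation maps to a read-only account */
                default-client-identity {
                    map-type specified;
                    username netconf-ro;
                }
            }
        }
    }
}
```

To obtain the real value for a client certificate, run openssl x509 -in client.crt -noout -fingerprint -sha256, which prints SHA256 Fingerprint= followed by colon-separated hex octets; prefix that string with 04: to get the x509c2n:tls-fingerprint form expected here. Omit the default-client-identity block if unmatched certificates should be refused rather than mapped to a fallback account.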

Default

If you do not include the client-identity statement, then you must define a default client at the [edit system services netconf tls default-client-identity] hierarchy level, or Junos OS does not establish the NETCONF session.

Options

client-id
    User-defined name that uniquely identifies the client.

fingerprint fingerprint
    Client's certificate fingerprint, which is a cryptographic hash of the client's X.509 certificate (its DER encoding) in x509c2n:tls-fingerprint format.

    The fingerprint's first octet is the hash algorithm identifier as defined in RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2. The remaining octets are the output of that hash algorithm, written as colon-separated hexadecimal octets. MD5 and SHA-1 are accepted for compatibility, but both have practical collision attacks; use sha256 or stronger for new configurations.

    Acceptable hash algorithms and their identifiers are:

  • md5: 1

  • sha1: 2

  • sha224: 3

  • sha256: 4

  • sha384: 5

  • sha512: 6

map-type type
    Map type that defines how to derive the NETCONF username.

Values:

  • san-dirname-cn—Use the common name (CN) defined in the SubjectAltName (SAN) DirName entry (DirName:/CN) of the client certificate as the NETCONF username.

    If you specify san-dirname-cn as the map type but the client certificate has no CN in a SAN DirName entry, the connection fails.

  • specified—Use the NETCONF username defined in the username statement at the same hierarchy level.

username username
    Username under whose access privileges the NETCONF operations are executed when map-type specified is configured.
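
The script below is an added example for this page, not Junos OS code. It covers the fingerprint format described under the fingerprint option and the selection rules described under map-type: it builds x509c2n:tls-fingerprint strings from a DER certificate, validates a configured fingerprint (known algorithm identifier, correct digest length), and replays the username derivation including the two refusal cases (no match without a default client identity, and san-dirname-cn on a certificate lacking the CN). It assumes, as a simplification not taken from the page, that the presented certificate is modelled as its DER bytes plus the already-extracted SAN DirName CN; the sample certificate bytes, client names and usernames are constructed placeholders.

```python
"""Added example for this page (not Junos OS code): derive and validate
x509c2n:tls-fingerprint strings, then replay the client-identity selection
and username derivation rules described above for a presented certificate.

Assumption (not from the page): the presented certificate is modelled as its
DER bytes plus the CN of its SAN DirName entry, already extracted; parsing
X.509 itself is out of scope here.
"""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 5246 HashAlgorithm identifiers: the first octet of the fingerprint.
HASH_IDS = {"md5": 1, "sha1": 2, "sha224": 3, "sha256": 4, "sha384": 5, "sha512": 6}
ID_TO_HASH = {v: k for k, v in HASH_IDS.items()}


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour lines and base64-decode the body to DER."""
    body = "".join(ln.strip() for ln in pem.splitlines()
                   if ln.strip() and not ln.startswith("-----"))
    return base64.b64decode(body)


def tls_fingerprint(der: bytes, alg: str = "sha256") -> str:
    """x509c2n:tls-fingerprint 'ID:HH:HH:...' of a DER-encoded certificate."""
    digest = hashlib.new(alg, der).digest()
    return ":".join(f"{b:02X}" for b in bytes([HASH_IDS[alg]]) + digest)


def parse_fingerprint(fp: str) -> Tuple[str, bytes]:
    """Check a configured fingerprint: known algorithm id, right digest length."""
    octets = bytes.fromhex(fp.replace(":", ""))
    alg = ID_TO_HASH.get(octets[0])
    if alg is None:
        raise ValueError(f"unknown hash algorithm identifier {octets[0]}")
    want = hashlib.new(alg).digest_size
    if len(octets) - 1 != want:
        raise ValueError(f"{alg} fingerprint needs {want} digest octets, got {len(octets) - 1}")
    return alg, octets[1:]


@dataclass
class ClientIdentity:
    client_id: str
    fingerprint: Optional[str]      # None for the default-client-identity
    map_type: str                   # "san-dirname-cn" or "specified"
    username: Optional[str] = None  # only used with map-type specified


@dataclass
class PresentedCert:
    der: bytes
    san_dirname_cn: Optional[str]   # CN of the SAN DirName entry, or None


def derive_username(cert: PresentedCert, clients: List[ClientIdentity],
                    default: Optional[ClientIdentity] = None) -> Optional[str]:
    """Return the NETCONF username, or None when the session must be refused."""
    chosen = default
    for client in clients:
        alg, digest = parse_fingerprint(client.fingerprint)
        # Compare digest bytes, recomputed with the algorithm the configured
        # fingerprint names, so case or separator differences cannot matter.
        if hashlib.new(alg, cert.der).digest() == digest:
            chosen = client
            break
    if chosen is None:
        return None                  # no match and no default-client-identity
    if chosen.map_type == "specified":
        return chosen.username
    if chosen.map_type == "san-dirname-cn":
        return cert.san_dirname_cn   # None when the certificate lacks the CN
    raise ValueError(f"unknown map-type {chosen.map_type}")


# Constructed sample: a tiny DER blob standing in for a client certificate,
# wrapped in PEM armour the way a certificate file would be.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")


def demo() -> Optional[str]:
    """Match the sample certificate by SHA-256 fingerprint and map via SAN DirName CN."""
    cert = PresentedCert(der=pem_to_der(SAMPLE_PEM), san_dirname_cn="netconf-ops")
    clients = [ClientIdentity("ops-cert", tls_fingerprint(cert.der), "san-dirname-cn")]
    default = ClientIdentity("fallback", None, "specified", username="netconf-ro")
    return derive_username(cert, clients, default)


if __name__ == "__main__":
    print(tls_fingerprint(SAMPLE_DER))
    print(demo())
```

The comparison recomputes the digest with whichever algorithm the configured fingerprint's first octet names, so a sha1 entry and a sha256 entry for the same certificate both match; a configured string with an unknown identifier or a digest length that does not fit its algorithm is rejected at parse time rather than silently never matching.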

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.