client-identity (NETCONF TLS)
Statement introduced in Junos OS Release 20.2R1.
For NETCONF sessions over Transport Layer Security (TLS), configure the method to derive the NETCONF username for a given client certificate.
Each configured client must include a client’s certificate fingerprint and a map type. If the fingerprint of a client’s presented certificate matches the fingerprint for a configured client, then Junos OS uses the corresponding map type to derive the NETCONF username for that certificate. If the certificate fingerprint does not match that of any configured client, then Junos OS uses the default map type defined at the [edit system services netconf tls default-client-identity] hierarchy level to derive the NETCONF username. If the certificate fingerprint does not match a configured client, and there is no default client identity configured, Junos OS does not establish the NETCONF session.
Junos OS supports local users and Lightweight Directory Access Protocol (LDAP) remote users for NETCONF sessions over TLS. The username must either have a user account defined locally on the device, or it must be authenticated by an LDAP server, which then maps it to a local user template account that is defined locally on the device.
If you do not include the client-identity statement, then you must define a default client at the [edit system services netconf tls default-client-identity] hierarchy level, or Junos OS does not establish the NETCONF session.
The fingerprint’s first octet value is the hashing algorithm identifier as defined in RFC 5246, The Transport Layer Security (TLS) Protocol Version 1.2. The remaining octets are the result of the hashing algorithm.
Acceptable hash algorithms and their identifiers are:
san-dirname-cn—Use the common name (CN) defined for the SubjectAltName’s (SAN) DirName field (
DirName:/CN) in the client certificate as the NETCONF username.
If you specify san-dirname-cn as the map type, but the client certificate does not have a username in this field, the connection fails.
specified—Use the NETCONF username defined in the
usernamestatement at the same hierarchy level.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.