default-client-identity (NETCONF TLS)
Statement introduced in Junos OS Release 20.2R1.
For NETCONF sessions over Transport Layer Security (TLS), configure the default method to derive the NETCONF username for clients that do not match any configured clients.
If the fingerprint of a client’s presented certificate does not match the fingerprint for a client configured at the [edit system services netconf tls client-identity] hierarchy level, then Junos OS uses the default-client-identity map type to derive the NETCONF username for the client.
Junos OS supports local users and LDAP remote users for NETCONF sessions over TLS. The username must either have a user account defined locally on the device, or it must be authenticated by an LDAP server, which then maps it to a local user template account that is defined locally on the device.
If you do not include the default-client-identity statement, and a NETCONF-over-TLS client does match any clients configured at the [edit system services netconf tls client-identity] hierarchy level, then Junos OS does not establish the NETCONF session.
san-dirname-cn—Use the common name (CN) defined for the SubjectAltName’s (SAN) DirName field (
DirName:/CN) in the client certificate as the NETCONF username.
If you specify san-dirname-cn as the map type, but the client certificate does not have a username in this field, the connection fails.
specified—Use the NETCONF username defined in the
usernamestatement at the same hierarchy level.
Required Privilege Level
system—To view this statement in the configuration.
system-control—To add this statement to the configuration.