Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    invalid-authentication-entry-timeout (Services User Identification Active Directory and Aruba ClearPass)


    invalid-authentication-entry-timeout time-out-value-in-minutes;

    Hierarchy Level

    [edit services user-identification active-directory-access][edit services user-identification authentication-source aruba-clearpass]

    Release Information

    Statement introduced in Junos OS Release 15.1X49-D100.


    Configure a time-out value for invalid user authentication entries in the authentication source table–either the active directory authentication table for Windows active directory or the Aruba ClearPass authentication table for SRX Series ClearPass. User authentication entries in an authentication table contain a time-out value after which the entry expires, or is no longer valid. An invalid authentication entry is created with a NULL and INVALID state for a user’s IP address and stored in the access directory authentication table when there is no identity information for that user. Prior to implementation of this feature, the current time-out value that applies to all user entries was applied to the invalid entry also.

    For active directory, Windows uses a WMI-probe mechanism to probe the unauthenticated user’s workstation for identity information based on the IP address of the user’s device. A failed probe could put the IP address of the user’s workstation into a NULL and INVALID state for the duration of the currently configured authentication entry time-out value. This condition can occur if the probe is triggered prior to the user attempting to log in. Circumstances that lead to an unsuccessful WMI-probe are not uncommon.

    To ensure that an invalid entry for a user does not expire during the waiting period, this feature introduces a new time-out parameter that you can configure which is implemented specifically for invalid authentication table entries.


    time-out-value-in-minutesExpiration time applied to invalid entries in the active directory authentication table.

    Range: 0 through 1440 minutes.

    Default: 30 minutes

    Note: If you do not configure a time-out period for invalid entries, the default value of 30 minutes is applied to all invalid entries.

    Required Privilege Level

    security—To view this statement in the configuration.

    security-control—To add this statement to the configuration.

    Modified: 2017-09-07