Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

filter (Identity Management Advanced Query)

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 15.1X49-D100.

Description

The advanced user identity query feature enables the SRX Series device to communicate with the Juniper Identity Management Service (JIMS) server to obtain user identity information for an individual user (ip-query) or a group of users (batch query).

Optionally, you can configure filters to convey to the JIMS server at a more granular level the users for whom you want information, based on their IP addresses. The filter statement gives you the flexibility to specify a range of IP addresses to be excluded from the record that the JIMS server sends in response or a range of IP addresses to be included in it. You can also constrain the query target to users in one or more specific active directory domains. Only IPv4 addresses are supported.

You can configure a filter that includes all three specifications: include-ip, exclude-ip, and domain.

Note

Filters are contextual. That is, you can use a different filter configuration for different requests. If you change the filter configuration, the new filter applies to subsequent user identity requests exclusively. It has no bearing on prior query requests

Use of the JIMS allows you to provision users locally and have their authentication information made available to other sites in your network for policy enforcement and reporting.

Warning

Before you use this feature, you must disable active-directory-access and authentication-source options under the user-identification hierarchy. You cannot commit this configuration if active directory authentication or the ClearPass query and webapi functions are configured and committed.

Options

include-ip address-book book-name address-set address-set-name. Optionally, configure a filter that directs the SRX Series device to issue a query to the JIMS server to include in its response record user identity information for users based on IP addresses in certain address-ranges.

The following are the two behaviors when an include-ip is configured:

  • Batch query—An SRX Series device sends a request to JIMS with the include list of IP addresses.

  • IP query—If the IP address to be queried is included, then the SRX Series device queries JIMS only for those IP addresses that need to be included and does not query for other IP addresses; based on the IP query, JIMS does not trigger the PC probe for the IP addresses that are not included in the IP query.

A filter can include up to twenty IP address ranges. Therefore, an address set that contains more than twenty ranges will cause the filter configuration to fail. To specify the ranges, specify the name of a predefined address set which includes them and which is included in an existing address book.

Note

The filter for IP addresses does not support nested address sets in an address book. If an address book contains nested address sets, it is ignored.

Here is an include-ip address configuration:

exclude-ipaddress-book book-name address-set address-set-name. Optionally, configure a filter that directs the SRX Series device to issue a query to the JIMS server to exclude from its response record user identity information for users based on the specified address-ranges.

The following are the two behaviors when an exclude-ip is configured:

  • Batch query—An SRX Series device sends a request to JIMS with the exclude list of IP addresses.

  • IP query—If the IP address to be queried is excluded, then no request is sent from an SRX Series device to JIMS.

To specify the ranges, specify the name of a predefined address set which includes them and which is included in an existing address book. The address set must not include more than twenty IP addresses, otherwise the exclude-ip filter will fail. Here is an exclude-ip address configuration similar to that of the include-ip filter:

Note

Starting in Junos OS Release 18.3R1, you can include or exclude IPv6 addresses for filtering the IP addresses, in addition to IPv4 addresses.

domainOne or more active directory domains of interest to the SRX Series device. You can specify up to twenty domain names for the filter.

Required Privilege Level

  • services—To view this statement in the configuration.

  • services-control—To add this statement to the configuration.