ip-query (Identity Management Advanced Query)
Statement introduced in Junos OS Release 15.1X49-D100.
Configure the parameters to be used for the IP query function. When this feature is enabled, the SRX Series device queries the Juniper Identity Management Service (JIMS) server for user identity information based on the IP address of a user’s device.
For example, if information for a user is missing from a flow, the SRX Series device can issue a query request specifying the IP address of the user's device. Also, if the SRX Series device does not have identity information for a specific user, it can engage captive portal to authenticate the user. After it authenticates the user, the SRX Series device can issue a query request to the Juniper Identity Management Service, specifying the user ID and the IP address of the user's device, to obtain additional information such as the names of the groups that the user belongs to.
If there are many IP query requests in the queue, the SRX Series device can maintain multiple concurrent HTTP/HTTPS connections with the Juniper Identity Management Service to increase throughput. However, the number of concurrent connections is kept at a reasonable level, twenty or fewer, so as not to put pressure on the Juniper Identity Management Service.
IP query is one of three query methods: IP query, batch query, and user query. All three types of queries can occur concurrently. They are not mutually exclusive.
The advanced user identity query feature, to which this configuration statement belongs, relies on the Juniper Identity Management Service, which allows you to provision users locally and have their authentication information made available to other sites in your network for policy enforcement and reporting. The feature allows the SRX Series device to query the Juniper Identity Management Service to pull user identity information.
Before you use this feature, you must disable active-directory-access and authentication-source options under the user-identification hierarchy. You cannot commit this configuration if active directory authentication or the ClearPass query and webapi functions are configured and committed.
To obtain device information, such as device identity, groups, and the operating system, from the Juniper Identity Management Service server using either the batch-query or ip-query configuration, you must set the device authentication source, as follows.
Range: 0-60 seconds
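The following is an added example, not Juniper code, that turns the commit constraints described above into a pre-commit check over a Junos configuration in "set" format: it flags active-directory-access and authentication-source stanzas that are still present alongside identity-management ip-query, and verifies that the delay value under ip-query falls within the 0-60 second range stated on this page. The option name delay-query-time and every configuration line in the sample are assumptions constructed for this example; the ClearPass and device-information prerequisites are not modelled.

```python
"""Pre-commit check for an identity-management ip-query configuration.

Added example, not Juniper's code. It scans a Junos configuration in 'set'
format and applies two constraints stated for ip-query:
  * active-directory-access and authentication-source under
    [edit services user-identification] must not be configured, and
  * the seconds value of the delay option must be within 0-60.
The option name 'delay-query-time' and all sample lines are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Stmt = Tuple[str, ...]

IP_QUERY_PATH: Stmt = ("services", "user-identification", "identity-management", "ip-query")
# Hierarchies that cannot be committed together with ip-query.
CONFLICTING_PATHS: Tuple[Stmt, ...] = (
    ("services", "user-identification", "active-directory-access"),
    ("services", "user-identification", "authentication-source"),
)
DELAY_OPTION = "delay-query-time"  # assumed option name; range 0-60 seconds
DELAY_RANGE = (0, 60)


def parse_set_lines(text: str) -> List[Stmt]:
    """Return the token tuple of every 'set ...' line; blank lines, comments
    and other commands are skipped."""
    stmts = []
    for raw in text.splitlines():
        tokens = raw.strip().split()
        if len(tokens) > 1 and tokens[0] == "set":
            stmts.append(tuple(tokens[1:]))
    return stmts


def _under(stmts: List[Stmt], prefix: Stmt) -> List[Stmt]:
    """Statements whose path starts with prefix."""
    return [s for s in stmts if s[:len(prefix)] == prefix]


@dataclass
class CheckResult:
    ip_query_configured: bool
    conflicts: List[str] = field(default_factory=list)
    range_errors: List[str] = field(default_factory=list)

    @property
    def would_commit(self) -> bool:
        # A configuration without ip-query is outside the scope of this check.
        if not self.ip_query_configured:
            return True
        return not self.conflicts and not self.range_errors


def check_ip_query_config(text: str) -> CheckResult:
    stmts = parse_set_lines(text)
    ip_query = _under(stmts, IP_QUERY_PATH)
    result = CheckResult(ip_query_configured=bool(ip_query))
    if not ip_query:
        return result
    for path in CONFLICTING_PATHS:
        if _under(stmts, path):
            result.conflicts.append(" ".join(path))
    for s in ip_query:
        leaf = s[len(IP_QUERY_PATH):]
        if len(leaf) == 2 and leaf[0] == DELAY_OPTION:
            try:
                seconds = int(leaf[1])
            except ValueError:
                result.range_errors.append(f"{DELAY_OPTION} {leaf[1]}: not an integer")
                continue
            lo, hi = DELAY_RANGE
            if not lo <= seconds <= hi:
                result.range_errors.append(f"{DELAY_OPTION} {seconds}: outside {lo}-{hi} seconds")
    return result


# Constructed sample: ip-query plus a leftover active-directory-access stanza.
CONFLICTING_CONFIG = """
set services user-identification active-directory-access domain example.com
set services user-identification identity-management ip-query delay-query-time 15
"""

# Constructed sample: ip-query alone, but with a delay outside 0-60 seconds.
OUT_OF_RANGE_CONFIG = """
set services user-identification identity-management ip-query delay-query-time 90
"""

# Constructed sample: ip-query alone with a valid delay; this one should commit.
CLEAN_CONFIG = """
set services user-identification identity-management ip-query delay-query-time 15
"""

if __name__ == "__main__":
    for name, cfg in (("conflicting", CONFLICTING_CONFIG),
                      ("out-of-range", OUT_OF_RANGE_CONFIG),
                      ("clean", CLEAN_CONFIG)):
        r = check_ip_query_config(cfg)
        print(name, "commit ok" if r.would_commit else f"blocked: {r.conflicts + r.range_errors}")
```

Run it against the output of `show configuration | display set` saved to a file before committing; a non-empty conflicts list means the same stanzas the commit check on the device would reject are still present.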
Required Privilege Level
services—To view this statement in the configuration.
services-control—To add this statement to the configuration.