
invalid-authentication-entry-timeout (Services User Identification Active Directory and ClearPass)

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 15.1X49-D100.

Description

Configure an independent timeout value to be assigned to invalid user authentication entries in the SRX Series authentication table for either Windows active directory or Aruba ClearPass. The invalid authentication entry timeout setting is different from the general authentication entry timeout setting. It allows you to protect invalid user authentication entries in an authentication table from expiring before the user can be validated.

User authentication entries in an authentication table carry a time-out value after which the entry expires and is no longer valid. When there is no identity information for a user, an invalid authentication entry is created with a NULL and INVALID state for that user's IP address and stored in the access directory authentication table. Before this feature was introduced, the general time-out value that applies to all user entries was applied to invalid entries as well.

Separate authentication tables exist for the two authentication sources and you configure separate settings for them, as illustrated in the following examples.

Use the following command to configure the invalid authentication entry timeout for entries in the Windows active directory authentication table. In this example, invalid authentication entries in the active directory authentication table will expire 40 minutes after they were created.

Use the following command to configure the invalid authentication entry timeout for entries in the SRX Series ClearPass authentication table. In this example, invalid authentication entries in the SRX Series ClearPass authentication table will expire 22 minutes after they were created.

The following rules govern how the invalid authentication entry timeout setting is used:

  • When you initially configure the invalid authentication entry timeout value, it is applied to any invalid authentication entries that are created after it was configured.

    However, all existing invalid authentication entries retain the default timeout of 30 minutes.

  • If you do not configure the invalid authentication entry timeout function, then the default timeout of 30 minutes is applied to all invalid authentication entries.

  • If you configure the invalid authentication entry timeout value but later you delete it, the default timeout of 30 minutes is applied to any invalid authentication entries created after the deletion.

    However, any invalid authentication entries to which the invalid entry timeout value was applied before the deletion retain that setting.

  • If you change the setting for the invalid authentication entry timeout value, the new value is applied to all invalid authentication entries that were created after the value was changed. However, all existing invalid authentication entries retain the former invalid authentication entry timeout setting, if it applied to them. Those to which the default value of 30 minutes applies retain that setting.

  • When the state of an invalid authentication entry changes to Pending or Valid, the invalid authentication entry timeout setting is no longer applicable to it. Therefore, the timeout value assigned to that entry is changed to the value that is set for the general authentication entry timeout.
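The rules above are easy to misread, so here is a small Python model of them, written as an added example for this page (it is not Junos code and does not talk to an SRX). It assumes a configured general authentication-entry timeout of 60 minutes and uses constructed IP addresses; the point it demonstrates is that each invalid entry keeps the invalid timeout that was in force when it was created, and drops it only when its state becomes Pending or Valid.

```python
from dataclasses import dataclass
from typing import Dict, Optional

DEFAULT_INVALID_TIMEOUT = 30  # minutes; the documented default for invalid entries


@dataclass
class AuthEntry:
    ip: str
    state: str    # "INVALID", "PENDING" or "VALID"
    timeout: int  # minutes assigned to this entry


class AuthTable:
    """Model of one SRX authentication table's invalid-entry timeout rules.

    Constructed from the rules in this statement's description; not Junos code.
    """

    def __init__(self, general_timeout: int):
        self.general_timeout = general_timeout       # general authentication-entry timeout (assumed)
        self.invalid_timeout: Optional[int] = None   # invalid-authentication-entry-timeout, unset
        self.entries: Dict[str, AuthEntry] = {}

    def set_invalid_timeout(self, minutes: Optional[int]) -> None:
        # Configure (0 through 1440) or delete (None). Existing entries are not revisited.
        if minutes is not None and not 0 <= minutes <= 1440:
            raise ValueError("timeout-value-in-minutes must be 0 through 1440")
        self.invalid_timeout = minutes

    def add_invalid(self, ip: str) -> AuthEntry:
        # No identity information for this IP: create an INVALID entry carrying the
        # invalid timeout in force right now (or the 30-minute default if none is set).
        t = DEFAULT_INVALID_TIMEOUT if self.invalid_timeout is None else self.invalid_timeout
        entry = AuthEntry(ip, "INVALID", t)
        self.entries[ip] = entry
        return entry

    def validate(self, ip: str, new_state: str) -> AuthEntry:
        # Identity arrived: once the entry is PENDING or VALID the invalid timeout no
        # longer applies and the general timeout takes over.
        if new_state not in ("PENDING", "VALID"):
            raise ValueError("state must become PENDING or VALID")
        entry = self.entries[ip]
        entry.state = new_state
        entry.timeout = self.general_timeout
        return entry
```

Walk the constructed sequence (default, configure 40, change to 22, delete) and note that only entries created after each change pick up the new value.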

Options

timeout-value-in-minutes

Expiration time in minutes to be applied to invalid authentication entries in the SRX Series authentication table for either Windows active directory or Aruba ClearPass authentication sources.

Range: 0 through 1440 minutes.

Default: 30 minutes

Required Privilege Level

  • services—To view this statement in the configuration.

  • services-control—To add this statement to the configuration.