
Configure ClearPass and JIMS at the Same Time


You can configure ClearPass and Juniper Identity Management Service (JIMS) at the same time. With both configured, SRX Series or NFX Series devices can query JIMS for user identification entries, and ClearPass can push its entries to the devices through the Web API.

Understanding How ClearPass and JIMS Work at the Same Time

The device relies on Juniper Identity Management Service (JIMS) and ClearPass for user identity information. Starting in Junos OS Release 18.2R1, you can configure JIMS, ClearPass, and Web API at the same time in UserFW. Prior to Junos OS Release 18.2R1, you could configure either ClearPass Policy Manager (CPPM) or JIMS, but not both. By configuring ClearPass and JIMS at the same time, the device can query JIMS to obtain user identity information from Active Directory and the Exchange servers, and ClearPass can push user authentication and identity information to the device through the Web API.

How Do ClearPass and JIMS Work at the Same Time?

When a user is authenticated by CPPM, CPPM uses the Web API to push the user or device information to the device. The device builds an authentication entry or device-information entry for that user, and the user's traffic can pass through the device according to security policy. When a Windows Active Directory client logs on to the domain, the device obtains the client's user or device information from JIMS through a batch query. The authentication table is updated with the entry provided by JIMS, and the user's traffic can pass through the device according to security policy.

When both the JIMS IP query and the ClearPass user query are enabled, the device always queries ClearPass first. If CPPM returns IP-user mapping information, that information is added to the authentication table. If CPPM does not respond, or responds without IP-user mapping information, the device then queries JIMS to obtain the IP-user or group mapping.

When the IP-user or group mapping is received from both JIMS and CPPM, device considers the latest authentication entries and overwrites the existing authentication entries.

You can set a delay-query-time parameter, specified in seconds, that allows the device to wait for a period of time before sending the query. The delay time should be the same value for ClearPass and JIMS. Otherwise, an error message is displayed and the commit check fails.

Different Scenarios of How ClearPass and JIMS Work at the Same Time

The following scenarios explain in more detail how ClearPass and JIMS work together:

Scenario 1: What an SRX Series Device Does If CPPM Responds with IP-User or Group Mapping Information

Figure 1 shows how an SRX Series device queries CPPM for IP-user or group mapping information and adds the result to its authentication table.

  1. A user attempts to access a resource. When the SRX Series device receives the traffic request, it searches for an entry for the user in its ClearPass authentication table and the local Active Directory authentication table, but the user information is not found.

  2. The SRX Series device queries ClearPass for user identity.

  3. ClearPass sends the IP-user or group mapping information to the SRX Series device.

  4. The SRX Series device adds the information to the authentication table.

Figure 1: What an SRX Series Device Does If CPPM Responds with IP-User or Group Mapping Information

Scenario 2: What an SRX Series Device Does If CPPM Does Not Respond or Responds with No IP-User or Group Mapping Information

Figure 2 shows how an SRX Series device falls back to querying JIMS when CPPM does not respond or returns no IP-user or group mapping information.

  1. A user attempts to access a resource. When the SRX Series device receives the traffic request, it searches for an entry for the user in its ClearPass authentication table and JIMS authentication table, but the user information is not found.

  2. The SRX Series device queries ClearPass for user identity.

  3. If the SRX Series device does not receive a response from ClearPass, or receives a response with no IP-user or group mapping information, it queries JIMS.

  4. JIMS sends the IP-user or group mapping information to the SRX Series device.

  5. The SRX Series device adds the information received from JIMS to the authentication table.

Figure 2: What an SRX Series Device Does If CPPM Does Not Respond or Responds with No IP-User or Group Mapping Information

Example: Configure ClearPass and JIMS at the Same Time

This example shows how to enable Juniper Identity Management Service (JIMS) and ClearPass at the same time as sources of user identity information, and how to verify that both are working. It also explains which authentication entries take precedence and how the timeouts behave for JIMS and ClearPass.

Requirements

This example uses the following hardware and software components:

  • An SRX Series device.

  • The IP address of the JIMS server.

  • The ClearPass client IP address.

  • Aruba ClearPass Policy Manager (CPPM). The CPPM is configured to use its local authentication source to authenticate users.

    Note

    It is assumed that the CPPM is configured to provide the SRX Series device with user authentication and identity information, including the username, a list of the names of any groups that the user belongs to, the IP addresses of the devices used, and the device posture token.

Overview

An SRX Series device obtains user or device identity information from different authentication sources. After the SRX Series device obtains device identity information, it creates an entry in the device identity authentication table. The SRX Series device relies on JIMS and ClearPass for user identity information. By enabling JIMS and ClearPass at the same time, an SRX Series device can query JIMS to obtain user identity information from Active Directory and the Exchange servers, while CPPM pushes user authentication and identity information to the SRX Series device through the Web API.

When both the JIMS IP query and the ClearPass user query are enabled, the SRX Series device always queries ClearPass first. When the IP-user or group mapping is received from both JIMS and CPPM, the SRX Series device keeps the latest authentication entries and overwrites the existing ones. You can set a delay-query-time parameter, specified in seconds, that makes the SRX Series device wait for a period of time before sending the query. When JIMS and ClearPass are both enabled, the delay time must be the same value for both. Otherwise, an error message is displayed and the commit check fails.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Step-by-Step Procedure

To configure JIMS and ClearPass at the same time, use the following configurations:

  1. Configure the IP address of the primary JIMS server.
  2. Configure the client ID that the SRX Series provides to the JIMS primary server as part of its authentication.
  3. Configure the client secret that the SRX Series provides to the JIMS primary server as part of its authentication.
  4. Configure Aruba ClearPass as the authentication source for user query requests, and configure the ClearPass webserver name and its IP address. The SRX Series device requires this information to contact the ClearPass webserver.
  5. Configure the client ID and the client secret that the SRX Series device needs in order to obtain the access token required for user queries.
  6. Configure the token API that is used in generating the URL for acquiring an access token.
  7. Configure the query API to use for querying individual user authentication and identity information.
  8. Configure the Web API daemon username and password for the account.
  9. Configure the Web API client address, that is, the IP address of the ClearPass webserver's data port.
  10. Configure the Web API process HTTPS service port.
  11. Configure an authentication entry timeout value for Aruba ClearPass.
  12. Configure an independent timeout value to be assigned to invalid user authentication entries in the SRX Series authentication table for Aruba ClearPass.
  13. Configure an independent timeout value to be assigned to invalid user authentication entries in the SRX Series authentication table for JIMS.
  14. Set a query-delay-time parameter, specified in seconds, that allows the SRX Series device to wait for a period of time before sending the query.
  15. Set a query-delay-time parameter, specified in seconds, that allows the SRX Series device to wait for a period of time before sending the query.
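The following set commands carry out the 15 steps above. They are an added example, not the page's own quick configuration: the addresses, names, secrets, port and timer values are constructed placeholders, and the hierarchy paths are assumed from the Junos OS CLI rather than copied from this page, so confirm each statement with `?` completion on the device before committing. Note that the two delay timers (steps 14 and 15) are set to the same value, as the commit check requires.

```junos
# Added example with constructed values; 192.0.2.x addresses, names and secrets are placeholders.
# Steps 1-3: primary JIMS server and the client ID/secret the SRX Series device presents to it
set services user-identification identity-management connection primary address 192.0.2.10
set services user-identification identity-management connection primary client-id srx-jims-client
set services user-identification identity-management connection primary client-secret JIMS-CLIENT-SECRET-PLACEHOLDER
# Steps 4-7: ClearPass user query: webserver, OAuth client credentials, token API and query API
set services user-identification authentication-source aruba-clearpass user-query web-server cp-webserver address 192.0.2.20
set services user-identification authentication-source aruba-clearpass user-query client-id srx-cppm-client
set services user-identification authentication-source aruba-clearpass user-query client-secret CPPM-CLIENT-SECRET-PLACEHOLDER
set services user-identification authentication-source aruba-clearpass user-query token-api oauth
set services user-identification authentication-source aruba-clearpass user-query query-api "api/v1/insight/endpoint/ip/$IP$"
# Steps 8-10: Web API account CPPM pushes with, the CPPM data-port address allowed to connect, and the HTTPS port
set system services webapi user webapi-user password WEBAPI-PASSWORD-PLACEHOLDER
set system services webapi client 192.0.2.20
set system services webapi https port 8443
# Steps 11-13: entry timeout for ClearPass, and invalid-entry timeouts for ClearPass and JIMS
set services user-identification authentication-source aruba-clearpass authentication-entry-timeout 30
set services user-identification authentication-source aruba-clearpass invalid-authentication-entry-timeout 30
set services user-identification identity-management invalid-authentication-entry-timeout 30
# Steps 14-15: query delay in seconds; both values must match or the commit check fails
set services user-identification authentication-source aruba-clearpass user-query delay-query-time 15
set services user-identification identity-management ip-query query-delay-time 15
```

If the two delay values differ, the commit check reports an error, which is the quickest way to confirm that both sources are enabled and the check is active.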

Results

From configuration mode, confirm your configuration by entering the show system services webapi command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

From configuration mode, confirm your configuration by entering the show services user-identification authentication-source aruba-clearpass command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

From configuration mode, confirm your configuration by entering the show services user-identification identity-management command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the devices, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying JIMS Authentication Entries

Purpose

Verify that the device identity authentication table for JIMS is updated.

Action

Enter the show services user-identification authentication-table authentication-source identity-management source-name "JIMS - Active Directory" node 0 command.

show services user-identification authentication-table authentication-source identity-management source-name "JIMS - Active Directory" node 0

Meaning

The output shows that the JIMS authentication entries are being updated.

Verifying ClearPass Authentication Entries

Purpose

Verify that the device identity authentication table for ClearPass is updated.

Action

Enter the show services user-identification authentication-table authentication-source aruba-clearpass node 0 command to verify that entries are updated.

show services user-identification authentication-table authentication-source aruba-clearpass node 0

Meaning

The output shows that the ClearPass authentication entries are being updated.

Verifying Device Entries by Domain

Purpose

Verify that all authenticated devices belong to the domain.

Action

Enter the show services user-identification device-information table all domain juniper.net node 0 command.

show services user-identification device-information table all domain juniper.net node 0

Meaning

The output displays all authenticated devices that belong to the domain.

Verifying ClearPass Webserver Is Online

Purpose

Verify that the ClearPass webserver is online.

Action

Enter the show services user-identification authentication-source aruba-clearpass user-query status command.

show services user-identification authentication-source aruba-clearpass user-query status

Meaning

The output shows that the ClearPass webserver is online.

Verifying JIMS Server Is Online

Purpose

Verify that the JIMS server is online.

Action

Enter the show services user-identification identity-management status command.

show services user-identification identity-management status

Meaning

The output shows that the JIMS server is online.

Release History Table

Release    Description
18.2R1     Starting in Junos OS Release 18.2R1, you can configure JIMS, ClearPass, and Web API at the same time in UserFW. Prior to Junos OS Release 18.2R1, you could configure either ClearPass Policy Manager (CPPM) or JIMS, but not both.