Configure Juniper Identity Management Service to Obtain User Identity Information

Juniper Identity Management Service (JIMS) is a standalone Windows service application that collects and maintains a large database of user, device, and group information from Active Directory domains. JIMS enables the device to rapidly identify thousands of users in a large, distributed enterprise.

Understanding Advanced Query Feature for Obtaining User Identity Information from JIMS

Overview

Juniper Identity Management Service (JIMS) is a software agent and repository that collects user name, device identity, and group information from various sources. JIMS supports Microsoft Active Directory and Microsoft Exchange Server.

The SRX Series or NFX Series device relies on JIMS to obtain user identity information in much the same way that it relies on LDAP.

If you configure the advanced user query feature, the device:

  • Queries JIMS for identity information.

  • Populates the identity management authentication table with the information obtained from JIMS.

  • Uses the populated identity management authentication table to authenticate a user or a device requesting access to a protected resource.

If JIMS has no entry for a user, the device can supply one. Once the user has successfully authenticated to the device through the captive portal, the advanced query feature pushes that user's authentication entry to the JIMS server.

User identity information that JIMS sends in response to the device queries includes:

  • IP address of the user’s device.

  • User name.

  • Domain that the user’s device belongs to.

  • Roles that the user belongs to, such as mycompany-pc, CEO, and user-authenticated.

  • Whether the device is online, and the state of the device, such as "Healthy".

  • End-user attributes, such as device-identity (the device name) and the groups that the device belongs to.

Establishing a Connection to JIMS to Obtain User Identity Information

The device obtains user identity information by querying JIMS either in batch mode to obtain information for groups of users or through queries for individual users. For the device to query JIMS, you must establish an HTTPS connection between the device and the JIMS server.

HTTP connections are used only for debugging purposes. Do not use HTTP in production: the client secret, the access token, and every identity record returned by JIMS would cross the network in clear text.

Defining the connection entails configuring the following information:

  • Connection parameters.

  • Authentication information that allows the device to authenticate to JIMS.

    The device obtains an access token after it authenticates to the JIMS server. The device must use this token to query JIMS for user information.

  • You can also configure this information for connection to a secondary, backup server.

Starting in Junos OS Release 18.3R1, IPv6 addresses are supported for the connections to the JIMS primary server and secondary server, in addition to the existing IPv4 address support.

The device attempts to connect to the primary server first and in case of failed attempt, it switches to the secondary server. Even after connecting to the secondary server, the device periodically probes the failed primary server and reverts to the primary server when it is available again.

Starting with Junos OS Release 18.1R1, you can configure an IPv6 address for Web API function to allow the JIMS to initiate and establish a secure connection. The Web API supports the IPv6 user or device entries obtained from JIMS. Prior to Junos OS Release 18.1R1, only IPv4 addresses were supported.

Querying JIMS for User Identity Information

There are three ways to obtain user identity information from JIMS:

  • Initial batch query at startup—When the device starts, and you have configured the connection to the JIMS server, it sends a batch query message to JIMS to obtain all user identity information for Active Directory users that is available at that time.

  • Follow-on batch queries—Following its initial receipt of user identity information, the device queries JIMS periodically for batches of newly generated user identity information. For this to occur, you configure an interval for the periodic queries and specify the number of user identity records to be sent in return per batch. Starting with Junos OS Release 18.1R1, the device can query JIMS for IPv6 user or device information. Prior to Junos OS Release 18.1R1, only IPv4 addresses were supported.

  • Query for individual user information—You can configure the advanced query feature to allow you to query the JIMS server for identity information for an individual user based on the IP address of the user’s device, if that information is missing from a batch response. Starting with Junos OS Release 18.1R1, the device can query JIMS for IPv6 user or device information when IPv6 traffic arrives on the device.

    If an entry for the specified IP address does not exist, JIMS returns an HTTP 404 “Not Found” message.

When the device first requests user information from JIMS, it specifies a timestamp. JIMS responds with the user information generated since that timestamp and includes a cookie in the response to identify the query context. The device sends that cookie, instead of a timestamp, with its next query, so that each follow-on batch continues where the previous one ended.

You can refresh the user identity information that the identity management authentication table holds from JIMS, that is, everything received automatically at startup and from subsequent batch queries and individual IP queries up to the present.

To do so, clear the authentication table by disabling (deleting or deactivating) the advanced query feature configuration and committing. Afterward, reconfigure or reactivate the advanced query feature and commit again; the device then retrieves all available user identities.

Starting with Junos OS Release 18.1R1, devices can search the identity management authentication table for information based on IPv6 addresses. Prior to Junos OS Release 18.1R1, the devices read only IPv4 addresses. The device supports the use of IPv6 addresses associated with source identities in security policies. If an IPv4 or IPv6 entry exists, policies matching that entry are applied to the traffic and access is either allowed or denied.

Starting in Junos OS Release 20.2R1, you can search and view user identity information such as logged users, connected devices and group list from Juniper Identity Management Service (JIMS) and Active Directory (AD) domain. The SRX Series device relies on JIMS to obtain user identity information.

You can search the user identity information and validate the authentication source to provide access to the device. You can request JIMS to retrieve the group list for the Active Directory domain for identity information of an individual user.

Filters

The advanced query feature provides an optional filter function that you can use to control at a granular level the user information records that you want to receive in response to queries. You can configure filters based on IP addresses and domains. Filters allow you to define specifically users whose information you want JIMS to return to you in response to queries.

You can configure filters composed of:

  • A range of IP addresses. You can specify a range of IP addresses for:

    • Users whose information you want to receive.

    • Users for whom you do not want information.

    Starting in Junos OS Release 18.3R1, SRX Series devices support IPv6 addresses to configure the filters based on IP addresses, in addition to existing IPv4 addresses.

    You use address books to create the IP address filters. Each address set that a filter references must belong to the address book named in the filter and must contain no more than twenty IP addresses or ranges.

  • Domain names.

    You can specify the names of up to twenty-five Active Directory domains.

You can configure a filter that includes all three specifications: a range of IP addresses to include, a range of IP addresses to be excluded, and the names of one or more domains.

Filters are contextual: you can use a different filter configuration for different requests. If you change the filter configuration, the new filter applies only to subsequent queries and has no bearing on query requests already made.

Caveats and Limitations

The following warnings and caveats apply to the advanced query feature:

  • Before you use this feature, you must disable the active-directory-access and authentication-source options under the user-identification hierarchy. You cannot commit this configuration if Active Directory authentication or the ClearPass query and Web API functions are configured and committed.

  • CPU usage and resource consumption increase while the device reads and processes user identity records. The impact might last several minutes.

  • If user identity information is cleared from JIMS or it is missing for other reasons or delayed, the device could receive inaccurate IP address and user mapping information.

  • When the device firewall authentication function pushes to JIMS entries for users successfully authenticated through captive portal, it does not update the authentication entry time-out state for the Juniper Identity Management Service server.

The following limitations apply to the advanced query feature:

  • Generation of authentication entries in the identity management authentication table can be affected by a delay in the JIMS server’s response time or the number of user identity records to be retrieved.

  • As noted, if configuration of a filter is changed, the new filter is used only in subsequent retrievals of user identities.

  • Prior to Junos OS Release 18.3R1, you can configure only IPv4 addresses for the filter address ranges.

Understanding User Principal Name as User Identity in SRX Series Devices

Starting in Junos OS Release 20.1R1, you can use the User Principal Name (UPN) as the logon name in firewall authentication, which acts as the captive portal for JIMS or the user firewall.

Users can log on with a UPN alongside the cn or sAMAccountName at the same time; UPN can be used instead of sAMAccountName to authenticate a user.

Even if the user logs on with a UPN, firewall authentication pushes the sAMAccountName that maps to that UPN as the user identity, not the UPN itself.

Firewall authentication pushes both the UPN and the sAMAccountName that maps to it to JIMS.

The User Principal Name (UPN) attribute is the logon name from Windows Active Directory used to log on to a domain. A UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name). UPN is an indexed, single-valued string. UPN is used as the logon name in firewall authentication when an LDAP access profile is used.

A UPN is an Internet-style login name for a user based on the Internet standard. It is the name of a system user in e-mail address format, for example, username@domainname.com. A UPN is shorter than a distinguished name and easier to remember, and it is unique among all security principal objects within a directory forest.

The sAMAccountName attribute is a logon name used to support clients and servers from previous versions of Windows, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. The logon name must be no more than 20 characters and unique among all security principal objects within the domain. Access is granted once firewall authentication retrieves the sAMAccountName from Active Directory.

UPN is one of the identities of an Active Directory user in a domain. In most organizations, users log on with a UPN alongside the cn or sAMAccountName attribute. An access profile, however, matches on a single attribute in its search filter and cannot handle UPN together with cn or sAMAccountName at the same time. See Configure Integrated User Firewall.

Firewall authentication by captive portal can use one of two authentication sources: Active Directory or JIMS.

  • If the source is Active Directory, Active Directory must be configured on the SRX Series device when users log on with a UPN. Firewall authentication pushes the sAMAccountName to the SRX Series device, so the user authentication entry holds the sAMAccountName, not the UPN.

  • If the source is JIMS, JIMS must be configured on the SRX Series device when users log on with a UPN. Firewall authentication pushes both the UPN and the sAMAccountName to JIMS. Once you configure the SRX Series device to connect to the JIMS server, the device sends a batch query to JIMS to obtain the available user information.

Caveats and Limitations

The following warnings and caveats apply to the UPN support feature:

  • Configure sAMAccountName in the search-filter option of the access profile. This avoids a name conflict between one user's cn and another user's UPN.

  • The UPN suffix might differ from the name of the domain that the user belongs to. In that case, the security policy source-identity must reference the user under the domain name, not the UPN suffix. For example, a user whose sAMAccountName is ndu123 in domain ad03.net might have the UPN bob@ad03-upn.net; the policy must match the identity under ad03.net.

  • UPN is supported only when an LDAP access profile is configured for firewall authentication.
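The following configuration is an added example, not part of the original page or Juniper's own example, showing the two UPN caveats above together: an LDAP access profile whose search filter keys on sAMAccountName, a captive-portal (user-firewall) policy that authenticates against it under the Active Directory domain, and a policy whose source-identity uses the domain name rather than the UPN suffix. The server address, bind DN and password, zone names, policy names, and the example user from the caveat are assumptions; confirm each statement with the CLI help (?) on your release.

```junos
# Added example (not from the original page). Addresses, DNs, zone and policy names are placeholders.

# 1. LDAP access profile; search on sAMAccountName so one user's cn cannot
#    collide with another user's UPN prefix.
set access profile ldap-ad03 authentication-order ldap
set access profile ldap-ad03 ldap-server 192.0.2.5
set access profile ldap-ad03 ldap-options base-distinguished-name DC=ad03,DC=net
set access profile ldap-ad03 ldap-options search search-filter sAMAccountName=
set access profile ldap-ad03 ldap-options search admin-search distinguished-name CN=svc-srx,CN=Users,DC=ad03,DC=net
set access profile ldap-ad03 ldap-options search admin-search password "<bind-password>"

# 2. Policy that matches the user once an authentication entry exists.
#    The entry is domain\sAMAccountName: a user with sAMAccountName ndu123 in
#    ad03.net whose UPN is bob@ad03-upn.net is matched as "ad03.net\ndu123",
#    never as anything under ad03-upn.net. This policy must precede the
#    captive-portal policy, because policies are evaluated in order.
set security policies from-zone trust to-zone untrust policy allow-ndu123 match source-address any
set security policies from-zone trust to-zone untrust policy allow-ndu123 match destination-address any
set security policies from-zone trust to-zone untrust policy allow-ndu123 match application any
set security policies from-zone trust to-zone untrust policy allow-ndu123 match source-identity "ad03.net\ndu123"
set security policies from-zone trust to-zone untrust policy allow-ndu123 then permit

# 3. Captive portal for users who have no entry yet: HTTP traffic is redirected
#    to firewall authentication, which uses the profile above and tags the
#    resulting entry with the AD domain name (not the UPN suffix).
set security policies from-zone trust to-zone untrust policy fwauth-portal match source-address any
set security policies from-zone trust to-zone untrust policy fwauth-portal match destination-address any
set security policies from-zone trust to-zone untrust policy fwauth-portal match application junos-http
set security policies from-zone trust to-zone untrust policy fwauth-portal then permit firewall-authentication user-firewall access-profile ldap-ad03
set security policies from-zone trust to-zone untrust policy fwauth-portal then permit firewall-authentication user-firewall domain ad03.net
```

After a user logs on to the portal as bob@ad03-upn.net, check the entry that was created with show services user-identification authentication-table authentication-source all; it should appear as ndu123 under domain ad03.net, which is why the source-identity in the allow policy is written that way.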

Configuring Advanced Query Feature for Obtaining User Identity Information from JIMS

This configuration shows how to configure the advanced query feature for obtaining user identity information from Juniper Identity Management Service (JIMS) and to configure security policy to match the source identity.


Configuring the Web API Process

Configuring the Web API allows JIMS to initialize a connection to the device.

Use the following steps to configure the Web API process:

  1. Configure the Web API process (webapi) username and password for the account.
  2. Configure the Web API client address–that is, the IP address of the JIMS webserver’s data port.

    Starting with Junos OS Release 18.1R1, SRX Series devices support IPv6 addresses to configure the Web API client address, in addition to existing IPv4 addresses.

  3. Configure the Web API process HTTPS service port. If you enable the Web API service on the default TCP port 8080 or 8443, you must enable host inbound traffic on that port.
  4. Configure the Web API process to use the HTTPS default certificate.
  5. Configure the trace level for the Web API process. The supported trace levels are notice, warn, error, crit, alert, and emerg. The default value is error.
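The following configuration is an added example, not part of the original page, that carries out the five Web API steps above. The account name and password, the JIMS data-port address, the HTTPS port, and the zone name are assumptions; the password shown is a placeholder to be replaced with a strong, unique value.

```junos
# Added example (not from the original page). Credentials, addresses and zone are placeholders.

# Step 1: account that JIMS uses to authenticate to the Web API process.
set system services webapi user jims-push
set system services webapi user password "<strong-unique-password>"

# Step 2: only the JIMS web server's data port address may connect (IPv6 is
#         accepted here from Junos OS Release 18.1R1, for example 2001:db8::10).
set system services webapi client 192.0.2.10

# Step 3 and 4: HTTPS on 8443 with the device's default certificate.
set system services webapi https port 8443
set system services webapi https default-certificate

# Step 5: trace level (notice, warn, error, crit, alert, emerg; default error).
set system services webapi debug-level error

# Because the service listens on 8443, host-inbound traffic for the Web API
# must be admitted on the zone that faces JIMS (webapi-clear-text for HTTP).
set security zones security-zone trust host-inbound-traffic system-services webapi-ssl
```

Restrict the client list to the JIMS server address only: the Web API accepts pushed identity entries, so any host permitted here can inject user-to-IP mappings that security policies then act on.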

Configuring the Advanced Query Feature for Obtaining User Identity Information from JIMS

By configuring the advanced user query feature, the device can query JIMS and add the identity information to its local Active Directory authentication table.

Use the following steps to configure the advanced query feature:

  1. Configure the IP address of the primary JIMS server.
  2. Configure the client ID that the SRX Series device provides to the JIMS primary server as part of its authentication.
  3. Configure the client secret that the device provides to the JIMS primary server as part of its authentication.
  4. Configure the IP address for the secondary JIMS server.
  5. Configure the client ID that the device provides to the JIMS secondary server as part of its authentication to it.
  6. Configure the client secret that the device provides to the JIMS secondary server as part of its authentication to it.
  7. Configure the maximum number of user identity items that the device accepts in one batch in response to the query.
  8. Configure the interval in seconds after which the device issues a query request for newly generated user identities.
  9. Configure the Active Directory domains of interest to the SRX Series device. You can specify up to twenty domain names for the filter.
  10. Configure the address book name to include the IP filter.
  11. Configure the referenced address set.
  12. Configure the trace option file name.
  13. Configure trace file size.
  14. Configure the level of debugging output.
  15. Enable identity-management tracing for all modules.

Configuring Device Identity Authentication Source, and Security Policy to Match the User Identity Information Obtained from JIMS

Specify the device identity authentication source and the security policy. The device obtains the device identity information for authenticated devices from the authentication source. The device searches the device identity authentication table for a device match when traffic issuing from a user’s device arrives at the device. If it finds a match, the device searches for a matching security policy. If it finds a matching security policy, the security policy’s action is applied to the traffic.

Use the following steps to configure device identity authentication source:

  1. Specify the device identity authentication source.
  2. Configure the device identity profile.
  3. Configure the domain name to which the device belongs.

Use the following steps to configure the security policy:

  1. Create a source address for a security policy.
  2. Create a destination address for a security policy.
  3. Configure the port-based application to match the policy.
  4. Define a username or a role (group) name that the JIMS sends to the device. Example: "jims-dom1.local\user1".
  5. Permit the packet if policy matches.
  6. Log the session at initiation.
  7. Log the session at close.
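The following configuration is an added example, not part of the original page, that performs the device identity and security policy steps above. The profile name, the device attribute value, the zone names, the addresses, and the policy name are assumptions; the user identity "jims-dom1.local\user1" is the one used in the procedure. Confirm the attribute names available under end-user-profile with the CLI help (?) on your release.

```junos
# Added example (not from the original page). Profile, zone and policy names are placeholders.

# Device identity authentication source and a device identity profile bound to
# the domain the devices belong to.
set services user-identification device-information authentication-source network-access-controller
set services user-identification device-information end-user-profile profile-name jims-devices domain-name jims-dom1.local
set services user-identification device-information end-user-profile profile-name jims-devices attribute device-identity string-value Win10-Laptop

# Security policy matched on the user identity that JIMS sends; the source
# identity is written as domain\user exactly as it appears in the
# authentication table. Session-init and session-close logging give the
# SOC a per-user record of what the policy permitted.
set security policies from-zone trust to-zone untrust policy user1-web match source-address any
set security policies from-zone trust to-zone untrust policy user1-web match destination-address any
set security policies from-zone trust to-zone untrust policy user1-web match application junos-http
set security policies from-zone trust to-zone untrust policy user1-web match source-identity "jims-dom1.local\user1"
set security policies from-zone trust to-zone untrust policy user1-web then permit
set security policies from-zone trust to-zone untrust policy user1-web then log session-init
set security policies from-zone trust to-zone untrust policy user1-web then log session-close

# To match on the device identity profile instead of (or as well as) the user:
set security policies from-zone trust to-zone untrust policy user1-web match source-end-user-profile jims-devices
```

Place identity-based permit policies above any broad permit policy for the same zone pair; otherwise the broader policy matches first and the identity match is never evaluated.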

Example: Configuring the Advanced Query Feature for Obtaining User Identity Information from JIMS

Summary

This example shows how to configure the advanced query feature on the SRX Series device to connect automatically to Juniper Identity Management Service (JIMS). You can make requests using advanced query to obtain the authentication information through batch query.

JIMS provides a robust and scalable user identification and IP address mapping implementation that includes endpoint context and machine ID. JIMS collects user identity information from different authentication sources, for SRX Series devices. With advanced query feature, the SRX Series device works as the HTTPS client and sends HTTPS requests to JIMS on port 591.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

This example uses the following hardware and software components:

  • Junos OS Release 15.1X49-D100 and JIMS Software Release v1.1 and v1.2.

Before you begin, you need the following information:

  • The IP address of the JIMS server.

  • The port number on the JIMS server for receiving HTTPS requests.

  • The client ID from the JIMS server for advanced queries.

  • The client secret from the JIMS server for advanced queries.

  • Optionally, the traceoptions you want to enable for debugging advanced queries.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

To configure the advanced query feature on SRX Series device:

  1. Configure JIMS as the authentication source for advanced query requests. The SRX Series device requires this information to contact the server.
  2. Configure the port number of the JIMS server to which the SRX Series device sends HTTPS requests.
  3. Configure the primary address of the JIMS server.
  4. Configure the client ID and client secret to obtain access token.
  5. Configure the secondary address of the JIMS server.
  6. Configure the client ID and client secret to obtain access token.
  7. Configure the batch query interval to periodically query JIMS for user identity information.
  8. Configure the delay time in seconds before the SRX Series device sends the individual user query. In this example, there is no delay.
  9. Configure the traceoptions for debugging and trimming output.
  10. Configure the device to connect to the JIMS server. If you do not specify a port number, the default port 591 is used for JIMS. The SRX Series device uses the same JIMS connection configuration whether it connects to JIMS on port 443 or to the JIMS server (validator) on the default port 591.
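The following configuration is an added example, not part of the original page or Juniper's own quick configuration, that covers both the advanced query procedure earlier in this topic and the step-by-step procedure above. The server addresses, client IDs and secrets, batch size, query interval, timeout, and trace file name are placeholders.

```junos
# Added example (not from the original page). Addresses, IDs, secrets and sizes are placeholders.

# How long an entry obtained from JIMS stays valid (minutes).
set services user-identification identity-management authentication-entry-timeout 60

# Steps 1 to 3: HTTPS to JIMS on the default advanced-query port 591.
# connect-method http exists for debugging only; it sends the secret and
# token in clear text.
set services user-identification identity-management connection connect-method https
set services user-identification identity-management connection port 591
set services user-identification identity-management connection primary address 192.0.2.10

# Step 4: credentials the device presents to obtain the access token.
set services user-identification identity-management connection primary client-id srx-edge-01
set services user-identification identity-management connection primary client-secret "<primary-client-secret>"

# Steps 5 and 6: secondary server, probed automatically on primary failure
# (an IPv6 address is accepted here from Junos OS Release 18.3R1).
set services user-identification identity-management connection secondary address 192.0.2.11
set services user-identification identity-management connection secondary client-id srx-edge-01
set services user-identification identity-management connection secondary client-secret "<secondary-client-secret>"

# Step 7: follow-on batch queries every 5 seconds, at most 200 records each.
set services user-identification identity-management batch-query items-per-batch 200
set services user-identification identity-management batch-query query-interval 5

# Step 8: individual IP query sent with no delay when a batch lacks the address.
set services user-identification identity-management ip-query query-delay-time 0

# Step 9: trace file, size cap, level and modules.
set services user-identification identity-management traceoptions file jims-query.log
set services user-identification identity-management traceoptions file size 10m
set services user-identification identity-management traceoptions level error
set services user-identification identity-management traceoptions flag all
```

After committing, show services user-identification identity-management status reports which server is online, and show services user-identification identity-management counters shows the batch and IP query counts per server. To force a full refresh of the authentication table, deactivate services user-identification identity-management, commit, then activate it and commit again; the device issues a fresh initial batch query.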

Results

From configuration mode, confirm your configuration by entering the show services user-identification command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. To disable individual IP queries, configure set services user-identification identity-management ip-query no-ip-query.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the user-identification identity-management status

Purpose

Verify that the JIMS server is online and which server is responding to queries from the SRX Series device.

Action

From operational mode, enter the show services user-identification identity-management status command.

Meaning

The output provides data about the JIMS server status.

Verifying the user-identification identity-management counters

Purpose

Display counters for batch and IP queries sent to the JIMS server and responses received from it. The batch query counters are displayed separately for the primary server and the secondary server, if more than one is configured.

Action

From operational mode, enter the show services user-identification identity-management counters command.

From operational mode, enter the clear services user-identification identity-management counters command to clear the counter.

Meaning

The output provides the batch and IP queries data from JIMS server.

Example: Configuring Filter for Advanced Query Feature

An SRX Series device supports IP filters and domain filters when querying Juniper Identity Management Service (JIMS). The advanced query feature provides an optional filter function to receive the user information in response to queries.

This example shows how to configure the filters for obtaining the user information.

Requirements

Before you begin:

Overview

You can configure filters to query JIMS server at a more granular level to obtain user identity information based on IP addresses. You can set filters to include the IP address ranges, which SRX Series devices require or exclude the IP address ranges that they do not require when collecting the user identity information. You can also filter domains.

A filter can include and exclude up to twenty IP address ranges each. An address set that contains more than twenty address ranges therefore causes the filter configuration to fail. To specify the ranges, reference a predefined address set that contains them and that belongs to an existing address book.

A domain filter can include up to 20 domain names.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

In this example, define an address book, and specify the security address for the address book. Specify an IP address with a prefix. Define an address set name and specify the address. Include and exclude the IP addresses in the address book. Add the address set to include and exclude the IP addresses. Add a domain name to filter the domain.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a filter for advanced query feature:

  1. Define an address book name, specify security address for the address book, and add an IPv4 address with a prefix.
  2. Specify an address set name and specify the address.
  3. Reference the address book in the include-ip and exclude-ip filters.
  4. Reference the address set to include or exclude in each filter.
  5. Specify a domain name to filter the domain.
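The following configuration is an added example, not part of the original page, that builds the filter described in the Filters section and in the steps above: one address set to include, one to exclude, and a single domain. The address book and set names, the prefixes, and the domain name are placeholders; the IPv6 entry requires Junos OS Release 18.3R1 or later.

```junos
# Added example (not from the original page). Book, set, prefix and domain names are placeholders.

# Steps 1 and 2: address book with the ranges to include (keep each set to
# 20 entries or fewer, or the filter fails to commit).
set security address-book jims-filter address corp-clients 10.10.0.0/16
set security address-book jims-filter address corp-clients-v6 2001:db8:10::/48
set security address-book jims-filter address-set jims-include address corp-clients
set security address-book jims-filter address-set jims-include address corp-clients-v6

# A server subnet whose mappings are of no interest to the user firewall.
set security address-book jims-filter address server-subnet 10.10.200.0/24
set security address-book jims-filter address-set jims-exclude address server-subnet

# Steps 3 and 4: include and exclude filters reference the book and the set.
set services user-identification identity-management filter include-ip address-book jims-filter
set services user-identification identity-management filter include-ip address-set jims-include
set services user-identification identity-management filter exclude-ip address-book jims-filter
set services user-identification identity-management filter exclude-ip address-set jims-exclude

# Step 5: only this Active Directory domain's records are requested.
set services user-identification identity-management filter domain jims-dom1.local
```

Because a changed filter applies only to subsequent queries, entries already learned for 10.10.200.0/24 remain in the authentication table until they time out; clear the table (deactivate and reactivate the identity-management configuration) if the exclusion must take effect immediately.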

Results

From configuration mode, confirm your configuration by entering the show services user-identification and show security address-book commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Verification

Verifying Filter for Advanced Query Feature

Purpose

Verify that the authentication table displays the user information that you want to receive in response to queries.

Action

From operational mode, enter show services user-identification authentication-table authentication-source all command.


Meaning

The output displays the user information in response to queries.

Release History Table

Release   Description
18.3R1    Starting in Junos OS Release 18.3R1, IPv6 addresses are supported to connect JIMS primary server and secondary server, in addition to existing IPv4 address support.
18.3R1    Starting in Junos OS Release 18.3R1, SRX Series devices support IPv6 addresses to configure the filters based on IP addresses, in addition to existing IPv4 addresses.
18.1R1    Starting with Junos OS Release 18.1R1, you can configure an IPv6 address for Web API function to allow the JIMS to initiate and establish a secure connection. The Web API supports the IPv6 user or device entries obtained from JIMS. Prior to Junos OS Release 18.1R1, only IPv4 addresses were supported.
18.1R1    Starting with Junos OS Release 18.1R1, the device can query JIMS for IPv6 user or device information. Prior to Junos OS Release 18.1R1, only IPv4 addresses were supported.
18.1R1    Starting with Junos OS Release 18.1R1, devices can search the identity management authentication table for information based on IPv6 addresses. Prior to Junos OS Release 18.1R1, the devices read only IPv4 addresses. The device supports the use of IPv6 addresses associated with source identities in security policies. If an IPv4 or IPv6 entry exists, policies matching that entry are applied to the traffic and access is either allowed or denied.