Configure Juniper Identity Management Service to Obtain User Identity Information

Juniper Identity Management Service (JIMS) is a standalone Windows service application designed to collect and manage a comprehensive database of user, device, and group information from Active Directory domains. JIMS is specifically developed to facilitate efficient user identification in large, distributed enterprises.

Understanding Advanced Query Feature for Obtaining User Identity Information from JIMS

Overview

Juniper Identity Management Service (JIMS) serves as both a software agent and repository for gathering user names, device identities, and group information from various sources. JIMS seamlessly integrates with Microsoft Active Directory and Microsoft Exchange Server.

For SRX Series or NFX Series devices, JIMS is a source of user identity information, much as LDAP is. If you configure the advanced user query feature, the device:

  • Query JIMS for identity information.

  • Populate the identity management authentication table with the acquired information from JIMS.

  • Utilize the populated identity management authentication table to authenticate users or devices seeking access to protected resources.

In cases where JIMS lacks information for a specific user, you can push that information to the device. However, to do so, the user must first authenticate through the device's captive portal.

Additionally, the advanced query feature enables the device to push authentication entries to the JIMS server for users who do not have existing entries in JIMS but have successfully authenticated through the captive portal.

The user identity information provided by JIMS in response to device queries includes:

  • IP address of the user’s device.

  • User name.

  • Domain that the user’s device belongs to.

  • Roles that the user belongs to, such as mycompany-pc, CEO, user-authenticated.

  • Device online status and its state, such as “Healthy”.

  • End-user-attributes, such as device-identity, value (device name), and groups that the device belongs to.

Establishing a Connection to JIMS to Obtain User Identity Information

To obtain user identity information from JIMS, the device can query JIMS either in batch mode for groups of users or individually for specific users. Establishing an HTTPS connection between the device and the JIMS server is necessary for querying JIMS. It's important to note that HTTP connections are only used for debugging purposes.

Defining the connection involves configuring the following information:

  • Connection parameters.

  • Authentication information for the device to authenticate with JIMS.

    The device obtains an access token after it authenticates to the JIMS server. The device must use this token to query JIMS for user information.

You can also configure this connection information for a secondary backup server.

Starting from Junos OS Release 18.3R1, JIMS primary and secondary servers support IPv6 addresses in addition to the existing IPv4 address support. The device first attempts to connect to the primary server and switches to the secondary server if the attempt fails. Even when connected to the secondary server, the device periodically probes the failed primary server and reverts to it once it becomes available again.

Starting with Junos OS Release 18.1R1, you can configure an IPv6 address for the Web API function, allowing JIMS to initiate and establish a secure connection. The Web API now supports IPv6 user or device entries obtained from JIMS. Prior to Junos OS Release 18.1R1, only IPv4 addresses were supported.

Querying JIMS for User Identity Information

There are three ways to obtain user identity information from JIMS:

  • Initial batch query at startup—When the device starts, it sends a batch query message to JIMS to obtain all available user identity information for active directory users based on the configured device connection to the JIMS server.

  • Follow-on batch queries—After receiving the initial user identity information, the device periodically queries JIMS for newly generated user identity information. You can configure the interval between these queries and specify the number of user identity records to be included in each batch. Starting from Junos OS Release 18.1R1, the device can also query JIMS for IPv6 user or device information.

  • Query for individual user information—The device can also query JIMS for the user identity information associated with a specific IP address.

    If JIMS does not contain an entry for the specified IP address, it responds with an HTTP 404 "Not Found" message.

When the device initially requests user information from JIMS, it includes a timestamp. In response, JIMS sends user information going back to the specified timestamp and includes a cookie in the response to indicate the context. The device includes this cookie with subsequent queries instead of a timestamp.

You can refresh the user identity information in your identity management authentication table obtained from JIMS. This includes everything received automatically at device start-up and from subsequent batch queries and individual IP queries up to the present.

To achieve this, you can clear the authentication table by disabling the advanced query feature configuration. Afterward, you can reconfigure the advanced query feature to retrieve all available user identities.

Starting from Junos OS Release 18.1R1, devices can search the identity management authentication table for information based on IPv6 addresses, expanding on the previous support for IPv4 addresses. The device also supports the use of IPv6 addresses associated with source identities in security policies. Traffic matching an IPv4 or IPv6 entry in the table is subject to policies allowing or denying access accordingly.

Starting with Junos OS Release 20.2R1, you can search and view user identity information such as logged-in users, connected devices, and group lists from both Juniper Identity Management Service (JIMS) and Active Directory (AD) domains. The SRX Series Firewall relies on JIMS to obtain user identity information. You can search user identity information and validate the authentication source to grant access to the device. Additionally, you can request JIMS to retrieve the group list for an individual user from the Active Directory domain.

Filters

The advanced query feature offers an optional filter function that allows granular control over the user information records returned in response to queries. You can configure filters based on IP addresses and domains. Filters enable you to specifically define which user information you want JIMS to include in the query responses.

Filters can be configured with:

  • A range of IP addresses. You can specify a range of IP addresses for:

    • Users whose information you want to receive.

    • Users for whom you do not want information.

    Starting in Junos OS Release 18.3R1, SRX Series Firewalls support IPv6 addresses to configure the filters based on IP addresses, in addition to existing IPv4 addresses.

    You use address books to create the IP address filters. You configure address sets, each of which must not contain more than twenty IP addresses to be included in the address book.

  • Domain names.

    You can specify the names of up to twenty-five active directory domains.

You can create filters that include all three specifications: IP address ranges to include, IP address ranges to exclude, and one or more domain names.

Filters are context-specific, allowing different filter configurations for different requests. If you modify the filter configuration, the new filter applies exclusively to subsequent queries and does not affect prior query requests.
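The query and filter behaviour described above, as an added simulation that is not the page's or JIMS's own code: the JIMS REST endpoints and message format are not on the page, so FakeJims is a constructed in-memory stand-in. It shows the device obtaining an access token with its client ID and secret, sending the initial batch query with a timestamp and follow-on queries with the returned cookie, receiving HTTP 404 on an individual IP query for an unknown address, and applying include/exclude address sets and a domain list with the twenty-address limit.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
import secrets
MAX_FILTER_ADDRESSES = 20  # an address set used in a filter may hold at most twenty entries
UserRecord = namedtuple("UserRecord", "ip user domain ts")  # ts: constructed record time

class FakeJims:  # in-memory stand-in for the JIMS server (constructed, not the real JIMS API)
    def __init__(self, client_id, client_secret, records):
        self._creds = (client_id, client_secret)
        self._records = sorted(records, key=lambda r: r.ts)
        self._tokens, self._cookies = set(), {}

    def get_token(self, client_id, client_secret):
        if (client_id, client_secret) != self._creds:
            return None  # device authentication failed: no access token is issued
        token = secrets.token_hex(8)
        self._tokens.add(token)
        return token

    def batch_query(self, token, items_per_batch, timestamp=None, cookie=None):
        # The initial query carries a timestamp; follow-on queries carry the cookie instead.
        if token not in self._tokens:
            return 401, [], None
        since = self._cookies[cookie] if cookie is not None else timestamp
        batch = [r for r in self._records if r.ts > since][:items_per_batch]
        new_cookie = secrets.token_hex(4)  # context that the device echoes on its next query
        self._cookies[new_cookie] = batch[-1].ts if batch else since
        return 200, batch, new_cookie

    def ip_query(self, token, ip):
        if token not in self._tokens:
            return 401, None
        match = next((r for r in self._records if r.ip == ip), None)
        return (200, match) if match else (404, None)  # HTTP 404 Not Found for an unknown IP

class Filter:  # include/exclude address sets plus domain list, as in the filter configuration
    def __init__(self, include=(), exclude=(), domains=()):
        if max(len(include), len(exclude)) > MAX_FILTER_ADDRESSES:  # oversized set fails commit
            raise ValueError(f"an address set exceeds {MAX_FILTER_ADDRESSES} entries")
        self.include = [ip_network(n) for n in include]
        self.exclude = [ip_network(n) for n in exclude]
        self.domains = set(domains)

    def accepts(self, rec):
        addr = ip_address(rec.ip)
        if self.include and not any(addr in n for n in self.include):
            return False
        if any(addr in n for n in self.exclude):
            return False
        return not self.domains or rec.domain in self.domains

def sync_auth_table(jims, client_id, client_secret, flt, items_per_batch, start_ts=0):
    # Device side: obtain a token, send the initial batch query, then follow-on queries.
    token = jims.get_token(client_id, client_secret)
    if token is None:
        raise PermissionError("JIMS rejected the client ID / client secret")
    table = {}
    status, batch, cookie = jims.batch_query(token, items_per_batch, timestamp=start_ts)
    while status == 200 and batch:
        table.update({r.ip: r for r in batch if flt.accepts(r)})
        status, batch, cookie = jims.batch_query(token, items_per_batch, cookie=cookie)
    return table, token

def lookup(jims, token, table, ip):
    # Authentication-table hit first; otherwise an individual IP query to JIMS.
    status, rec = (200, table[ip]) if ip in table else jims.ip_query(token, ip)
    return f"{rec.domain}\\{rec.user}" if status == 200 else None  # e.g. jims-dom1.local\user1

SAMPLE = [  # constructed records in documentation address ranges
    UserRecord("192.0.2.10", "user1", "jims-dom1.local", 100),
    UserRecord("192.0.2.50", "svc", "jims-dom1.local", 101),    # inside the excluded range
    UserRecord("198.51.100.5", "guest", "other.example", 102),  # filtered out by domain
    UserRecord("192.0.2.12", "user3", "jims-dom1.local", 103),
]
FILTER = Filter(["192.0.2.0/24", "198.51.100.0/24"], ["192.0.2.48/28"], ["jims-dom1.local"])
```

With items_per_batch set to 2, the four sample records arrive over two cookie-linked batches and a final empty one, and only the two records that pass the include, exclude and domain checks reach the table.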

Caveats and Limitations

The following warnings, caveats, and limitations are associated with the advanced query feature:

  • Before using this feature, it is necessary to disable the active-directory-access and authentication-source options under the user-identification hierarchy. If active directory authentication or the ClearPass query and Web API functions are configured and committed, this configuration cannot be applied.

  • Reading and processing user identity records can impact CPU usage and resource consumption on the device. This impact may persist for several minutes.

  • If user identity information is cleared from JIMS or is missing for other reasons or delayed, the device may receive inaccurate IP address and user mapping information.

  • When the device's firewall authentication function pushes entries to JIMS for users successfully authenticated through the captive portal, it does not update the authentication entry time-out state for the Juniper Identity Management Service server.

  • The generation of authentication entries in the identity management authentication table can be affected by the response time of the JIMS server or the number of user identity records to be retrieved.

  • Changing the configuration of a filter will only apply to subsequent retrievals of user identities. It does not affect previously retrieved identities.

  • Prior to Junos OS Release 18.3R1, the address ranges in the filters can only be configured with IPv4 addresses. Starting from Junos OS Release 18.3R1, SRX Series Firewalls also support IPv6 addresses for filter configuration.

These details provide a comprehensive understanding of the Juniper Identity Management Service (JIMS) and its capabilities for obtaining user identity information, including the use of advanced query features, connection establishment, and the application of filters.

Understanding User Principal Name as User Identity in SRX Series Firewall

Starting from Junos OS Release 20.1R1, SRX Series Firewalls support using User Principal Name (UPN) as a logon name in firewall-authentication, which functions as a captive portal for Juniper Identity Management Service (JIMS) or user-firewall. You can use UPN as a logon name in combination with cn or sAMAccountName. UPN can be used instead of sAMAccountName for user authentication.

When a user uses UPN as the logon name, the firewall-authentication feature pushes the corresponding sAMAccountName (mapped to the UPN) to the user ID, rather than pushing the UPN itself. Both the UPN and sAMAccountName (mapped to the UPN) are pushed to JIMS.

The User Principal Name (UPN) attribute is the logon name used in Windows Active Directory to authenticate users within a domain. A UPN consists of a prefix (the user account name) and a suffix (a DNS domain name). It is an indexed string that is single-valued. When using an LDAP-type access profile, UPN can be used as the logon name in firewall-authentication.

UPN is an Internet-style login name for a user, following the Internet standard. It takes the form of an e-mail address, such as username@domainname.com. UPN is shorter than a distinguished name and easier to remember. Each UPN is unique among all security principal objects within a directory forest.

The sAMAccountName attribute is a logon name used to support clients and servers from previous versions of Windows, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. The logon name should be less than 20 characters and unique among all security principal objects within the domain. Access is granted when the firewall-authentication retrieves the sAMAccountName from the Active Directory.

In organizations, most users use UPN as their logon name along with the cn or sAMAccountName attribute simultaneously. However, the UPN attribute configuration in the access profile cannot handle UPN and cn or sAMAccountName at the same time. You can refer to the "Configure Integrated User Firewall" documentation for more information.

The user firewall-authentication using the captive portal has two sources: Active Directory and JIMS.

  • If the source is Active Directory, Active Directory must be configured on SRX Series Firewall when users use UPN as the logon name. The firewall-authentication feature pushes the sAMAccountName to the SRX Series Firewall, and the user authentication entry is based on sAMAccountName, not UPN.

  • If the source is JIMS, JIMS must be configured on SRX Series Firewall when users use UPN as the logon name. The firewall-authentication feature pushes both UPN and sAMAccountName to JIMS. When configuring the SRX Series Firewall with the JIMS server, the device sends a batch query to JIMS to retrieve available user information.

Caveats and Limitations

The following warnings and caveats apply to the UPN support feature:

  • The sAMAccountName should be configured in the search-filter option for the access profile to avoid name conflicts between cn and UPN of another user.

  • The UPN suffix may differ from the domain name to which the user belongs. In such cases, an additional security policy source-identity must be added for the domain name.

  • UPN support is only available when configuring an LDAP access profile for firewall-authentication.

Configuring Advanced Query Feature for Obtaining User Identity Information from JIMS

This configuration shows how to configure the advanced query feature for obtaining user identity information from Juniper Identity Management Service (JIMS) and to configure security policy to match the source identity.

Configuring the Advanced Query Feature for Obtaining User Identity Information from JIMS

By configuring the advanced user query feature, the device can query JIMS and add identity information in the local active directory authentication table.

Use the following steps to configure the advanced query feature:

  1. Configure the IP address of the primary JIMS server.
  2. Configure the client ID that the SRX Series Firewall provides to the JIMS primary server as part of its authentication.
  3. Configure the client secret that the device provides to the JIMS primary server as part of its authentication.
  4. Configure the IP address for the secondary JIMS server.
  5. Configure the client ID that the device provides to the JIMS secondary server as part of its authentication to it.
  6. Configure the client secret that the device provides to the JIMS secondary server as part of its authentication to it.
  7. Configure the maximum number of user identity items that the device accepts in one batch in response to the query.
  8. Configure the interval in seconds after which the device issues a query request for newly generated user identities.
  9. Configure active directory domains of interest to the SRX Series Firewall. You can specify up to twenty domain names for the filter.
  10. Configure the address book name to include the IP filter.
  11. Configure the referenced address set.
  12. Configure the trace option file name.
  13. Configure trace file size.
  14. Configure the level of debugging output.
  15. Configure the trace identity management for all modules.

Configuring Device Identity Authentication Source, and Security Policy to Match the User Identity Information Obtained from JIMS

Specify the device identity authentication source and the security policy. The device obtains the device identity information for authenticated devices from the authentication source. The device searches the device identity authentication table for a device match when traffic issuing from a user’s device arrives at the device. If it finds a match, the device searches for a matching security policy. If it finds a matching security policy, the security policy’s action is applied to the traffic.

Use the following steps to configure device identity authentication source:

  1. Specify the device identity authentication source.
  2. Configure the device identity profile.
  3. Configure the domain name to which the device belongs.

Use the following steps to configure the security policy:

  1. Create a source address for a security policy.

  2. Create a destination address for a security policy.

  3. Configure the port-based application to match the policy.

  4. Define a username or a role (group) name that the JIMS sends to the device. Example: "jims-dom1.local\user1".

  5. Permit the packet if policy matches.

  6. Configure the session initiation time.

  7. Configure the session close time.

Example: Configuring the Advanced Query Feature for Obtaining User Identity Information from JIMS

Summary: This example shows how to configure the advanced query feature on the SRX Series Firewall to connect automatically to Juniper Identity Management Service (JIMS). You can make requests using advanced query to obtain the authentication information through batch query.

JIMS provides a robust and scalable user identification and IP address mapping implementation that includes endpoint context and machine ID. JIMS collects user identity information from different authentication sources for SRX Series Firewalls. With the advanced query feature, the SRX Series Firewall acts as an HTTPS client and sends HTTPS requests to JIMS on port 591.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

This example uses the following hardware and software components:

  • Junos Software Release 15.1x49-D100 and JIMS Software Release v1.1 and v1.2.

Before you begin, you need the following information:

  • The IP address of the JIMS server.

  • The port number on the JIMS server for receiving HTTPS requests.

  • The client ID from the JIMS server for advanced queries.

  • The client secret from the JIMS server for advanced queries.

  • The traceoptions from the JIMS server for advanced queries.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Procedure

Step-by-Step Procedure

To configure the advanced query feature on SRX Series Firewall:

  1. Configure JIMS as the authentication source for advanced query requests. The SRX Series Firewall requires this information to contact the server.

  2. Configure the port number of the JIMS server to which the SRX Series Firewall sends HTTPS requests.

  3. Configure the primary address of the JIMS server.

  4. Configure the client ID and client secret to obtain access token.

  5. Configure the secondary address of the JIMS server.

  6. Configure the client ID and client secret to obtain access token.

  7. Configure the batch query interval to periodically query JIMS for user identity information.

  8. Configure the delay time in seconds before the SRX Series Firewall sends the individual user query. In this example, there is no delay.

  9. Configure the traceoptions for debugging and trimming output.

  10. Configure the device to connect with JIMS server. If you don’t specify a port number, the default port 591 is used for JIMS. SRX Series Firewall uses the same JIMS configuration to connect with both JIMS port 443 and JIMS server (validator) port 591.

Results

From configuration mode, confirm your configuration by entering the show services user-identification command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. To disable the IP query, use the configuration command set services user-identification identity-management ip-query no-ip-query.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the user-identification identity-management status

Purpose

Verify that the JIMS server is online and which server is responding to queries from the SRX Series Firewall.

Action

From operational mode, enter the show services user-identification identity-management status command.

Meaning

The output provides data about the JIMS server status.

Verifying the user-identification identity-management counters

Purpose

Display counters for batch and IP queries sent to the JIMS server and responses received from it. The batch query counters are displayed separately for the primary server and the secondary server, if more than one is configured.

Action

From operational mode, enter the show services user-identification identity-management counters command.

From operational mode, enter the clear services user-identification identity-management counters command to clear the counter.

Meaning

The output provides the batch and IP queries data from JIMS server.

Example: Configuring Filter for Advanced Query Feature

An SRX Series Firewall supports IP filters and domain filters when querying Juniper Identity Management Service (JIMS). The advanced query feature provides an optional filter function to receive the user information in response to queries.

This example shows how to configure the filters for obtaining the user information.

Requirements

Before you begin:

  • Configure the advanced query feature. See Configuring Advanced Query Feature for Obtaining User Identity Information from JIMS.

Overview

You can configure filters to query the JIMS server at a more granular level and obtain user identity information based on IP addresses. You can set filters to include the IP address ranges that SRX Series Firewalls require, or to exclude the IP address ranges that they do not require, when collecting user identity information. You can also filter by domain.

A filter can include and exclude up to twenty IP address ranges each. Therefore, an address set that contains more than twenty address ranges causes the filter configuration to fail. To specify the ranges, specify the name of a predefined address set that includes them; the address set must belong to an existing address book.

A domain filter can include up to 20 domain names.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

In this example, define an address book, and specify the security address for the address book. Specify an IP address with a prefix. Define an address set name and specify the address. Include and exclude the IP addresses in the address book. Add the address set to include and exclude the IP addresses. Add a domain name to filter the domain.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a filter for advanced query feature:

  1. Define an address book name, specify security address for the address book, and add an IPv4 address with a prefix.

  2. Specify an address set name and specify the address.

  3. Configure the address book to include and exclude the IP address.

  4. Define the address set to include or exclude the IP address.

  5. Specify a domain name to filter the domain.

Results

From configuration mode, confirm your configuration by entering the show services user-identification and show security address-book commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Verification

Verifying Filter for Advanced Query Feature

Purpose

Verify that the authentication table displays the user information that you want to receive in response to queries.

Action

From operational mode, enter the show services user-identification authentication-table authentication-source all command.

Meaning

The output displays the user information in response to queries.