JIMS with SRX Series Firewall
Juniper Identity Management Service (JIMS) is a Windows service application designed to collect and manage the database of user, device, and group information from Active Directory domains.
Before you install and configure Juniper Identity Management Service, prepare the SRX Series Firewalls (including the vSRX Virtual Firewall) in your network to work with the JIMS server by performing a series of configuration tasks.
For SRX Series or NFX Series devices, JIMS plays a crucial role in obtaining user identity information, much as an LDAP source does.
SRX first attempts to connect to the primary server and switches to the secondary server if the connection fails. Even when connected to the secondary server, the device periodically probes the failed primary server and reverts to it once it becomes available again.
Connect to the JIMS server over HTTPS only; the non-HTTPS connection method is currently available for testing purposes only.
After successful authentication with the JIMS server, the device receives an access token, which it must use to query JIMS for identity information.
There are two methods for obtaining user identity information from JIMS:
- Batch queries: SRX sends a batch query message to JIMS every 5 seconds by default to obtain the available identity information.
- IP queries: when SRX is missing information about a specific IP address, it can send an ip-query to JIMS, which returns the status of that IP address. If JIMS has no entry for the specified IP address, SRX treats the address as belonging to an unknown user (unknown-user).
In the SRX, you can define filters that restrict which of the identity information known to JIMS is retrieved. You can subscribe to certain domains, and you can include or exclude information for certain IP prefixes defined by address-book entries or address sets. Changes to these filters take effect only at the next batch query.
You can select up to xxx address-book or address-set entries for the include and exclude filters; the limit of xxx entries is shared between address sets and address books. You can add a maximum of 25 domains to the filter list. Each address set can include x address-book entries, if address sets are included in an address set,
set services user-identification identity-management filter
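The batch-query, ip-query and filter behaviour described above, as an added Python simulation (not Juniper code and not the JIMS API): the JIMS side is a constructed in-memory table; the SRX side caches what the batch query returns, falls back to an ip-query on a cache miss, returns unknown-user when JIMS has no entry, and applies a changed filter only at the next batch query. The prefixes stand in for address-book entries, the 5-second interval for the query-interval setting, and the host names, users and addresses are constructed. Whether an ip-query result is also subject to the configured filter is an assumption of this model.

```python
"""Simulation of SRX identity retrieval from JIMS: batch queries on a timer,
ip-query on a miss, unknown-user when JIMS has no entry, and filter changes
that only take effect at the next batch query.  Added example, not Juniper code."""
import ipaddress
from dataclasses import dataclass, field

UNKNOWN_USER = "unknown-user"


@dataclass
class IdentityEntry:
    ip: str
    user: str      # e.g. "jims-dom1.local\\user1"
    domain: str


class FakeJims:
    """Constructed stand-in for the JIMS server: an identity table keyed by IP."""
    def __init__(self, entries):
        self.entries = {e.ip: e for e in entries}

    def batch(self):                    # answers a batch query
        return list(self.entries.values())

    def ip_query(self, ip):             # answers an ip-query; None if no entry
        return self.entries.get(ip)


@dataclass
class IdentityFilter:
    domains: set = field(default_factory=set)     # subscribed domains (empty = all)
    include: list = field(default_factory=list)   # prefixes standing in for address-book entries
    exclude: list = field(default_factory=list)

    def accepts(self, entry):
        if self.domains and entry.domain not in self.domains:
            return False
        addr = ipaddress.ip_address(entry.ip)
        if self.include and not any(addr in ipaddress.ip_network(p) for p in self.include):
            return False
        return not any(addr in ipaddress.ip_network(p) for p in self.exclude)


class SrxIdentityTable:
    def __init__(self, jims, filt, query_interval=5):
        self.jims = jims
        self.pending_filter = filt      # a new filter waits here until the next batch query
        self.active_filter = filt
        self.query_interval = query_interval
        self.table = {}                 # ip -> user, the authentication table
        self.last_batch = None

    def set_filter(self, filt):
        self.pending_filter = filt

    def tick(self, now):
        """Issue a batch query once query_interval seconds have elapsed."""
        if self.last_batch is None or now - self.last_batch >= self.query_interval:
            self.batch_query(now)

    def batch_query(self, now):
        self.active_filter = self.pending_filter
        self.table = {e.ip: e.user for e in self.jims.batch() if self.active_filter.accepts(e)}
        self.last_batch = now

    def lookup(self, ip):
        """Table hit, else ip-query; unknown-user when JIMS has nothing usable."""
        if ip in self.table:
            return self.table[ip]
        entry = self.jims.ip_query(ip)
        # Assumption: ip-query results are filtered like batch results.
        if entry is None or not self.active_filter.accepts(entry):
            return UNKNOWN_USER
        self.table[ip] = entry.user
        return entry.user


def run_demo():
    """Drive the simulation and return the observations at each step."""
    jims = FakeJims([
        IdentityEntry("10.0.0.5", "jims-dom1.local\\user1", "jims-dom1.local"),
        IdentityEntry("10.0.0.6", "jims-dom2.local\\user2", "jims-dom2.local"),
        IdentityEntry("10.1.0.7", "jims-dom1.local\\user3", "jims-dom1.local"),
    ])
    srx = SrxIdentityTable(jims, IdentityFilter(domains={"jims-dom1.local"}, include=["10.0.0.0/24"]))
    out = {}
    srx.tick(now=0)                                  # first batch query
    out["after_first_batch"] = dict(srx.table)
    out["dom2_before"] = srx.lookup("10.0.0.6")      # domain not subscribed
    out["absent"] = srx.lookup("10.9.9.9")           # no entry in JIMS
    out["other_prefix"] = srx.lookup("10.1.0.7")     # outside the include prefix
    srx.set_filter(IdentityFilter(domains={"jims-dom1.local", "jims-dom2.local"}, include=["10.0.0.0/24"]))
    srx.tick(now=3)                                  # interval not reached: no batch query
    out["dom2_pending"] = srx.lookup("10.0.0.6")     # filter change not yet applied
    srx.tick(now=5)                                  # batch query: new filter takes effect
    out["dom2_after"] = srx.lookup("10.0.0.6")
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The point of the `dom2_pending` step is the one this page stresses: editing the filter does not change what the SRX already holds, and an ip-query for an address the current filter rejects still yields unknown-user until the next batch query runs.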
You can refresh the user identity information obtained from JIMS in your identity management authentication table. The identity information is updated during the next batch query:
clear services user-identification authentication-table authentication-source identity-management
To search the user identity information and validate the authentication source that grants access to the device, use:
run show services user-identification authentication-table authentication-source all
The following configuration illustrates a basic JIMS server configuration on an SRX Series Firewall:
root@srx1# show services user-identification
identity-management {
    authentication-entry-timeout 120;
    invalid-authentication-entry-timeout 10;
    connection {
        connect-method https;
        port 443;
        primary {
            address 70.0.0.250;
            client-id abcd;
            client-secret "$9$86jLdsaJDkmTUj"; ## SECRET-DATA
        }
        secondary {
            address 70.0.0.251;
            client-id otest;
            client-secret "$9$W0K8-woaUH.5GD"; ## SECRET-DATA
        }
    }
    batch-query {
        items-per-batch 500;
        query-interval 5;
    }
}
- Configuration of JIMS with SRX Series Firewall
- Configuration of the Device Identity Authentication Source (End-User-Profile)
- Configuration of the Security Policy to Match the Source Identity.
Configuration of JIMS with SRX Series Firewall
To configure a connection to an SRX Series Firewall, see Configuring the Connection to an SRX Series Device.
Use the following steps to configure JIMS with SRX Series Firewall:
1. Configure the IP address or FQDN of the primary and secondary JIMS servers.
   [edit services user-identification]
   user@host# set identity-management connection primary address ip-address
   user@host# set identity-management connection secondary address ip-address
2. Configure the client ID and client secret that the SRX Series device presents to the primary and secondary JIMS servers as part of its authentication.
   [edit services user-identification]
   user@host# set identity-management connection primary client-id client-id
   user@host# set identity-management connection primary client-secret client-secret
   user@host# set identity-management connection secondary client-id client-id
   user@host# set identity-management connection secondary client-secret client-secret
3. Configure the maximum number of user identity items that the device accepts in one batch in response to a query.
   [edit services user-identification]
   user@host# set identity-management batch-query items-per-batch items-per-batch
4. Configure the interval, in seconds, after which the device issues a query request for newly generated user identities.
   [edit services user-identification]
   user@host# set identity-management batch-query query-interval query-interval
5. Configure the Active Directory domains of interest to the SRX Series Firewall. You can specify up to twenty domain names for the filter.
   [edit services user-identification]
   user@host# set identity-management filter domain domain
6. Configure the address book whose entries the IP include filter uses.
   [edit services user-identification]
   user@host# set identity-management filter include-ip address-book address-book
7. To configure a referenced address set, the trace file name, the trace file size, the level of debugging output, and identity-management tracing for all modules, use the following commands as appropriate:
   [edit services user-identification]
   user@host# set identity-management filter include-ip address-set address-set
   user@host# set identity-management traceoptions file filename
   user@host# set identity-management traceoptions file size size
   user@host# set identity-management traceoptions level all
   user@host# set identity-management traceoptions flag all
Configuration of the Device Identity Authentication Source (End-User-Profile)
Specify the device identity authentication source and the security policy. The device obtains the device identity information for authenticated devices from the authentication source. The device searches the device identity authentication table for a device match when traffic issuing from a user’s device arrives at the device. If it finds a match, the device searches for a matching security policy. If it finds a matching security policy, the security policy’s action is applied to the traffic.
Use the following steps to configure device identity authentication source:
1. Specify the device identity authentication source.
   [edit services user-identification]
   user@host# set device-information authentication-source network-access-controller
2. Configure the device identity profile.
   [edit services user-identification]
   user@host# set device-information end-user-profile profile-name profile-name domain-name domain-name
3. Configure the domain name to which the device belongs.
   [edit services user-identification]
   user@host# set device-information end-user-profile profile-name profile-name attribute device-identity string string-value
Configuration of the Security Policy to Match the Source Identity.
Use the following steps to configure the security policy to match the source identity:
1. Create the source and destination address match for the security policy.
   [edit security]
   user@host# set policies from-zone untrust to-zone trust policy policy-name match source-address any
   user@host# set policies from-zone untrust to-zone trust policy policy-name match destination-address any
2. Configure the port-based application that the policy matches.
   [edit security]
   user@host# set policies from-zone untrust to-zone trust policy policy-name match application any
3. Define a username or a role (group) name that JIMS sends to the device, for example "jims-dom1.local\user1".
   [edit security]
   user@host# set policies from-zone untrust to-zone trust policy policy-name match source-identity username-or-group
4. Permit the packet if the policy matches.
   [edit security]
   user@host# set policies from-zone untrust to-zone trust policy policy-name then permit
5. To log session initiation and session close events for the policy, use the following commands:
   [edit security]
   user@host# set policies from-zone untrust to-zone trust policy policy-name then log session-init
   user@host# set policies from-zone untrust to-zone trust policy policy-name then log session-close
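The three procedures above, checked by an added Python review script (not Juniper code): it parses a constructed set-format configuration and reports the points this page calls out, namely a connect-method other than https, a missing primary or secondary server or incomplete client credentials, and a policy that matches source-identity without session-init and session-close logging. The addresses 70.0.0.250/70.0.0.251 and client IDs abcd/otest follow the sample configuration on this page; the client secrets are placeholders and the policy name allow-dom1 is hypothetical.

```python
"""Review check for the JIMS-related parts of a Junos set-format configuration.
Added example, not Juniper code.  Reports: connect-method other than https,
a missing primary/secondary server or incomplete client credentials, and
security policies that match source-identity without session logging."""

# Constructed sample with the weak settings a review should catch.  Secrets
# are placeholders; the policy name allow-dom1 is hypothetical.
WEAK_CONFIG = """\
set services user-identification identity-management connection connect-method http
set services user-identification identity-management connection port 443
set services user-identification identity-management connection primary address 70.0.0.250
set services user-identification identity-management connection primary client-id abcd
set services user-identification identity-management connection primary client-secret PLACEHOLDER-SECRET-1
set services user-identification identity-management batch-query items-per-batch 500
set services user-identification identity-management batch-query query-interval 5
set security policies from-zone untrust to-zone trust policy allow-dom1 match source-address any
set security policies from-zone untrust to-zone trust policy allow-dom1 match destination-address any
set security policies from-zone untrust to-zone trust policy allow-dom1 match application any
set security policies from-zone untrust to-zone trust policy allow-dom1 match source-identity "jims-dom1.local\\user1"
set security policies from-zone untrust to-zone trust policy allow-dom1 then permit
"""

# The same configuration with every finding fixed.
CORRECTED_CONFIG = WEAK_CONFIG.replace("connect-method http", "connect-method https") + """\
set services user-identification identity-management connection secondary address 70.0.0.251
set services user-identification identity-management connection secondary client-id otest
set services user-identification identity-management connection secondary client-secret PLACEHOLDER-SECRET-2
set security policies from-zone untrust to-zone trust policy allow-dom1 then log session-init
set security policies from-zone untrust to-zone trust policy allow-dom1 then log session-close
"""

CONN_PREFIX = ("services", "user-identification", "identity-management", "connection")


def parse_set_lines(config_text):
    """Yield the tokens after 'set' for each set statement; skip blanks and other lines."""
    for line in config_text.splitlines():
        tokens = line.strip().split()
        if tokens and tokens[0] == "set":
            yield tuple(tokens[1:])


def lint_jims_config(config_text):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    connection = {}   # statement path under 'connection' -> value
    policies = {}     # (from-zone, to-zone, policy-name) -> set of statements
    for toks in parse_set_lines(config_text):
        if toks[:4] == CONN_PREFIX and len(toks) > 5:
            connection[toks[4:-1]] = toks[-1]
        elif (len(toks) >= 9 and toks[:2] == ("security", "policies")
              and toks[2] == "from-zone" and toks[4] == "to-zone" and toks[6] == "policy"):
            policies.setdefault((toks[3], toks[5], toks[7]), set()).add(toks[8:])

    # 1. Transport: this page says to use HTTPS; the other method is for testing only.
    method = connection.get(("connect-method",))
    if method != "https":
        findings.append(f"connect-method is {method or 'not set'}; set it to https")

    # 2. Servers: the primary/secondary failover needs both, each with full credentials.
    for role in ("primary", "secondary"):
        present = {k[1] for k in connection if len(k) == 2 and k[0] == role}
        if not present:
            findings.append(f"no {role} JIMS server configured")
            continue
        missing = {"address", "client-id", "client-secret"} - present
        if missing:
            findings.append(f"{role} server is missing {', '.join(sorted(missing))}")

    # 3. Policies keyed on identity should log session-init and session-close.
    for (from_zone, to_zone, name), stmts in policies.items():
        uses_identity = any(s[:2] == ("match", "source-identity") for s in stmts)
        logs = {s[2] for s in stmts if s[:2] == ("then", "log") and len(s) > 2}
        if uses_identity and not {"session-init", "session-close"} <= logs:
            findings.append(f"policy {name} ({from_zone} to {to_zone}) matches source-identity "
                            "but does not log session-init and session-close")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(label + ":", lint_jims_config(cfg) or "no findings")
```

Run it against a `show configuration | display set` export to get the same three classes of finding; the corrected sample produces none, which is the state the sample `show services user-identification` output above already reflects for the connection section.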