Use Case # 1: Configuring JIMS to Receive Remote Syslog Messages and Verifying the Syslog Messages from SRX Series Device

This configuration example provides step-by-step instructions for receiving ClearPass messages on Juniper Identity Management Service (JIMS), for configuring JIMS to receive and parse ClearPass syslog messages, and for verifying the resulting syslog-derived entries on the SRX Series device.

Requirements

This example uses the following hardware and software components:

  • SRX5600 Series device running Junos OS Release 18.3R3 or later.

  • SRX5600 Series device must be configured as a client.

  • Syslog source: ClearPass on C3000V platform, IP address: 192.0.2.1

  • Juniper Identity Management Service, Release 1.2.0 or later

Overview and Topology

Juniper Identity Management Service supports receiving remote system log (syslog) events and user information from an event source such as a ClearPass server. JIMS listens on port 514 over both TCP and UDP for syslog messages. The JIMS server collects data from the syslog messages and transmits the information to each SRX Series device, which uses it to make policy decisions in the user firewall.

Figure 1: Juniper Identity Management Service Syslog Configuration

Logon and Logoff messages from ClearPass Server to Juniper Identity Management Service

For more information on ClearPass configuration, see the ClearPass Configuration Manual.

Configuration

Configure Juniper Identity Management Service to Receive and Parse ClearPass Syslog Messages

Step-by-Step Procedure

The tasks required to configure Juniper Identity Management Service include:

  1. In the navigation pane, select Data Sources and then select the Syslog Sources tab.

  2. In the upper Syslog Configured Sources pane, click Add. The Syslog Server Configuration page appears.

  3. In the Syslog Server Configuration box, type 192.0.2.1 as the remote syslog server IP address.

  4. Click Add to parse the received syslog messages by using a regex to define a search pattern. The Add Syslog Regular Expression Builder dialog appears.

  5. Define the syslog regex for this source for logon messages:

    • Specify the type of regex processing as Create and Begin.

    • Specify the trigger pattern that, when matched, tells the JIMS server to apply this action: .*Endpoint.IP-Address=.*

    • To create a regex that defines how to extract a specific attribute from the string, click Add. The Regex Attribute Editor appears. Specify the attributes as:

      • IP-address: Endpoint.IP-Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

      • username: Endpoint.Username=([^ ]+?)\t

      • groups: Auth.Roles=(\[.*\])!!!\[(.*?)\]

      • domain: default: cppm.com

      • devicename: Endpoint.Hostname=([^ ]+?)\t

      • devicegroups: Endpoint.Roles=(\[.*\])!!!\[(.*?)\]

      • timestamp: <.+>(.*)\s+CST format: -8%b %d %Y %H:%M:%S

  6. Repeat step 4 to define the syslog regex for this source for logoff messages:

    • Specify the type of regex processing as End Session.

    • Specify the trigger pattern that, when matched, tells the JIMS server to apply this action: .*RADIUS.Acct-Status-Type=Stop.*

    • Click Add to create a regex that defines how to extract a specific attribute from the string. The Regex Attribute Editor appears. Specify the attributes as:

      • IP-Address: Acct-Framed-IP-Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\t

      • Timestamp: RADIUS.Acct-Timestamp=(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d+[+-]\d\d) format: %Y-%m-%d %H:%M:%S
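To see how the trigger and attribute regexes from steps 5 and 6 behave on real-looking input, here is an added Python example (not part of the Juniper documentation or of JIMS itself) that applies them to two constructed ClearPass-style lines. It assumes tab-separated attributes as the regexes imply, leaves out the Roles entries because their "!!!" notation is JIMS builder syntax rather than plain regex, and does not interpret the "-8" prefix of the page's logon timestamp format.

```python
import re
from datetime import datetime

# Constructed ClearPass-style syslog lines with tab-separated attributes (not real captures).
LOGON_LINE = ("<14>Jan 15 2021 10:22:33 CST Endpoint.IP-Address=192.0.2.50\t"
              "Endpoint.Username=jdoe\tEndpoint.Hostname=lab-pc01\t")
LOGOFF_LINE = ("<14>Jan 15 2021 11:05:07 CST RADIUS.Acct-Status-Type=Stop\t"
               "Acct-Framed-IP-Address=192.0.2.50\t"
               "RADIUS.Acct-Timestamp=2021-01-15 11:05:07.123456+08\t")

# Trigger and attribute regexes as given in steps 5 and 6 (Roles entries omitted, see lead-in).
# The unescaped "." in names such as Endpoint.IP-Address matches any character; harmless on
# these lines, but "\." would be the stricter choice when hardening the patterns.
RULES = {
    "create": {                       # step 5: "Create and Begin" on a logon message
        "trigger": r".*Endpoint.IP-Address=.*",
        "attrs": {
            "ip": r"Endpoint.IP-Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})",
            "username": r"Endpoint.Username=([^ ]+?)\t",
            "devicename": r"Endpoint.Hostname=([^ ]+?)\t",
            "timestamp": r"<.+>(.*)\s+CST",
        },
        "tsfmt": "%b %d %Y %H:%M:%S",  # page shows "-8%b %d %Y %H:%M:%S"; "-8" not interpreted here
    },
    "end_session": {                  # step 6: "End Session" on an accounting Stop
        "trigger": r".*RADIUS.Acct-Status-Type=Stop.*",
        "attrs": {
            "ip": r"Acct-Framed-IP-Address=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\t",
            "timestamp": r"RADIUS.Acct-Timestamp=(\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d+[+-]\d\d)",
        },
        "tsfmt": "%Y-%m-%d %H:%M:%S",
    },
}

def parse_event(line):
    """Return the action and extracted attributes for one line, or None if no trigger fires."""
    for action, rule in RULES.items():
        if not re.match(rule["trigger"], line):
            continue
        event = {"action": action}
        for name, pattern in rule["attrs"].items():
            m = re.search(pattern, line)
            event[name] = m.group(1) if m else None  # missing attribute: keep event, flag the gap
        if event.get("timestamp"):
            # The page's formats cover date and time only, so strip the fractional seconds and
            # UTC offset that the logoff regex also captures before parsing.
            clean = re.sub(r"\.\d+[+-]\d\d$", "", event["timestamp"])
            event["timestamp"] = datetime.strptime(clean, rule["tsfmt"])
        return event
    return None
```

A line that matches no trigger yields None, and an attribute regex that fails on a matched line yields None for that attribute only, which is the behaviour to watch for when an entry shows up on the SRX with a blank username or device name.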

Verification

Verify the User or Device Entries are Generated Along with Logon Syslog Message on SRX5600 Series Device

Purpose

Verify that the user or device entries are generated along with the logon syslog message on the SRX5600 Series device.

Action

On the SRX5600 device, use the show services user-identification authentication-table ip-address 60.0.13.201 CLI command.

On the SRX5600 device, use the show services user-identification device-information table ip-address 60.0.13.201 CLI command.

Meaning

The output shows that the user and device entries are generated along with the logon message.

Verify the User or Device Entries are Removed Along with Logoff Syslog Message on SRX5600 Series Device

Purpose

Verify that the user or device entries are removed along with the logoff syslog message on the SRX5600 Series device.

Action

On the SRX5600 device, use the show services user-identification authentication-table ip-address 60.0.13.201 CLI command.

On the SRX5600 device, use the show services user-identification device-information table ip-address 60.0.13.201 CLI command.

Meaning

The output shows that the SRX5600 Series device user and device entries are removed along with the logoff message.