Before you begin, you need the following information:
- The HTTPS port number (default value is 8443) or HTTP
port number (default value is 8080) on the SRX Series device
- The username and password that the HTTPS or HTTP server
on the SRX Series device uses to authenticate incoming connections
To verify that the Web API connection and data communications
between an SRX Series device and Juniper Identity Management Service
are working properly:
- Verify that users are in the Valid state by checking the
user authentication tables on the SRX Series device:
user@host> show services user-identification authentication-table authentication-source aruba-clearpass all
user@host> show services user-identification authentication-table authentication-source aruba-clearpass all extensive
These commands display the entire ClearPass authentication table
contents. In this scenario, the ClearPass authentication table’s
user entries include authentication and identity information that
the SRX Series device obtains from Juniper Identity Management Service.
- If there are no entries in the authentication table and
the status of the Web API connection on Juniper Identity Management
Service is Connect Failed, do the following:
Check that traffic is allowed between Juniper Identity Management
Service and the SRX Series device on the configured ports (by default,
HTTPS port 8443 and HTTP port 8080), including any firewall filters or
intermediate firewalls on the path.
Check that the username and password configured on Juniper Identity
Management Service match the credentials the Web API server on the SRX
Series device expects.
Perform a packet capture on the Juniper Identity Management
Service server.
If the capture does not show what is wrong, temporarily switch the
Web API connection to the HTTP protocol to view the messages in cleartext.
Do this only for troubleshooting, because the credentials and the
identity data then cross the network unencrypted, and switch back to
HTTPS when you are done.
- If the status of the Web API connection on the JIMS server
is Connected, enable debugging on the SRX Series device by using the
following commands:
[edit]
user@host# set system services webapi debug-log api-log
user@host# set system services webapi debug-level info
After you commit the configuration, the SRX Series device creates a new
log named api_log under /var/log. Check for an XML post similar to the
following:
2017/05/12 18:39:08 [info] 99992#0: 99992#0: <?xml version="1.0" encoding="UTF-8"?>
<userfw-entries>
  <userfw-entry>
    <source>Aruba ClearPass</source>
    <timestamp>2017-05-12T01:38:38.850000Z</timestamp>
    <operation>logon</operation>
    <IP>192.168.8.29</IP>
    <domain>domain_name</domain>
    <user>pete</user>
    <role-list>
      <role>Domain Admins</role>
      <role>Administrators</role>
      <role>Denied RODC Password Replication Group</role>
      <role>Domain Users</role>
      <role>juniper</role>
    </role-list>
    <posture>Healthy</posture>
    <end-user-attribute>
      <device-identity>
        <value>FGU-TMEWIN7-06$</value>
      </device-identity>
    </end-user-attribute>
  </userfw-entry>
</userfw-entries>
This is the HTTPS POST message from Juniper Identity Management
Service to the SRX Series device. After the post, the SRX Series device
parses the XML data. Look for any error messages that follow the post
in the log (for example, a malformed or mismatched element, or a
missing field), because a post that fails to parse never reaches the
authentication table.
- When you are done, disable debug logging by removing the debug-log
and debug-level statements you set above and committing the configuration,
so that the device does not keep writing identity data to /var/log.
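The following script is an added example for the log check described above; it is not part of the original page and not Juniper code. It takes one api_log line of the form shown (the log prefix followed by the userfw-entries XML body), strips the prefix, parses the XML with the standard library, extracts the identity fields, and reports either the entries and any obvious problems or the parse error. The sample log lines are constructed for the example; the log-prefix pattern, the set of accepted operation values (the page shows only logon; logoff is assumed), and the field checks are assumptions.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample: an api_log line of the kind the procedure tells you to
# look for, with the XML body joined on one line. Values are made up.
GOOD_LOG_LINE = (
    '2017/05/12 18:39:08 [info] 99992#0: 99992#0: '
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<userfw-entries><userfw-entry>'
    '<source>Aruba ClearPass</source>'
    '<timestamp>2017-05-12T01:38:38.850000Z</timestamp>'
    '<operation>logon</operation>'
    '<IP>192.168.8.29</IP>'
    '<domain>domain_name</domain>'
    '<user>pete</user>'
    '<role-list><role>Domain Admins</role><role>Domain Users</role></role-list>'
    '<posture>Healthy</posture>'
    '<end-user-attribute><device-identity><value>FGU-TMEWIN7-06$</value>'
    '</device-identity></end-user-attribute>'
    '</userfw-entry></userfw-entries>'
)

# Constructed malformed variant: a mismatched close tag, which the XML
# parser on the receiving side would reject.
BAD_LOG_LINE = GOOD_LOG_LINE.replace('</operation>', '</logon>')

# Assumed log prefix: date, time, [level], then one or more "pid#tid: " tokens.
LOG_PREFIX = re.compile(
    r'^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[\w+\] (?:\d+#\d+: )*'
)

# Assumed: the page shows only logon; logoff is the other expected value.
KNOWN_OPERATIONS = ('logon', 'logoff')


def extract_xml_body(line: str) -> str:
    """Strip the log prefix and return the XML document that follows it."""
    body = LOG_PREFIX.sub('', line.strip(), count=1)
    if not body.startswith('<'):
        raise ValueError('no XML document found in log line')
    return body


def parse_userfw_entries(xml_text: str) -> list:
    """Parse a userfw-entries document into a list of dicts, one per entry."""
    # Encode to bytes so the XML declaration's encoding is honoured by expat.
    root = ET.fromstring(xml_text.encode('utf-8'))
    if root.tag != 'userfw-entries':
        raise ValueError(f'unexpected root element {root.tag!r}')
    entries = []
    for e in root.findall('userfw-entry'):
        entries.append({
            'source': e.findtext('source'),
            'timestamp': e.findtext('timestamp'),
            'operation': e.findtext('operation'),
            'ip': e.findtext('IP'),
            'domain': e.findtext('domain'),
            'user': e.findtext('user'),
            'roles': [r.text for r in e.findall('role-list/role')],
            'posture': e.findtext('posture'),
            'device_identity': e.findtext(
                'end-user-attribute/device-identity/value'),
        })
    return entries


def validate_entry(entry: dict) -> list:
    """Return a list of problems with a parsed entry (empty if it looks sane)."""
    problems = []
    for field in ('source', 'timestamp', 'operation', 'ip', 'domain', 'user'):
        if not entry.get(field):
            problems.append(f'missing {field}')
    if entry.get('operation') not in KNOWN_OPERATIONS:
        problems.append(f"unexpected operation {entry.get('operation')!r}")
    try:
        ipaddress.ip_address(entry.get('ip') or '')
    except ValueError:
        problems.append(f"invalid IP {entry.get('ip')!r}")
    return problems


def check_log_line(line: str) -> dict:
    """Report parsed entries and per-entry problems, or the parse error."""
    try:
        entries = parse_userfw_entries(extract_xml_body(line))
    except (ET.ParseError, ValueError) as exc:
        return {'ok': False, 'error': f'{type(exc).__name__}: {exc}',
                'entries': [], 'problems': {}}
    problems = {i: p for i, e in enumerate(entries) if (p := validate_entry(e))}
    return {'ok': not problems, 'error': None,
            'entries': entries, 'problems': problems}


if __name__ == '__main__':
    for label, line in (('good', GOOD_LOG_LINE), ('bad', BAD_LOG_LINE)):
        print(label, check_log_line(line))
```

Run it against lines copied from /var/log/api_log: a post that parses cleanly but has a validation problem (for example an empty user or an unparseable IP) explains why the entry never showed up in the authentication table, while a ParseError points at a malformed post from the identity source.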