user-identification (Services)
Syntax
    user-identification {
        active-directory-access {
            domain domain-name {
                user username;
                password password;
                domain-controller domain-controller-name {
                    address domain-controller-address;
                }
                ip-user-mapping {
                    discovery-method {
                        wmi {
                            event-log-scanning-interval seconds;
                            initial-event-log-timespan hours;
                        }
                    }
                }
                user-group-mapping {
                    ldap {
                        address ip-address {
                            port port;
                        }
                        authentication-algorithm {
                            simple;
                        }
                        base base;
                        ssl;
                        user username {
                            password password;
                        }
                    }
                }
            }
            authentication-entry-timeout minutes;
            filter {
                include address;
                exclude address;
            }
            no-on-demand-probe;
            wmi-timeout seconds;
            traceoptions {
                file file;
                flag {
                    active-directory-authentication;
                    all;
                    configuration;
                    db;
                    ip-user-mapping;
                    ip-user-probe;
                    ipc;
                    user-group-mapping;
                    wmic;
                }
                level {
                    all;
                    error;
                    info;
                    notice;
                    verbose;
                    warning;
                }
                no-remote-trace;
            }
        }
        logical-domain-identity-management {
            active {
                authentication-entry-timeout minutes;
                filter {
                    domain name;
                    exclude-ip {
                        address-book book-name;
                        address-set address-set;
                    }
                    include-ip {
                        address-book book-name;
                        address-set address-set;
                    }
                }
                invalid-authentication-entry-timeout minutes;
                ip-query {
                    query-delay-time seconds;
                }
                query-server name {
                    batch-query {
                        items-per-batch items-per-batch;
                        query-interval seconds;
                    }
                    connection {
                        connect-method (http | https);
                        port port;
                        primary {
                            address address;
                            ca-certificate ca-certificate;
                            client-id client-id;
                            client-secret client-secret;
                        }
                        query-api query-api;
                        secondary {
                            address address;
                            ca-certificate ca-certificate;
                            client-id client-id;
                            client-secret client-secret;
                        }
                        token-api token-api;
                    }
                }
            }
            traceoptions {
                file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
                flag name;
                level (all | error | info | notice | verbose | warning);
                no-remote-trace;
            }
        }
    }
Hierarchy Level
[edit services]
Description
Configure the integrated user firewall feature, including access to the Active Directory domain and domain controller, IP-address-to-user mapping, and user-to-group mapping. One or two Active Directory domains are allowed under one domain configuration. IP-address-to-user mapping and user-to-group mapping are configured per domain.
Options
authentication-entry-timeout minutes
    Timeout interval, counted from the Active Directory/domain controller login time, the last active session, or the last successful probe. A setting of 0 means the authentication entry does not time out. We recommend a setting of 0 when you disable on-demand probing (no-on-demand-probe), to prevent someone from accessing the Internet without logging in again.

filter
    (Optional) Range of IP addresses to be monitored (include) or not monitored (exclude).

no-on-demand-probe
    Do not use traffic to discover users. This option is disabled by default, so on-demand probing is in effect unless you configure it.

wmi-timeout seconds
    (Optional) Number of seconds the domain PC has to respond to the SRX Series device's query through WMI/DCOM.

logical-domain-identity-management
    Configures logical domain identity management.
The remaining statements are explained separately. See CLI Explorer.
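The following configuration is an added example, not taken from the Juniper documentation, that puts the options above together for one domain: WMI event-log discovery, LDAP group mapping over SSL, a non-expiring authentication entry combined with no-on-demand-probe as recommended above, and a filter that monitors the user subnet but not the server subnet. The domain name, account name, password, and addresses are placeholders, and the filter include/exclude values are assumed to be names of address-book entries.

```junos
services {
    user-identification {
        active-directory-access {
            # Domain, account, password and addresses below are placeholders
            domain example.com {
                user srx-reader;
                password "placeholder-password";
                domain-controller dc1 {
                    address 192.0.2.10;
                }
                ip-user-mapping {
                    discovery-method {
                        wmi {
                            # Scan the DC security event log every 10 s, seeded with the last 1 h
                            event-log-scanning-interval 10;
                            initial-event-log-timespan 1;
                        }
                    }
                }
                user-group-mapping {
                    ldap {
                        # Same DC serves LDAP; port 636 with ssl keeps the bind credentials encrypted
                        address 192.0.2.10 {
                            port 636;
                        }
                        authentication-algorithm {
                            simple;
                        }
                        base "DC=example,DC=com";
                        ssl;
                        user srx-reader {
                            password "placeholder-password";
                        }
                    }
                }
            }
            # 0 = entries never time out; paired with no-on-demand-probe as recommended above
            authentication-entry-timeout 0;
            filter {
                # Assumed to be address-book entry names (placeholders)
                include corp-users;
                exclude server-farm;
            }
            no-on-demand-probe;
            # Domain PCs get 10 s to answer the WMI/DCOM query
            wmi-timeout 10;
        }
    }
}
```

Check the result with `show services user-identification active-directory-access domain` and the related `show services user-identification` operational commands after commit.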
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 12.1X47-D10.
logical-domain-identity-management option introduced in Junos OS Release 19.3R1.