Configure ClearPass and JIMS at the Same Time
You can configure ClearPass and Juniper Identity Management Service (JIMS) at the same time. When both are configured, SRX Series or NFX Series devices can query JIMS for user identification entries, and ClearPass can push these entries to the devices through the Web API.
Understanding How ClearPass and JIMS Work at the Same Time
The device relies on Juniper Identity Management Service (JIMS) and ClearPass for user identity information. Starting in Junos OS Release 18.2R1, you can configure JIMS, ClearPass, and Web API at the same time in UserFW. Prior to Junos OS Release 18.2R1, you could configure either ClearPass Policy Manager (CPPM) or JIMS, but not both. By configuring ClearPass and JIMS at the same time, the device can query JIMS to obtain user identity information from Active Directory and the Exchange servers, and ClearPass can push the user authentication and identity information to the device through Web API.
- How ClearPass and JIMS Work at the Same Time
- Different Scenarios of How ClearPass and JIMS Work at the Same Time
How ClearPass and JIMS Work at the Same Time
When a user is authenticated by CPPM, CPPM uses the Web API to push the user or device information to the device. The device builds the authentication entry or device information entry for that user, and the user's traffic can pass through the device according to security policy. When a Windows Active Directory client logs on to the domain, the device obtains the client's user or device information from JIMS through a batch query. The authentication table is updated with the entry provided by JIMS, and the user's traffic can pass through the device according to security policy.
When both the JIMS IP query and the ClearPass user query are enabled, the device always queries ClearPass first. If CPPM returns IP-user mapping information, that information is added to the authentication table. If CPPM does not respond, or responds without IP-user mapping information, the device then queries JIMS to obtain the IP-user or group mapping.
When the IP-user or group mapping is received from both JIMS and CPPM, the device keeps the latest authentication entries and overwrites the existing ones.
You can set a delay parameter, specified in seconds, that makes the device wait for a period of time before sending the query (query-delay-time under the JIMS ip-query hierarchy, delay-query-time under the ClearPass user-query hierarchy). The delay must be set to the same value for ClearPass and JIMS. Otherwise, an error message is displayed and the commit check fails.
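To make the lookup order and the commit check concrete, here is a small Python model added for this page; it is not Junos code and not part of the original documentation. The class and function names (UserFirewallModel, resolve, ingest, demo), the query callables, and the in-memory sample mappings are constructed assumptions standing in for the CPPM user-query API and the JIMS batch query. It models the three behaviours the text describes: ClearPass is queried first, JIMS is queried only when CPPM does not respond or responds without a mapping, and the latest entry for an IP address overwrites the existing one whichever source it came from; the constructor also refuses mismatched delay values, as the commit check does.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A query answer: None models "no response from the server"; an empty
# mapping models "server responded but had no IP-user mapping". Both cases
# make the firewall fall back to JIMS, as the page describes.
Mapping = Dict[str, Tuple[str, Tuple[str, ...]]]
QueryFn = Callable[[str], Optional[Mapping]]


@dataclass
class AuthEntry:
    ip: str
    username: str
    groups: Tuple[str, ...]
    source: str        # "aruba-clearpass" or "identity-management" (JIMS)
    received_at: int   # sequence number; a higher value is a newer entry


class UserFirewallModel:
    """In-memory stand-in (hypothetical) for the SRX authentication table and its lookup order."""

    def __init__(self, clearpass_delay_query_time: int, jims_query_delay_time: int) -> None:
        # Mirrors the commit check on the page: when both sources are enabled,
        # the delay values must be equal or the commit check fails.
        if clearpass_delay_query_time != jims_query_delay_time:
            raise ValueError(
                "commit check failed: aruba-clearpass delay-query-time "
                f"({clearpass_delay_query_time}) != identity-management "
                f"query-delay-time ({jims_query_delay_time})"
            )
        self.delay_seconds = clearpass_delay_query_time
        self.table: Dict[str, AuthEntry] = {}
        self.query_log: List[str] = []   # order in which sources were asked
        self._seq = 0

    def ingest(self, ip: str, username: str, groups: Tuple[str, ...], source: str) -> AuthEntry:
        """Add or overwrite an entry; the most recently received information wins."""
        self._seq += 1
        entry = AuthEntry(ip, username, groups, source, self._seq)
        self.table[ip] = entry
        return entry

    def resolve(self, ip: str, clearpass: QueryFn, jims: QueryFn) -> Optional[AuthEntry]:
        """Find the user behind a source IP, querying ClearPass first and JIMS second."""
        if ip in self.table:
            return self.table[ip]
        self.query_log.append(f"aruba-clearpass {ip}")
        answer = clearpass(ip)
        if answer and ip in answer:
            user, groups = answer[ip]
            return self.ingest(ip, user, groups, "aruba-clearpass")
        # No response, or a response without a mapping: fall back to JIMS.
        self.query_log.append(f"identity-management {ip}")
        answer = jims(ip)
        if answer and ip in answer:
            user, groups = answer[ip]
            return self.ingest(ip, user, groups, "identity-management")
        return None


# Constructed sample data standing in for the two servers' answers.
CLEARPASS_DATA: Mapping = {"192.0.2.2": ("ipv6_user01", ("ipv6_group1",))}
JIMS_DATA: Mapping = {
    "192.0.2.2": ("administrator", ("dow_group_00001", "dow_group_0000")),
    "192.0.2.4": ("administrator", ("dow_group_00001", "dow_group_0000")),
}


def clearpass_query(ip: str) -> Optional[Mapping]:
    # CPPM responds, but only knows the users it authenticated itself.
    return {ip: CLEARPASS_DATA[ip]} if ip in CLEARPASS_DATA else {}


def clearpass_down(ip: str) -> Optional[Mapping]:
    return None   # models "no response from CPPM"


def jims_query(ip: str) -> Optional[Mapping]:
    return {ip: JIMS_DATA[ip]} if ip in JIMS_DATA else {}


def demo() -> Dict[str, str]:
    """Run the three lookup cases and a later JIMS overwrite; return what happened."""
    fw = UserFirewallModel(clearpass_delay_query_time=15, jims_query_delay_time=15)
    a = fw.resolve("192.0.2.2", clearpass_query, jims_query)   # ClearPass answers
    b = fw.resolve("192.0.2.4", clearpass_query, jims_query)   # falls back to JIMS
    c = fw.resolve("192.0.2.9", clearpass_down, jims_query)    # neither source knows it
    # A later JIMS batch update for 192.0.2.2 overwrites the ClearPass entry.
    fw.ingest("192.0.2.2", "administrator", ("dow_group_00001",), "identity-management")
    return {
        "a": a.source,
        "b": b.source,
        "c": str(c),
        "final_source_2": fw.table["192.0.2.2"].source,
        "final_seq_2": str(fw.table["192.0.2.2"].received_at),
        "queries": ";".join(fw.query_log),
    }


if __name__ == "__main__":
    print(demo())
```

The query log returned by demo() is the useful part for a reader: it shows that JIMS is only contacted for the two IP addresses that ClearPass could not map, and that a mismatched delay pair is rejected before any lookup happens, which is the same place the real commit check stops you.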
Different Scenarios of How ClearPass and JIMS Work at the Same Time
The following scenarios explain in more detail how ClearPass and JIMS work together:
- Scenario 1: What an SRX Series Firewall Does If CPPM Responds with IP-User or Group Mapping Information?
- Scenario 2: What an SRX Series Firewall Does If CPPM Does Not Respond or CPPM Responds with No IP-User or Group Mapping Information?
Scenario 1: What an SRX Series Firewall Does If CPPM Responds with IP-User or Group Mapping Information?
Figure 1 shows the sequence in which an SRX Series Firewall queries CPPM for IP-user or group mapping information and adds it to the authentication table.
- A user attempts to access a resource. When the SRX Series Firewall receives the traffic request, it searches for an entry for the user in its ClearPass authentication table and the local Active Directory authentication table, but the user information is not found.
- The SRX Series Firewall queries ClearPass for user identity.
- ClearPass sends the IP-user or group mapping information to the SRX Series Firewall.
- The SRX Series Firewall adds the information to the authentication table.
Scenario 2: What an SRX Series Firewall Does If CPPM Does Not Respond or CPPM Responds with No IP-User or Group Mapping Information?
Figure 2 shows the sequence in which an SRX Series Firewall queries JIMS when there is no response, or no IP-user or group mapping information, from CPPM.
- A user attempts to access a resource. When the SRX Series Firewall receives the traffic request, it searches for an entry for the user in its ClearPass authentication table and JIMS authentication table, but the user information is not found.
- The SRX Series Firewall queries ClearPass for user identity.
- If the SRX Series Firewall does not receive a response from ClearPass, it queries JIMS.
- JIMS sends the IP-user or group mapping information to the SRX Series Firewall.
- The SRX Series Firewall adds the information received from JIMS to the authentication table.
Example: Configure ClearPass and JIMS at the Same Time
This example shows how to enable Juniper Identity Management Service (JIMS) and ClearPass at the same time for user identity information, and how to verify that JIMS and ClearPass work together. It also explains which authentication entries take precedence and how the timeouts behave for JIMS and ClearPass.
Requirements
This example uses the following hardware and software components:
- An SRX Series Firewall.
- The IP address of the JIMS server.
- The ClearPass client IP address.
- Aruba ClearPass Policy Manager (CPPM). The CPPM is configured to use its local authentication source to authenticate users.
Note: It is assumed that the CPPM is configured to provide the SRX Series Firewall with user authentication and identity information, including the username, a list of the names of any groups that the user belongs to, the IP addresses of the devices used, and the device posture token.
Overview
An SRX Series Firewall obtains user or device identity information from different authentication sources. After the SRX Series Firewall obtains the device identity information, it creates an entry in the device identity authentication table. The SRX Series Firewall relies on JIMS and ClearPass for user identity information. By enabling JIMS and ClearPass at the same time, an SRX Series Firewall queries JIMS to obtain user identity information from Active Directory and the Exchange servers, and CPPM pushes the user authentication and identity information to the SRX Series Firewall through Web API.
When both the JIMS IP query and the ClearPass user query are enabled, the SRX Series Firewall always queries ClearPass first. When the IP-user or group mapping is received from both JIMS and CPPM, the SRX Series Firewall keeps the latest authentication entries and overwrites the existing ones. You can set a delay-query-time parameter, specified in seconds, that makes the SRX Series Firewall wait for a period of time before sending the query. When JIMS and ClearPass are both enabled, the delay time must be set to the same value for each. Otherwise, an error message is displayed and the commit check fails.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set services user-identification identity-management connection primary address 192.0.2.0
set services user-identification identity-management connection primary client-id otest
set services user-identification identity-management connection primary client-secret test
set services user-identification authentication-source aruba-clearpass user-query web-server cp-server address 198.51.100.0
set services user-identification authentication-source aruba-clearpass user-query client-id otest
set services user-identification authentication-source aruba-clearpass user-query client-secret test
set services user-identification authentication-source aruba-clearpass user-query token-api oauth_token/oauth
set services user-identification authentication-source aruba-clearpass user-query query-api "user_query/v1/ip/$IP$"
set system services webapi user root
set system services webapi user password "$ABC123"
set system services webapi client 203.0.113.0
set system services webapi https port 8443
set system services webapi https default-certificate
set services user-identification authentication-source aruba-clearpass authentication-entry-timeout 30
set services user-identification authentication-source aruba-clearpass invalid-authentication-entry-timeout 30
set services user-identification identity-management authentication-entry-timeout 30
set services user-identification identity-management invalid-authentication-entry-timeout 30
set services user-identification identity-management ip-query query-delay-time 15
set services user-identification authentication-source aruba-clearpass user-query delay-query-time 15
Procedure
Step-by-Step Procedure
To configure JIMS and ClearPass at the same time, use the following configuration steps:
- Configure the IP address of the primary JIMS server.
[edit services]
user@host# set user-identification identity-management connection primary address 192.0.2.0
- Configure the client ID that the SRX Series Firewall provides to the JIMS primary server as part of its authentication.
[edit services]
user@host# set user-identification identity-management connection primary client-id otest
- Configure the client secret that the SRX Series Firewall provides to the JIMS primary server as part of its authentication.
[edit services]
user@host# set user-identification identity-management connection primary client-secret test
- Configure Aruba ClearPass as the authentication source for user query requests, and configure the ClearPass webserver name and its IP address. The SRX Series Firewall requires this information to contact the ClearPass webserver.
[edit services]
user@host# set user-identification authentication-source aruba-clearpass user-query web-server cp-server address 198.51.100.0
- Configure the client ID and the client secret that the SRX Series Firewall needs in order to obtain the access token required for user queries.
[edit services]
user@host# set user-identification authentication-source aruba-clearpass user-query client-id otest
user@host# set user-identification authentication-source aruba-clearpass user-query client-secret test
- Configure the token API that is used in generating the URL for acquiring an access token.
[edit services]
user@host# set user-identification authentication-source aruba-clearpass user-query token-api oauth_token/oauth
- Configure the query API to use for querying individual user authentication and identity information.
[edit services]
user@host# set user-identification authentication-source aruba-clearpass user-query query-api "user_query/v1/ip/$IP$"
- Configure the Web API daemon username and password for the account.
[edit system services]
user@host# set webapi user user password "$ABC123"
- Configure the Web API client address, that is, the IP address of the ClearPass webserver's data port.
[edit system services]
user@host# set webapi client 203.0.113.0
- Configure the Web API process HTTPS service port and the certificate it uses.
[edit system services]
user@host# set webapi https port 8443
user@host# set webapi https default-certificate
- Configure an independent timeout value to be assigned to invalid user authentication entries in the SRX Series authentication table for Aruba ClearPass.
[edit services]
user@host# set user-identification authentication-source aruba-clearpass invalid-authentication-entry-timeout 30
- Configure an authentication entry timeout value for JIMS.
[edit services]
user@host# set user-identification identity-management authentication-entry-timeout 30
- Configure an independent timeout value to be assigned to invalid user authentication entries in the SRX Series authentication table for JIMS.
[edit services]
user@host# set user-identification identity-management invalid-authentication-entry-timeout 30
- Set the JIMS query-delay-time parameter, specified in seconds, that makes the SRX Series Firewall wait for a period of time before sending the query.
[edit services]
user@host# set user-identification identity-management ip-query query-delay-time 15
- Set the ClearPass delay-query-time parameter, specified in seconds, to the same value as the JIMS query-delay-time; otherwise the commit check fails.
[edit services]
user@host# set user-identification authentication-source aruba-clearpass user-query delay-query-time 15
Results
From configuration mode, confirm your configuration by entering the show system services webapi command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show system services webapi
user {
    device;
    password "$ABC123"; ## SECRET-DATA
}
client {
    203.0.113.0;
}
https {
    port 8443;
    default-certificate;
}
From configuration mode, confirm your configuration by entering the show services user-identification authentication-source aruba-clearpass command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show services user-identification authentication-source aruba-clearpass
authentication-entry-timeout 30;
invalid-authentication-entry-timeout 30;
user-query {
    web-server {
        cp-server;
        address 10.208.164.31;
    }
    client-id otest;
    client-secret "$ABC123"; ## SECRET-DATA
    token-api oauth_token/oauth;
    query-api "user_query/v1/ip/$IP$";
    delay-query-time 15;
}
From configuration mode, confirm your configuration by entering the show services user-identification identity-management command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show services user-identification identity-management
authentication-entry-timeout 30;
invalid-authentication-entry-timeout 30;
connection {
    primary {
        address 10.208.164.137;
        client-id otest;
        client-secret "$ABC123"; ## SECRET-DATA
    }
}
ip-query {
    query-delay-time 15;
}
If you are done configuring the devices, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying JIMS Authentication Entries
- Verifying ClearPass Authentication Entries
- Verifying Device Entries by Domain
- Verifying ClearPass Webserver Is Online
- Verifying JIMS Server Is Online
Verifying JIMS Authentication Entries
Purpose
Verify that the device identity authentication table for JIMS is updated.
Action
Enter the show services user-identification authentication-table authentication-source identity-management source-name "JIMS - Active Directory" node 0 command.
show services user-identification authentication-table authentication-source identity-management source-name "JIMS - Active Directory" node 0
node0:
--------------------------------------------------------------------------
Logical System: root-logical-system
Domain: ad-jims-2008.com
Total entries: 5
Source IP        Username        groups(Ref by policy)           state
192.0.2.2        administrator   dow_group_00001,dow_group_0000  Valid
192.0.2.4        administrator   dow_group_00001,dow_group_0000  Valid
192.0.2.5        administrator   dow_group_00001,dow_group_0000  Valid
192.0.2.7        administrator   dow_group_00001,dow_group_0000  Valid
192.0.2.11       administrator   dow_group_00001,dow_group_0000  Valid
Meaning
The output shows that the JIMS authentication entries have been updated.
Verifying ClearPass Authentication Entries
Purpose
Verify that the device identity authentication table for ClearPass is updated.
Action
Enter the show services user-identification authentication-table authentication-source aruba-clearpass node 0 command to verify that the entries are updated.
show services user-identification authentication-table authentication-source aruba-clearpass node 0
node0:
--------------------------------------------------------------------------
Logical System: root-logical-system
Domain: juniper.net
Total entries: 1
Source IP                     Username      groups(Ref by policy)  state
2001:db8::::63bf:3fff:fdd2    ipv6_user01   ipv6_group1            Valid
Meaning
The output shows that the ClearPass authentication entries have been updated.
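The two authentication-table checks above (JIMS and ClearPass) are done by reading the output; a defender watching many devices would rather parse that output and flag any entry whose state is not Valid, or a listing whose row count disagrees with its Total entries line. The following Python parser is an added example written for this page, not Juniper code. It accepts text in the layout of the two show commands above; the sample input is constructed (it includes an Invalid row to exercise the check) and the "-" placeholder for an empty groups column is an assumption, as are the function names parse_auth_table and check_auth_table.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample in the layout of the page's
# "show services user-identification authentication-table ..." output.
# The "Invalid" row and the "-" groups placeholder are additions for the demo.
SAMPLE_OUTPUT = """node0:
--------------------------------------------------------------------------
Logical System: root-logical-system
Domain: ad-jims-2008.com
Total entries: 3
Source IP        Username        groups(Ref by policy)           state
192.0.2.2        administrator   dow_group_00001,dow_group_0000  Valid
192.0.2.4        administrator   dow_group_00001,dow_group_0000  Valid
192.0.2.7        guest           -                               Invalid
"""


def parse_auth_table(text: str) -> Dict[str, Any]:
    """Parse one node's authentication-table listing into a dictionary.

    Returns {"domain": str|None, "total": int|None, "entries": [row, ...]}
    where each row is {"ip", "username", "groups" (list), "state"}.
    """
    result: Dict[str, Any] = {"domain": None, "total": None, "entries": []}
    in_rows = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_rows:
            # Header area: pick up Domain and Total entries, then wait for
            # the column-title line that precedes the data rows.
            m = re.match(r"Domain:\s*(\S+)", line)
            if m:
                result["domain"] = m.group(1)
                continue
            m = re.match(r"Total entries:\s*(\d+)", line)
            if m:
                result["total"] = int(m.group(1))
                continue
            if line.startswith("Source IP"):
                in_rows = True
            continue
        fields = line.split()
        if len(fields) != 4:
            continue  # not a data row (for example a second node banner)
        ip, username, groups, state = fields
        result["entries"].append({
            "ip": ip,
            "username": username,
            "groups": [] if groups == "-" else groups.split(","),
            "state": state,
        })
    return result


def check_auth_table(text: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems): non-Valid entries and a row/total mismatch are problems."""
    table = parse_auth_table(text)
    problems: List[str] = []
    entries = table["entries"]
    if table["total"] is not None and table["total"] != len(entries):
        problems.append(f"row count {len(entries)} != Total entries {table['total']}")
    for e in entries:
        if e["state"] != "Valid":
            problems.append(f"{e['ip']} ({e['username']}): state {e['state']}")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = check_auth_table(SAMPLE_OUTPUT)
    print("OK" if ok else "\n".join(problems))
```

Feed it the captured output of either show command (for example from a scheduled CLI session) and alert on a non-empty problems list; entries that sit in the Invalid state are retained only until the invalid-authentication-entry-timeout configured above expires, so seeing them persist is worth a look.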
Verifying Device Entries by Domain
Purpose
Verify that all authenticated devices belong to the domain.
Action
Enter the show services user-identification device-information table all domain juniper.net node 0 command.
show services user-identification device-information table all domain juniper.net node 0
node0:
--------------------------------------------------------------------------
Domain: juniper.net
Total entries: 1
Source IP                                 Device ID   Device-Groups
2001:db8:4136:e378:8000:63bf:3fff:fdd2    dev01       device_group1
Meaning
The output displays all authenticated devices that belong to the domain.
Verifying ClearPass Webserver Is Online
Purpose
Verify that the ClearPass webserver is online.
Action
Enter the show services user-identification authentication-source aruba-clearpass user-query status command.
show services user-identification authentication-source aruba-clearpass user-query status
node1:
--------------------------------------------------------------------------
Authentication source: aruba-clearpass
  Web server Address: 198.51.100.0
  Status: Online
  Current connections: 0
Meaning
The output shows that the ClearPass webserver is online.
Verifying JIMS Server Is Online
Purpose
Verify that the JIMS server is online.
Action
Enter the show services user-identification identity-management status command.
show services user-identification identity-management status
node1:
--------------------------------------------------------------------------
Primary server :
  Address           : 192.0.2.0
  Port              : 443
  Connection method : HTTPS
  Connection status : Online
Secondary server :
  Address           : 192.0.2.1
  Port              : 443
  Connection method : HTTPS
  Connection status : Offline
Last received status message : OK (200)
Access token : P1kAlMiG2Kb7FzP5tM1QBI6DSS92c31Apgjk9lV
Token expire time : 2018-04-12 06:57:37
Meaning
The output shows that the primary JIMS server is online.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.