user-query (Services User Identification)
Syntax
user-query {
ca-certificate ca-certificate;
client-id client-id;
client-secret client-secret;
delay-query-time seconds;
query-api query-api;
token-api token-api;
web-server (Services) {
server-name;
address address;
connect-method (http | https);
port port;
}
}
Hierarchy Level
[edit services user-identification authentication-source (Services User Identification ClearPass) aruba-clearpass]
Description
ca-certificate- Configures the Integrated ClearPass Authentication and Enforcement feature user query function configuration. User query enables the SRX Series Firewall to query the ClearPass Policy Manager (CPPM) for authentication and identity information for an individual user under certain circumstance when it does not receive that information from the CPPM though the Web API POST requests.
client-id- Configures the client ID that the SRX Series Firewall requires to obtain an access token for the Integrated ClearPass Authentication and Enforcement user query function. The client ID must be consistent with the API client configured on the CPPM.
client-secret- Configures the client secret used with the client ID that the SRX Series Firewall requires to obtain an access token for the Integrated ClearPass Authentication and Enforcement user query function. The client secret must be consistent with the client secret configured on the CPPM.
delay-query-time- If the CPPM does not send to the SRX Series Firewall authentication and identity information for a particular user, then the SRX Series Firewall can request that information for the user if you configure the user query function.
query-api - Configure query-api to specify the path of
the URL that the SRX Series Firewall uses to query the ClearPass Policy Manager
(CPPM) webserver for authentication and identity information for an individual user.
For the SRX Series Firewall to be able to make a request, you must have configured
it to obtain an access token.
token-api - Configure the token API that is used in generating the URL for acquiring an access token. The token API is combined with the connection method and the IP address of the ClearPass webserver to produce the complete URL used for acquiring an access token.
Options
| ca-certificate | Specify the certificate file that the SRX Series Firewall uses to verify the Clearpass server’s certificate for the SSL connection that is used for the user query function. As the ClearPass administrator, you must export the server’s certificate from the CPPM and import it to the SRX Series Firewall. Afterward, you must configure the ca-certificate path and the certificate filename on the SRX Series Firewall. Here is an example: ’/var/tmp/RADIUSServerCertificate.crt’ |
| client-id | The ClearPass endpoint API requires use of OAuth (RFC 6749) to authenticate and authorize the SRX Series Firewall access. The SRX Series Firewall uses the Client Credentials grant type access token, which is one of the two types that ClearPass supports. If it is configured, the user query function allows the SRX Series Firewall to query the CPPM for authentication and identity information about individual users when it does not receive this information from the CPPM through the SRX Series Web API process (webapi). |
| client-secret | Client secret for OAuth2 grant. |
| delay-query-time | Delay time to send user query (0~60sec) (seconds). The amount of time for the SRX Series Firewall to delay before sending queries to the Aruba ClearPass Policy Manager (CPPM) for authentication and identity information for individual users. Delays can occur from when the CPPM initially posts user authentication information to the SRX Series Firewall to when the SRX Series Firewall updates its ClearPass authentication table with that information. In its transit, the user identity information must first pass through the CPPM device’s control plane and the control plane of the SRX Series Firewall. During that period, traffic might arrive at the SRX Series Firewall that is generated by an access request from a user whose authentication and identity information is in transit from the CPPM to the SRX Series Firewall. Rather than allow the SRX Series Firewall to respond automatically by sending a user query request immediately, you can set the delay time parameter specifying in seconds how long the SRX Series Firewall should wait before sending the request. After the delay timeout expires, the SRX Series Firewall sends the query to the CPPM and creates a pending entry for the user in the Routing Engine authentication table. During this period, any arriving traffic matches the default policy whose action on the traffic you can configure.
|
| query-api | The integrated ClearPass authentication and enforcement user query function supplements the Web API process (webapi) by allowing the SRX Series Firewall to obtain from the CPPM authentication information for an individual user whose information does not already exist in the SRX Series ClearPass authentication table. Consider the following api/v1/insight/endpoint/ip/$IP$ The SRX Series Firewall generates the complete URL for the user query request by combining the query-api string with the connection method (HTTPS) and the CPPM webserver IP address ({$server}). https://{$server}/api/v1/insight/endpoint/ip/$IP$
In this example, the SRX Series Firewall replaces the variables with the following values resulting in a specific URL request for the individual user: https://203.0.113.76/api/v1/insight/endpoint/ip/192.0.2.98 Under normal circumstances, the ClearPass webserver sends user authentication information to the SRX Series Firewall in POST request messages and the SRX Series Firewall writes that information to its ClearPass authentication table. When the SRX Series Firewall receives an access request from a user, it searches its ClearPass authentication table for an entry for that user. It can happen that the SRX Series Firewall might not have received authentication for a user from the CPPM because the user has not yet been authenticated by the CPPM. For example, the user might have joined the network through an access layer not on a managed switch or WLAN. When the CPPM receives the user query from the SRX Series Firewall, it authenticates the user and returns the authentication information to the device. |
| token-api | API of acquiring token for OAuth2 authentication. For example, if the token API is oauth, the connection method is HTTPS, and the IP address of the ClearPass webserver is 192.0.2.199, the complete URL for acquiring an access token would be https://192.0.2.199/api/oauth. This is a required parameter. There is no default value. The SRX Series Firewall user query function requires an access token to be able to query the ClearPass webserver. If the user query function is configured, the SRX Series Firewall can request from the ClearPass webserver user authentication and identity information for an individual user. |
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
| services | To view this statement in the configuration. |
| services-control | To add this statement to the configuration. |
Release Information
Statement introduced in Junos OS Release 12.3X48-D30.