Syntax
primary {
address address;
ca-profile ca-profile;
client-id client-id;
client-secret client-secret;
interface interface-name;
routing-instance routing-instance -name;
source source-address;
}
primary connection (Identity Management Advanced Query)
Hierarchy Level
[edit services user-identification identity-management connection]
Description
Configure parameters that the SRX Series Firewall uses to connect to the Juniper Identity Management Service (JIMS) primary server and authenticate to it to obtain an access token. JIMS requires that the SRX Series Firewall use OAuth2 to authenticate to it before the SRX Series Firewall can query the JIMS server for user identity information. The SRX Series Firewall must provide the JIMS server with credentials, including a client ID and a client secret. If the client is authenticated-in this case the SRX Series Firewall—it is granted an access token. (See RFC 6749.) Both the client ID and the client secret must be consistent with the API client configured on the JIMS primary server.
In addition to configuring the client ID and the client secret, you configure the filename of the JIMS’s ca-certificate. The certificate enables the SRX Series Firewall to verify the identity of JIMS and that it is trusted for the SSL connection.
If the deployment configuration consists of more than one JIMS server, a primary and secondary relationship is established. The SRX Series Firewall always attempts to connect to the primary server. When one or more queries to the primary server fails, the system falls back to the secondary server.
address- Configure the IP address for the primary Juniper Identity Management Service (JIMS) server. The SRX Series Firewall requires the server IP address to connect to the server to obtain an access code that allows it to query the server for user identity information. The IP address is configured as part of a collection of information which includes the SRX Series Firewall’s client ID, client secret, and ca-certificate information.
The SRX Series Firewall sends a unique set of identification information to the primary server and the secondary server. The feature supports only IPV4 addresses.
client-id- Client ID that the SRX Series provides to the JIMS primary server as part of its authentication to it. The SRX Series Firewall must authenticate to the server to obtain an access token that allows the SRX Series Firewall to query the server for user identity information The client ID must be consistent with the API client configured on the JIMS primary server.
client-secret- Client secret that the SRX Series provides to the JIMS primary server as part of its authentication to it. The client secret must be consistent with the API client configured on the JIMS primary server.
Warning:
Before you use this feature, you must disable any other actively used options under the [edit services user-identification] hierarchy. You cannot commit this configuration if active directory authentication and the ClearPass query and webapi functions are configured and committed.
Options
| address | IP address of the primary server. |
| ca-profile | CA profile name |
| client-id | Client ID for OAuth2 grant |
| client-secret | Client secret for OAuth2 grant |
Required Privilege Level
services—To view this statement in the configuration.
services-control—To add this statement to the configuration.
The remaining statements are explained separately. See CLI Explorer.
Release Information
Statement introduced in Junos OS Release 15.1X49-D100.
IPv6 address support introduced in Junos OS Release 18.3R1.
Source, interface, and routing-instance options are introduced in Junos OS Release 21.1R1.
Option ca-profile introduced in Junos OS Release 23.2R1.