user-identification (Services)
Syntax
user-identification {
active-directory-access {
domain domain-name {
user username;
password password;
domain-controller domain-controller-name {
address domain-controller-address;
}
ip-user-mapping {
discovery-method {
wmi {
event-log-scanning-interval seconds;
initial-event-log-timespan hours;
}
}
}
user-group-mapping {
ldap {
address ip-address {
port port;
}
authentication-algorithm {
simple;
}
base base;
ssl;
user username {
password password;
}
}
}
}
authentication-entry-timeout minutes;
filter {
include address;
exclude address;
}
no-on-demand-probe;
wmi-timeout seconds;
traceoptions {
file file;
flag {
active-directory-authentication;
all;
configuration;
db;
ip-user-mapping;
ip-user-probe;
ipc;
user-group-mapping;
wmic;
}
level {
all;
error;
info;
notice;
verbose;
warning;
}
no-remote-trace;
}
device-information {
authentication-source;
end-user-profile profile-name profile-name {
domain-name domain-name {
attribute device-category {
string string-value;
}
attribute device-identity {
string string-value;
}
attribute device-vendor {
string string-value;
}
attribute device-type {
string string-value;
}
attribute device-os {
string string-value;
}
attribute device-os-version {
string string-value;
}
}
}
identity-context-profile profile-name profile-name {
domain-name domain-name {
attribute device-category {
string string-value;
}
attribute device-identity {
string string-value;
}
attribute device-os {
string string-value;
}
attribute device-os-version {
string string-value;
}
attribute device-type {
string string-value;
}
attribute device-vendor {
string string-value;
}
}
}
traceoptions;
}
identity-management {
authentication-entry-timeout minutes;
batch-query {
items-per-batch items-per-batch;
query-interval seconds;
}
connection {
connect-method (http | https);
port port;
primary {
address address;
ca-profile ca-profile;
client-id client-id;
client-secret client-secret;
interface interface-name;
routing-instance routing-instance-name;
source source-address;
}
query-api query-api;
secondary {
address address;
ca-profile ca-profile;
client-id client-id;
client-secret client-secret;
interface interface-name;
routing-instance routing-instance-name;
source source-address;
}
server-validity-check-interval;
token-api token-api;
}
filter {
domain name;
exclude-ip {
address-book book-name;
address-set address-set;
}
include-ip {
address-book book-name;
address-set address-set;
}
}
invalid-authentication-entry-timeout minutes;
ip-query {
no-ip-query;
query-delay-time seconds;
}
jims-validator {
port port;
}
session-batch-query {
items-per-batch;
query-interval seconds;
}
session-query {
no-session-query;
query-delay-time seconds;
}
traceoptions {
file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
flag name;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
logical-domain-identity-management {
active {
authentication-entry-timeout minutes;
filter {
domain name;
exclude-ip {
address-book book-name;
address-set address-set;
}
include-ip {
address-book book-name;
address-set address-set;
}
}
invalid-authentication-entry-timeout minutes;
ip-query {
query-delay-time seconds;
}
query-server name {
batch-query {
items-per-batch items-per-batch;
query-interval seconds;
}
connection {
connect-method (http | https);
port port;
primary {
address address;
ca-certificate ca-certificate;
client-id client-id;
client-secret client-secret;
}
query-api query-api;
secondary {
address address;
ca-certificate ca-certificate;
client-id client-id;
client-secret client-secret;
}
token-api token-api;
}
}
}
traceoptions {
file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
flag name;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
}
Hierarchy Level
[edit services]
Description
Enabling tracing can adversely impact scale and performance and may increase security risk. We strongly recommend using the trace, tracing, or traceoptions commands only under the guidance of a JTAC support engineer. After collecting the debug information, immediately disable tracing to minimize risk and restore normal system performance.
Configure the integrated user firewall feature, including access to the Active Directory domain and domain controller, IP address-to-user mapping, and user-to-group mapping. One or two Active Directories are allowed under one domain. The IP address-to-user mapping and user-to-group mapping are configured per domain.
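As an added configuration example that is not part of this reference page, the following set commands configure integrated user firewall for one Active Directory domain using the statements in the syntax above: two domain controllers, WMI event-log scanning for IP-address-to-user mapping, LDAP over SSL for user-to-group mapping, and the timeout, probe and filter options. The domain name example.com, the addresses 192.0.2.10 and 192.0.2.11, the account srx-ad-reader, the address ranges, and the placeholder passwords are assumptions chosen for illustration; giving the filter include and exclude values as prefixes is also an assumption.

```junos
# Added example, not from the original page. Assumed names and addresses throughout.
# Domain access: a dedicated read-only AD account, not a domain administrator.
set services user-identification active-directory-access domain example.com user srx-ad-reader
set services user-identification active-directory-access domain example.com password "<ad-password>"
# Up to two domain controllers per domain (the device reads their event logs over WMI/DCOM).
set services user-identification active-directory-access domain example.com domain-controller dc1 address 192.0.2.10
set services user-identification active-directory-access domain example.com domain-controller dc2 address 192.0.2.11
# IP-address-to-user mapping: poll the security event log every 10 seconds,
# and on startup read the last 1 hour of logon events.
set services user-identification active-directory-access domain example.com ip-user-mapping discovery-method wmi event-log-scanning-interval 10
set services user-identification active-directory-access domain example.com ip-user-mapping discovery-method wmi initial-event-log-timespan 1
# User-to-group mapping: LDAP over SSL (port 636, assumed) so the simple bind
# credentials and the group lookups are not sent in cleartext.
set services user-identification active-directory-access domain example.com user-group-mapping ldap address 192.0.2.10 port 636
set services user-identification active-directory-access domain example.com user-group-mapping ldap ssl
set services user-identification active-directory-access domain example.com user-group-mapping ldap authentication-algorithm simple
set services user-identification active-directory-access domain example.com user-group-mapping ldap base "DC=example,DC=com"
set services user-identification active-directory-access domain example.com user-group-mapping ldap user srx-ad-reader password "<ad-password>"
# Entry lifetime and probe behaviour: expire entries after 30 minutes of no
# login/session/probe refresh; give a probed PC 10 seconds to answer over WMI.
set services user-identification active-directory-access authentication-entry-timeout 30
set services user-identification active-directory-access wmi-timeout 10
# Only map clients in the corporate range; never probe the server VLAN (assumed prefixes).
set services user-identification active-directory-access filter include 10.0.0.0/8
set services user-identification active-directory-access filter exclude 10.0.100.0/24
# After commit, check domain-controller connectivity and the resulting mappings:
#   show services user-identification active-directory-access domain-controller status
#   show services user-identification active-directory-access active-directory-authentication-table all
```

Two points a practitioner should check before committing this. The password is stored in the configuration in Junos $9$ obfuscated form, which is reversible, so anyone with read access to the configuration (or to configuration backups) effectively holds that AD credential; that is why the account should carry only the rights this feature needs (reading the domain controllers' event logs and LDAP read access to the group tree). And if you add no-on-demand-probe, the device stops probing unknown hosts, so an IP address whose user never appears in the scanned event log is simply never mapped and falls through to whatever your policy does for unauthenticated traffic.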
Options
| Option | Description |
|---|---|
| authentication-entry-timeout minutes | (Under active-directory-access.) Timeout interval, in minutes, measured from the Active Directory/domain controller login time, the last active session, or the last successful probe, after which the authentication entry expires. A setting of 0 means the authentication entry never times out. We recommend a setting of 0 when you disable on-demand-probe, to prevent someone from accessing the Internet without logging in again. |
| filter | (Optional; under active-directory-access.) Ranges of IP addresses that are monitored (include) or not monitored (exclude) for IP-address-to-user mapping. |
| no-on-demand-probe | (Under active-directory-access.) Do not use traffic from an IP address that has no authentication entry to trigger a probe that discovers its user. Not configured by default, so on-demand probing is enabled. |
| wmi-timeout seconds | (Optional; under active-directory-access.) Number of seconds the domain PC has to respond to the SRX Series device's query through WMI/DCOM. |
| identity-context-profile | (Under device-information.) Define an identity context profile, keyed by device attributes such as category, vendor, type and OS, that a firewall policy can reference to control network access. |
| identity-management | Configure identity management: the connection to the identity management server from which the device collects identity information, together with its query, timeout and filter settings. |
| logical-domain-identity-management | Configure identity management for a logical domain. |
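As an added configuration example that is not part of this reference page, the following set commands configure the identity-management branch: an HTTPS connection to a primary and a secondary identity management server whose certificates are validated against a CA profile, batch and IP query tuning, entry timeouts, and include/exclude filters drawn from the global address book. The server addresses 192.0.2.20 and 192.0.2.21, the client-id srx-jims-client, the CA profile name jims-ca, the certificate path, the address-set names and the placeholder secret are assumptions chosen for illustration.

```junos
# Added example, not from the original page. Assumed names and addresses throughout.
# 1. A CA profile for the identity server's certificate chain. Load the CA
#    certificate once from operational mode, e.g.:
#    request security pki ca-certificate load ca-profile jims-ca filename /var/tmp/jims-ca.pem
set security pki ca-profile jims-ca ca-identity jims-ca
# 2. Connection: https, never http, and a ca-profile on each server so the
#    device rejects a spoofed server rather than handing it the client secret.
set services user-identification identity-management connection connect-method https
set services user-identification identity-management connection port 443
set services user-identification identity-management connection primary address 192.0.2.20
set services user-identification identity-management connection primary client-id srx-jims-client
set services user-identification identity-management connection primary client-secret "<client-secret>"
set services user-identification identity-management connection primary ca-profile jims-ca
set services user-identification identity-management connection secondary address 192.0.2.21
set services user-identification identity-management connection secondary client-id srx-jims-client
set services user-identification identity-management connection secondary client-secret "<client-secret>"
set services user-identification identity-management connection secondary ca-profile jims-ca
# 3. Query tuning: pull up to 200 entries per batch every 5 seconds, and wait
#    15 seconds before asking about an IP address that has no entry yet.
set services user-identification identity-management batch-query items-per-batch 200
set services user-identification identity-management batch-query query-interval 5
set services user-identification identity-management ip-query query-delay-time 15
# 4. Entry lifetimes: valid entries expire after 60 minutes, entries the server
#    reported as invalid after 30.
set services user-identification identity-management authentication-entry-timeout 60
set services user-identification identity-management invalid-authentication-entry-timeout 30
# 5. Filters: only track corporate client addresses and never the server range,
#    both taken from address sets in the global address book (assumed names).
set security address-book global address corp-clients 10.0.0.0/8
set security address-book global address-set corp-clients address corp-clients
set security address-book global address server-vlan 10.0.100.0/24
set security address-book global address-set server-vlan address server-vlan
set services user-identification identity-management filter include-ip address-book global
set services user-identification identity-management filter include-ip address-set corp-clients
set services user-identification identity-management filter exclude-ip address-book global
set services user-identification identity-management filter exclude-ip address-set server-vlan
# After commit, confirm the device reached the server and obtained a token:
#   show services user-identification identity-management status
```

The client-secret is, like the Active Directory password, stored in $9$ obfuscated form and is recoverable from the configuration, so treat configuration access as access to that credential and rotate the secret on the server side if a configuration backup leaks. Configuring a ca-profile on both the primary and the secondary entry is what makes the https setting meaningful; connect-method https with no CA validation still encrypts the session but does not tell you who you are talking to.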
The remaining statements are explained separately. See CLI Explorer.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 12.1X47-D10.
logical-domain-identity-management option introduced in Junos OS Release 19.3R1.