user-identification (Services)
Syntax
user-identification {
    active-directory-access {
        domain domain-name {
            user username;
            password password;
            domain-controller domain-controller-name {
                address domain-controller-address;
            }
            ip-user-mapping {
                discovery-method {
                    wmi {
                        event-log-scanning-interval seconds;
                        initial-event-log-timespan hours;
                    }
                }
            }
            user-group-mapping {
                ldap {
                    address ip-address {
                        port port;
                    }
                    authentication-algorithm {
                        simple;
                    }
                    base base;
                    ssl;
                    user username {
                        password password;
                    }
                }
            }
        }
        authentication-entry-timeout minutes;
        filter {
            include address;
            exclude address;
        }
        no-on-demand-probe;
        wmi-timeout seconds;
        traceoptions {
            file file;
            flag {
                active-directory-authentication;
                all;
                configuration;
                db;
                ip-user-mapping;
                ip-user-probe;
                ipc;
                user-group-mapping;
                wmic;
            }
            level {
                all;
                error;
                info;
                notice;
                verbose;
                warning;
            }
            no-remote-trace;
        }
    }
    device-information {
        authentication-source;
        end-user-profile profile-name profile-name {
            domain-name domain-name {
                attribute device-category {
                    string string-value;
                }
                attribute device-identity {
                    string string-value;
                }
                attribute device-vendor {
                    string string-value;
                }
                attribute device-type {
                    string string-value;
                }
                attribute device-os {
                    string string-value;
                }
                attribute device-os-version {
                    string string-value;
                }
            }
        }
        identity-context-profile profile-name profile-name {
            domain-name domain-name {
                attribute device-category {
                    string string-value;
                }
                attribute device-identity {
                    string string-value;
                }
                attribute device-os {
                    string string-value;
                }
                attribute device-os-version {
                    string string-value;
                }
                attribute device-type {
                    string string-value;
                }
                attribute device-vendor {
                    string string-value;
                }
            }
        }
        traceoptions;
    }
    identity-management {
        authentication-entry-timeout minutes;
        batch-query {
            items-per-batch items-per-batch;
            query-interval seconds;
        }
        connection {
            connect-method (http | https);
            port port;
            primary {
                address address;
                ca-profile ca-profile;
                client-id client-id;
                client-secret client-secret;
                interface interface-name;
                routing-instance routing-instance-name;
                source source-address;
            }
            query-api query-api;
            secondary {
                address address;
                ca-profile ca-profile;
                client-id client-id;
                client-secret client-secret;
                interface interface-name;
                routing-instance routing-instance-name;
                source source-address;
            }
            server-validity-check-interval;
            token-api token-api;
        }
        filter {
            domain name;
            exclude-ip {
                address-book book-name;
                address-set address-set;
            }
            include-ip {
                address-book book-name;
                address-set address-set;
            }
        }
        invalid-authentication-entry-timeout minutes;
        ip-query {
            no-ip-query;
            query-delay-time seconds;
        }
        jims-validator {
            port port;
        }
        session-batch-query {
            items-per-batch;
            query-interval seconds;
        }
        session-query {
            no-session-query;
            query-delay-time seconds;
        }
        traceoptions {
            file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
            flag name;
            level (all | error | info | notice | verbose | warning);
            no-remote-trace;
        }
    }
    logical-domain-identity-management {
        active {
            authentication-entry-timeout minutes;
            filter {
                domain name;
                exclude-ip {
                    address-book book-name;
                    address-set address-set;
                }
                include-ip {
                    address-book book-name;
                    address-set address-set;
                }
            }
            invalid-authentication-entry-timeout minutes;
            ip-query {
                query-delay-time seconds;
            }
            query-server name {
                batch-query {
                    items-per-batch items-per-batch;
                    query-interval seconds;
                }
                connection {
                    connect-method (http | https);
                    port port;
                    primary {
                        address address;
                        ca-certificate ca-certificate;
                        client-id client-id;
                        client-secret client-secret;
                    }
                    query-api query-api;
                    secondary {
                        address address;
                        ca-certificate ca-certificate;
                        client-id client-id;
                        client-secret client-secret;
                    }
                    token-api token-api;
                }
            }
        }
        traceoptions {
            file <filename> <files files> <match match> <size size> <(world-readable | no-world-readable)>;
            flag name;
            level (all | error | info | notice | verbose | warning);
            no-remote-trace;
        }
    }
}
Hierarchy Level
[edit services]
Description
Configure the integrated user firewall feature, including access to the Active Directory domain and domain controller, IP address-to-user mapping, and user-to-group mapping. One or two Active Directories are allowed under one domain. The IP address-to-user mapping and user-to-group mapping are configured per domain.
Options
authentication-entry-timeout minutes
    Timeout interval, counted from the Active Directory/domain controller login time, the last active session, or the last successful probe. A setting of 0 means the authentication entry never times out. We recommend that you configure a setting of 0 when you disable on-demand-probe to prevent someone from accessing the Internet without logging in again.

filter
    (Optional) Range of IP addresses that needs to be monitored or not monitored.

no-on-demand-probe
    Do not use traffic to discover users. Disabled by default.

wmi-timeout seconds
    (Optional) Configures the number of seconds that the domain PC has to respond to the SRX Series device's query through WMI/DCOM.

identity-context-profile
    Configure an identity context profile in a firewall policy to control network access.

identity-management
    Configure identity management to collect identity information.

logical-domain-identity-management
    Configures logical domain identity management.
The remaining statements are explained separately. See CLI Explorer.
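A worked active-directory-access configuration, added here as an example and not taken from the Juniper documentation: the domain name, domain-controller name, addresses, service-account name, password placeholder, and the prefix form used under filter are all assumptions.

```junos
services {
    user-identification {
        active-directory-access {
            # Placeholder domain; the reference allows one or two domain controllers per domain.
            domain example.com {
                # Placeholder service account used for reading the domain controller's event log.
                user ad-reader;
                password "<ad-reader-password>";
                domain-controller dc1 {
                    address 192.0.2.10;
                }
                ip-user-mapping {
                    discovery-method {
                        wmi {
                            # Scan the event log every 10 seconds; read back 1 hour of logon events on startup.
                            event-log-scanning-interval 10;
                            initial-event-log-timespan 1;
                        }
                    }
                }
                user-group-mapping {
                    ldap {
                        # ssl keeps the bind credential and group lookups off the wire in clear text.
                        address 192.0.2.10 {
                            port 636;
                        }
                        base "DC=example,DC=com";
                        ssl;
                        user ad-reader {
                            password "<ad-reader-password>";
                        }
                    }
                }
            }
            # Timeout 0 is the recommended setting when on-demand probing is disabled
            # (see authentication-entry-timeout above).
            authentication-entry-timeout 0;
            no-on-demand-probe;
            # Give each domain PC 10 seconds to answer a WMI/DCOM query.
            wmi-timeout 10;
            # Monitor only the user subnet and leave the server range out (prefix form assumed).
            filter {
                include 10.10.0.0/16;
                exclude 10.10.250.0/24;
            }
        }
    }
}
```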
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 12.1X47-D10.
The logical-domain-identity-management option was introduced in Junos OS Release 19.3R1.