default-client-identity (NETCONF TLS)

Syntax

Hierarchy Level

Description

For NETCONF sessions over Transport Layer Security (TLS), configure the default method to derive the NETCONF username for clients that do not match any configured clients.

If the fingerprint of a client’s presented certificate does not match the fingerprint for a client configured at the [edit system services netconf tls client-identity] hierarchy level, then Junos OS uses the default-client-identity map type to derive the NETCONF username for the client.

Junos OS supports local users and LDAP remote users for NETCONF sessions over TLS. The username must either have a user account defined locally on the device, or it must be authenticated by an LDAP server, which then maps it to a local user template account that is defined locally on the device.

Default

If you do not include the default-client-identity statement, and a NETCONF-over-TLS client does match any clients configured at the [edit system services netconf tls client-identity] hierarchy level, then Junos OS does not establish the NETCONF session.

Options

map-type type

Map type that defines how to derive the NETCONF username.

Values:
- san-dirname-cn—Use the common name (CN) defined for the SubjectAltName’s (SAN) DirName field (DirName:/CN) in the client certificate as the NETCONF username.
  
  If you specify san-dirname-cn as the map type, but the client certificate does not have a username in this field, the connection fails.
- specified—Use the NETCONF username defined in the username statement at the same hierarchy level.

username username

Username under whose access privileges the NETCONF operations are executed when map-type specified is configured.

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 20.2R1.

ON THIS PAGE