user-identification (Services)

Syntax

user-identification {
    active-directory-access {
        domain domain-name {
            user username;
            password password;
            domain-controller domain-controller-name {
                address domain-controller-address;
            }
            ip-user-mapping {
                discovery-method {
                    wmi {
                        event-log-scanning-interval seconds;
                        initial-event-log-timespan hours;
                    }
                }
            }
            user-group-mapping {
                ldap {
                    address ip-address {
                        port port;
                    }
                    authentication-algorithm {
                        simple;
                    }
                    base base;
                    ssl;
                    user username {
                        password password;
                    }
                }
            }
        }
        authentication-entry-timeout minutes;
        filter {
            include address;
            exclude address;
        }
        no-on-demand-probe;
        wmi-timeout seconds;
        traceoptions {
            file file;
            flag {
                active-directory-authentication;
                all;
                configuration;
                db;
                ip-user-mapping;
                ip-user-probe;
                ipc;
                user-group-mapping;
                wmic;
            }
            level {
                all;
                error;
                info;
                notice;
                verbose;
                warning;
            }
            no-remote-trace;
        }
    }
}

Hierarchy Level

[edit services]

Release Information

Statement introduced in Junos OS Release 12.1X47-D10.

Description

Configure the integrated user firewall feature, including access to the Active Directory domain and domain controller, IP address-to-user mapping, and user-to-group mapping. One or two Active Directories are allowed under one domain. The IP address-to-user mapping and user-to-group mapping are configured per domain.

Options

authentication-entry-timeout minutes

Timeout interval, measured from the Active Directory/domain controller login time, the last active session, or the last successful probe. A setting of 0 means that the authentication entry never times out. We recommend that you configure a setting of 0 when you disable on-demand-probe to prevent someone from accessing the Internet without logging in again.

Range: 10 through 1440 minutes

Default: 30 minutes

filter

Optional. Ranges of IP addresses to monitor (include) or to leave unmonitored (exclude).

include address

Include IP address or range. Maximum of 20 addresses.

exclude address

Exclude IP address or range. Maximum of 20 addresses.

no-on-demand-probe

Do not use traffic to probe for and discover users. By default this statement is not configured, so on-demand probing is enabled.

wmi-timeout seconds

Optional. Configures the number of seconds that the domain PC has to respond to the SRX Series device’s query through WMI/DCOM.

  • If the PC responds to the WMI query within that timeframe, the SRX creates an authentication entry for this PC.
  • If the PC does not respond within that timeframe, the WMI query has failed. In the case of a failed query, if the SRX already had an authentication entry for the queried PC before the WMI query, that authentication entry is deleted. If the SRX had no authentication entry before the WMI query, the SRX does not create one.

Range: 3 through 120 seconds

Default: 10 seconds

The remaining statements are explained separately. See CLI Explorer.
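The following configuration is an added example, not taken from this page or from Juniper, that fills in the statement hierarchy above with sample values for the options described here. The domain name example.com, the service account svc-srx-ad, the domain controller name dc1, the addresses in 192.0.2.0/24 (an RFC 5737 documentation range), the LDAP base DN and port, and the WMI event-log values are all assumptions chosen for illustration; the password strings are placeholders to replace. Comments use the Junos /* */ annotation form on their own lines.

```junos
services {
    user-identification {
        active-directory-access {
            /* Assumed domain; one domain with one domain controller */
            domain example.com {
                /* Assumed dedicated AD account: read-only rights are enough for log and LDAP reads */
                user svc-srx-ad;
                password "<replace-with-password>";
                domain-controller dc1 {
                    /* Assumed DC address */
                    address 192.0.2.10;
                }
                /* IP-to-user mapping: read logon events from the DC security event log via WMI */
                ip-user-mapping {
                    discovery-method {
                        wmi {
                            /* Assumed values: poll the event log every 10 seconds, read the last 1 hour at startup */
                            event-log-scanning-interval 10;
                            initial-event-log-timespan 1;
                        }
                    }
                }
                /* User-to-group mapping: LDAP over SSL against the same DC, assumed base DN */
                user-group-mapping {
                    ldap {
                        address 192.0.2.10 {
                            port 636;
                        }
                        authentication-algorithm {
                            simple;
                        }
                        base "DC=example,DC=com";
                        ssl;
                        user svc-srx-ad {
                            password "<replace-with-password>";
                        }
                    }
                }
            }
            /* Documented default of 30 minutes, stated explicitly */
            authentication-entry-timeout 30;
            /* Bound the monitored space: one include prefix, one excluded host (assumed a server that should never be mapped to a user) */
            filter {
                include 192.0.2.0/24;
                exclude 192.0.2.250/32;
            }
            /* Documented default of 10 seconds for the WMI/DCOM probe response */
            wmi-timeout 10;
        }
    }
}
```

The no-on-demand-probe statement is deliberately omitted, so on-demand probing stays enabled and the 30-minute timeout applies; the page recommends pairing a timeout of 0 with no-on-demand-probe only when probing is turned off. Keeping the include filter narrow and excluding servers limits how many hosts the SRX probes over WMI and how many authentication entries it has to maintain.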

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Modified: 2015-10-06