Configure Juniper Identity Management Service to Obtain User Identity Information

Overview

Juniper Identity Management Service (JIMS) serves as both a software agent and repository for gathering user names, device identities, and group information from various sources. JIMS seamlessly integrates with Microsoft Active Directory and Microsoft Exchange Server.

For the SRX Series or NFX Series devices, JIMS plays a crucial role in obtaining user identity information, like LDAP. By configuring the advanced user query feature, the device gains the ability to:

If you configure the advanced user query feature, the device:

• Query JIMS for identity information.

• Populate the identity management authentication table with the acquired information from JIMS.

• Utilize the populated identity management authentication table to authenticate users or devices seeking access to protected resources.

In cases where JIMS lacks information for a specific user, you can push that information to the device. However, to do so, the user must first authenticate through the device's captive portal.

Additionally, the advanced query feature enables the device to push authentication entries to the JIMS server for users who do not have existing entries in JIMS but have successfully authenticated through the captive portal.

The user identity information provided by JIMS in response to device queries includes:

• IP address of the user’s device.

• User name.

• Domain that the user’s device belongs.

• Roles that the user belongs to, such mycompany-pc, CEO, user-authenticated.

• Device online status and it's state, such as “Healthy”.

• End-user-attributes, such as device-identity, value (device name), and groups that the device belongs to.

Establishing a Connection to JIMS to Obtain User Identity Information

To obtain user identity information from JIMS, the device can query JIMS either in batch mode for groups of users or individually for specific users. Establishing an HTTPS connection between the device and the JIMS server is necessary for querying JIMS. It's important to note that HTTP connections are only used for debugging purposes.

Defining the connection involves configuring the following information:

• Connection parameters.

• Authentication information for the device to authenticate with JIMS.

  The device obtains an access token after it authenticates to the JIMS server. The device must use this token to query JIMS for user information.

After successful authentication with the JIMS server, the device receives an access token, which it must use to query JIMS for user information. You can also configure this connection information for a secondary backup server.

Starting from Junos OS Release 18.3R1, JIMS primary and secondary servers support IPv6 addresses in addition to the existing IPv4 address support. The device first attempts to connect to the primary server and switches to the secondary server if the attempt fails. Even when connected to the secondary server, the device periodically probes the failed primary server and reverts to it once it becomes available again.

Starting with Junos OS Release 18.1R1, you can configure an IPv6 address for the Web API function, allowing JIMS to initiate and establish a secure connection. The Web API now supports IPv6 user or device entries obtained from JIMS. Prior to Junos OS Release 18.1R1, only IPv4 addresses were supported.

Querying JIMS for User Identity Information

There are three ways to obtain user identity information from JIMS:

• Initial batch query at startup—When the device starts, it sends a batch query message to JIMS to obtain all available user identity information for active directory users based on the configured device connection to the JIMS server.

• Follow-on batch queries—After receiving the initial user identity information, the device periodically queries JIMS for newly generated user identity information. You can configure the interval between these queries and specify the number of user identity records to be included in each batch. Starting from Junos OS Release 18.1R1, the device can also query JIMS for IPv6 user or device information.

• Query for individual user information—After receiving the initial user identity information, the device periodically queries JIMS for newly generated user identity information. You can configure the interval between these queries and specify the number of user identity records to be included in each batch. Starting from Junos OS Release 18.1R1, the device can also query JIMS for IPv6 user or device information.

  If JIMS does not contain an entry for the specified IP address, it responds with an HTTP 404 "Not Found" message.

When the device initially requests user information from JIMS, it includes a timestamp. In response, JIMS sends user information going back to the specified timestamp and includes a cookie in the response to indicate the context. The device includes this cookie with subsequent queries instead of a timestamp.

You can refresh the user identity information in your identity management authentication table obtained from JIMS. This includes everything received automatically at device start-up and from subsequent batch queries and individual IP queries up to the present.

To achieve this, you can clear the authentication table by disabling the advanced query feature configuration. Afterward, you can reconfigure the advanced query feature to retrieve all available user identities.

Starting from Junos OS Release 18.1R1, devices can search the identity management authentication table for information based on IPv6 addresses, expanding on the previous support for IPv4 addresses. The device also supports the use of IPv6 addresses associated with source identities in security policies. Traffic matching an IPv4 or IPv6 entry in the table is subject to policies allowing or denying access accordingly.

Starting with Junos OS Release 20.2R1, you can search and view user identity information such as logged-in users, connected devices, and group lists from both Juniper Identity Management Service (JIMS) and Active Directory (AD) domains. The SRX Series Firewall relies on JIMS to obtain user identity information. You can search user identity information and validate the authentication source to grant access to the device. Additionally, you can request JIMS to retrieve the group list for an individual user from the Active Directory domain.

Filters

The advanced query feature offers an optional filter function that allows granular control over the user information records returned in response to queries. You can configure filters based on IP addresses and domains. Filters enable you to specifically define which user information you want JIMS to include in the query responses.

Filters can be configured with:

• A range of IP addresses. You can specify a range of IP addresses for:

  • Users whose information you want to receive.

  • Users for whom you do not want information.

  Starting in Junos OS Release 18.3R1, SRX Series Firewalls support IPv6 addresses to configure the filters based on IP addresses, in addition to existing IPv4 addresses.

  You use address books to create the IP address filters. You configure address sets, each of which must not contain more than twenty IP addresses to be included in the address book.

• Domain names.

  You can specify the names of up to twenty-five active directory domains.

You can create filters that include all three specifications: IP address ranges to include, IP address ranges to exclude, and one or more domain names.

Filters are context-specific, allowing different filter configurations for different requests. If you modify the filter configuration, the new filter applies exclusively to subsequent queries and does not affect prior query requests.

Caveats and Limitations

The following warnings, caveats, and limitations are associated with the advanced query feature:

• Before using this feature, it is necessary to disable the active-directory-access and authentication-source options under the user-identification hierarchy. If active directory authentication or the ClearPass query and Web API functions are configured and committed, this configuration cannot be applied.

• Reading and processing user identity records can impact CPU usage and resource consumption on the device. This impact may persist for several minutes.

• If user identity information is cleared from JIMS or is missing for other reasons or delayed, the device may receive inaccurate IP address and user mapping information.

• When the device's firewall authentication function pushes entries to JIMS for users successfully authenticated through the captive portal, it does not update the authentication entry time-out state for the Juniper Identity Management Service server.

• The generation of authentication entries in the identity management authentication table can be affected by the response time of the JIMS server or the number of user identity records to be retrieved.

• Changing the configuration of a filter will only apply to subsequent retrievals of user identities. It does not affect previously retrieved identities.

• The address ranges in the filters can only be configured with IPv4 addresses. Starting from Junos OS Release 18.3R1, SRX Series Firewall also support IPv6 addresses for filter configuration.

These details provide a comprehensive understanding of the Juniper Identity Management Service (JIMS) and it's capabilities for obtaining user identity information, including the use of advanced query features, connection establishment, and the application of filters.

Caveats and Limitations

The following warnings and caveats apply to the UPN support feature:

• The sAMAccountName should be configured in the search-filter option for the access profile to avoid name conflicts between cn and UPN of another user.

• The UPN suffix may differ from the domain name to which the user belongs. In such cases, an additional security policy source-identity must be added for the domain name.

• UPN support is only available when configuring an LDAP access profile for firewall-authentication.