ON THIS PAGE
Understanding Advanced Query Feature for Obtaining User Identity Information from JIMS
Understanding User Principal Name as User Identity in SRX Series Devices
Configuring Advanced Query Feature for Obtaining User Identity Information from JIMS
Example: Configuring the Advanced Query Feature for Obtaining User Identity Information from JIMS
Configure Juniper Identity Management Service to Obtain User Identity Information
Juniper Identity Management Service (JIMS) is a standalone Windows service application that collects and maintains a large database of user, device, and group information from Active Directory domains. JIMS enables the device to rapidly identify thousands of users in a large, distributed enterprise.
Understanding Advanced Query Feature for Obtaining User Identity Information from JIMS
- Overview
- Establishing a Connection to JIMS to Obtain User Identity Information
- Querying JIMS for User Identity Information
- Filters
- Caveats and Limitations
Overview
Juniper Identity Management Service (JIMS) is a software agent and repository that collects user name, device identity, and group information from various sources. JIMS supports Microsoft active directory and Microsoft Exchange Server.
The SRX Series Firewalls or NFX Series device relies on JIMS to obtain user identity information much in the same way that it does LDAP.
If you configure the advanced user query feature, the device:
Can query JIMS for identity information.
Populate identity management authentication table with the information that is obtained from JIMS.
Use the populated identity management authentication table to authenticate a user or a device requesting access to a protected resource.
If JIMS does not contain information for a user, you can push that information to the device. The user must first authenticate to the device through captive portal.
The advanced query feature also allows you to push authentication entries to the JIMS server for users for whom there are no entries in JIMS but who have successfully authenticated to the device through captive portal.
User identity information that JIMS sends in response to the device queries includes:
IP address of the user’s device.
User name.
Domain that the user’s device belongs to.
Roles that the user belongs to, such mycompany-pc. CEO. user-authenticated.
If the device is online and the state of the device, such as “Healthy”.
End-user-attributes, such as device-identity, value (device name), and groups that the device belongs to.
Establishing a Connection to JIMS to Obtain User Identity Information
The device obtains user identity information by querying JIMS either in batch mode to obtain information for groups of users or through queries for individual users. For the device to query JIMS, you must establish an HTTPS connection between the device and the JIMS server.
HTTP connections are used only for debugging purposes.
Defining the connection entails configuring the following information:
Connection parameters.
Authentication information that allows the device to authenticate to JIMS.
The device obtains an access token after it authenticates to the JIMS server. The device must use this token to query JIMS for user information.
You can also configure this information for connection to a secondary, backup server.
Starting in Junos OS Release 18.3R1, IPv6 addresses are supported to connect JIMS primary server and secondary server, in addition to existing IPv4 address support.
The device attempts to connect to the primary server first and in case of failed attempt, it switches to the secondary server. Even after connecting to the secondary server, the device periodically probes the failed primary server and reverts to the primary server when it is available again.
Starting with Junos OS Release 18.1R1, you can configure an IPv6 address for Web API function to allow the JIMS to initiate and establish a secure connection. The Web API supports the IPv6 user or device entries obtained from JIMS. Prior to Junos OS Release 18.1R1, only IPv4 addresses were supported.
Querying JIMS for User Identity Information
There are three ways to obtain user identity information from JIMS:
Initial batch query at startup—When the device is started, it sends a batch query message to JIMS to obtain all available user identity information for active directory users that it expects at that time, if you have configured the device connection to the JIMS server.
Follow-on batch queries—Following its initial receipt of user identity information, the device queries JIMS periodically for batches of newly generated user identity information. For this to occur, you configure an interval for the periodic queries and specify the number of user identity records to be sent in return per batch. Starting with Junos OS Release 18.1R1, the device can query JIMS for IPv6 user or device information. Prior to Junos OS Release 18.1R1, only IPv4 addresses were supported.
Query for individual user information—You can configure the advanced query feature to allow you to query the JIMS server for identity information for an individual user based on the IP address of the user’s device, if that information is missing from a batch response. Starting with Junos OS Release 18.1R1, the device can query JIMS for IPv6 user or device information when IPv6 traffic arrives on the device.
If an entry for the specified IP address does not exist, JIMS returns an HTTP 404 “Not Found” message.
When the device requests user information from JIMS initially, it specifies a timestamp. JIMS sends user information in response going back to the timestamp specification, and it includes a cookie to the device in the response to indicate the context. The device sends that cookie with its next query instead of a timestamp.
You can refresh the user identity information in your identity management authentication table obtained from JIMS. You can obtain everything that was received automatically when you started the device and from subsequent batch queries and individual IP queries up to the present.
For this purpose, you clear the authentication table by disabling the advanced query feature configuration. Afterward, you can reconfigure the advanced query feature to retrieve all available user identities.
Starting with Junos OS Release 18.1R1, devices can search the identity management authentication table for information based on IPv6 addresses. Prior to Junos OS Release 18.1R1, the devices read only IPv4 addresses. The device supports the use of IPv6 addresses associated with source identities in security policies. If an IPv4 or IPv6 entry exists, policies matching that entry are applied to the traffic and access is either allowed or denied.
Starting in Junos OS Release 20.2R1, you can search and view user identity information such as logged users, connected devices and group list from Juniper Identity Management Service (JIMS) and Active Directory (AD) domain. The SRX Series Firewall relies on JIMS to obtain user identity information.
You can search the user identity information and validate the authentication source to provide access to the device. You can request JIMS to retrieve the group list for the Active Directory domain for identity information of an individual user.
Filters
The advanced query feature provides an optional filter function that you can use to control at a granular level the user information records that you want to receive in response to queries. You can configure filters based on IP addresses and domains. Filters allow you to define specifically users whose information you want JIMS to return to you in response to queries.
You can configure filters composed of:
A range of IP addresses. You can specify a range of IP addresses for:
Users whose information you want to receive.
Users for whom you do not want information.
Starting in Junos OS Release 18.3R1, SRX Series Firewalls support IPv6 addresses to configure the filters based on IP addresses, in addition to existing IPv4 addresses.
You use address books to create the IP address filters. You configure address sets, each of which must not contain more than twenty IP addresses to be included in the address book.
Domain names.
You can specify the names of up to twenty-five active directory domains.
You can configure a filter that includes all three specifications: a range of IP addresses to include, a range of IP addresses to be excluded, and the names of one or more domains.
Filters are contextual. That is, you can use a different filter configuration for different requests. If you change the filter configuration, the new filter applies to subsequent queries exclusively. It has no bearing on prior query requests
Caveats and Limitations
The following warnings and caveats apply to the advanced query feature:
Before you use this feature, you must disable
active-directory-access
andauthentication-source
options under theuser-identification
hierarchy. You cannot commit this configuration if active directory authentication or the ClearPass query and Web API functions are configured and committed.The CPU usage and resource consumption is affected by the device’s reading and processing of user identity records. The impact might last several minutes.
If user identity information is cleared from JIMS or it is missing for other reasons or delayed, the device could receive inaccurate IP address and user mapping information.
When the device firewall authentication function pushes to JIMS entries for users successfully authenticated through captive portal, it does not update the authentication entry time-out state for the Juniper Identity Management Service server.
The following limitations apply to the advanced query feature:
Generation of authentication entries in the identity management authentication table can be affected by a delay in the JIMS server’s response time or the number of user identity records to be retrieved.
As noted, if configuration of a filter is changed, the new filter is used only in subsequent retrievals of user identities.
You can configure only IPv4 addresses for configuring the address ranges.
See Also
Understanding User Principal Name as User Identity in SRX Series Devices
Starting in Junos OS Release 20.1R1, you can use User Principal Name (UPN) as logon name in firewall-authentication, which is working as a captive portal for JIMS or user-firewall.
You can use UPN as logon name along with cn or sAMAccountName at the same time. UPN can be used instead of sAMAccountName to authenticate a user.
Even if user uses UPN as logon name, firewall authentication pushes sAMAccountName (mapping to the UPN) to user ID rather than pushing the UPN.
Firewall-authentication pushes both UPN and sAMAccountName (mapping to the UPN) to JIMS.
User Principal Name (UPN) attribute is the logon name from Windows Active Directory to log on to a domain. A UPN consists of a UPN prefix (the user account name) and a UPN suffix (a DNS domain name). UPN is an indexed string that is single-valued. UPN is used as a logon name in firewall-authentication when LDAP type access profile is being used.
A UPN is an Internet-style login name for a user based on the Internet standard. UPN is the name of a system user in an e-mail address format, for example, mailto:username@domainname.com. UPN is shorter than a distinguished name and easier to remember. A UPN is a unique among all security principal objects with a directory forest.
The sAMAccountName attribute is a logon name used to support clients and servers from previous versions of Windows, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. The logon name should be lesser than 20 characters and unique among all security principal objects within the domain. You will have access when the firewall-authentication retrieves sAMAccountName from the Active Directory.
UPN is one of the identities of an Active Directory user in a domain. In organizations, most users use UPN as logon name along with cn or sAMAccountName attribute at the same time. The UPN attribute configuration access profile cannot handle UPN and cn or sAMAccountName at the same time. See Configure Integrated User Firewall.
User firewall-authentication by captive portal has two ways, such as Active Directory and JIMS.
If source is Active Directory, Active Directory must be configured on SRX Series Firewalls, when user uses UPN as logon name. Firewall-authentication pushes sAMAccountName to SRX Series Firewalls, the user authentication entry is sAMAccountName, but not UPN.
If source is JIMS, JIMS must be configured on SRX Series Firewalls, when user uses UPN as logon name. Firewall-authentication pushes both UPN and sAMAccountName to JIMS. When you configure the SRX Series Firewall to the JIMS server, SRX Series Firewalls sends the batch query to JIMS to obtain the available user information.
Caveats and Limitations
The following warnings and caveats apply to the UPN support feature:
sAMAccountName should be configured in search-filter option for access profile. This option can avoid name conflict between cn and UPN of another user.
UPN suffix might be different from the domain name that the user belongs to. In this case, additional security policy source-identity must be added in domain name. For example, there is a user with sAMAccountName as ndu123 in domain ad03.net, and UPN is mailto:bob@ad03-upn.net.
UPN supports only when LDAP access profile is configured for firewall-authentication.
Configuring Advanced Query Feature for Obtaining User Identity Information from JIMS
This configuration shows how to configure the advanced query feature for obtaining user identity information from Juniper Identity Management Service (JIMS) and to configure security policy to match the source identity.
This topic describes:
- Configuring the Advanced Query Feature for Obtaining User Identity Information from JIMS
- Configuring Device Identity Authentication Source, and Security Policy to Match the User Identity Information Obtained from JIMS
Configuring the Advanced Query Feature for Obtaining User Identity Information from JIMS
By configuring the advanced user query feature, the device can query JIMS and add identity information in the local active directory authentication table.
Use the following steps to configure the advanced query feature:
Configuring Device Identity Authentication Source, and Security Policy to Match the User Identity Information Obtained from JIMS
Specify the device identity authentication source and the security policy. The device obtains the device identity information for authenticated devices from the authentication source. The device searches the device identity authentication table for a device match when traffic issuing from a user’s device arrives at the device. If it finds a match, the device searches for a matching security policy. If it finds a matching security policy, the security policy’s action is applied to the traffic.
Use the following steps to configure device identity authentication source:
Use the following steps to configure the security policy:
Create a source address for a security policy.
[edit security ] user@host# set policies from-zone untrust to-zone trust policy name match source-address any
Create a destination address for a security policy.
[edit security ] user@host# set policies from-zone untrust to-zone trust policy name match destination-address any
Configure the port-based application to match the policy.
[edit security ] user@host# set policies from-zone untrust to-zone trust policy name match application any
Define a username or a role (group) name that the JIMS sends to the device. Example: "jims-dom1.local\user1".
[edit security ] user@host# set policies from-zone untrust to-zone trust policy name match source-identity username or group
Permit the packet if policy matches.
[edit security ] user@host# set policies from-zone untrust to-zone trust policy name then permit
Configure the session initiation time.
[edit security ] user@host# set policies from-zone untrust to-zone trust policy name then log session-init
Configure the session close time.
[edit security ] user@host# set policies from-zone untrust to-zone trust policy name then log session-close
Example: Configuring the Advanced Query Feature for Obtaining User Identity Information from JIMS
This example shows how to configure the advanced query feature on the SRX Series Firewall to connect automatically to Juniper Identity Management Service (JIMS). You can make requests using advanced query to obtain the authentication information through batch query.
JIMS provides a robust and scalable user identification and IP address mapping implementation that includes endpoint context and machine ID. JIMS collects user identity information from different authentication sources, for SRX Series Firewalls. With advanced query feature, the SRX Series Firewall works as the HTTPS client and sends HTTPS requests to JIMS on port 591.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
This example uses the following hardware and software components:
Junos Software Release 15.1x49-D100 and JIMS Software Release v1.1 and v1.2.
Before you begin, you need the following information:
The IP address of the JIMS server.
The port number on the JIMS server for receiving HTTPS requests.
The client ID from the JIMS server for advanced queries.
The client secret from the JIMS server for advanced queries.
The traceoptions from the JIMS server for advanced queries.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit]
hierarchy
level, and then enter commit
from configuration mode.
set services user-identification identity-management connection connect-method https set services user-identification identity-management connection port 443 set services user-identification identity-management connection primary address 192.0.2.15 set services user-identification identity-management connection primary client-id client1 set services user-identification identity-management connection primary client-secret "$ABC123" set services user-identification identity-management connection secondary address 192.0.2.2 set services user-identification identity-management connection secondary client-id client2 set services user-identification identity-management connection secondary client-secret "$ABC123" set services user-identification identity-management batch-query query-interval 60 set services user-identification identity-management ip-query query-delay-time 0 set services user-identification identity-management traceoptions file jimslog set services user-identification identity-management traceoptions file size 10m set services user-identification identity-management traceoptions level all set services user-identification identity-management traceoptions flag all set services user-identification identity-management traceoptions flag jims-validator-query
Procedure
Step-by-Step Procedure
To configure the advanced query feature on SRX Series Firewall:
-
Configure JIMS as the authentication source for advanced query requests. The SRX Series Firewall requires this information to contact the server.
[edit services user-identification] user@host# set identity-management connection connect-method https
-
Configure the port number of the JIMS server to which the SRX Series Firewall sends HTTPS requests.
[edit services user-identification] user@host# set identity-management connection port 443
Configure the primary address of the JIMS server.
[edit services user-identification] user@host# set identity-management connection primary address 192.0.2.15
Configure the client ID and client secret to obtain access token.
[edit services user-identification] user@host# set identity-management connection primary client-id client1 user@host# set identity-management connection primary client-secret "$ABC123"
Configure the secondary address of the JIMS server.
[edit services user-identification] user@host# set identity-management connection secondary address 192.0.2.2
Configure the client ID and client secret to obtain access token.
[edit services user-identification] user@host# set identity-management connection secondary client-id client2 user@host# set identity-management connection secondary client-secret "$ABC123"
Configure the batch query interval to periodically query JIMS for user identity information.
[edit services user-identification] user@host# set identity-management batch-query query-interval 60
-
Configure the delay time in seconds before the SRX Series Firewall sends the individual user query. In this example, there is no delay.
[edit services user-identification] user@host# set identity-management ip-query query-delay-time 0
Configure the traceoptions for debugging and trimming output.
[edit services user-identification] user@host# set identity-management traceoptions file jimslog user@host# set identity-management traceoptions file size 10m user@host# set identity-management traceoptions level all user@host# set identity-management traceoptions flag all user@host# set services user-identification identity-management traceoptions flag jims-validator-query
-
Configure the device to connect with JIMS server. If you don’t specify a port number, the default port 591 is used for JIMS. SRX Series Firewall uses the same JIMS configuration to connect with both JIMS port 443 and JIMS server (validator) port 591.
set services user-identification identity-management jims-validator port 591
Results
From configuration mode, confirm your configuration
by entering the show services user-identification
command.
If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it. To disable
the ip-query use configuration set services user-identification
identity-management ip-query no-ip-query
.
[edit]
user@host# show services user-identification
identity-management {
connection {
connect-method https;
port 443;
primary {
address 192.0.2.15;
client-id client1;
client-secret "$ABC123";
}
secondary {
address 192.0.2.2;
client-id client2;
client-secret "$ABC123";
}
}
jims-validator {
port 591;
}
batch-query {
query-interval 60;
}
ip-query {
query-delay-time 0;
}
traceoptions {
file jimslog size 10m;
level all;
flag all;
flag jims-validator-query;
}
}
}
If you are done configuring the device, enter commit
from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying the user-identification identity-management status
- Verifying the user-identification identity-management counters
Verifying the user-identification identity-management status
Purpose
Verify that the JIMS server is online and which server is responding to queries from the SRX Series Firewall.
Action
From operational mode, enter the show services
user-identification identity-management status
command.
Primary server : Address : 192.0.2.15 Port : 443 Connection method : HTTPS Connection status : Online Last received status message : OK (200) Access token : jjrOS4unS5d6KOTAvN8VlTsflhZBQmOm9jVsrwS Token expire time : 2017-12-22 08:51:38 Secondary server : Address : 192.0.2.2 Port : 443 Connection method : HTTPS Connection status : Online Last received status message : OK (200) Access token : MLefNf00jG503D7H95neF1ip59JOC3jPgcl4oWQ Token expire time : 2017-12-22 08:51:28
Meaning
The output provides data about the JIMS server status.
Verifying the user-identification identity-management counters
Purpose
Display counters for batch and IP queries sent to the JIMS device and responses received from the JIMS server. The batch query is displayed separately for the primary server and the secondary server, if more than one is configured.
Action
From operational mode, enter the show services
user-identification identity-management counters
command.
From operational mode, enter the clear services user-identification
identity-management counters
command to clear the counter.
Primary server : Address : 192.0.2.15 Batch query sent number : 8 Batch query total response number : 8 Batch query error response number : 0 Batch query last response time : 2017-12-22 01:04:34 IP query sent number : 4 IP query total response number : 4 IP query error response number : 0 IP query last response time : 2017-12-22 01:02:25 Secondary server : Address : 192.0.2.2 Batch query sent number : 0 Batch query total response number : 0 Batch query error response number : 0 Batch query last response time : 0 IP query sent number : 0 IP query total response number : 0 IP query error response number : 0 IP query last response time : 0
Meaning
The output provides the batch and IP queries data from JIMS server.
Example: Configuring Filter for Advanced Query Feature
An SRX Series Firewall supports IP filters and domain filters when querying Juniper Identity Management Service (JIMS). The advanced query feature provides an optional filter function to receive the user information in response to queries.
This example shows how to configure the filters for obtaining the user information.
Requirements
Before you begin:
Configure the advanced query feature. See Configuring Advanced Query Feature for Obtaining User Identity Information from JIMS.
Overview
You can configure filters to query JIMS server at a more granular level to obtain user identity information based on IP addresses. You can set filters to include the IP address ranges, which SRX Series Firewalls require or exclude the IP address ranges that they do not require when collecting the user identity information. You can also filter domains.
A filter can include and exclude up to twenty IP address ranges. Therefore, an address set that contains more than twenty address ranges causes the filter configuration to fail. To specify the ranges, specify the name of a predefined address set which includes them, and also which is included in an existing address book.
A domain can include up to 20 domain names for a filter.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit]
hierarchy
level, and then enter commit
from configuration mode.
In this example, define an address book, and specify the security address for the address book. Specify an IP address with a prefix. Define an address set name and specify the address. Include and exclude the IP addresses in the address book. Add the address set to include and exclude the IP addresses. Add a domain name to filter the domain.
set security address-book mybook address addr1 192.0.2.0/24 set security address-book mybook address-set myset address addr1 set services user-identification identity-management filter include-ip address-book mybook set services user-identification identity-management filter include-ip address-set myset set security address-book mybook2 address addr2 198.51.100.0/24 set security address-book mybook2 address-set myset2 address addr2 set services user-identification identity-management filter exclude-ip address-book mybook2 set services user-identification identity-management filter exclude-ip address-set myset2 set services user-identification identity-management filter domain host.example.com
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure a filter for advanced query feature:
Define an address book name, specify security address for the address book, and add an IPv4 address with a prefix.
[edit ] user@host# set security address-book mybook address addr1 192.0.2.0/24 user@host# set security address-book mybook2 address addr2 198.51.100.0/24
Specify an address set name and specify the address.
[edit ] user@host# set security address-book mybook address-set myset address addr1 user@host# set security address-book mybook2 address-set myset2 address addr2
Configure the address book to include and exclude the IP address.
[edit ] user@host# set services user-identification identity-management filter include-ip address-book mybook user@host# set services user-identification identity-management filter exclude-ip address-book mybook2
Define the address set to include or exclude the IP address.
[edit ] user@host# set services user-identification identity-management filter include-ip address-set myset user@host# set services user-identification identity-management filter exclude-ip address-set myset2
Specify a domain name to filter the domain.
[edit ] user@host# set services user-identification identity-management filter domain host.example.com
Results
From configuration mode, confirm your configuration
by entering the show services user-identification
and show security address-book
commands. If the output does not
display the intended configuration, repeat the configuration instructions
in this example to correct it.
[edit]
user@host# show services user-identification
identity-management {
filter {
domain {
host.example.com;
}
include-ip {
address-book mybook;
address-set myset;
}
exclude-ip {
address-book mybook2;
address-set myset2;
}
}
}
[edit]
user@host# show security address-book
mybook {
address addr1 192.0.2.0/24;
address-set myset {
address addr1;
}
}
mybook2 {
address addr2 198.51.100.0/24;
address-set myset2 {
address addr2;
}
}
Verification
Verifying Filter for Advanced Query Feature
Purpose
Verify that the authentication table displays the user information that you want to receive in response to queries.
Action
From operational mode, enter show services user-identification
authentication-table authentication-source all
command.
show services user-identification authentication-table authentication-source all node0: -------------------------------------------------------------------------- Logical System: root-logical-system Domain: host.example.com Total entries: 10 Source IP Username groups(Ref by policy) state 192.0.2.10 jasonlee Valid 192.0.2.9 jasonlee Valid 192.0.2.8 jasonlee Valid 192.0.2.7 jasonlee Valid 192.0.2.6 jasonlee Valid 192.0.2.5 jasonlee Valid 192.0.2.4 jasonlee Valid 192.0.2.3 jasonlee Valid 192.0.2.2 jasonlee Valid 192.0.2.1 jasonlee Valid node1: -------------------------------------------------------------------------- Logical System: root-logical-system Domain: host.example.com Total entries: 10 Source IP Username groups(Ref by policy) state 192.0.2.10 jasonlee Valid 192.0.2.9 jasonlee Valid 192.0.2.8 jasonlee Valid 192.0.2.7 jasonlee Valid 192.0.2.6 jasonlee Valid 192.0.2.5 jasonlee Valid 192.0.2.4 jasonlee Valid 192.0.2.3 jasonlee Valid 192.0.2.2 jasonlee Valid 192.0.2.1 jasonlee Valid
Meaning
The output displays the user information in response to queries.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.