batch query
Syntax
batch-query { items-per-batch items-per-batch; query-interval seconds; }
Hierarchy Level
[edit services user-identification identity-management]
Description
Configure the SRX Series Firewall to communicate with the Juniper Identity Management Service server to obtain an access token to use to query the server for identity information for an individual user (IP query and user query) or a group of users (batch query). The access token allows the SRX Series Firewall to connect to the Juniper Identity Management Service server to query it for this information.
The batch-query statement allows the SRX Series Firewall to periodically query the Juniper Identity Management Service server automatically for user identity information. When you start the SRX Series Firewall, it automatically sends a batch query request to the Juniper Identity Management Service server to obtain all of the user identity information that it expects. After it receives the user identity information, the SRX Series Firewall periodically issues a query to the Juniper Identity Management Service server requesting that a new report be generated to include any newly available user identity items so as to keep its authentication table entries up-to-date.
You can configure an interval for when the batch query request is to be issued and the maximum number of user identity items to be sent in response to the query in one batch. Only remaining available user identity items are sent if their number is fewer than the configured maximum.
If you need to refresh the user identities in the authentication table—that is, everything that was received automatically when you started the system and from subsequent batch queries or IP queries—you can clear the authentication table by disabling the user-identification feature configuration. Afterward, you can reconfigure the advanced-query feature to retrieve all available user identities. To accomplish this, you use the following sequence of CLI statements: deactivate services user-identification, commit, activate services user-identification, commit.
Before you use this feature, you must disable active-directory-access and authentication-source options under the [edit services user-identification] hierarchy. You cannot commit this configuration if active directory authentication or the ClearPass query and webapi functions are configured and committed.
The advanced query feature queries the Juniper Identity Management Service for user identification information that the SRX Series stores in its authentication table and uses to authenticate users. Use of the Juniper Identity Management Service allows you to provision users locally and have their authentication information made available to other sites in your network for policy enforcement and reporting.
To obtain device information, such as device identity, groups, and the operating system, from the Juniper Identity Management Service server using either the batch-query or ip-query configuration, you must set the device authentication source, as follows.
user@host# set services user-identification device-information authentication-source network-access-controller
Options
items-per-batch | The maximum number of user identity items that the SRX Series Firewall will accept in one batch in response to the query.
|
query-interval. | Interval in seconds after which the SRX Series Firewall will issue a query request for newly generated user identities.
|
Required Privilege Level
services—To view this statement in the configuration.
services-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 15.1X49-D100.