primary connection (Identity Management Advanced Query)

Syntax

Hierarchy Level

Description

Configure the parameters that the SRX Series Firewall uses to connect to the Juniper Identity Management Service (JIMS) primary server and authenticate to it to obtain an access token. JIMS requires that the SRX Series Firewall authenticate to it using OAuth2 before the SRX Series Firewall can query the JIMS server for user identity information. The SRX Series Firewall must provide the JIMS server with credentials, including a client ID and a client secret. If the client (in this case, the SRX Series Firewall) is authenticated, it is granted an access token. (See RFC 6749.) Both the client ID and the client secret must match the API client configured on the JIMS primary server.

In addition to the client ID and the client secret, you configure the filename of the JIMS CA certificate. The certificate enables the SRX Series Firewall to verify the identity of JIMS and to confirm that it is trusted for the SSL connection.

If the deployment consists of more than one JIMS server, a primary and secondary relationship is established. The SRX Series Firewall always attempts to connect to the primary server first. When one or more queries to the primary server fail, the system falls back to the secondary server.

address: Configure the IP address of the primary Juniper Identity Management Service (JIMS) server. The SRX Series Firewall requires the server IP address to connect to the server and obtain an access token that allows it to query the server for user identity information. The IP address is configured as part of a collection of information that includes the SRX Series Firewall's client ID, client secret, and CA certificate information.

The SRX Series Firewall sends a unique set of identification information to the primary server and to the secondary server. The feature supports only IPv4 addresses.

client-id: Client ID that the SRX Series Firewall provides to the JIMS primary server as part of its authentication to it. The SRX Series Firewall must authenticate to the server to obtain an access token that allows it to query the server for user identity information. The client ID must match the API client configured on the JIMS primary server.

client-secret: Client secret that the SRX Series Firewall provides to the JIMS primary server as part of its authentication to it. The client secret must match the API client configured on the JIMS primary server.
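The exchange this statement configures, as an added Python model that is not Juniper's code and not the SRX implementation: it builds the RFC 6749 client-credentials token request the client ID and client secret feed, requires the configured CA certificate for server verification, and applies the primary-then-secondary fallback described above. Server addresses, client ID and client secret are constructed sample values, and the query function is injected so the example runs offline.

```python
import base64
import ssl
from urllib.parse import quote, urlencode


def build_token_request(client_id: str, client_secret: str) -> dict:
    """RFC 6749 client-credentials grant (section 4.4): the client proves its
    identity with HTTP Basic (section 2.3.1), form-encoding id and secret
    before base64, and asks the token endpoint for an access token."""
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    creds = base64.b64encode(raw.encode()).decode()
    return {
        "method": "POST",
        "headers": {
            "Authorization": "Basic " + creds,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"grant_type": "client_credentials"}),
    }


def tls_context(ca_file: str) -> ssl.SSLContext:
    """Trust for the JIMS connection comes only from the configured CA
    certificate; an unset CA file is rejected instead of silently
    degrading to an unverified connection."""
    if not ca_file:
        raise ValueError("a CA certificate (ca-certificate / ca-profile) is required")
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def query_with_fallback(servers: dict, query) -> tuple:
    """Always try the primary first; use the secondary only after a primary
    query fails. `query(address)` returns identity data or raises OSError.
    Returns (role_that_answered, result)."""
    last_err = None
    for role in ("primary", "secondary"):
        address = servers.get(role)
        if address is None:
            continue
        try:
            return role, query(address)
        except OSError as err:  # connection or query failure on this server
            last_err = err
    raise RuntimeError("no JIMS server answered the query") from last_err
```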

Warning:

Before you use this feature, you must disable any other actively used options under the [edit services user-identification] hierarchy. You cannot commit this configuration if Active Directory authentication and the ClearPass query and webapi functions are configured and committed.

Options

address

IP address of the primary server.

ca-profile

CA profile name.

client-id

Client ID for the OAuth2 grant.

client-secret

Client secret for the OAuth2 grant.

Required Privilege Level

  1. services—To view this statement in the configuration.

  2. services-control—To add this statement to the configuration.

The remaining statements are explained separately. See CLI Explorer.

Release Information

Statement introduced in Junos OS Release 15.1X49-D100.

IPv6 address support introduced in Junos OS Release 18.3R1.

Source, interface, and routing-instance options introduced in Junos OS Release 21.1R1.

Option ca-profile introduced in Junos OS Release 23.2R1.