
connection (Identity Management Advanced Query)

Syntax

Hierarchy Level

Description

Configure parameters for connecting the SRX Series to the Juniper Identity Management Service (JIMS) server to obtain user identity and device information.

For the SRX Series Firewall to obtain user identity information, you must first establish a connection to the JIMS server. The parameters to specify for the connection include the protocol, the IP address of the JIMS server, and the information to authenticate the SRX Series Firewall to the JIMS server.

If you are using more than one JIMS server, you must configure each server separately. The SRX Series Firewall always attempts to connect to the primary server first. If the primary server fails, the SRX Series Firewall falls back to the secondary server. The SRX Series Firewall periodically probes the failed primary server and reverts to it when it is available.

Only configuration of the primary server is mandatory. You are not required to use a secondary server.

The SRX Series advanced user identity query feature queries the JIMS for user identity information that the SRX Series stores in its authentication table and uses to authenticate users. Use of the JIMS allows you to provision users locally and have their authentication information made available to other sites in your network for policy enforcement and reporting.

Warning:

Before you use this feature, you must disable any other actively used options under the [edit services user-identification] hierarchy. You cannot commit this configuration if active directory authentication and the ClearPass query and webapi functions are configured and committed.

To obtain device information, such as device identity, groups, and the operating system, from the JIMS server using either the batch-query or ip-query configuration, you must set the device authentication source, as follows.

connect-method—Configure the protocol to be used for the SRX Series Firewall connection to JIMS. The SRX Series Firewall connects to the JIMS to obtain user identity information.

port—Configure the port on the JIMS server that the SRX Series Firewall uses to connect to the server.

query-api—Configure the prefix of the URL path for querying user identities. This value is used to construct the prefix of the path for queries for individual users, as well as for ip-query and batch-query requests, each of which has a unique suffix:

  • For IP query, query-api/ip/

  • For batch query, query-api/users/

  • For user query, query-api/user

The default value for query-api is user-query/v2.

For example, for a batch query, assume that the query API is configured as user-query/v2. To generate the complete URL, the prefix is combined with the connection method, which is HTTPS, the IP address of the JIMS server, expressed as a variable in this example (JIMS), the beginning timestamp, begintime={timestamp}, and the number of user identity information items to be provided in the record that the JIMS server returns, entry_count={count}.

'https://JIMS/user_query/v2/users/endpoints?begintime={timestamp}&entry_count={count}'

token-api—The path of the URL for acquiring the access token for OAuth2 authentication (RFC 6749). The JIMS server requires that the SRX Series Firewall authenticate to it using OAuth2. The SRX Series Firewall uses the Client Credentials grant type for this purpose.

The following example shows the default token-api, oauth_token/oauth, combined with the connection method, https, and the JIMS server IP address placeholder to create the complete URL:

https://JIMS/oauth_token/oauth
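The following Python script is an added illustration, not Juniper code: it assembles the token and query URLs from the connection parameters exactly as the two examples above describe, and flags the settings a reviewer would check (a plaintext http connect-method, a port outside the documented range). The query-api value is the one shown in the batch-query example URL; the JIMS address is the same placeholder the page uses, and appending the queried IP address to the ip/ suffix and sending the OAuth2 client credentials in the form body are assumptions.

```python
from urllib.parse import urlencode

# Constructed sample of the `connection` stanza values this page describes.
# "JIMS" stands in for the server address, as in the page's example URLs.
SAMPLE_CONNECTION = {
    "connect-method": "https",
    "address": "JIMS",
    "port": 443,
    "query-api": "user_query/v2",
    "token-api": "oauth_token/oauth",
}

def validate(conn):
    """Return configuration findings; an empty list means nothing to flag."""
    findings = []
    if conn["connect-method"] not in ("http", "https"):
        findings.append("connect-method must be http or https")
    if conn["connect-method"] == "http":
        findings.append("http sends the OAuth2 client secret and identity data in clear text")
    if not 1 <= conn.get("port", 443) <= 65535:
        findings.append("port must be in the range 1 through 65535")
    return findings

def base_url(conn):
    """Scheme and host, adding :port only when it is not the scheme default."""
    scheme, host = conn["connect-method"], conn["address"]
    default_port = 443 if scheme == "https" else 80
    port = conn.get("port", default_port)
    return f"{scheme}://{host}" if port == default_port else f"{scheme}://{host}:{port}"

def token_url(conn):
    """Endpoint for the OAuth2 Client Credentials token request (RFC 6749 section 4.4)."""
    return f"{base_url(conn)}/{conn['token-api'].strip('/')}"

def token_request_body(client_id, client_secret):
    """Form body of the Client Credentials grant (assumption: credentials sent in the body)."""
    return urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})

def batch_query_url(conn, begintime, entry_count):
    """query-api prefix + users/ suffix + parameters, as in the page's batch-query example."""
    prefix = conn["query-api"].strip("/")
    params = urlencode({"begintime": begintime, "entry_count": entry_count})
    return f"{base_url(conn)}/{prefix}/users/endpoints?{params}"

def ip_query_url(conn, ip):
    """query-api prefix + ip/ suffix; appending the queried IP is an assumption."""
    return f"{base_url(conn)}/{conn['query-api'].strip('/')}/ip/{ip}"

if __name__ == "__main__":
    print(token_url(SAMPLE_CONNECTION))
    print(batch_query_url(SAMPLE_CONNECTION, 1700000000, 100))
```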

The advanced user identity query feature, to which this statement belongs, allows you to obtain user identity information from the JIMS through queries. It allows you to provision users locally and have their authentication information made available to other sites in your network for policy enforcement and reporting.

Options

connect-method

Method of connection

  • Values:

    • http—HTTP connection

    • https—HTTPS connection

port

Server port

  • Default: 443

  • Range: 1 through 65535

query-api

Query API

token-api

API for acquiring the token for OAuth2 authentication

The remaining statements are described separately.

Required Privilege Level

  1. services—To view this statement in the configuration.

  2. services-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 15.1X49-D100.

Source, interface, and routing-instance options were introduced in Junos OS Release 21.1R1.