show services user-identification authentication-table

Syntax

Description

Display the user identity information authentication table entries for the specified authentication source. You can display the entire contents of the specified authentication source’s authentication table, or you can constrain the displayed information to a specific domain, group, or user based on the user name. You can also display identity information for a user based on the IP address of the user’s device. You can show brief or extensive information for all of these instances.

authentication-source

User authentication source whose authentication table or identity management server entries are to be displayed.

Authentication sources include:

active-directory

Display the SRX Series active-directory table contents. You can display all of the table’s contents or you can delimit the display of user identity information by domain, group, or user name. You can display brief or extensive information for each of these categories.

  • domain—Display the entries in the authentication table for the specified domain. You can display summary, group, or user entries for the specified domain.

  • group—Display the entries from the authentication table for the specified group.

  • user—Display the entries from the authentication table for the specified user based on the user name.

aruba-clearpass

Display the SRX Series Aruba ClearPass authentication table contents. You can display all of the table’s contents or you can delimit the display of user information by domain, group, or user name. You can display brief or extensive information for each of these categories.

  • domain—Display the entries in the authentication table for the specified domain. You can display summary, group, or user entries for the specified domain.

  • group—Display the entries from the authentication table for the specified group.

  • user—Display the entries from the authentication table for the specified user based on the user name.

identity-management

Display user identity entries contained in the identity-management authentication system.

  • source-name—Name of the identity-management source. This could be the Juniper Identity Management Service (JIMS) or any third-party authentication source.

    • If you specify a source, such as “JIMS – Active Directory” for Juniper Identity Management Service, the SRX Series Firewall will show entries only for that authentication source.

      Possible values include:

      • For JIMS: “JIMS – Active Directory”, “JIMS – Exchange”

      • For ClearPass: “Aruba ClearPass”

  • domain—Display the entries in the identity management system for the specified domain. You can display summary, group, or user entries for the specified domain.

  • group—Display the entries in the identity management system for the specified group.

  • user—Display the entries in the identity management system for the specified user based on the user name.

  • tenant—Display the entries in the identity management system for the specified tenant system.

Options

  • all—Summary of the authentication entry information for all entries.

  • group group-name—Entries from the authentication table or identity management system for the specified group.

  • ip-address ip-address—Entries from the authentication table or identity management system for the specified IP address.

  • user name—Entries from the authentication table for the specified username.

  • domain name—Summary, group, or user entries for the specified domain.

  • node—(Optional) For chassis cluster configurations, the summary, IP address, or user entries for a specific node.

    • node-id—Identification number of the node. It can be 0 or 1.

    • all—Display information about all nodes.

    • local—Display information about the local node.

    • primary—Display information about the primary node.

  • brief | extensive—Display the specified level of output (the default is brief).

  • logical-system—Display the authentication entries based on the logical system name.

  • root-logical-system—Display the authentication entries based on the root logical system.

  • tenant tenant-name—Display the authentication entries based on the specified tenant system name.

Required Privilege Level

view

Output Fields

Field Name

Field Description

Domain

Name of the domain that the users belong to. User identity and authentication information is displayed for all users who belong to the domain and for whom there are entries in the specified authentication source table or repository.

Total entries

Number of user entries in the authentication table, by domain.

For each entry:

Source IP

The IP address of the user’s device. If a user is logged in to the network from more than one device, a separate entry is created for the user for each device, showing that device’s IP address.

Username

The name by which the user is logged in to the network.

Groups

A list of the groups that the user belongs to. The list can include a group that identifies the device posture.

State

The state of the entry. There are four states for an authentication entry: initial, valid, invalid, and pending.

  • An initial state is a temporary state, and it can be created from either a valid or an invalid entry.

    The entry has not been pushed to the Packet Forwarding Engine.

  • A valid state indicates that the authentication entry has a valid IP address, domain, and username.

    The authentication entry is pushed to the Packet Forwarding Engine.

  • An invalid state indicates that the entry does not have a valid IP address, domain, and username. If the entry is invalid, it is put in the null domain.

  • A pending state indicates that the entry was created after the user query was sent and before the response was received. The IP address is being probed.

Source

Authentication source.

Access start date

The date when the authentication entry was created by the SRX Series Firewall.

Access start time

The time when the authentication entry was created by the SRX Series Firewall. The time value is in device local time zone.

Last updated timestamp

The time when the user information was created. This value is taken from the timestamp field in the user information. The time value is in device local time zone.

Age time

The time, in minutes, after which the entry expires, as configured by the authentication-entry-timeout statement. If a value of 0 was specified, the entry never expires.

Forced Age time

The remaining time and the configured forced timeout value.

This information is made available if you configure the firewall-authentication-forced-timeout statement for active directory.

Active Directory

show services user-identification active-directory-access active-directory-authentication-table ip-address

Output of this command displays authentication and identity information for a specific user based on the IP address of the user’s device.

show services user-identification authentication-table ip-address

Output of this command displays authentication and identity information for a specific user based on the IP address of the user’s device.

show services user-identification active-directory-access active-directory-authentication-table all

Output of this command displays user authentication and identity information for all users for whom there are entries in the active directory authentication table.

show services user-identification active-directory-access active-directory-authentication-table all extensive

Output of this command, which specifies the extensive option, shows state and access information for all entries in the active directory authentication table, in addition to the basic information displayed by default or when the brief option is used.

show services user-identification active-directory-access active-directory-authentication-table all domain

Output of this command shows by default brief user identity and authentication information for all users for whom there are entries in the active directory authentication table and whose devices belong to the specified domain.

Capacity of User-Identification Authentication Table

There is a limit on the maximum number of authentication entries in the user-identification authentication table. For example, the maximum capacity of the user-identification authentication table is 5000 auth-entries for the vSRX3 firewall and 256,000 auth-entries for SRX5000 line firewalls.

When the user-identification authentication table holds the maximum number of authentication entries, ip-probe is disabled and no ip-query can be sent for new incoming sessions. The ip-probe is re-enabled only after the authentication table entry count falls to 90% of the total capacity. When the SRX user-identification authentication table has reached its capacity, new authentication entries are added only through batch responses from JIMS or event logs from Active Directory. When a new authentication entry is added, the LRU (least recently used) authentication entry with a similar state is deleted, but only if no active sessions are associated with it. The new authentication entry is then added to the authentication table. If no such LRU entry is found, the new authentication entry is discarded.
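The capacity, ip-probe hysteresis and LRU eviction rules described above, as an added Python model that is not Junos code or Juniper's implementation; it assumes a configurable capacity, reads "similar state" as "same state", and tracks recency by insertion order (a session hit moves an entry to most recently used).

```python
from collections import OrderedDict
from dataclasses import dataclass


@dataclass
class Entry:
    ip: str
    user: str
    state: str            # initial | valid | invalid | pending
    active_sessions: int = 0


class AuthTable:
    """Constructed model of the authentication table capacity behaviour."""

    def __init__(self, capacity, reenable_fraction=0.9):
        self.capacity = capacity
        self.reenable_at = int(capacity * reenable_fraction)   # assumed 90 % threshold
        self.entries = OrderedDict()      # ip -> Entry; first item is the LRU
        self.ip_probe_enabled = True

    def _refresh_probe(self):
        n = len(self.entries)
        if n >= self.capacity:
            self.ip_probe_enabled = False          # table full: no ip-query sent
        elif n <= self.reenable_at:
            self.ip_probe_enabled = True           # back at 90 %: probing resumes

    def touch(self, ip):
        """A session hit makes the entry most recently used."""
        self.entries.move_to_end(ip)

    def add(self, entry, source):
        """Return True if the entry was stored, False if it was discarded.
        source is 'ip-query', 'jims-batch' or 'ad-eventlog'."""
        if len(self.entries) < self.capacity:
            self.entries[entry.ip] = entry
            self._refresh_probe()
            return True
        if source not in ("jims-batch", "ad-eventlog"):
            return False                           # when full, only JIMS/AD may add
        for ip, old in self.entries.items():       # iterate oldest first
            if old.state == entry.state and old.active_sessions == 0:
                del self.entries[ip]               # evict idle LRU entry of same state
                self.entries[entry.ip] = entry
                return True
        return False                               # nothing evictable: discard

    def delete(self, ip):
        del self.entries[ip]
        self._refresh_probe()
```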

All Authentication Sources

Output of this command shows extensive user identity and authentication information for all users with entries in authentication tables of any authentication source. This example shows only one entry to illustrate the content that is displayed with the extensive option.

show services user-identification authentication-table authentication-source all all-logical-systems-tenants

Output of this command displays brief user authentication and identity information for all users for whom there are entries in the identity-management authentication source.

Aruba ClearPass

show services user-identification authentication-table authentication-source aruba-clearpass domain extensive

Output of this command shows extensive user identity and authentication information, when Aruba ClearPass is used as the authentication source, for all users whose devices belong to the GLOBAL domain.

show services user-identification authentication-table authentication-source aruba-clearpass domain brief

Output of this command shows brief user identity and authentication information for users whose devices belong to the GLOBAL domain.

If you do not specify brief, the same information would be displayed. The default behavior is to show brief output.

show services user-identification authentication-table authentication-source aruba-clearpass extensive

Output of this command shows extensive user identity and authentication information for all users authenticated by Aruba ClearPass for whom entries exist in the aruba-clearpass authentication table.

Identity Management

show services user-identification authentication-table authentication-source identity-management brief

Output of this command displays brief user authentication and identity information for all users for whom there are entries in the identity-management authentication source.

show services user-identification authentication-table authentication-source identity-management extensive

Output of this command displays extensive user authentication and identity information for all users for whom there are entries in the identity-management authentication source.

show services user-identification authentication-table authentication-source all extensive

Output of this command, which specifies the extensive option, shows state and access information for all entries.

Identity Management

show services user-identification authentication-table authentication-source identity-management tenant tn1 extensive

Output of this command, which specifies the extensive option, shows state and access information for all entries.

Firewall Authentication Forced Age Timeout

The “Forced Age timeout” value is displayed only when the firewall authentication forced timeout function is configured and the extensive option is used. The value shows the remaining time based on the forced timeout setting.

show services user-identification authentication-table authentication-source all extensive

Release Information

Command introduced in Junos OS Release 12.

Support for Aruba ClearPass added in Junos OS release 12.3X48-D30.

Support added for identity-management as an authentication source in Junos OS Release 15.1X49-D100.

Support added for logical-system for authentication-source all in Junos OS Release 18.2R1.

Support added for tenant system for authentication-source identity management in Junos OS Release 19.1R1.