
User Authentication for Logical Systems

28-Nov-23

User authentication for logical systems enables you to define firewall users and create policies that require the users to authenticate themselves through one of two authentication schemes: pass-through authentication or web authentication. For more information, see the following topics:

Example: Configuring Access Profiles (Primary Administrators Only)

The primary administrator is responsible for configuring access profiles in the primary logical system. This example shows how to configure access profiles.

Requirements

Before you begin:

Overview

This example configures an access profile for LDAP authentication for logical system users. This example creates the access profile described in Table 1.

Note:

The primary administrator creates the access profile.

Table 1: Access Profile Configuration

Name: ldap1

Configuration parameters:

  • LDAP is used as the first (and only) authentication method.

  • Base distinguished name:

    • Organizational unit name (OU): people

    • Domain components (DC): example, com

  • A user’s LDAP distinguished name is assembled from a common name identifier, the username, and the base distinguished name. The common name identifier is the user ID (UID).

  • The LDAP server address is 10.155.26.104 and is reached through port 389.
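As an added illustration (not part of the Juniper documentation), the following Python function assembles a user's LDAP distinguished name from the three pieces listed in Table 1: the common name identifier (uid), the username, and the base distinguished name. How the SRX builds the DN internally is not shown on this page; the RFC 4514 escaping applied here is this example's own choice. It matters because an unescaped comma, plus sign or similar character in a username would otherwise be read by the LDAP server as an extra RDN, so the bind could resolve to a different entry than the one intended.

```python
# Added example: assemble the LDAP DN implied by the ldap1 access profile
# (assemble common-name uid, base-distinguished-name ou=people,dc=example,dc=com).
# Assumption: usernames are escaped per RFC 4514 before they go into the RDN.

# RFC 4514 section 2.4: characters that must always be escaped inside an
# attribute value when the DN is written as a string.
_ALWAYS_ESCAPE = frozenset(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a relative distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ALWAYS_ESCAPE:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # a leading '#' would start a hex string
            out.append("\\#")
        elif ch == " " and i in (0, last):    # leading/trailing space is significant
            out.append("\\ ")
        elif ch == "\x00":                    # NUL is written as \00
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def assemble_dn(username: str,
                common_name_id: str = "uid",
                base_dn: str = "ou=people,dc=example,dc=com") -> str:
    """Build '<common_name_id>=<escaped username>,<base_dn>'.

    Mirrors the profile's 'assemble common-name uid' setting: the identifier
    becomes the attribute type of the first RDN and the base DN is appended.
    """
    if not username:
        raise ValueError("username must not be empty")
    return f"{common_name_id}={escape_rdn_value(username)},{base_dn}"


if __name__ == "__main__":
    # Constructed sample usernames, including ones that need escaping.
    for name in ("alice", "o'neil", "smith, john", " padded "):
        print(repr(name), "->", assemble_dn(name))
```

A quick way to see why escaping is not cosmetic: without it, the username `smith, john` would produce `uid=smith, john,ou=people,dc=example,dc=com`, which an LDAP server parses as an RDN `uid=smith` followed by an unparseable RDN `john`, rather than as one uid value.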

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Note:

You must be logged in as the primary administrator.

set access profile ldap1 authentication-order ldap 
set access profile ldap1 ldap-options base-distinguished-name ou=people,dc=example,dc=com 
set access profile ldap1 ldap-options assemble common-name uid 
set access profile ldap1 ldap-server 10.155.26.104 port 389 
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure an access profile in the primary logical system:

  1. Log in to the primary logical system as the primary administrator and enter configuration mode.

    admin@host> configure
    admin@host#
    
  2. Configure an access profile and set the authentication order.

    [edit access profile ldap1]
    admin@host# set authentication-order ldap
    
  3. Configure LDAP options.

    [edit access profile ldap1]
    admin@host# set ldap-options base-distinguished-name ou=people,dc=example,dc=com
    admin@host# set ldap-options assemble common-name uid
    
  4. Configure the LDAP server.

    [edit access profile ldap1]
    admin@host# set ldap-server 10.155.26.104 port 389
    
Results

From configuration mode, confirm your configuration by entering the show access profile profile-name command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

admin@host# show access profile ldap1
authentication-order ldap;
ldap-options {
    base-distinguished-name ou=people,dc=example,dc=com;
    assemble {
        common-name uid;
    }
}
ldap-server {
    10.155.26.104 port 389;
}

If you are done configuring the device, enter commit from configuration mode.

Example: Configuring Security Features for the Primary Logical Systems

This example shows how to configure security features, such as zones, policies, and firewall authentication, for the primary logical system.

Requirements

Before you begin:

Overview

In this example, you configure security features for the primary logical system, called root-logical-system, shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System. This example configures the security features described in Table 2.

Table 2: root-logical-system Security Feature Configuration

Feature: Zones

  • ls-root-trust: bind to interface ge-0/0/4.0.

  • ls-root-untrust: bind to interface lt-0/0/0.1.

Feature: Address books

  • root-internal:

    • Address primaries: 10.12.12.0/24

    • Attach to zone ls-root-trust

  • root-external:

    • Address design: 10.12.1.0/24

    • Address accounting: 10.14.1.0/24

    • Address marketing: 10.13.1.0/24

    • Address set userlsys: design, accounting, marketing

    • Attach to zone ls-root-untrust

Feature: Security policies

  • permit-to-userlsys: permit the following traffic:

    • From zone: ls-root-trust

    • To zone: ls-root-untrust

    • Source address: primaries

    • Destination address: userlsys

    • Application: any

  • permit-authorized-users: permit the following traffic:

    • From zone: ls-root-untrust

    • To zone: ls-root-trust

    • Source address: userlsys

    • Destination address: primaries

    • Application: junos-http, junos-https

Feature: Firewall authentication

  • Web authentication

  • Authentication success banner “WEB AUTH LOGIN SUCCESS”

  • Default access profile ldap1

Feature: HTTP daemon

  • Activate on interface ge-0/0/4.0

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security address-book root-internal address masters 10.12.12.0/24
set security address-book root-internal attach zone ls-root-trust 
set security address-book root-external address design 10.12.1.0/24
set security address-book root-external address accounting 10.14.1.0/24
set security address-book root-external address marketing 10.13.1.0/24
set security address-book root-external address-set userlsys address design 
set security address-book root-external address-set userlsys address accounting 
set security address-book root-external address-set userlsys address marketing 
set security address-book root-external attach zone ls-root-untrust 
set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys match source-address masters 
set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys match destination-address userlsys 
set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys match application any 
set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys then permit 
set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match source-address userlsys 
set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match destination-address masters 
set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match application junos-http 
set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match application junos-https 
set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users then permit firewall-authentication web-authentication
set security zones security-zone ls-root-trust interfaces ge-0/0/4.0 
set security zones security-zone ls-root-untrust interfaces lt-0/0/0.1
set system services web-management http interface ge-0/0/4.0
set access firewall-authentication web-authentication default-profile ldap1 
set access firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure zones and policies for the primary logical system:

  1. Log in to the primary logical system as the primary administrator and enter configuration mode.

    admin@host> configure
    admin@host#
    
  2. Create security zones and assign interfaces to each zone.

    [edit security zones]
    admin@host# set security-zone ls-root-trust interfaces ge-0/0/4.0
    admin@host# set security-zone ls-root-untrust interfaces lt-0/0/0.1
    
  3. Create address book entries.

    [edit security]
    admin@host# set address-book root-internal address masters 10.12.12.0/24
    admin@host# set address-book root-external address design 10.12.1.0/24
    admin@host# set address-book root-external address accounting 10.14.1.0/24
    admin@host# set address-book root-external address marketing 10.13.1.0/24
    admin@host# set address-book root-external address-set userlsys address design
    admin@host# set address-book root-external address-set userlsys address accounting
    admin@host# set address-book root-external address-set userlsys address marketing
    
  4. Attach address books to zones.

    [edit security]
    admin@host# set address-book root-internal attach zone ls-root-trust
    admin@host# set address-book root-external attach zone ls-root-untrust
    
  5. Configure a security policy that permits traffic from the ls-root-trust zone to the ls-root-untrust zone.

    [edit security policies from-zone ls-root-trust to-zone ls-root-untrust]
    admin@host# set policy permit-to-userlsys match source-address masters
    admin@host# set policy permit-to-userlsys match destination-address userlsys
    admin@host# set policy permit-to-userlsys match application any
    admin@host# set policy permit-to-userlsys then permit
    
  6. Configure a security policy that authenticates traffic from the ls-root-untrust zone to the ls-root-trust zone.

    [edit security policies from-zone ls-root-untrust to-zone ls-root-trust]
    admin@host# set policy permit-authorized-users match source-address userlsys
    admin@host# set policy permit-authorized-users match destination-address masters
    admin@host# set policy permit-authorized-users match application junos-http
    admin@host# set policy permit-authorized-users match application junos-https
    admin@host# set policy permit-authorized-users then permit firewall-authentication web-authentication
    
  7. Configure the Web authentication access profile and define a success banner.

    [edit access]
    admin@host# set firewall-authentication web-authentication default-profile ldap1
    admin@host# set firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"
    
  8. Activate the HTTP daemon on the device.

    [edit system]
    admin@host# set services web-management http interface ge-0/0/4.0
    
Results

From configuration mode, confirm your configuration by entering the show security, show access, and show system services commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

[edit]
admin@host# show security
...
address-book {
    root-internal {
        address masters 10.12.12.0/24;
        attach {
            zone ls-root-trust;
        }
    }
    root-external {
        address design 10.12.1.0/24;
        address accounting 10.14.1.0/24;
        address marketing 10.13.1.0/24;
        address-set userlsys {
            address design;
            address accounting;
            address marketing;
        }
        attach {
            zone ls-root-untrust;
        }
    }
}
policies {
    from-zone ls-root-trust to-zone ls-root-untrust {
        policy permit-to-userlsys {
            match {
                source-address masters;
                destination-address userlsys;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone ls-root-untrust to-zone ls-root-trust {
        policy permit-authorized-users {
            match {
                source-address userlsys;
                destination-address masters;
                application [ junos-http junos-https ];
            }
            then {
                permit {
                    firewall-authentication {
                        web-authentication;
                    }
                }
            }
        }
    }
}
zones {
    security-zone ls-root-trust {
        interfaces {
            ge-0/0/4.0;
        }
    }
    security-zone ls-root-untrust {
        interfaces {
            lt-0/0/0.1;
        }
    }
}
[edit]
admin@host# show access
...
firewall-authentication {
    web-authentication {
        default-profile ldap1;
        banner {
            success "WEB AUTH LOGIN SUCCESS";
        }
    }
}
[edit]
admin@host# show system services
web-management {
    http {
        interface ge-0/0/4.0;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Policy Configuration

Purpose

Verify information about policies and rules.

Action

From operational mode, enter the show security policies detail command to display a summary of all policies configured on the logical system.

Understanding Logical System Firewall Authentication

A firewall user is a network user who must provide a username and password for authentication when initiating a connection across the firewall. Junos OS enables administrators to restrict and permit firewall users to access protected resources (different zones) behind a firewall based on their source IP address and other credentials.

The primary administrator is responsible for configuring access profiles in the primary logical system. Access profiles store usernames and passwords of users or point to external authentication servers where such information is stored. Access profiles configured at the primary logical system are available to all user logical systems.

The primary administrator configures the maximum and reserved numbers of firewall authentications for each user logical system. The user logical system administrator can then create firewall authentications in the user logical system. From a user logical system, the user logical system administrator can use the show system security-profile auth-entry command to view the number of authentication resources allocated to the user logical system.

To configure the access profile, the primary administrator uses the profile configuration statement at the [edit access] hierarchy level in the primary logical system. The access profile can also include the order of authentication methods, LDAP or RADIUS server options, and session options.

The user logical system administrator can then associate the access profile with a security policy in the user logical system. The user logical system administrator also specifies the type of authentication:

  • With pass-through authentication, a host or a user in one zone tries to access resources in another zone using an FTP, Telnet, or HTTP client. The device uses FTP, Telnet, or HTTP to collect the username and password, and subsequent traffic from the user or host is allowed or denied based on the result of this authentication.

  • With Web authentication, users use HTTP to connect to an IP address on the device that is enabled for Web authentication and are prompted for the username and password. Subsequent traffic from the user or host to the protected resource is allowed or denied based on the result of this authentication.

The user logical system administrator configures the following properties for firewall authentication in the user logical system:

  • Security policy that specifies firewall authentication for matching traffic. Firewall authentication is specified with the firewall-authentication configuration statement at the [edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit] hierarchy level.

    Users or user groups in an access profile who are allowed access by the policy can optionally be specified with the client-match configuration statement. (If no users or user groups are specified, any user who is successfully authenticated is allowed access.)

    For pass-through authentication, the access profile can optionally be specified and Web redirect (redirecting the client system to a webpage for authentication) can be enabled.

  • Type of authentication (pass-through or Web authentication), default access profile, and success banner for the FTP, Telnet, or HTTP session. These properties are configured with the firewall-authentication configuration statement at the [edit access] hierarchy level.

  • Host inbound traffic. The protocols, services, or both that are allowed to reach the logical system itself. The types of traffic are configured with the host-inbound-traffic configuration statement at the [edit security zones security-zone zone-name] or [edit security zones security-zone zone-name interfaces interface-name] hierarchy levels.

From a user logical system, the user logical system administrator can use the show security firewall-authentication users or show security firewall-authentication history commands to view the information about firewall users and history for the user logical system. From the primary logical system, the primary administrator can use the same commands to view information for the primary logical system, a specific user logical system, or all logical systems.

Example: Configuring Firewall Authentication for a User Logical System

This example shows how to configure firewall authentication for a user logical system.

Requirements

Before you begin:

  • Log in to the user logical system as the logical system administrator. See User Logical Systems Configuration Overview.

  • Use the show system security-profile auth-entry command to see the firewall authentication entries allocated to the logical system.

  • Access profiles must be configured in the primary logical system by the primary administrator.

Overview

This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

In this example, users in the ls-marketing-dept and ls-accounting-dept logical systems are required to authenticate when initiating certain connections to the product designers subnet. This example configures the firewall authentication described in Table 3.

Note:

This example uses the access profile and address book entries configured in Example: Configuring Security Zones for a User Logical Systems.

Table 3: User Logical System Firewall Authentication Configuration

Feature: Security policy

  • permit-authorized-users: permit firewall authentication for the following traffic:

    • From zone: ls-product-design-untrust

    • To zone: ls-product-design-trust

    • Source address: otherlsys

    • Destination address: product-engineers

    • Application: junos-h323

    The ldap1 access profile is used for pass-through authentication.

    Note: Policy lookup is performed in the order that the policies are configured. The first policy that matches the traffic is used. If you have previously configured a policy that permits traffic for the same from-zone, to-zone, source address, and destination address but with application any, the policy configured in this example would never be matched. (See Example: Configuring Security Policies in a User Logical Systems.) Therefore, this policy should be reordered so that it is checked first.

Feature: Firewall authentication

  • Pass-through authentication

  • HTTP login prompt “welcome”

  • Default access profile ldap1

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users match source-address otherlsys 
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users match destination-address product-designers 
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users match application junos-h323 
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users then permit firewall-authentication pass-through access-profile ldap1 
set access firewall-authentication pass-through default-profile ldap1 
set access firewall-authentication pass-through http banner login "welcome"
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure firewall authentication in a user logical system:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.

    lsdesignadmin1@host:ls-product-design> configure
    lsdesignadmin1@host:ls-product-design#
    
  2. Configure a security policy that permits firewall authentication.

    [edit security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust]
    lsdesignadmin1@host:ls-product-design# set policy permit-authorized-users match source-address otherlsys
    lsdesignadmin1@host:ls-product-design# set policy permit-authorized-users match destination-address product-designers
    lsdesignadmin1@host:ls-product-design# set policy permit-authorized-users match application junos-h323
    lsdesignadmin1@host:ls-product-design# set policy permit-authorized-users then permit firewall-authentication pass-through access-profile ldap1
    
  3. Reorder the security policies.

    [edit]
    lsdesignadmin1@host:ls-product-design# insert security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users before policy permit-all-from-otherlsys
    
  4. Configure firewall authentication.

    [edit access firewall-authentication]
    lsdesignadmin1@host:ls-product-design# set pass-through http banner login "welcome"
    lsdesignadmin1@host:ls-product-design# set pass-through default-profile ldap1
    
Results

From configuration mode, confirm your configuration by entering the show security policies and show access firewall-authentication commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

lsdesignadmin1@host:ls-product-design# show security policies
from-zone ls-product-design-trust to-zone ls-product-design-untrust {
    policy permit-all-to-otherlsys {
        match {
            source-address product-designers;
            destination-address otherlsys;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone ls-product-design-untrust to-zone ls-product-design-trust {
    policy permit-authorized-users {
        match {
            source-address otherlsys;
            destination-address product-designers;
            application junos-h323;
        }
        then {
            permit {
                firewall-authentication {
                    pass-through {
                        access-profile ldap1;
                    }
                }
            }
        }
    }
    policy permit-all-from-otherlsys {
        match {
            source-address otherlsys;
            destination-address product-designers;
            application any;
        }
        then {
            permit;
        }
    }
}
lsdesignadmin1@host:ls-product-design# show access firewall-authentication
pass-through {
    default-profile ldap1;
    http {
        banner {
            login welcome;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.
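The note in Table 3 and step 3 above turn on one property of Junos security policies: lookup is first-match in configured order. The following Python model, an added example and not Junos code, reproduces that lookup for the two ls-product-design-untrust to ls-product-design-trust policies shown in the results and lets you see what the `insert ... before` command changes. The address book is constructed from the document's prefixes (product-designers is taken as the design subnet 10.12.1.0/24, otherlsys as the accounting and marketing subnets), and the predefined application junos-h323 is modelled as TCP port 1720 only; both are this example's assumptions.

```python
# Added example (not Junos code): first-match model of security policy lookup
# for the ls-product-design logical system, showing why permit-authorized-users
# must be inserted before permit-all-from-otherlsys.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address book for this example (names from the document,
# prefix assignment assumed).
ADDRESS_BOOK = {
    "product-designers": ["10.12.1.0/24"],
    "otherlsys": ["10.13.1.0/24", "10.14.1.0/24"],
    "any": ["0.0.0.0/0"],
}

# Constructed application table: name -> (protocol, destination port) pairs.
APPLICATIONS = {
    "junos-h323": [("tcp", 1720)],   # assumption: H.225 call signalling only
    "junos-http": [("tcp", 80)],
}


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source_address: str
    destination_address: str
    application: str      # "any" or a key of APPLICATIONS
    action: str           # e.g. "permit" or "permit firewall-authentication pass-through"


def _addr_matches(name: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in ADDRESS_BOOK[name])


def _app_matches(app: str, proto: str, dport: int) -> bool:
    return app == "any" or (proto, dport) in APPLICATIONS[app]


def lookup(policies: List[Policy], flow: Flow) -> Optional[Policy]:
    """Return the first policy in configured order that matches the flow."""
    for p in policies:
        if (p.from_zone == flow.from_zone and p.to_zone == flow.to_zone
                and _addr_matches(p.source_address, flow.src_ip)
                and _addr_matches(p.destination_address, flow.dst_ip)
                and _app_matches(p.application, flow.proto, flow.dport)):
            return p
    return None           # no match: the default policy (deny) applies


def insert_before(policies: List[Policy], name: str, before: str) -> List[Policy]:
    """Model 'insert security policies ... policy <name> before policy <before>'."""
    moving = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == before)
    return rest[:idx] + [moving] + rest[idx:]


def matched_policy_name(policies: List[Policy], flow: Flow) -> Optional[str]:
    hit = lookup(policies, flow)
    return hit.name if hit else None


# Policy order as it stands after step 2 of the example, before the reorder:
# the pre-existing permit-all policy is still evaluated first.
CONFIGURED = [
    Policy("permit-all-from-otherlsys", "ls-product-design-untrust",
           "ls-product-design-trust", "otherlsys", "product-designers",
           "any", "permit"),
    Policy("permit-authorized-users", "ls-product-design-untrust",
           "ls-product-design-trust", "otherlsys", "product-designers",
           "junos-h323", "permit firewall-authentication pass-through"),
]

# Constructed H.323 call from a marketing host to a product-design host.
H323_CALL = Flow("ls-product-design-untrust", "ls-product-design-trust",
                 "10.13.1.25", "10.12.1.10", "tcp", 1720)

if __name__ == "__main__":
    print("before reorder:", matched_policy_name(CONFIGURED, H323_CALL))
    reordered = insert_before(CONFIGURED, "permit-authorized-users",
                              "permit-all-from-otherlsys")
    print("after reorder: ", matched_policy_name(reordered, H323_CALL))
```

Before the reorder the H.323 flow is permitted by permit-all-from-otherlsys without any authentication, which is exactly the silent failure the Table 3 note warns about; after the `insert ... before`, the same flow hits permit-authorized-users, while non-H.323 traffic still falls through to the permit-all policy.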

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Firewall User Authentication and Monitoring Users and IP Addresses

Purpose

Display firewall authentication user history and verify the number of firewall users who successfully authenticated and firewall users who failed to log in.

Action

From operational mode, enter these show commands.

lsdesignadmin1@host:ls-product-design> show security firewall-authentication history
lsdesignadmin1@host:ls-product-design> show security firewall-authentication history identifier id
lsdesignadmin1@host:ls-product-design> show security firewall-authentication users
lsdesignadmin1@host:ls-product-design> show security firewall-authentication users identifier id

Understanding Integrated User Firewall support in a Logical System

Starting in Junos OS Release 18.3R1, the support for authentication sources is extended to include Local authentication, Active Directory (AD) authentication, and firewall authentication in addition to the existing support for authentication sources Juniper Identity Management Service (JIMS) and ClearPass authentication.

Starting in Junos OS Release 18.2R1, the support for user firewall authentication is enhanced using a shared model. In this model, user logical systems share user firewall configuration and authentication entries with the primary logical system and the integrated user firewall authentication is supported in a user logical system.

In the shared model, user-firewall-related configuration, such as the authentication source, authentication source priority, authentication entry timeout, and IP query or individual query, is configured under the primary logical system. The user firewall provides a user information service for applications on the SRX Series Firewall, such as policy and logging. Traffic from a user logical system queries the authentication tables of the primary logical system.

The authentication tables are managed by the primary logical system and shared by the user logical systems. Traffic from the primary logical system and from the user logical systems queries the same authentication table. User logical systems can therefore use source-identity in security policies.

For example, if the primary logical system is configured with the source-identity employee and a user logical system is configured with the source-identity manager, the reference group of the authentication entry includes both employee and manager. This reference group contains the same authentication entries from the primary logical system and the user logical system.

Starting in Junos OS Release 19.3R1, support for user firewall authentication is enhanced by a customized model that uses integrated JIMS in active mode. In this model, the logical system extracts the authentication entries from the root level. The primary logical system is configured for the JIMS server based on the logical system and tenant system name. In active mode, the SRX Series Firewall actively queries the authentication entries received from the JIMS server over HTTPS. To reduce the data exchange, firewall filters are applied.

The user firewall uses the logical system name as a differentiator, which must be consistent between the JIMS server and the SRX Series Firewall. The JIMS server sends the differentiator, which is included in the authentication entry. When the differentiator is set to the default for the primary logical system, the authentication entries are distributed to the root logical system.

The user firewall supports in-service software upgrade (ISSU) for logical systems from Junos OS Release 19.2R1 onwards, the release in which the user firewall changed its internal database table format. Prior to Junos OS Release 19.2R1, ISSU is not supported for logical systems.

Limitation of Using User Firewall Authentication

Using user firewall authentication on tenant systems has the following limitation:

  • The authentication entries are collected by the JIMS server based on the IP address from the customer network. If the IP addresses overlap, then the authentication entry changes when users log in under different user logical systems.
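Two points above are easier to see in code: the reference group of an entry is the union of the source-identity values configured in the primary and user logical systems, and because the shared table is keyed only by IP address, a login seen from the same address in a different logical system replaces the earlier entry. The following Python model is an added example, not Junos or JIMS code; the table structure, entries and prefixes are all constructed. It also includes a pre-deployment check, overlapping_lsys, that reports logical systems whose address ranges overlap, which is the condition under which the limitation bites.

```python
# Added example (not Junos code): a model of the shared user-firewall
# authentication table owned by the primary logical system and queried by every
# user logical system, plus a check for the overlapping-address limitation.
# All entries and prefixes below are constructed for the example.
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class AuthEntry:
    user: str
    groups: FrozenSet[str]   # group membership reported by the identity source
    learned_in: str          # logical system whose traffic produced the entry


class SharedAuthTable:
    """One IP-keyed table, as in the shared model: the key is only the IP."""

    def __init__(self) -> None:
        self._by_ip: Dict[str, AuthEntry] = {}

    def learn(self, ip: str, user: str, groups: Iterable[str], lsys: str) -> None:
        # A later login seen from the same IP address, from any logical
        # system, replaces the entry; nothing in the key distinguishes lsys.
        self._by_ip[ip] = AuthEntry(user, frozenset(groups), lsys)

    def lookup(self, ip: str) -> Optional[AuthEntry]:
        return self._by_ip.get(ip)


def reference_groups(primary_identities: Iterable[str],
                     lsys_identities: Iterable[str]) -> FrozenSet[str]:
    """Reference group of an entry: the union of the source-identity values
    configured in the primary and in the user logical system."""
    return frozenset(primary_identities) | frozenset(lsys_identities)


def policy_allows(table: SharedAuthTable, ip: str, source_identity: str) -> bool:
    """Would a policy with 'match source-identity <group>' match this source?"""
    entry = table.lookup(ip)
    return entry is not None and source_identity in entry.groups


def overlapping_lsys(prefixes: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Report pairs of logical systems whose address ranges overlap.
    Any pair listed here can trigger the entry-replacement behaviour above."""
    names = sorted(prefixes)
    nets = {n: [ipaddress.ip_network(p) for p in prefixes[n]] for n in names}
    hits = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if any(x.overlaps(y) for x in nets[a] for y in nets[b]):
                hits.append((a, b))
    return hits


def demo_overlap() -> Tuple[str, str]:
    """Two users on different logical systems sharing 10.0.0.5 (constructed)."""
    table = SharedAuthTable()
    table.learn("10.0.0.5", "alice", {"employee", "manager"}, "lsys1")
    first = table.lookup("10.0.0.5").user
    table.learn("10.0.0.5", "bob", {"contractor"}, "lsys2")   # same IP, other lsys
    second = table.lookup("10.0.0.5").user                     # lsys1 now sees bob
    return first, second


if __name__ == "__main__":
    print("user for 10.0.0.5 before/after second login:", demo_overlap())
    print("overlapping logical systems:", overlapping_lsys({
        "lsys1": ["10.0.0.0/24"], "lsys2": ["10.0.0.0/25"], "lsys3": ["10.1.0.0/24"]}))
```

Running overlapping_lsys over the address plan before enabling the shared model is the practical check: a policy in lsys1 that matches source-identity employee silently stops matching 10.0.0.5 once bob's login in lsys2 overwrites alice's entry.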

Limitation of Using User Firewall Authentication in Customized Model on Logical Systems

Using user firewall authentication in the customized model on logical systems has the following limitations:

  • The JIMS server configuration must be configured under the root logical system.

  • The logical system name should be consistent and unique between the JIMS server and the SRX Series Firewall.

Example: Configuring Integrated User Firewall Identification Management for a User Logical System

This example shows how to configure the SRX Series Firewall's advanced query feature for obtaining user identity information from the Juniper Identity Management Service (JIMS), and a security policy that matches the source identity, for a user logical system. In the root logical system, the user firewall is configured with JIMS, and the root logical system then manages all of the authentication entries coming from JIMS. In this example, all user logical systems share their authentication entries with the root logical system.

Requirements

This example uses the following hardware and software components:

  • SRX1500 devices operating in a chassis cluster

  • JIMS server

  • Junos OS Release 18.2R1

Before you begin:

Overview

In this example, you configure JIMS with an HTTPS connection on port 443 and a primary server with an IPv4 address on the primary logical system, policy p1 with source-identity "group1" of the dc0 domain on logical system lsys1, policy p1 with source-identity "group1" of the dc0 domain on logical system lsys2, and send traffic from and through logical system lsys1 to logical system lsys2. You can view the authentication entries on the primary logical system and the user logical systems (lsys1 and lsys2) even after rebooting the primary node.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match source-address any
set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match destination-address any
set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match application any
set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 then permit
set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match source-identity "example.com\group1"
set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 then permit
set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 match source-address any
set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 match destination-address any
set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 match application any
set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 then permit
set logical-systems lsys1 security policies from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 match source-address any
set logical-systems lsys1 security policies from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 match destination-address any
set logical-systems lsys1 security policies from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 match application any
set logical-systems lsys1 security policies from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 then permit
set logical-systems lsys1 security policies policy-rematch
set logical-systems lsys2 security policies from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match source-address any
set logical-systems lsys2 security policies from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match destination-address any
set logical-systems lsys2 security policies from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match application any
set logical-systems lsys2 security policies from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match source-identity "example.com\group2"
set logical-systems lsys2 security policies from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 then permit
set logical-systems lsys2 security policies policy-rematch
set services user-identification identity-management connection connect-method https
set services user-identification identity-management connection port 443
set services user-identification identity-management connection primary address 192.0.2.5
set services user-identification identity-management connection primary client-id otest
set services user-identification identity-management connection primary client-secret "$ABC123"
set security policies from-zone root_trust to-zone root_trust policy root_policy1 match source-address any
set security policies from-zone root_trust to-zone root_trust policy root_policy1 match destination-address any
set security policies from-zone root_trust to-zone root_trust policy root_policy1 match application any
set security policies from-zone root_trust to-zone root_trust policy root_policy1 then permit
set security policies policy-rematch
set security zones security-zone root_trust interfaces reth1.0 host-inbound-traffic system-services all
set security zones security-zone root_trust interfaces reth1.0 host-inbound-traffic protocols all
set security zones security-zone root_trust interfaces lt-0/0/0.1 host-inbound-traffic system-services all
set security zones security-zone root_trust interfaces lt-0/0/0.1 host-inbound-traffic protocols all
set firewall family inet filter impair-ldap term allow_all then accept

Configuring user firewall identification management

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure user firewall identification management:

  1. Log in to the primary logical system as the primary administrator and enter configuration mode.

    user@host> configure
    user@host#
    
  2. Create logical systems.

    [edit logical-systems]
    user@host#set lsys0
    user@host#set lsys1
    user@host#set lsys2
    
  3. Configure a security policy lsys1_policy1 with source-identity group1 on logical system lsys1 that permits traffic from lsys1_trust to lsys1_trust.

    [edit logical-systems lsys1 security policies]
    user@host#set from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match source-address any
    user@host#set from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match destination-address any
    user@host#set from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match application any
    user@host#set from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match source-identity "example.com\group1"
    user@host#set from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 then permit
    
  4. Configure a security policy lsys1_policy2 that permits traffic from lsys1_trust to lsys1_untrust.

    [edit logical-systems lsys1 security policies]
    user@host#set from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 match source-address any
    user@host#set from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 match destination-address any
    user@host#set from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 match application any
    user@host#set from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 then permit
    
  5. Configure a security policy lsys1_policy3 that permits traffic from lsys1_untrust to lsys1_trust.

    [edit logical-systems lsys1 security policies]
    user@host#set from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 match source-address any
    user@host#set from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 match destination-address any
    user@host#set from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 match application any
    user@host#set from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 then permit
    user@host#set policy-rematch
    
  6. Configure security zones and assign interfaces to each zone on lsys1.

    [edit logical-systems lsys1 security zones]
    user@host#set security-zone lsys1_trust interfaces reth2.0 host-inbound-traffic system-services all
    user@host#set security-zone lsys1_trust interfaces reth2.0 host-inbound-traffic protocols all
    user@host#set security-zone lsys1_trust interfaces lt-0/0/0.11 host-inbound-traffic system-services all
    user@host#set security-zone lsys1_trust interfaces lt-0/0/0.11 host-inbound-traffic protocols all
    user@host#set security-zone lsys1_untrust interfaces reth3.0 host-inbound-traffic system-services all
    user@host#set security-zone lsys1_untrust interfaces reth3.0 host-inbound-traffic protocols all 
    
  7. Configure a security policy lsys2_policy1 with source-identity group2 that permits traffic from lsys2_untrust to lsys2_untrust on lsys2.

    [edit logical-systems lsys2 security policies]
    user@host#set from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match source-address any
    user@host#set from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match destination-address any
    user@host#set from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match application any
    user@host#set from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match source-identity "example.com\group2"
    user@host#set from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 then permit
    user@host#set policy-rematch
    
  8. Configure security zones and assign interfaces to each zone on lsys2.

    [edit logical-systems lsys2 security zones]
    user@host#set security-zone lsys2_untrust interfaces reth4.0 host-inbound-traffic system-services all
    user@host#set security-zone lsys2_untrust interfaces reth4.0 host-inbound-traffic protocols all
    user@host#set security-zone lsys2_untrust interfaces lt-0/0/0.21 host-inbound-traffic system-services all
    user@host#set security-zone lsys2_untrust interfaces lt-0/0/0.21 host-inbound-traffic protocols all
    
  9. Configure JIMS as the authentication source for advanced query requests with the primary address. The SRX Series Firewall requires this information to contact the server.

    [edit services user-identification identity-management]
    user@host#set connection port 443
    user@host#set connection connect-method https
    user@host#set connection primary address 192.0.2.5 
    user@host#set connection primary client-id otest
    user@host#set connection primary client-secret test 
    user@host#set authentication-entry-timeout 0
    
  10. Configure security policies and zones on the primary logical system.

    [edit security policies]
    user@host#set from-zone root_trust to-zone root_trust policy root_policy1 match source-address any
    user@host#set from-zone root_trust to-zone root_trust policy root_policy1 match destination-address any
    user@host#set from-zone root_trust to-zone root_trust policy root_policy1 match application any
    user@host#set from-zone root_trust to-zone root_trust policy root_policy1 then permit
    user@host#set policy-rematch
    
  11. Configure security zones and assign interfaces to each zone on the primary logical system.

    [edit security zones]
    user@host#set security-zone root_trust interfaces reth1.0 host-inbound-traffic system-services all
    user@host#set security-zone root_trust interfaces reth1.0 host-inbound-traffic protocols all
    user@host#set security-zone root_trust interfaces lt-0/0/0.1 host-inbound-traffic system-services all
    user@host#set security-zone root_trust interfaces lt-0/0/0.1 host-inbound-traffic protocols all
    [edit]
    user@host#set firewall family inet filter impair-ldap term allow_all then accept
    

Results

From configuration mode, confirm your configuration by entering the show services user-identification identity-management and show chassis cluster commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show services user-identification identity-management
connection {
    connect-method https;
    port 443;
    primary {
        address 192.0.2.5;
        client-id otest;
        client-secret "$ABC123"; ## SECRET-DATA
    }
}
user@host# show chassis cluster
reth-count 5;
control-ports {
    fpc 3 port 0;
    fpc 9 port 0;
}
redundancy-group 0 {
    node 0 priority 200;
    node 1 priority 1;
}
redundancy-group 1 {
    node 0 priority 100;
    node 1 priority 1;
}
redundancy-group 2 {
    node 0 priority 100;
    node 1 priority 1;
}
redundancy-group 3 {
    node 0 priority 100;
    node 1 priority 1;
}
redundancy-group 4 {
    node 0 priority 100;
    node 1 priority 1;
}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform the following tasks:

Verifying chassis cluster status and authentication entries

Purpose

To verify authentication entries in a logical system.

Action

To verify the configuration is working properly, enter the show services user-identification authentication-table authentication-source identity-management logical-system all command.

user@host> show services user-identification authentication-table authentication-source identity-management logical-system all 
node0:
--------------------------------------------------------------------------
Logical System: root-logical-system
Domain: ad2012.jims.com
Total entries: 3
Source IP       Username       groups(Ref by policy)          state
2001:db8:aaaa:  N/A                                           Valid
2001:db8:aaaa:  administrator                                 Valid
203.0.113.50    administrator                                 Valid
node1:
--------------------------------------------------------------------------
Logical System: root-logical-system
Domain: ad2012.jims.com
Total entries: 3
Source IP       Username       groups(Ref by policy)          state
2001:db8:aaaa:  N/A                                           Valid
2001:db8:aaaa:  administrator                                 Valid
203.0.113.50    administrator                                 Valid
Meaning

The output displays the authentication entries that the user logical systems share with the root logical system, as seen from each node of the chassis cluster.
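As an added check that is not part of Juniper's example, the following Python script parses this authentication-table output for every cluster node and reports entries that one node holds and the other does not, so a table that did not survive a failover is caught rather than read past. The sample output is constructed to match the layout above (user names alice and bob and the addresses are made up), and node1 is deliberately short one lsys1 entry.

```python
"""Check that JIMS authentication entries are identical on both chassis-cluster
nodes, per logical system, by parsing the authentication-table output above.
Added example, not Juniper code; SAMPLE is constructed, and node1 deliberately
lacks one lsys1 entry so the drift report is non-empty."""
import re
from collections import Counter

NODE_RE = re.compile(r"^(node\d+):$")
LSYS_RE = re.compile(r"^Logical System:\s*(\S+)")
DOMAIN_RE = re.compile(r"^Domain:\s*(\S+)")
TOTAL_RE = re.compile(r"^Total entries:\s*(\d+)")

SAMPLE = """\
node0:
--------------------------------------------------------------------------
Logical System: root-logical-system
Domain: example.com
Total entries: 1
Source IP       Username       groups(Ref by policy)          state
203.0.113.50    administrator                                 Valid
Logical System: lsys1
Domain: example.com
Total entries: 2
Source IP       Username       groups(Ref by policy)          state
10.12.0.2       alice          group1                         Valid
10.12.0.15      bob            group1                         Valid
node1:
--------------------------------------------------------------------------
Logical System: root-logical-system
Domain: example.com
Total entries: 1
Source IP       Username       groups(Ref by policy)          state
203.0.113.50    administrator                                 Valid
Logical System: lsys1
Domain: example.com
Total entries: 1
Source IP       Username       groups(Ref by policy)          state
10.12.0.2       alice          group1                         Valid
"""


def parse_auth_table(text):
    """Return {node: {lsys: Counter({(ip, user, groups, domain, state): n})}}.
    The declared 'Total entries' is compared with the rows actually parsed so
    a truncated capture is rejected instead of silently passing."""
    result, expected, seen, node, lsys, domain = {}, {}, {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or line.startswith("Source IP"):
            continue
        if m := NODE_RE.match(line):
            node = m.group(1)
            result[node] = {}
        elif m := LSYS_RE.match(line):
            lsys = m.group(1)
            result[node].setdefault(lsys, Counter())
        elif m := DOMAIN_RE.match(line):
            domain = m.group(1)
        elif m := TOTAL_RE.match(line):
            expected[(node, lsys, domain)] = int(m.group(1))
            seen[(node, lsys, domain)] = 0
        else:  # entry row: <ip> <username> [groups ...] <state>; groups may be empty
            tokens = line.split()
            ip, user, state, groups = tokens[0], tokens[1], tokens[-1], " ".join(tokens[2:-1])
            result[node][lsys][(ip, user, groups, domain, state)] += 1
            seen[(node, lsys, domain)] += 1
    for key, n in expected.items():
        if seen[key] != n:
            raise ValueError(f"{key}: declared {n} entries, parsed {seen[key]}")
    return result


def node_drift(parsed):
    """Return {lsys: {node: [entries missing on that node]}}; {} means in sync."""
    drift = {}
    for ls in sorted(set().union(*(parsed[n].keys() for n in parsed))):
        union = Counter()
        for n in parsed:
            union |= parsed[n].get(ls, Counter())  # max count per entry across nodes
        for n in sorted(parsed):
            missing = union - parsed[n].get(ls, Counter())
            if missing:
                drift.setdefault(ls, {})[n] = sorted(missing.elements())
    return drift


if __name__ == "__main__":
    print(node_drift(parse_auth_table(SAMPLE)))
```

An empty result from node_drift means both nodes hold the same entries for every logical system; anything else names the node and the entries it lacks.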

Verifying chassis cluster status

Purpose

Verify chassis cluster status after rebooting the primary node.

Action

To verify the configuration is working properly, enter the show chassis cluster status command.

user@host> show chassis cluster status
Monitor Failure codes:
CS  Cold Sync monitoring        FL  Fabric Connection monitoring
GR  GRES monitoring             HW  Hardware monitoring
IF  Interface monitoring        IP  IP monitoring
LB  Loopback monitoring         MB  Mbuf monitoring
NH  Nexthop monitoring          NP  NPC monitoring
SP  SPU monitoring              SM  Schedule monitoring
CF  Config Sync monitoring      RE  Relinquish monitoring
Cluster ID: 6
Node   Priority Status               Preempt Manual   Monitor-failures
Redundancy group: 0 , Failover count: 0
node0  200      hold                 no      no       None
node1  1        secondary            no      no       None
Redundancy group: 1 , Failover count: 0
node0  0        hold                 no      no       CS
node1  1        secondary            no      no       None
Redundancy group: 2 , Failover count: 0
node0  0        hold                 no      no       CS
node1  1        secondary            no      no       None
Redundancy group: 3 , Failover count: 0
node0  0        hold                 no      no       CS
node1  1        secondary            no      no       None
Redundancy group: 4 , Failover count: 0
node0  0        hold                 no      no       CS
node1  1        secondary            no      no       None
Meaning

The output displays the chassis cluster status after rebooting the primary node, which confirms that the user identification management sessions on lsys1 and lsys2 still exist.

Example: Configure Integrated User Firewall in Customized Model for Logical System

This example shows how to configure the integrated user firewall by using a customized model through the Juniper Identity Management Service (JIMS) server with active mode for a logical system. The primary logical system does not share the authentication entries with the logical system. The SRX Series Firewall queries the authentication entries received from the JIMS server through the HTTPS protocol in active mode.

In this example, the following configurations are performed:

  • Active JIMS Server Configuration

  • Logical System IP Query Configuration

  • Logical System Authentication Entry Configuration

  • Logical System Security Policy Configuration

Requirements

This example uses the following hardware and software components:

  • JIMS server version 2.0

  • Junos OS Release 19.3R1

Before you begin, be sure you have the following information:

  • The IP address of the JIMS server.

  • The port number on the JIMS server for receiving HTTPS requests.

  • The client ID from the JIMS server for active query server.

  • The client secret from the JIMS server for active query server.

Overview

In this example, you configure JIMS with an HTTPS connection on port 443 and a primary server with an IPv4 address on the primary logical system, and policy p2 with source-identity group1 on logical system LSYS1.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set services user-identification logical-domain-identity-management active query-server jims1 connection connect-method https
set services user-identification logical-domain-identity-management active query-server jims1 connection port 443
set services user-identification logical-domain-identity-management active query-server jims1 connection primary address 192.0.2.5
set services user-identification logical-domain-identity-management active query-server jims1 connection primary client-id otest
set services user-identification logical-domain-identity-management active query-server jims1 connection primary client-secret "$ABC123"
set logical-systems LSYS1 services user-identification logical-domain-identity-management active ip-query query-delay-time 30
set logical-systems LSYS1 services user-identification logical-domain-identity-management active invalid-authentication-entry-timeout 1
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match source-address any
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match destination-address any
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match application any
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match source-identity "example.com\group1"
set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 then permit

Configuring Integrated User Firewall in Customized Model

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure the integrated user firewall in customized model:

  1. Configure JIMS as the authentication source for advanced query requests with the primary address. The SRX Series Firewall requires this information to contact the server.

    user@host# set services user-identification logical-domain-identity-management active query-server jims1 connection connect-method https
    user@host# set services user-identification logical-domain-identity-management active query-server jims1 connection port 443
    user@host# set services user-identification logical-domain-identity-management active query-server jims1 connection primary address 192.0.2.5
    user@host# set services user-identification logical-domain-identity-management active query-server jims1 connection primary client-id otest
    user@host# set services user-identification logical-domain-identity-management active query-server jims1 connection primary client-secret "$ABC123"
    
  2. Configure the IP query delay time for LSYS1.

    user@host# set logical-systems LSYS1 services user-identification logical-domain-identity-management active ip-query query-delay-time 30
    
  3. Configure the authentication entry attributes for LSYS1.

    user@host# set logical-systems LSYS1 services user-identification logical-domain-identity-management active invalid-authentication-entry-timeout 1
    
  4. Configure the security policy p2 that permits traffic from-zone untrust to-zone trust for LSYS1.

    user@host# set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match source-address any
    user@host# set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match destination-address any
    user@host# set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match application any
    user@host# set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match source-identity "example.com\group1"
    user@host# set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 then permit
    

Results

From configuration mode, confirm your configuration by entering the show services user-identification logical-domain-identity-management and show logical-systems LSYS1 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show services user-identification logical-domain-identity-management
active {
    query-server jims1 {
        connection {
            connect-method https;
            port 443;
            primary {
                address 192.0.2.5;
                client-id otest;
                client-secret "$ABC123"; ## SECRET-DATA
            }
        }
    }
}
user@host# show logical-systems LSYS1
security {
    policies {
        from-zone untrust to-zone trust {
            policy p2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    source-identity "example.com\group1";
                }
                then {
                    permit;
                }
            }
        }
    }
}
services {
    user-identification {
        logical-domain-identity-management {
            active {
                invalid-authentication-entry-timeout 1;
                ip-query {
                    query-delay-time 30;
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the User Identification Identity Management status

Purpose

Verify the user identification status for identity-management as the authentication source.

Action

To verify the configuration is working properly, enter the show services user-identification logical-domain-identity-management status command.

user@host> show services user-identification logical-domain-identity-management status
node0:
--------------------------------------------------------------------------
Query server name            : jims1
Primary server :
     Address                      : 192.0.2.5
     Port                         : 443
     Connection method            : HTTPS
     Connection status            : Online
     Last received status message : OK (200)
     Access token                 : isdHIbl8BXwxFftMRubGVsELRukYXtW3rtKmHiL
     Token expire time            : 2017-11-27 23:45:22
Secondary server :
     Address                      : Not configured
Meaning

The output displays the connection status of the Juniper Identity Management Service query server: its address, port and connection method, the last status message received, and the current access token with its expiry time.

Verifying the User Identification Identity Management status counters

Purpose

Verify the user identification counters for identity-management as the authentication source.

Action

To verify the configuration is working properly, enter the show services user-identification logical-domain-identity-management counters command.

user@host> show services user-identification logical-domain-identity-management counters
node0:
--------------------------------------------------------------------------
Query server name                      : jims1
Primary server :
     Address                           : 192.0.2.5
     Batch query sent number           : 65381
     Batch query total response number : 64930
     Batch query error response number : 38
     Batch query last response time    : 2018-08-14 15:10:52
     IP query sent number              : 10
     IP query total response number    : 10
     IP query error response number    : 0
     IP query last response time       : 2018-08-13 12:41:56
Secondary server :
     Address                           : Not configured
Meaning

The output displays statistical data about the advanced user query function's batch queries and IP queries to the Juniper Identity Management Service servers: how many were sent, how many responses and error responses came back, and when the last response arrived.
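As an added example that is not part of Juniper's documentation, the script below parses this counters output and turns it into health findings (error ratio, unanswered queries, stale batch responses) that a monitoring check can act on. The node0 figures mirror the output above, node1 is a constructed degraded server, and the capture time NOW and the thresholds are assumptions.

```python
"""Turn JIMS query counters into health findings a monitoring check can act on.
Added example, not Juniper code: node0 mirrors the counters output above,
node1 is a constructed degraded server, and the thresholds are assumptions."""
import re
from datetime import datetime, timedelta

SAMPLE = """\
node0:
   Query server name                      :jims1
    Primary server :
     Address                           : 192.0.2.5
     Batch query sent number           : 65381
     Batch query total response number : 64930
     Batch query error response number : 38
     Batch query last response time    : 2018-08-14 15:10:52
     IP query sent number              : 10
     IP query total response number    : 10
     IP query error response number    : 0
     IP query last response time       : 2018-08-13 12:41:56
  Secondary server :
 Address                           : Not configured
node1:
   Query server name                      :jims1
    Primary server :
     Address                           : 192.0.2.5
     Batch query sent number           : 1200
     Batch query total response number : 1100
     Batch query error response number : 90
     Batch query last response time    : 2018-08-14 11:00:00
  Secondary server :
 Address                           : Not configured
"""
NOW = datetime(2018, 8, 14, 15, 30)  # assumed capture time for the sample


def parse_counters(text):
    """Return {node: {query_server: {'primary'|'secondary': {field: value}}}}."""
    data, node, server, role = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        if re.fullmatch(r"node\d+:", line):
            node = line[:-1]
            data[node] = {}
            continue
        # Split on the first colon only: timestamps and IPv6 addresses contain more.
        key, _, value = (part.strip() for part in line.partition(":"))
        if key == "Query server name":
            server = value
            data[node][server] = {}
        elif key in ("Primary server", "Secondary server"):
            role = key.split()[0].lower()
            data[node][server][role] = {}
        else:
            data[node][server][role][key] = value
    return data


def query_health(stats, now, max_error=0.05, max_unanswered=0.05,
                 max_age=timedelta(hours=1)):
    """Return [(node, server, role, finding)]; empty means every configured server
    looks healthy.  Only batch queries are periodic, so only their last response
    time is a liveness signal; IP queries are on demand and may be old or absent."""
    findings = []
    for node, servers in stats.items():
        for server, roles in servers.items():
            for role, f in roles.items():
                if f.get("Address", "Not configured") == "Not configured":
                    continue
                tag = (node, server, role)
                for kind in ("Batch", "IP"):
                    sent = int(f.get(f"{kind} query sent number", 0))
                    resp = int(f.get(f"{kind} query total response number", 0))
                    err = int(f.get(f"{kind} query error response number", 0))
                    if sent and err / sent > max_error:
                        findings.append(tag + (f"{kind} query error ratio {err / sent:.1%}",))
                    if sent and (sent - resp) / sent > max_unanswered:
                        findings.append(tag + (f"{kind} queries unanswered {sent - resp}/{sent}",))
                last = f.get("Batch query last response time")
                if last and now - datetime.strptime(last, "%Y-%m-%d %H:%M:%S") > max_age:
                    findings.append(tag + (f"last batch response {last} older than {max_age}",))
    return findings


if __name__ == "__main__":
    for finding in query_health(parse_counters(SAMPLE), NOW):
        print(*finding)
```

With the figures above, node0 produces no findings while node1 is flagged three times: a 7.5% batch error ratio, 100 of 1200 batch queries unanswered, and a last batch response more than an hour old.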

Verifying the User Identification Authentication Table

Purpose

Verify the user identity information authentication table entries for the specified authentication source.

Action

To verify the configuration is working properly, enter the show services user-identification authentication-table authentication-source all logical-system LSYS1 command.

user@host> show services user-identification authentication-table authentication-source all logical-system LSYS1
node0:
--------------------------------------------------------------------------
Logical System: LSYS1
Domain: example.com
Total entries: 4
Source IP            Username       groups(Ref by policy)          state
10.12.0.2            administrator  posture-healthy                Valid
10.12.0.15           administrator  posture-healthy                Valid
2001:db8::5          N/A            posture-healthy                Valid
2001:db8::342c:302b  N/A            posture-healthy                Valid

Meaning

The output displays the entire contents of the specified authentication source's authentication table. The same command can also display a specific domain, group, or user by user name, or the identity information for a user based on the IP address of the user's device.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

  • 19.3R1: Starting in Junos OS Release 19.3R1, support for user firewall authentication is enhanced by using a customized model through integrated JIMS with active mode.

  • 18.3R1: Starting in Junos OS Release 18.3R1, the support for authentication sources is extended to include Local authentication, Active Directory (AD) authentication, and firewall authentication in addition to the existing support for authentication sources Juniper Identity Management Service (JIMS) and ClearPass authentication.

  • 18.2R1: Starting in Junos OS Release 18.2R1, the support for user firewall authentication is enhanced using a shared model. In this model, user logical systems share user firewall configuration and authentication entries with the primary logical system and the integrated user firewall authentication is supported in a user logical system.