Using Contextual Intelligence Publisher (CIP), Single Sign-On can be enabled for Juniper SRX and non-managed devices. Once configured, end users will no longer need to authenticate to Juniper SRX since the user credentials will be passed transparently from CIP. Integrating the two allows seamless identity-aware firewalling and greater ease of use for matching firewall traffic to individual users. The CIP integration currently provides the following values to Juniper SRX:
Machine IP Address
The purpose of this guide is to walk through the configuration requirements for sending identity information from CIP to Juniper SRX.
Prior to working through this document, Juniper SRX and SafeConnect must be installed and functional on the network. The Juniper SRX must be on firmware version 12.3X48 or newer. CIP must also be installed in the SafeConnect system.
Configure Juniper SRX
In the firewall, the following commands should be run from the cli to enable the webapi.
Enable the webapi:
set system services webapi user srx
set system services webapi user password [password]
set system services webapi client [manager-ip]
set system services webapi http port [http-port]
set system services webapi https port [https-port]
set system services webapi https
Note: Replace [password], [http-port] and [https-port] with values specific to your installation, and change the user name (srx above) if desired. The user name, password and https port are needed again when the publisher is configured in SafeConnect. Replace [manager-ip] with the IP address of the SafeConnect manager appliance; it is the only client that should be allowed to use the webapi.
Allow webapi access from a specific zone:
set security zones security-zone [zonename] host-inbound-traffic system-services webapi-clear-text
set security zones security-zone [zonename] host-inbound-traffic system-services webapi-ssl
Note: Replace [zonename] with the actual zone name of the SafeConnect manager appliance.
Verify the configurations are in place:
show configuration system services webapi
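The following Python script is an added example and is not part of the SafeConnect or Juniper documentation. It audits a set-style dump of the statements entered above (as typed in this guide, or as shown by `show configuration system services webapi | display set`) and reports the points a reviewer would check before trusting the identity feed: that a webapi client is configured and is the SafeConnect manager address, that the webapi user has a password, and that an HTTPS port exists. It also flags the clear-text HTTP port and any zone that admits webapi-clear-text; the guide enables both transports, so those two findings are informational, for sites that want the identity data and API credential carried over HTTPS only. The two sample configurations, the manager address 10.0.0.5 and the zone name trust are constructed values.

```python
"""Audit the Junos webapi settings this guide has the administrator enter.

Added example; not part of the SafeConnect or Juniper documentation. The
input is a 'set'-style configuration (as typed in this guide, or as shown by
'show configuration ... | display set'). The sample configurations, the
manager address 10.0.0.5 and the zone name 'trust' are constructed values.
"""
import ipaddress

# Constructed sample: the guide's commands with placeholder values filled in.
# Both transports and both zone services are enabled, as the guide does.
SAMPLE_CONFIG = """\
set system services webapi user srx
set system services webapi user password [password]
set system services webapi client 10.0.0.5
set system services webapi http port 8080
set system services webapi https port 8443
set system services webapi https
set security zones security-zone trust host-inbound-traffic system-services webapi-clear-text
set security zones security-zone trust host-inbound-traffic system-services webapi-ssl
"""

# Constructed sample: the same integration with HTTPS only.
HARDENED_CONFIG = """\
set system services webapi user srx
set system services webapi user password [password]
set system services webapi client 10.0.0.5
set system services webapi https port 8443
set system services webapi https
set security zones security-zone trust host-inbound-traffic system-services webapi-ssl
"""

WEBAPI = ("set", "system", "services", "webapi")
ZONE = ("set", "security", "zones", "security-zone")


def parse_set_config(text):
    """Split a set-style dump into token tuples, dropping blanks and '#' comments."""
    statements = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("set "):
            statements.append(tuple(line.split()))
    return statements


def values_after(statements, prefix):
    """Collect the token that directly follows `prefix` in each matching statement."""
    n = len(prefix)
    return [s[n] for s in statements if s[:n] == prefix and len(s) > n]


def audit_webapi(config_text, manager_ip):
    """Return a list of findings; an empty list means nothing to flag."""
    stmts = parse_set_config(config_text)
    findings = []
    manager = ipaddress.ip_address(manager_ip)

    # 1. Only the SafeConnect manager should be an allowed webapi client.
    clients = values_after(stmts, WEBAPI + ("client",))
    if not clients:
        findings.append("no webapi client configured: any host reaching the service can use the API")
    for client in clients:
        try:
            allowed = manager in ipaddress.ip_network(client, strict=False)
        except ValueError:  # unparseable address, e.g. a placeholder left in place
            allowed = False
        if not allowed:
            findings.append(f"webapi client {client} is not the SafeConnect manager {manager_ip}")

    # 2. The publisher authenticates with the webapi user; both name and password must exist.
    users = [u for u in values_after(stmts, WEBAPI + ("user",)) if u != "password"]
    if not users:
        findings.append("no webapi user configured")
    if not values_after(stmts, WEBAPI + ("user", "password")):
        findings.append("webapi user has no password statement")

    # 3. HTTPS must be available; clear-text HTTP carries the API credential and identity data unencrypted.
    if not values_after(stmts, WEBAPI + ("https", "port")):
        findings.append("no webapi https port configured")
    for port in values_after(stmts, WEBAPI + ("http", "port")):
        findings.append(f"clear-text webapi http enabled on port {port}")

    # 4. Zones that admit webapi-clear-text accept the unencrypted transport from the network.
    for s in stmts:
        if s[:4] == ZONE and len(s) >= 8 and s[5:8] == (
            "host-inbound-traffic", "system-services", "webapi-clear-text"
        ):
            findings.append(f"zone {s[4]} allows webapi-clear-text")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as configured in the guide", SAMPLE_CONFIG), ("https only", HARDENED_CONFIG)):
        print(f"{label}:")
        for finding in audit_webapi(cfg, "10.0.0.5") or ["no findings"]:
            print("  -", finding)
```

Run against the guide's configuration the script reports only the two clear-text items; run against the HTTPS-only variant it reports nothing. Passing a manager address that does not match the configured client produces a client finding first, which is the case to look for when the publisher fails to authenticate after a SafeConnect appliance re-address.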
Configure Contextual Intelligence Publisher
Once Juniper SRX is configured, open the SafeConnect Configuration at https://portal.myweblogon.com:8443/ConnectUI (portal.myweblogon.com can be replaced by the manager IP or a branded URL) and choose “Contextual Intelligence Publisher.” Click on “Add” and enter the following information:
Publisher: Juniper SRX
Name: A name describing where CIP is publishing data.
Username: API username configured in the Juniper SRX
Password: API password configured in the Juniper SRX
IP: The IP of the Juniper SRX appliance
Port: https port configured for the Juniper SRX API
Once everything is entered, click “Submit”. After the entry is saved, data will start being published to Juniper SRX; continue to the next section to verify the integration.
In the Juniper SRX cli, the following can be run to verify that it is receiving data from SafeConnect:
show services user-identification authentication-table authentication-source aruba-clearpass extensive