Hi,
I would like to set up this feature on my SRX550. The end goal is to map IPs to usernames so we have more visibility on who is looking at what (not sure if this is achievable).
So far I have the following config:
show services user-identification active-directory-access
domain mydomain.internal {
    user {
        srx_non_admin;
        password "$9$ZxjH./9tpORregJUD.mcyrKX7"; ## SECRET-DATA
    }
    domain-controller dc-04 {
        address 10.64.40.104;
    }
    user-group-mapping {
        ldap {
            base DC=mydomain,DC=internal;
        }
    }
}
I can see users when I run the command
run show services user-identification active-directory-access active-directory-authentication-table all
Domain: mydomain.internal
Total entries: 78
Source IP        Username    groups(Ref by policy)    state
10.0.5.38        user1                                Valid
I am not sure how to proceed. I want it so that only authenticated users in AD can be authenticated to other zones such as untrust.
run show services user-identification active-directory-access user-group-mapping status
Domain: mydomain.internal
LDAP server      Port    Last-query-status    Last-query-time
10.64.40.104     389     Idle                 0

run show services user-identification active-directory-access statistics ip-user-mapping
Domain: mydomain.internal
Host: 10.64.40.104
Initial event log timespan(hour) : 1
Event log scan interval(sec)     : 10
Total log query times            : 7333
Failed log query times           : 0
Number of records fetched        : 107854
Latest timestamp                 : 2017-04-25 09:59:28

run show services user-identification active-directory-access statistics ip-user-probe
Domain: mydomain.internal
Total user probe number  : 1
Failed user probe number : 1

run show services user-identification active-directory-access statistics user-group-mapping
Domain: mydomain.internal
Host: 10.64.40.104
Port: 389
Total query number  : 0
Failed query number : 0
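A security policy that consumes the IP-to-user mappings above, as an added example that is not part of the original post: it permits trust-to-untrust traffic only for sources the SRX has mapped to a member of an AD group, and denies and logs sources with no mapping. The zone names (trust, untrust), the policy names and the group name "Domain Users" are assumptions; the base configuration shown in the post is assumed to be committed already.

```junos
## Added example, not from the original post. Zone names, policy names and
## the group "Domain Users" are assumptions; substitute the groups that your
## AD uses. Group references use the form "domain\group".

## 1. Permit only traffic whose source IP is mapped to a member of the group.
set security policies from-zone trust to-zone untrust policy allow-ad-users match source-address any
set security policies from-zone trust to-zone untrust policy allow-ad-users match destination-address any
set security policies from-zone trust to-zone untrust policy allow-ad-users match application any
set security policies from-zone trust to-zone untrust policy allow-ad-users match source-identity "mydomain.internal\Domain Users"
set security policies from-zone trust to-zone untrust policy allow-ad-users then permit
## Log with the session so the username is recorded alongside the IP.
set security policies from-zone trust to-zone untrust policy allow-ad-users then log session-init
set security policies from-zone trust to-zone untrust policy allow-ad-users then log session-close

## 2. Explicitly deny and log sources the firewall could not tie to a user,
##    so missing or failed mappings are visible in the traffic log instead of
##    falling through to a broader rule further down.
set security policies from-zone trust to-zone untrust policy deny-unknown-users match source-address any
set security policies from-zone trust to-zone untrust policy deny-unknown-users match destination-address any
set security policies from-zone trust to-zone untrust policy deny-unknown-users match application any
set security policies from-zone trust to-zone untrust policy deny-unknown-users match source-identity [ unauthenticated-user unknown-user ]
set security policies from-zone trust to-zone untrust policy deny-unknown-users then deny
set security policies from-zone trust to-zone untrust policy deny-unknown-users then log session-init

## 3. Validate before committing; the allow policy must sit above the deny.
commit check
```

Once committed, a group referenced by a policy appears in the "groups(Ref by policy)" column of the authentication-table output shown above, which is the quickest way to confirm the policy is matching on the mapping rather than falling through to the deny.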