Supported Platforms
Related Documentation
- M, MX, PTX, T Series, QFabric System, QFX Series standalone switches
- Overview of Template Accounts for RADIUS and TACACS+ Authentication
- Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local Password Authentication
- M, MX, PTX, T Series
- Limiting the Number of User Login Attempts for SSH and Telnet Sessions
- M, MX, T Series, QFabric System, QFX Series standalone switches
- Example: Configuring System Authentication for RADIUS, TACACS+, and Password Authentication
- QFabric System, QFX Series standalone switches
- Limiting the Number of User Login Attempts for SSH and Telnet Sessions
Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication
Using the authentication-order statement, you can prioritize the order in which the Junos OS tries the different authentication methods when verifying user access to a router or switch.
If the authentication order lists a remote server (RADIUS or TACACS+) followed by local password authentication, Junos OS falls back to local authentication when the remote server is unreachable or times out. However, if the remote server rejects the credentials, Junos OS does not retry the authentication against that server.
If none of the configured authentication methods accept the login credentials and at least one of them returned a reject response, the login attempt fails. If no response is received from any configured authentication method, Junos OS consults local password authentication as a last resort.
Using RADIUS or TACACS+ Authentication
You can configure Junos OS to be both a RADIUS and a TACACS+ authentication client.
If an authentication method included in the authentication-order statement is not available, or if the method is available but returns a reject response, Junos OS tries the next authentication method included in the authentication-order statement.
RADIUS or TACACS+ server authentication might fail (that is, produce no response) for the following reasons:
- The authentication method is configured, but the corresponding authentication servers are not configured. For instance, the RADIUS and TACACS+ authentication methods are included in the authentication-order statement, but the corresponding RADIUS or TACACS+ servers are not configured at the respective [edit system radius-server] and [edit system tacplus-server] hierarchy levels.
- The RADIUS or TACACS+ server does not respond within the timeout period configured at the [edit system radius-server] or [edit system tacplus-server] hierarchy levels.
- The RADIUS or TACACS+ server is not reachable because of a network problem.
RADIUS or TACACS+ server authentication might return a reject response for the following reasons:
- The user profiles of users accessing a router or switch might not be configured on the RADIUS or TACACS+ server.
- The user enters incorrect logon credentials.
Using Local Password Authentication
You can explicitly configure the password authentication method or use this method as a fallback mechanism when remote authentication servers fail. The password authentication method consults the local user profiles configured at the [edit system login] hierarchy level. Users can log in to a router or switch using their local username and password in the following scenarios:
- The password authentication method (password) is explicitly configured as one of the authentication methods in the [authentication-order authentication-methods] statement. In this case, the password authentication method is tried if no previous authentication accepts the logon credentials. This is true whether the previous authentication method fails to respond or returns a reject response because of an incorrect username or password.
- The password authentication method is not explicitly configured as one of the authentication methods in the authentication-order authentication-methods statement. In this case, the password authentication method is tried only if all configured authentication methods fail to respond. It is not consulted if any configured authentication method returns a reject response because of an incorrect username or password.
Order of Authentication Attempts
Table 1 describes how the authentication-order statement at the [edit system] hierarchy level determines the procedure that the Junos OS uses to authenticate users for access to a router or switch.
Table 1: Order of Authentication Attempts
Syntax | Order of Authentication Attempts
---|---
authentication-order radius; | 1. Try the configured RADIUS servers. 2. If the RADIUS servers fail to respond, try local password authentication, because password is not explicitly configured and serves only as a last resort. If a RADIUS server returns a reject response, the login fails.
authentication-order [ radius password ]; | 1. Try the configured RADIUS servers. 2. If the RADIUS servers fail to respond or return a reject response, try local password authentication, because password is explicitly configured.
authentication-order [ radius tacplus ]; | 1. Try the configured RADIUS servers. 2. If the RADIUS servers fail to respond or return a reject response, try the configured TACACS+ servers. 3. If neither the RADIUS nor the TACACS+ servers responded, try local password authentication as a last resort; if either returned a reject response, the login fails.
authentication-order [ radius tacplus password ]; | 1. Try the configured RADIUS servers. 2. If the RADIUS servers fail to respond or return a reject response, try the configured TACACS+ servers. 3. If the TACACS+ servers fail to respond or return a reject response, try local password authentication, because password is explicitly configured.
authentication-order tacplus; | 1. Try the configured TACACS+ servers. 2. If the TACACS+ servers fail to respond, try local password authentication as a last resort. If a TACACS+ server returns a reject response, the login fails.
authentication-order [ tacplus password ]; | 1. Try the configured TACACS+ servers. 2. If the TACACS+ servers fail to respond or return a reject response, try local password authentication, because password is explicitly configured.
authentication-order [ tacplus radius ]; | 1. Try the configured TACACS+ servers. 2. If the TACACS+ servers fail to respond or return a reject response, try the configured RADIUS servers. 3. If neither the TACACS+ nor the RADIUS servers responded, try local password authentication as a last resort; if either returned a reject response, the login fails.
authentication-order [ tacplus radius password ]; | 1. Try the configured TACACS+ servers. 2. If the TACACS+ servers fail to respond or return a reject response, try the configured RADIUS servers. 3. If the RADIUS servers fail to respond or return a reject response, try local password authentication, because password is explicitly configured.
authentication-order password; | 1. Try local password authentication only.
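The fallback rules in the sections above and in Table 1 can be checked against a small model. The following is an added example, not Juniper code: it encodes the page's rules (next method on no response or reject; local password as a last resort only when password is not explicit and no method rejected) and runs them over constructed server outcomes.

```python
# Added example (not Juniper's code): a model of the Junos OS authentication-order
# fallback rules described on this page. All server outcomes below are constructed.
from typing import Dict, List

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"


def authenticate(order: List[str], results: Dict[str, str]) -> bool:
    """Return True if a login succeeds under the given authentication-order list.

    `order` is the authentication-order list, e.g. ["radius", "tacplus"].
    `results` maps "radius" / "tacplus" / "password" to what that method answered.
    A method listed in `order` but missing from `results` is treated as NO_RESPONSE,
    matching the page: servers for the method are not configured, so it cannot reply.
    """
    saw_reject = False
    for method in order:
        outcome = results.get(method, NO_RESPONSE)
        if outcome == ACCEPT:
            return True          # first accept wins
        if outcome == REJECT:
            saw_reject = True    # reject: remember it, but still try the next method
        # NO_RESPONSE (unconfigured, timeout, unreachable) also moves to the next method
    if "password" in order:
        return False             # explicit password was already tried above
    if saw_reject:
        return False             # implicit password is never consulted after a reject
    # every configured method failed to respond: local password is the last resort
    return results.get("password") == ACCEPT


def demo() -> Dict[str, bool]:
    """Constructed scenario: RADIUS rejects, TACACS+ is down, local password is valid."""
    scenario = {"radius": REJECT, "tacplus": NO_RESPONSE, "password": ACCEPT}
    orders = {
        "radius": ["radius"],
        "radius password": ["radius", "password"],
        "radius tacplus": ["radius", "tacplus"],
        "radius tacplus password": ["radius", "tacplus", "password"],
        "tacplus": ["tacplus"],
        "tacplus password": ["tacplus", "password"],
    }
    return {name: authenticate(order, scenario) for name, order in orders.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"authentication-order [ {name} ]: {'login succeeds' if ok else 'login fails'}")
```

SSH public-key authentication, which the note below says runs before the authentication-order methods, is outside this model.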
Note: If SSH public keys are configured, SSH user authentication first tries to perform public key authentication before using the authentication methods configured in the authentication-order statement. If you want SSH logins to use the authentication methods configured in the authentication-order statement without first trying to perform public key authentication, do not configure SSH public keys.
In a routing matrix based on a TX Matrix router or a TX Matrix Plus router, the authentication order must be configured only at the configuration groups re0 and re1. The authentication order must not be configured at the [edit system] hierarchy on the TX Matrix or TX Matrix Plus router, because the authentication order for the routing matrix is controlled on the switch-card chassis (TX Matrix router) or switch-fabric chassis (TX Matrix Plus router) only.
In Junos OS Release 10.0 and later, the superuser (belonging to the super-user login class) is also authenticated according to the authentication order configured for TACACS+, RADIUS, or password authentication using the authentication-order statement. For example, if the only configured authentication method is TACACS+, the superuser can be authenticated only by the TACACS+ server, and password authentication cannot be used as an alternative. However, in Junos OS Release 9.6 and earlier, the superuser can use password authentication to log in, even if password authentication is not configured explicitly using the authentication-order statement.
Modified: 2016-11-30