Supported Platforms
Related Documentation
- authentication-order (EX, M, MX, PTX, SRX, T Series)
- Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication (M, MX, PTX, QFX, T Series)
- Using Regular Expressions on a RADIUS or TACACS+ Server to Allow or Deny Access to Commands (M, PTX, QFX, T Series)
- Example: Configuring System Authentication for RADIUS, TACACS+, and Password Authentication (M, MX, QFX, T Series)
Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local Password Authentication
Using the authentication-order statement, you can prioritize the order in which the Junos OS tries the different authentication methods when verifying user access to a router or switch.
To configure the authentication order, include the authentication-order statement at the [edit system] hierarchy level:
Specify one or more of the following authentication methods in the preferred order, from first tried to last tried:
- radius—Verify the user using RADIUS authentication services.
- tacplus—Verify the user using TACACS+ authentication services.
- password—Verify the user using the username and password configured locally by including the authentication statement at the [edit system login user] hierarchy level.
The CHAP authentication sequence cannot take more than 30 seconds. If it takes longer to authenticate a client, the authentication is abandoned and a new sequence is initiated.
For example, if you configure three RADIUS servers so that the router or switch attempts to contact each server three times, and with each retry the server times out after 3 seconds, then the maximum time given to the RADIUS authentication method before CHAP considers it a failure is 27 seconds. If you add more RADIUS servers to this configuration, they might not be contacted because the authentication process might be abandoned before these servers are tried.
The Junos OS enforces a limit on the number of standing authentication server requests that the CHAP authentication can have at one time. Thus, an authentication server method—RADIUS, for example—might fail to authenticate a client when this limit is exceeded. If it fails, the authentication sequence is reinitiated by the router or switch until authentication succeeds and the link is brought up. However, if the RADIUS servers are not available and if additional authentication methods such as tacplus or password are configured along with radius, the next authentication method is tried.
The following example shows how to configure radius and password authentication:
The following example shows how to delete the radius statement from the authentication order:
The following example shows how to insert the tacplus statement after the radius statement:
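The three procedures described above, written out as an added example in Junos configuration-mode CLI syntax (this is an added illustration, not the page's own example listing). It assumes the RADIUS and TACACS+ servers themselves are already defined under [edit system radius-server] and [edit system tacplus-server], which this page does not cover, and that each step starts from the configuration the preceding step left behind.

```junos
[edit system]
user@host# set authentication-order [ radius password ]
user@host# show authentication-order
authentication-order [ radius password ];

[edit system]
user@host# delete authentication-order radius
user@host# show authentication-order
authentication-order password;

[edit system]
user@host# set authentication-order [ radius password ]
user@host# insert authentication-order tacplus after radius
user@host# show authentication-order
authentication-order [ radius tacplus password ];

[edit system]
user@host# commit
```

The first block produces the radius-then-password order; the second removes radius, leaving only the local password; the third restores radius and uses the insert command, which places a new entry at a chosen position in an ordered list rather than appending it, so tacplus ends up between radius and password. Nothing takes effect until commit, so the show output can be reviewed beforehand, and keeping password somewhere in the list is what allows a login to succeed when every configured RADIUS and TACACS+ server is unreachable.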
Published: 2013-01-23