Statement introduced before Junos OS Release 7.4.
none option added in Junos OS Release 11.2.
nasreq option added in Junos OS Release 16.1.
s6a option added in Junos OS Release 19.3R1.
Set the order in which AAA tries different authentication methods when verifying that a client can access the router or switch. For each login attempt, AAA tries the authentication methods in order, from first to last.
A given subscriber does not undergo both authentication and authorization as separate steps. When both authentication-order and authorization-order are specified, DHCP subscribers honor the configured authorization order; all other subscribers use the configured authentication-order.
Starting in Junos OS Release 18.2R1, the password option can also be used to specify that local authentication and local authorization are attempted for individual subscribers that are configured with the subscriber statement at the [edit access profile profile-name] hierarchy level.
nasreq—Verify subscribers using the Diameter-based Network Access Server Requirements (NASREQ) protocol.
none—No authentication is performed. Grants authentication without examining the client credentials. Can be used, for example, when the Diameter function Gx-Plus is employed for notification during subscriber provisioning.
Subscriber access management does not support the none option; authentication fails when this option is specified.
password—Verify the client using the information configured at the [edit access profile profile-name client client-name] hierarchy level.
Subscriber access management does not support the password option until Junos OS Release 18.2R1. Starting in Junos OS Release 18.2R1, this option is used to enable local authentication and optionally local authorization for individual subscribers. Local authentication is typically used when you do not have external authentication and authorization servers. The password itself must be configured with the subscriber statement in the same access profile. Local authentication is performed when a subscriber logs in with a matching username; it succeeds if the subscriber's login password matches the password in the profile.
If you have external authentication and authorization servers, you can use local authentication as a backup authentication method. In this case, configure password in a position other than first in the list of methods.
radius—Verify the client using RADIUS authentication services.
s6a—Verify subscribers using the Diameter-based s6a protocol.
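The following audit script is an added example, not part of the Junos documentation. It reads access profile configuration in set-command form and reports the method orders that the option descriptions above call out: none in the list, password placed ahead of an external method, and password with no client or subscriber entry in the same profile. The profile names, the sample lines and the finding texts are constructed for illustration.

```python
import re
from collections import defaultdict

EXTERNAL = {"radius", "nasreq", "s6a"}  # server-based methods listed on this page

# Constructed sample in set-command form; profile names and values are made up.
SAMPLE = """\
set access profile PPP-SUBS authentication-order radius
set access profile PPP-SUBS authentication-order password
set access profile PPP-SUBS subscriber alice password "$9$constructed"
set access profile GX-NOTIFY authentication-order none
set access profile LAB authentication-order [ password radius ]
"""

LINE = re.compile(
    r"^set access profile (\S+) (authentication-order|client|subscriber)\s+(.*)$")

def parse(config):
    """Return {profile: {"order": [...], "local": bool}} from set-style lines."""
    profiles = defaultdict(lambda: {"order": [], "local": False})
    for raw in config.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        name, stmt, rest = m.groups()
        if stmt == "authentication-order":
            # Accept one value per line or a bracketed list; order is preserved.
            profiles[name]["order"] += rest.strip("[] ").split()
        else:
            profiles[name]["local"] = True  # a client or subscriber entry exists
    return dict(profiles)

def audit(config):
    """Return sorted (profile, finding) pairs for method orders worth reviewing."""
    findings = []
    for name, p in parse(config).items():
        order = p["order"]
        if "none" in order:
            findings.append((name, "none: access granted without checking credentials"))
        if order and order[0] == "password" and EXTERNAL & set(order[1:]):
            findings.append((name, "password listed before an external method"))
        if "password" in order and not p["local"]:
            findings.append((name, "password method but no client/subscriber entry"))
    return sorted(findings)

if __name__ == "__main__":
    for profile, finding in audit(SAMPLE):
        print(f"{profile}: {finding}")
```
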
Required Privilege Level
admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.