Authentication Order for RADIUS, TACACS+, and Local Password

 

Junos OS supports several methods, local password authentication, RADIUS, and TACACS+, to control access to the network device. These methods validate users who attempt to log in to the router or switch, for example over SSH or telnet. You can prioritize the methods to set the order in which Junos OS tries them when verifying user access to a router, switch, or security device.

Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication

Using the authentication-order statement, you can prioritize the order in which the Junos OS tries the different authentication methods when verifying user access to a router or switch.

If RADIUS and/or TACACS+ servers are configured in the authentication order but there is no response from them to a request, the Junos OS always defaults to trying local password authentication as a last resort. If the authentication order is set to authentication-order password, that will be the only authentication method attempted.

Note

There is no point in configuring local password authentication ahead of RADIUS or TACACS+ in the order, because a local check never produces a “no response” result: a local authentication request is always either accepted or rejected.

The handling of a rejected authentication request when RADIUS or TACACS+ are present is more complicated.

  • If password (local password authentication) is not in the authentication order, a RADIUS and/or TACACS+ rejection ends with the rejection.

  • If password is included at the end of the authentication order and RADIUS and/or TACACS+ rejects the authentication, the Junos OS tries for a local authentication check.

In other words, including password as a final authentication order option is a means by which you can choose whether a RADIUS and/or TACACS+ rejection ends there or if the request is to be given one last chance for authentication locally.

Using RADIUS or TACACS+ Authentication

You can configure the Junos OS to be both a RADIUS and TACACS+ authentication client.

If an authentication method listed in the authentication-order statement is not available, or is available but returns a reject response, Junos OS tries the next method in the list.

The RADIUS or TACACS+ server authentication might fail because of the following reasons:

  • The authentication method is configured, but the corresponding authentication servers are not configured. For instance, the RADIUS and TACACS+ authentication methods are included in the authentication-order statement, but the corresponding RADIUS or TACACS+ servers are not configured at the respective [edit system radius-server] and [edit system tacplus-server] hierarchy levels.

  • The RADIUS or TACACS+ server does not respond within the timeout period configured at the [edit system radius-server] or [edit system tacplus-server] hierarchy levels.

  • The RADIUS or TACACS+ server is not reachable because of a network problem.

The RADIUS or TACACS+ server authentication might return a reject response because of the following reasons:

  • The user profiles of users accessing a router or switch might not be configured on the RADIUS or TACACS+ server.

  • The user enters incorrect logon credentials.

Using Local Password Authentication

You can explicitly configure the password authentication method or use this method as a fallback mechanism when remote authentication servers fail. The password authentication method consults the local user profiles configured at the [edit system login] hierarchy level. Users can log in to a router or switch using their local username and password in the following scenarios:

  • The password authentication method (password) is explicitly configured as one of the authentication methods in the [authentication-order authentication-methods] statement. In this case, the password authentication method is tried if no previous authentication accepts the logon credentials. This is true whether the previous authentication method fails to respond or returns a reject response because of an incorrect username or password.

  • The password authentication method is not explicitly configured as one of the authentication methods in the authentication-order authentication-methods statement. In this case, the password authentication method is tried only if all configured authentication methods fail to respond. It is not consulted if any configured authentication method returns a reject response because of an incorrect username or password.
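The two scenarios above decide whether a rejection by the central server is final. The following configuration is an added example, not from the original page or from Juniper's own samples, and it uses placeholder addresses (192.0.2.x), a placeholder shared secret, and a placeholder password hash. It shows the order in which a remote reject is authoritative, the alternative order in which a reject is retried locally, the server timeout and retry settings that define “no response”, and a local break-glass account that only the implicit fallback protects.

```junos
/* Added example, not part of the original page. Addresses, secrets and the
   password hash are placeholders; replace them before use. */
system {
    /* Remote methods are authoritative. A reject from RADIUS and then
       TACACS+ is final. The local database is consulted only when every
       configured server fails to respond (implicit fallback). */
    authentication-order [ radius tacplus ];

    /* Alternative: list password explicitly. Any remote reject then gets a
       second chance against local accounts, which lets a guessed local
       password bypass server-side lockout, MFA and time-of-day policy.
       Use instead of the line above only if that is intended.
       authentication-order [ radius tacplus password ]; */

    radius-server {
        192.0.2.10 {
            /* Junos obfuscates the secret ($9$...) when it stores it. */
            secret "replace-with-shared-secret";
            /* "No response" for this server means timeout x (retry + 1):
               3 s x 3 attempts = 9 s before the next method is tried. */
            timeout 3;
            retry 2;
            source-address 192.0.2.1;
        }
    }
    tacplus-server {
        192.0.2.20 {
            secret "replace-with-shared-secret";
            timeout 3;
            single-connection;
        }
    }
    login {
        /* Break-glass account. It lives only in the local database, so with
           [ radius tacplus ] it works exactly when both servers are down.
           The hash is generated off-box (for example openssl passwd -6) so
           the plaintext is never typed over the management session. */
        user breakglass {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$6$placeholder-hash";
            }
        }
        /* Template for server-authenticated users that have no local
           account. No authentication statement, so it cannot be used for
           a direct local login. */
        user remote {
            uid 9999;
            class operator;
        }
    }
}
```

After committing, confirm the order from configuration mode with show system authentication-order, and test the fallback deliberately: block the device's path to both servers and verify that breakglass can still log in, then restore the path and verify that a known-bad password for breakglass is rejected without the local database being consulted.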

Order of Authentication Attempts

Table 1 describes how the authentication-order statement at the [edit system] hierarchy level determines the procedure that the Junos OS uses to authenticate users for access to a router or switch.

Table 1: Order of Authentication Attempts. Each entry gives the configured syntax followed by the resulting order of authentication attempts.

authentication-order radius;

  1. Try configured RADIUS authentication servers.
  2. If RADIUS server is available and authentication is accepted, grant access.
  3. If RADIUS server is available but authentication is rejected, deny access.
  4. If RADIUS servers are not available, try password authentication.

    Note: If a RADIUS server is available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ radius password ];

  1. Try configured RADIUS authentication servers.
  2. If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order [ radius tacplus ];

  1. Try configured RADIUS authentication servers.
  2. If RADIUS server is available and authentication is accepted, grant access.
  3. If RADIUS servers fail to respond or return a reject response, try configured TACACS+ servers.
  4. If TACACS+ server is available and authentication is accepted, grant access.
  5. If TACACS+ server is available but authentication is rejected, deny access.
  6. If both RADIUS and TACACS+ servers are not available, try password authentication.

    Note: If either RADIUS or TACACS+ servers are available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ radius tacplus password ];

  1. Try configured RADIUS authentication servers.
  2. If RADIUS server is available and authentication is accepted, grant access.
  3. If RADIUS servers fail to respond or return a reject response, try configured TACACS+ servers.
  4. If TACACS+ server is available and authentication is accepted, grant access.
  5. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order tacplus;

  1. Try configured TACACS+ authentication servers.
  2. If TACACS+ server is available and authentication is accepted, grant access.
  3. If TACACS+ server is available but authentication is rejected, deny access.
  4. If TACACS+ servers are not available, try password authentication.

    Note: If a TACACS+ server is available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ tacplus password ];

  1. Try configured TACACS+ authentication servers.
  2. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order [ tacplus radius ];

  1. Try configured TACACS+ authentication servers.
  2. If TACACS+ server is available and authentication is accepted, grant access.
  3. If TACACS+ servers fail to respond or return a reject response, try configured RADIUS servers.
  4. If RADIUS server is available and authentication is accepted, grant access.
  5. If RADIUS server is available but authentication is rejected, deny access.
  6. If both TACACS+ and RADIUS servers are not available, try password authentication.

    Note: If either TACACS+ or RADIUS servers are available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ tacplus radius password ];

  1. Try configured TACACS+ authentication servers.
  2. If TACACS+ server is available and authentication is accepted, grant access.
  3. If TACACS+ servers fail to respond or return a reject response, try configured RADIUS servers.
  4. If RADIUS server is available and authentication is accepted, grant access.
  5. If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order password;

  1. Try to authenticate the user, using the password configured at the [edit system login] hierarchy level.
  2. If the authentication is accepted, grant access.
  3. If the authentication is rejected, deny access.

Note

If SSH public keys are configured, SSH user authentication first tries to perform public key authentication before using the authentication methods configured in the authentication-order statement. If you want SSH logins to use the authentication methods configured in the authentication-order statement without first trying to perform public key authentication, do not configure SSH public keys.

In a routing matrix based on a TX Matrix router, the authentication order must be configured only at the configuration groups re0 and re1. The authentication order must not be configured at the [edit system] hierarchy. This is because the authentication order for the routing matrix is controlled on the switch-card chassis (or TX Matrix router) or switch-fabric chassis (for TX Matrix Plus router) only.

In Junos OS Release 10.0 and later, the superuser (a user in the super-user login class) is also authenticated according to the order configured with the authentication-order statement for TACACS+, RADIUS, or password authentication. For example, if the only configured authentication method is TACACS+, the superuser can be authenticated only by the TACACS+ server, and password authentication cannot be used as an alternative. In Junos OS Release 9.6 and earlier, however, the superuser can use password authentication to log in even if password authentication is not configured explicitly in the authentication-order statement.

Configuring the Junos OS Authentication Order for RADIUS, TACACS+, and Local Password Authentication

Using the authentication-order statement, you can prioritize the order in which the Junos OS tries the different authentication methods when verifying user access to a router or switch. If you do not set the authentication order, by default users are verified based on their configured passwords.

When you configure a password as plain text and rely on Junos OS to hash it, the plaintext still travels over your management session and appears in the terminal and in the command history before it is hashed. Supplying a pre-hashed password (the encrypted-password statement) is safer because the plaintext never has to be sent to the device. A local password also belongs to exactly one user account.

RADIUS and TACACS+, by contrast, keep credentials on the authentication server rather than in the device configuration, and let you manage a set of users at once instead of one by one. The two protocols differ as follows:

  • RADIUS uses UDP; TACACS+ uses TCP.

  • RADIUS obfuscates only the password attribute in transit and sends the rest of the packet in the clear; TACACS+ obfuscates the entire packet body. Both rely on legacy MD5-based constructions keyed with the shared secret rather than modern encryption, so the path to the server should be protected in either case.

  • RADIUS combines authentication and authorization in a single exchange; TACACS+ separates authentication, authorization, and accounting, which allows per-command authorization.

In short, TACACS+ has the stronger protocol design, while RADIUS has lower overhead and broader interoperability. RADIUS is widely supported, whereas TACACS+ originated at Cisco (it is now published as RFC 8907) and is less widely supported outside network-equipment vendors.

You can configure the authentication order based on your system, its restrictions, and your IT policy and operational preferences.

To configure the authentication order, include the authentication-order statement at the [edit system] hierarchy level:

For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.

Following are the possible authentication order entry options:

  • radius—Verify the user using RADIUS authentication servers.

  • tacplus—Verify the user using TACACS+ authentication servers.

  • password—Verify the user using the username and password configured locally by including the authentication statement at the [edit system login user] hierarchy level.

For more details, see Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication.

The CHAP authentication sequence cannot take more than 30 seconds. If it takes longer to authenticate a client, the authentication is abandoned and a new sequence is initiated.

For example, if you configure three RADIUS servers so that the router or switch attempts to contact each server three times, and with each retry the server times out after 3 seconds, then the maximum time given to the RADIUS authentication method before CHAP considers it a failure is 27 seconds. If you add more RADIUS servers to this configuration, they might not be contacted because the authentication process might be abandoned before these servers are tried.

Junos OS enforces a limit on the number of outstanding authentication server requests that CHAP authentication can have at one time. An authentication server method, RADIUS for example, might therefore fail to authenticate a client when this limit is exceeded. If it fails, the router or switch reinitiates the authentication sequence until authentication succeeds and the link is brought up. However, if the RADIUS servers are not available and additional authentication methods such as tacplus or password are configured along with radius, the next authentication method is tried.

The following example shows how to configure radius and password authentication:

The following example shows how to delete the radius statement from the authentication order:

The following example shows how to insert the tacplus statement after the radius statement:
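The three examples announced above are not present on this page. The following configuration-mode session is an added illustration, not the page's own or Juniper's, that covers all three operations: building the list with set, inserting a method at a chosen position with insert, and removing a method with delete. The host name is a placeholder, and lines beginning with ## are commentary, not CLI input.

```junos
## Added example, not part of the original page. "user@host" is a placeholder.
## Lines starting with ## are commentary and are not typed into the CLI.

## set on a list statement appends; giving the whole list sets it at once.
[edit system]
user@host# set authentication-order [ radius password ]

[edit system]
user@host# show authentication-order
authentication-order [ radius password ];

## insert places a method at a specific position. A plain set would have
## appended tacplus after password; insert puts it directly after radius.
[edit system]
user@host# insert authentication-order tacplus after radius

[edit system]
user@host# show authentication-order
authentication-order [ radius tacplus password ];

## delete removes one member and leaves the rest in place. Without password
## in the list, a remote reject is final and local accounts are consulted
## only when every server fails to respond.
[edit system]
user@host# delete authentication-order password

[edit system]
user@host# show authentication-order
authentication-order [ radius tacplus ];

## When changing the order over a remote session, use commit confirmed so
## the change rolls back by itself if you lock yourself out and cannot
## reach the device to confirm it.
[edit system]
user@host# commit confirmed 5

## Open a second session, log in through the new order, and only then:
[edit system]
user@host# commit
```

If the second login fails, simply do nothing: after five minutes the device reverts to the previous committed configuration, including the previous authentication order.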

Example: Configuring Authentication Order

This example shows how to configure authentication order.

Requirements

Before you begin, perform the initial device configuration. See the Getting Started Guide for your device.

Overview

You can configure the authentication methods that the device uses to verify that a user can gain access. For each login attempt, the device tries the configured authentication methods in order, starting with the first, until one of them accepts the credentials. If you do not configure system authentication, users are verified based on their configured local passwords.

This example configures the device to attempt user authentication with the local password first, then with the RADIUS server, and finally with the TACACS+ server.

When you use local password authentication, you must create a local user account for every user who wants to access the system. However, when you are using RADIUS or TACACS+ authentication, you can create single accounts (for authorization purposes) that are shared by a set of users. You create these accounts using the remote and local user template accounts. When a user is using a template account, the command-line interface (CLI) username is the login name; however, the privileges, file ownership, and effective user ID are inherited from the template account.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

GUI Step-by-Step Procedure

To configure authentication order:

  1. In the J-Web user interface, select Configure>System Properties>User Management.
  2. Click Edit. The Edit User Management dialog box appears.
  3. Select the Authentication Method and Order tab.
  4. Under Available Methods, select the authentication method the device should use to authenticate users, and use the arrow button to move the item to the Selected Methods list. Available methods include:
    • RADIUS

    • TACACS+

    • Local Password

    If you want to use multiple methods to authenticate users, repeat this step to add the additional methods to the Selected Methods list.

  5. Under Selected Methods, use the Up Arrow and Down Arrow to specify the order in which the device should execute the authentication methods.
  6. Click OK to check your configuration and save it as a candidate configuration.
  7. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure authentication order:

  1. Add RADIUS authentication to the authentication order.
  2. Add TACACS+ authentication to the authentication order.

Results

From configuration mode, confirm your configuration by entering the show system authentication-order command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Note

To completely set up RADIUS or TACACS+ authentication, you must configure at least one RADIUS or TACACS+ server and create user template accounts. Do one of the following tasks:

Verification

Confirm that the configuration is working properly.

Verifying the Authentication Order Configuration

Purpose

Verify that the authentication order has been configured.

Action

From operational mode, enter the show configuration system authentication-order command (from configuration mode, the equivalent is show system authentication-order).

Example: Configuring System Authentication for RADIUS, TACACS+, and Password Authentication

The following example shows how to configure system authentication for RADIUS, TACACS+, and password authentication.

In this example, only the user Philip and users authenticated by a remote RADIUS server can log in. If a user logs in and is not authenticated by the RADIUS server, the user is denied access to the router or switch. If the RADIUS server is not available, the user is authenticated using the password authentication method and allowed access to the router or switch. For more information about the password authentication method, see Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication.

When Philip tries to log in to the system, if the RADIUS server authenticates him, he is given access and privileges for the super-user class. Local accounts are not configured for other users. When they log in to the system and the RADIUS server authenticates them, they are given access using the same user ID (UID) 9999 and the privileges associated with the operator class.

Note

For authorization purposes, you can use a template account to create a single account that can be shared by a set of users at the same time. For example, when you create a remote template account, a set of remote users can concurrently share a single UID. For more information about template accounts, see Example: Configuring Authentication Order.

When a user logs in to a device, the user’s login name is sent to the RADIUS or TACACS+ server for authentication. If the authentication server accepts the user and the user is not configured at the [edit system login user] hierarchy level, the device uses the default remote template user account for the user, provided a remote template account is configured at the [edit system login user remote] hierarchy level. The remote template account serves as the default template user account for all users who are authenticated by the authentication server but do not have a locally configured user account on the device. Such users share the same login class and UID.

To configure an alternate template user, specify the user-name parameter returned in the RADIUS authentication response packet. Not all RADIUS servers allow you to change this parameter. The following shows a sample Junos OS configuration:

Assume your RADIUS server is configured with the following information:

  • User Philip with password “olympia”

  • User Alexander with password “bucephalus” and username “operator”

  • User Darius with password “redhead” and username “operator”

  • User Roxane with password “athena”

Philip would be given access as a superuser (super-user) because he has his own local user account. Alexander and Darius share UID 9990 and have access as operators. Roxane has no template-user override, so she shares access with all the other remote users, getting read-only access.
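The sample Junos OS configuration referred to above is not present on this page. The following stanza is an added reconstruction, not the page's own or Juniper's sample, of the configuration that the two paragraphs above describe: RADIUS-only authentication order, a local account for Philip, an operator template account with UID 9990 that the server selects by returning the username operator, and a read-only remote template for everyone else. The server address, shared secret, and password hash are placeholders.

```junos
/* Added example, not part of the original page. The RADIUS address, the
   shared secret and the password hash are placeholders. */
system {
    /* password is not listed, so a RADIUS reject is final and the local
       database is consulted only when the RADIUS server does not respond. */
    authentication-order radius;

    radius-server {
        192.0.2.10 {
            secret "replace-with-shared-secret";
        }
    }

    login {
        /* Philip has his own local account, so after RADIUS accepts him his
           class and UID come from this profile rather than a template. The
           local hash matters only when RADIUS is unreachable. */
        user Philip {
            uid 1001;
            class super-user;
            authentication {
                encrypted-password "$6$placeholder-hash";
            }
        }

        /* Template chosen when the RADIUS response carries the username
           "operator": Alexander and Darius land here and share UID 9990.
           No authentication statement, so it cannot be logged into
           directly. */
        user operator {
            uid 9990;
            class operator;
        }

        /* Default template for any other RADIUS-authenticated user with no
           local account and no username override (Roxane). */
        user remote {
            uid 9999;
            class read-only;
        }
    }
}
```

To check which template a remote user received, log in as that user and run show cli authorization: it reports the login class that was applied. If a user who should map to operator receives read-only, the override username is not being returned by the RADIUS server for that account.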