On a C-series Controller, you can use more than one authentication method. You can configure the C-series Controller to be a RADIUS and TACACS+ client by:
For each login attempt, the SRC software tries the authentication methods in the order configured, until the password matches. If one of the authentication methods in the authentication order fails to authenticate a user, the user is denied access to the C-series Controller.
If password authentication does not appear in the prioritized list of authentication methods, the SRC software uses password authentication last. The SRC software always uses password authentication, whether or not it appears in the list of authentication methods to be used. As a result, users can log in to the C-series Controller through password authentication if configured authentication servers are unavailable.
Figure 18 shows three authentication scenarios. In the first two, a user is authenticated while authentication servers are unavailable. In the third scenario, a users is not authenticated by an active server.
Figure 18: Authentication Order: RADIUS, TACACS+, Password
 | Copyright © 2008, Juniper Networks, Inc. All Rights Reserved. Trademark Notice. | |