
Miscellaneous RADIUS/TACACS+ Information

When you use local password authentication, you must create a local user account for every user who wants to access the system. However, when you are using RADIUS or TACACS+ authentication, you can create single accounts (for authorization purposes) that are shared by a set of users. You create these accounts using the remote and local user template accounts. When a user is using a template account, the CLI username is the login name; however, the privileges, file ownership, and effective user ID are inherited from the template account.

If you configure the router to be both a RADIUS and TACACS+ client (by including the radius-server and tacplus-server statements), you can prioritize the order in which the software tries the different authentication methods when verifying that a user can access the router. For each login attempt, the JUNOS software tries the authentication methods in order, starting with the first one, until the password matches.

To configure the authentication order, include the authentication-order statement at the [edit system] hierarchy level. For example:

[edit system]
authentication-order [ radius tacplus password ];

You can specify one or more of the following in the preferred order, from first tried to last tried:

If you do not include the authentication-order statement, users are verified based on their configured passwords.
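The following configuration is an added example, not part of the original page, showing how template accounts and the authentication order fit together in one [edit system] hierarchy. The server addresses, secrets, account names, and UIDs are constructed placeholders. The comment that the server returns a local user name (the Juniper-Local-User-Name attribute for RADIUS) comes from general JUNOS behavior rather than from this page.

```junos
system {
    /* Same order as the example above: RADIUS, then TACACS+, then local passwords. */
    authentication-order [ radius tacplus password ];
    radius-server {
        192.0.2.10 {                        /* constructed address (documentation range) */
            secret "RADIUS-SHARED-SECRET";  /* placeholder */
        }
    }
    tacplus-server {
        192.0.2.20 {                        /* constructed address (documentation range) */
            secret "TACPLUS-SHARED-SECRET"; /* placeholder */
        }
    }
    login {
        /* Remote template account: used for users the server authenticates
           who have no local account and are not mapped to another template.
           Keep its class as restrictive as possible. */
        user remote {
            full-name "Remote template account";
            uid 9999;
            class read-only;
        }
        /* Local user template (hypothetical name "netops"): it has no
           authentication statement of its own. The server assigns users to it
           by returning this name (Juniper-Local-User-Name for RADIUS). They
           keep their own login name in the CLI but inherit this class and UID. */
        user netops {
            full-name "Network operations template";
            uid 9998;
            class operator;
        }
        /* Individually named local account (hypothetical): because "password"
           is in the authentication order, this account is verified against
           its configured password when the earlier methods do not match. */
        user emergency {
            full-name "Emergency local access";
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "PLACEHOLDER-HASH"; /* placeholder */
            }
        }
    }
}
```

Because every user mapped to a template shares its UID and file ownership, per-user accountability comes from the login name recorded at authentication, not from the effective user ID.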

For more information on RADIUS and TACACS+, see the JUNOS System Basics Configuration Guide.

 

