
Configuring the Authentication Order

Using the authentication-order statement, you can prioritize the order in which the JUNOS software tries the different authentication methods when verifying user access to a router.

To configure the authentication order, include the authentication-order statement at the [edit system] hierarchy level:

[edit system]
authentication-order [ authentication-methods ];

Specify one or more of the following authentication methods in the preferred order, from first tried to last tried:

For each login attempt, the JUNOS software tries the configured authentication methods in order until the password is accepted. If the username and password are accepted, the login attempt succeeds and no other authentication methods are tried. The next method in the authentication order is consulted if the previous authentication method fails to respond OR if the method returns a reject response to the login attempt due to an incorrect username or password.

If none of the configured authentication methods accept the login credentials and if a reject response is received, the login attempt fails. If no response is received from any configured authentication method, the JUNOS software consults local password authentication as a last resort.

Using RADIUS or TACACS+ Authentication

You can configure the JUNOS software to be a RADIUS authentication client, a TACACS+ authentication client, or both.

If an authentication method included in the authentication-order statement is not available, or if the method is available but returns a reject response, the JUNOS software tries the next authentication method included in the authentication-order statement.

The RADIUS or TACACS+ server authentication might fail (no response) for the following reasons:

The RADIUS or TACACS+ server authentication might return a reject response for the following reasons:

Using Local Password Authentication

You can explicitly configure the password authentication method or use this method as a fallback mechanism when remote authentication servers fail. The password authentication method consults the local user profiles configured at the [edit system login] hierarchy level. Users can log in to a router using their local user name and password in the following scenarios:

Order of Authentication Attempts

Table 16 describes how the authentication-order statement at the [edit system] hierarchy level determines the procedure that the JUNOS software uses to authenticate users for access to a routing platform:

Table 16: Order of Authentication Attempts

Syntax

Order of Authentication Attempts

authentication-order radius;

  1. Try configured RADIUS authentication servers.
  2. If a RADIUS server is available and authentication is accepted, grant access.
  3. If a RADIUS server is available but authentication is rejected, deny access.
  4. If no RADIUS server is available, try password authentication.

    Note: If a RADIUS server is available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ radius password ];

  1. Try configured RADIUS authentication servers.
  2. If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order [ radius tacplus ];

  1. Try configured RADIUS authentication servers.
  2. If a RADIUS server is available and authentication is accepted, grant access.
  3. If RADIUS servers fail to respond or return a reject response, try configured TACACS+ servers.
  4. If a TACACS+ server is available and authentication is accepted, grant access.
  5. If a TACACS+ server is available but authentication is rejected, deny access.
  6. If neither RADIUS nor TACACS+ servers are available, try password authentication.

    Note: If either RADIUS or TACACS+ servers are available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ radius tacplus password ];

  1. Try configured RADIUS authentication servers.
  2. If a RADIUS server is available and authentication is accepted, grant access.
  3. If RADIUS servers fail to respond or return a reject response, try configured TACACS+ servers.
  4. If a TACACS+ server is available and authentication is accepted, grant access.
  5. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order tacplus;

  1. Try configured TACACS+ authentication servers.
  2. If a TACACS+ server is available and authentication is accepted, grant access.
  3. If a TACACS+ server is available but authentication is rejected, deny access.
  4. If no TACACS+ server is available, try password authentication.

    Note: If a TACACS+ server is available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ tacplus password ];

  1. Try configured TACACS+ authentication servers.
  2. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order [ tacplus radius ];

  1. Try configured TACACS+ authentication servers.
  2. If a TACACS+ server is available and authentication is accepted, grant access.
  3. If TACACS+ servers fail to respond or return a reject response, try configured RADIUS servers.
  4. If a RADIUS server is available and authentication is accepted, grant access.
  5. If a RADIUS server is available but authentication is rejected, deny access.
  6. If neither TACACS+ nor RADIUS servers are available, try password authentication.

    Note: If either TACACS+ or RADIUS servers are available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ tacplus radius password ];

  1. Try configured TACACS+ authentication servers.
  2. If a TACACS+ server is available and authentication is accepted, grant access.
  3. If TACACS+ servers fail to respond or return a reject response, try configured RADIUS servers.
  4. If a RADIUS server is available and authentication is accepted, grant access.
  5. If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order password;

  1. Try to authenticate the user, using the password configured at the [edit system login] hierarchy level.
  2. If the authentication is accepted, grant access.
  3. If the authentication is rejected, deny access.

Note: If SSH public keys are configured, SSH user authentication first tries to perform public key authentication before using the authentication methods configured in the authentication-order statement. If you want SSH logins to use the authentication methods configured in the authentication-order statement without first trying to perform public key authentication, do not configure SSH public keys. For more information about loading SSH public keys, see Importing Host Key Information from a File.
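The rows of Table 16 all follow the same rule: a reject moves to the next configured method, no response also moves on, and local password authentication is consulted implicitly only when no configured method responded at all. The script below is an added example written for this page, not Juniper code and not the JUNOS implementation; it models that rule (plus the SSH public key note above) so the fallback behaviour of a given authentication-order can be checked before it is deployed. It assumes that the local password method always answers, and that a failed SSH public key attempt falls through to the configured order (the Note says keys are tried "before" the order, which this reading follows). The server responses are constructed inputs, not captured RADIUS or TACACS+ traffic. The operational point it makes visible is that with `authentication-order radius;` an unreachable RADIUS server silently opens the local password path, so local accounts still need strong passwords and RADIUS reachability is worth monitoring.

```python
# Added example (not from the JUNOS documentation): a model of the
# authentication-order fallback rules described in Table 16.
from typing import Dict, List, Optional, Tuple

# What a method reports for one login attempt:
#   "accept" / "reject"  - a server answered
#   None                 - no server responded (unreachable or timed out)
Response = Optional[str]


def authenticate(order: List[str],
                 responses: Dict[str, Response],
                 ssh_public_key: Response = None) -> Tuple[str, List[str]]:
    """Return ("grant" | "deny", trace) for one login attempt.

    order          - methods in the configured authentication-order, e.g. ["radius", "tacplus"]
    responses      - what each method answers for this attempt; the local "password"
                     method is assumed to always answer ("accept" or "reject")
    ssh_public_key - SSH logins only: "accept" if a configured key matched, "reject" if
                     keys are configured but did not match, None if no keys are
                     configured (assumption: a failed key attempt falls through to order)
    trace          - the methods actually consulted, in order
    """
    trace: List[str] = []

    # SSH public keys, when configured, are tried before the authentication order.
    if ssh_public_key is not None:
        trace.append("ssh-public-key")
        if ssh_public_key == "accept":
            return "grant", trace

    any_answered = False
    for method in order:
        trace.append(method)
        if method == "password":
            result = responses.get("password", "reject")  # local lookup always answers
        else:
            result = responses.get(method)
        if result is None:
            continue                      # no response: consult the next method
        any_answered = True
        if result == "accept":
            return "grant", trace         # accepted: no further methods are tried
        # "reject": also move on to the next configured method

    # Every configured method was consulted and none accepted the credentials.
    # Local password is the implicit last resort only when NO method responded
    # and password was not already part of the configured order.
    if not any_answered and "password" not in order:
        trace.append("password")
        if responses.get("password", "reject") == "accept":
            return "grant", trace
    return "deny", trace


def table16_rows() -> List[Tuple[str, str, str]]:
    """Re-run scenarios from Table 16 against constructed server responses."""
    scenarios = [
        # (configured order, constructed responses)
        (["radius"], {"radius": "reject", "password": "accept"}),            # reject -> deny
        (["radius"], {"radius": None, "password": "accept"}),                # unreachable -> password
        (["radius", "password"], {"radius": "reject", "password": "accept"}),
        (["radius", "tacplus"], {"radius": "reject", "tacplus": "accept"}),
        (["radius", "tacplus"], {"radius": None, "tacplus": "reject", "password": "accept"}),
        (["radius", "tacplus"], {"radius": None, "tacplus": None, "password": "accept"}),
        (["tacplus", "radius", "password"], {"tacplus": None, "radius": "reject", "password": "accept"}),
        (["password"], {"password": "reject"}),
    ]
    rows = []
    for order, responses in scenarios:
        decision, trace = authenticate(order, responses)
        rows.append((" ".join(order), decision, " -> ".join(trace)))
    return rows


if __name__ == "__main__":
    for syntax, decision, trace in table16_rows():
        print(f"authentication-order [ {syntax} ];  {decision:5}  via {trace}")
```

Running the script prints one line per scenario; the second row shows the implicit password fallback that the first row, with a reachable but rejecting RADIUS server, never reaches.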

Example: Removing an Order Set from the Authentication Order

Delete the radius statement from the authentication order:

[edit system]
user@host# delete authentication-order radius

Example: Inserting an Order Set in the Authentication Order

Insert the tacplus statement after the radius statement:

[edit system]
user@host# insert authentication-order tacplus after radius
