[Contents] [Prev] [Next] [Index] [Report an Error]

Order of Authentication Attempts

Table 16 describes how the authentication-order statement at the [edit system] hierarchy level determines the procedure that the JUNOS software uses to authenticate users for access to a routing platform:

Table 16: Order of Authentication Attempts

Syntax

Order of Authentication Attempts

authentication-order radius;

  1. Try configured RADIUS authentication servers.
  2. If RADIUS server is available and authentication is accepted, grant access.
  3. If RADIUS server is available but authentication is rejected, deny access.
  4. If RADIUS servers are not available, try password authentication.

    Note: If a RADIUS server is available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ radius password ];

  1. Try configured RADIUS authentication servers.
  2. If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order [ radius tacplus ];

  1. Try configured RADIUS authentication servers.
  2. If RADIUS server is available and authentication is accepted, grant access.
  3. If RADIUS servers fail to respond or return a reject response, try configured TACACS+ servers.
  4. If TACACS+ server is available and authentication is accepted, grant access.
  5. If TACACS+ server is available but authentication is rejected, deny access.
  6. If both RADIUS and TACACS+ servers are not available, try password authentication.

    Note: If either RADIUS or TACACS+ servers are available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ radius tacplus password ];

  1. Try configured RADIUS authentication servers.
  2. If RADIUS server is available and authentication is accepted, grant access.
  3. If RADIUS servers fail to respond or return a reject response, try configured TACACS+ servers.
  4. If TACACS+ server is available and authentication is accepted, grant access.
  5. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order tacplus;

  1. Try configured TACACS+ authentication servers.
  2. If TACACS+ server is available and authentication is accepted, grant access.
  3. If TACACS+ server is available but authentication is rejected, deny access.
  4. If TACACS+ servers are not available, try password authentication.

    Note: If a TACACS+ server is available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ tacplus password ];

  1. Try configured TACACS+ authentication servers.
  2. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

    authentication-order [ tacplus radius ];

    1. Try configured TACACS+ authentication servers.
    2. If TACACS+ server is available and authentication is accepted, grant access.
    3. If TACACS+ servers fail to respond or return a reject response try configured RADIUS servers.
    4. If RADIUS server is available and authentication is accepted, grant access.
    5. If RADIUS server is available but authentication is rejected, deny access.
    6. If both TACACS+ and RADIUS servers are not available, try password authentication.

      Note: If either TACACS+ or RADIUS servers are available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

    authentication-order [ tacplus radius password ];

    1. Try configured TACACS+ authentication servers.
    2. If TACACS+ server is available and authentication is accepted, grant access.
    3. If TACACS+ servers fail to respond or return a reject response try configured RADIUS servers.
    4. If RADIUS server is available and authentication is accepted, grant access.
    5. If RADIUS servers fail to respond or return a reject response try password authentication, because it is explicitly configured in the authentication order.

    authentication-order password;

    1. Try to authenticate the user, using the password configured at the [edit system login] hierarchy level.
    2. If the authentication is accepted, grant access.
    3. If the authentication is rejected, deny access.

    Note: If SSH public keys are configured, SSH user authentication first tries to perform public key authentication before using the authentication methods configured in the authentication-order statement. If you want SSH logins to use the authentication methods configured in the authentication-order statement without first trying to perform public key authentication, do not configure SSH public keys. For more information about loading SSH public keys, see Importing Host Key Information from a File.

    [Contents] [Prev] [Next] [Index] [Report an Error]

    Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice.