Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication

Using the authentication-order statement, you can prioritize the order in which the Junos OS tries the different authentication methods when verifying user access to a router or switch.

For each login attempt, the Junos OS tries the configured authentication methods in order until the password is accepted. If the username and password are accepted, the login attempt succeeds and no other authentication methods are tried. The next method in the authentication order is consulted if the previous authentication method fails to respond or if the method returns a reject response to the login attempt because of an incorrect username or password.

If none of the configured authentication methods accept the login credentials and if a reject response is received, the login attempt fails. If no response is received from any configured authentication method, the Junos OS consults local password authentication as a last resort.

Using RADIUS or TACACS+ Authentication

You can configure the Junos OS to be both a RADIUS and TACACS+ authentication client.

If an authentication method included in the [authentication-order] statement is not available, or if the authentication is available but returns a reject response, the Junos OS tries the next authentication method included in the authentication-order statement.

The RADIUS or TACACS+ server authentication might fail because of the following reasons:

The RADIUS or TACACS+ server authentication might return a reject response because of the following reasons:

Using Local Password Authentication

You can explicitly configure the password authentication method or use this method as a fallback mechanism when remote authentication servers fail. The password authentication method consults the local user profiles configured at the [edit system login] hierarchy level. Users can log in to a router or switch using their local username and password in the following scenarios:

Order of Authentication Attempts

Table 12 describes how the authentication-order statement at the [edit system] hierarchy level determines the procedure that the Junos OS uses to authenticate users for access to a router or switch:

Table 12: Order of Authentication Attempts

Syntax

Order of Authentication Attempts

authentication-order radius;

  1. Try configured RADIUS authentication servers.
  2. If RADIUS server is available and authentication is accepted, grant access.
  3. If RADIUS server is available but authentication is rejected, deny access.
  4. If RADIUS servers are not available, try password authentication.

    Note: If a RADIUS server is available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ radius password ];

  1. Try configured RADIUS authentication servers.
  2. If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order [ radius tacplus ];

  1. Try configured RADIUS authentication servers.
  2. If RADIUS server is available and authentication is accepted, grant access.
  3. If RADIUS servers fail to respond or return a reject response, try configured TACACS+ servers.
  4. If TACACS+ server is available and authentication is accepted, grant access.
  5. If TACACS+ server is available but authentication is rejected, deny access.
  6. If both RADIUS and TACACS+ servers are not available, try password authentication.

    Note: If either RADIUS or TACACS+ servers are available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ radius tacplus password ];

  1. Try configured RADIUS authentication servers.
  2. If RADIUS server is available and authentication is accepted, grant access.
  3. If RADIUS servers fail to respond or return a reject response, try configured TACACS+ servers.
  4. If TACACS+ server is available and authentication is accepted, grant access.
  5. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order tacplus;

  1. Try configured TACACS+ authentication servers.
  2. If TACACS+ server is available and authentication is accepted, grant access.
  3. If TACACS+ server is available but authentication is rejected, deny access.
  4. If TACACS+ servers are not available, try password authentication.

    Note: If a TACACS+ server is available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ tacplus password ];

  1. Try configured TACACS+ authentication servers.
  2. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order [ tacplus radius ];

  1. Try configured TACACS+ authentication servers.
  2. If TACACS+ server is available and authentication is accepted, grant access.
  3. If TACACS+ servers fail to respond or return a reject response, try configured RADIUS servers.
  4. If RADIUS server is available and authentication is accepted, grant access.
  5. If RADIUS server is available but authentication is rejected, deny access.
  6. If both TACACS+ and RADIUS servers are not available, try password authentication.

    Note: If either TACACS+ or RADIUS servers are available, password authentication is not attempted, because it is not explicitly configured in the authentication order.

authentication-order [ tacplus radius password ];

  1. Try configured TACACS+ authentication servers.
  2. If TACACS+ server is available and authentication is accepted, grant access.
  3. If TACACS+ servers fail to respond or return a reject response, try configured RADIUS servers.
  4. If RADIUS server is available and authentication is accepted, grant access.
  5. If RADIUS servers fail to respond or return a reject response try password authentication, because it is explicitly configured in the authentication order.

authentication-order password;

  1. Try to authenticate the user, using the password configured at the [edit system login] hierarchy level.
  2. If the authentication is accepted, grant access.
  3. If the authentication is rejected, deny access.

Note: If SSH public keys are configured, SSH user authentication first tries to perform public key authentication before using the authentication methods configured in the authentication-order statement. If you want SSH logins to use the authentication methods configured in the authentication-order statement without first trying to perform public key authentication, do not configure SSH public keys.

In a routing matrix based on a TX Matrix router or a TX Matrix Plus router, the authentication order must be configured only under the configuration groups re0 and re1. The authentication order must not be configured under the [edit system] hierarchy on the TX Matrix or TX Matrix Plus router. This is because the authentication order for the routing matrix is controlled on the switch-card chassis (or TX Matrix router) or switch-fabric chassis (or TX Matrix Plus router) only.

Related Topics

Copyright© 1999-2010 Juniper Networks, Inc. All rights reserved.