Technical Documentation

Configuring the JUNOS Software Authentication Order for RADIUS, TACACS+, and Local Password Authentication

Using the authentication-order statement, you can prioritize the order in which the JUNOS Software tries the different authentication methods when verifying user access to a router or switch.

To configure the authentication order, include the authentication-order statement at the [edit system] hierarchy level:

[edit system]
authentication-order [ authentication-methods ];

Specify one or more of the following authentication methods in the preferred order, from first tried to last tried:

  • radius—Verify the user using RADIUS authentication services.
  • tacplus—Verify the user using TACACS+ authentication services.
  • password—Verify the user using the username and password configured locally by including the authentication statement at the [edit system login user] hierarchy level.

The CHAP authentication sequence cannot take more than 30 seconds. If it takes longer to authenticate a client, the authentication is abandoned and a new sequence is initiated.

For example, if you configure three RADIUS servers so that the router or switch attempts to contact each server three times, and with each retry the server times out after 3 seconds, then the maximum time given to the RADIUS authentication method before CHAP considers it a failure is 27 seconds. If you add more RADIUS servers to this configuration, they might not be contacted because the authentication process might be abandoned before these servers are tried.

The JUNOS Software enforces a limit on the number of standing authentication server requests that the CHAP authentication can have at one time. Thus, an authentication server method—RADIUS, for example—might fail to authenticate a client when this limit is exceeded. If it fails, the authentication sequence is reinitiated by the router or switch until authentication succeeds and the link is brought up. However, if the RADIUS servers are not available and if additional authentication methods such as tacplus or password are configured along with radius, the next authentication method is tried.
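The timing budget above is easy to get wrong when servers are added later. The following helper, an added example that is not part of the JUNOS documentation, checks an authentication-order list against the 30-second CHAP limit and reports how many RADIUS servers can actually be contacted; the function names and the assumption that a retry cycle ending exactly at 30 seconds still fits are the author's own.

```python
"""Sanity checks for a JUNOS authentication-order configuration.

Based on the behaviour described in the text: the CHAP authentication
sequence cannot take more than 30 seconds, so RADIUS servers whose retry
cycle falls outside that budget may never be contacted.
"""

VALID_METHODS = ("radius", "tacplus", "password")
CHAP_LIMIT_SECONDS = 30  # limit stated in the text


def radius_method_time(servers, retries, timeout):
    """Worst-case seconds spent on the RADIUS method when no server answers."""
    return servers * retries * timeout


def servers_tried_within_limit(servers, retries, timeout, limit=CHAP_LIMIT_SECONDS):
    """Number of configured servers whose full retry cycle completes within `limit`.

    Assumption: a cycle that ends exactly at the limit still counts as tried.
    """
    per_server = retries * timeout
    if per_server <= 0:
        raise ValueError("retries and timeout must be positive")
    return min(servers, limit // per_server)


def check_authentication_order(order, servers, retries, timeout):
    """Return a list of warnings for an order such as ["radius", "password"].

    `servers`, `retries` and `timeout` describe the RADIUS server configuration
    (server count, attempts per server, seconds per attempt).
    """
    warnings = []
    for method in order:
        if method not in VALID_METHODS:
            warnings.append(f"unknown method {method!r}; valid methods: {', '.join(VALID_METHODS)}")
    if len(set(order)) != len(order):
        warnings.append("duplicate method in authentication-order")
    if "radius" in order:
        worst = radius_method_time(servers, retries, timeout)
        tried = servers_tried_within_limit(servers, retries, timeout)
        if tried < servers:
            warnings.append(
                f"RADIUS worst case is {worst}s, over the {CHAP_LIMIT_SECONDS}s CHAP limit; "
                f"only {tried} of {servers} servers will be contacted"
            )
    return warnings


if __name__ == "__main__":
    # Constructed configuration: 4 servers, 3 tries each, 3-second timeout.
    for w in check_authentication_order(["radius", "password"], servers=4, retries=3, timeout=3):
        print("WARNING:", w)
```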

The following example shows how to configure radius and password authentication:

[edit system]
authentication-order [ radius password ];

The following example shows how to delete the radius statement from the authentication order:

[edit system]
user@host# delete authentication-order radius

The following example shows how to insert the tacplus statement after the radius statement:

[edit system]
user@host# insert authentication-order tacplus after radius

Note: You can also configure the authentication order by including the authentication-order statement at the [edit access profile profile-name] hierarchy level:

[edit access profile profile-name]
authentication-order [ authentication-methods ];

  • For the Layer 2 Tunneling Protocol (L2TP), RADIUS authentication servers are configured at the [edit access radius-server] hierarchy level.
  • When you configure the authentication methods for L2TP, only the first configured authentication method is used.

Published: 2010-04-26