Authentication Order for LDAPS, RADIUS, TACACS+, and Local Password

Junos OS supports different methods such as local password authentication, LDAPS, RADIUS, and TACACS+ to control access to the network. Starting in Junos OS Release 20.2R1, we introduce LDAPS support for user login with TLS security between the LDAPS client and the LDAPS server. Authentication methods are used for validating users who attempt to access the router or switch using Telnet. You can prioritize the methods to configure the order in which Junos OS tries the different authentication methods when verifying user access to a router or switch or security device. For more information, read this topic.

Determine the Authentication Order for LDAPS, RADIUS, TACACS+, and Password Authentication

Using the authentication-order statement, you can prioritize the order in which Junos OS tries the different authentication methods when verifying user access to a router or switch.

If LDAP, RADIUS, and/or TACACS+ servers are configured in the authentication order but none of them responds to a request, Junos OS always defaults to trying local password authentication as a last resort. If the authentication order is set to authentication-order password, that is the only authentication method attempted.

Note:

It is not possible, and would make no sense, to configure local password authentication ahead of LDAPS, RADIUS, or TACACS+ in the order, because a “no response” outcome cannot happen for local authentication: a local authentication request is always either accepted or rejected.

The handling of a rejected authentication request when LDAPS, RADIUS, or TACACS+ are present is more complicated.

  • In Junos OS, if password (local password authentication) is not in the authentication order and LDAPS, RADIUS and/or TACACS+ rejects the authentication, the request ends with the rejection.

  • In Junos OS Evolved, if password (local password authentication) is not in the authentication order and RADIUS and/or TACACS+ rejects the authentication, Junos OS Evolved still tries for a local authentication check.

  • If password is included at the end of the authentication order and RADIUS and/or TACACS+ rejects the authentication, both Junos OS and Junos OS Evolved try a local authentication check.

In other words, including password as the final option in the authentication order is the means by which you choose whether an LDAPS, RADIUS, and/or TACACS+ rejection ends there or whether the request is given one last chance to authenticate locally.

Using LDAPS, RADIUS, and TACACS+ Authentication

You can configure Junos OS to be an LDAPS, RADIUS, and/or TACACS+ authentication client.

If an authentication method included in the authentication-order statement is not available, or if the method is available but returns a reject response, Junos OS tries the next authentication method included in the authentication-order statement.

LDAP, RADIUS, or TACACS+ server authentication might fail for the following reasons:

  • The authentication method is configured, but the corresponding authentication servers are not configured. For instance, the RADIUS and TACACS+ authentication methods are included in the authentication-order statement, but the corresponding RADIUS or TACACS+ servers are not configured at the respective [edit system radius-server] and [edit system tacplus-server] hierarchy levels.

  • The RADIUS or TACACS+ server does not respond within the timeout period configured at the [edit system radius-server] or [edit system tacplus-server] hierarchy levels.

  • The RADIUS or TACACS+ server is not reachable because of a network problem.

RADIUS, TACACS+, or LDAPS server authentication might return a reject response for the following reasons:

  • The user profiles of users accessing a router or switch might not be configured on the RADIUS, TACACS+, or LDAP server.

  • The user enters incorrect logon credentials.

How to Use Local Password Authentication

You can explicitly configure the password authentication method or use this method as a fallback mechanism when remote authentication servers fail. The password authentication method consults the local user profiles configured at the [edit system login] hierarchy level. Users can log in to a router or switch using their local username and password in the following scenarios:

  • The password authentication method (password) is explicitly configured as one of the authentication methods in the [authentication-order authentication-methods] statement. In this case, the password authentication method is tried if no previous authentication accepts the logon credentials. This is true whether the previous authentication method fails to respond or returns a reject response because of an incorrect username or password.

  • The password authentication method is not explicitly configured as one of the authentication methods in the authentication-order authentication-methods statement. In Junos OS, the password authentication method is tried only if all configured authentication methods fail to respond. It is not consulted if any configured authentication method returns a reject response because of an incorrect username or password. In Junos OS Evolved, the password authentication method is still tried.

Order of Authentication Attempts

Table 1 describes how the authentication-order statement at the [edit system] hierarchy level determines the procedure that Junos OS uses to authenticate users for access to a device.

Table 1: Order of Authentication Attempts

Syntax

Order of Authentication Attempts

authentication-order radius;

  1. Try configured RADIUS authentication servers.

  2. If RADIUS server is available and authentication is accepted, grant access.

  3. On Junos OS: If RADIUS server is available but authentication is rejected, deny access.

    On Junos OS Evolved: If RADIUS server is available but authentication is rejected, try password authentication.

  4. If RADIUS servers are not available, try password authentication.

authentication-order [ radius password ];

  1. Try configured RADIUS authentication servers.

  2. If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order [ radius ldaps ];

  1. Try configured RADIUS authentication servers.

  2. If a RADIUS server is available and authentication is accepted, grant access.

  3. If RADIUS servers fail to respond or return a reject response, try configured LDAP servers.

  4. If an LDAP server is available and authentication is accepted, grant access.

  5. If LDAP server is available but authentication is rejected, deny access.

  6. If both RADIUS and LDAP servers are not available, try password authentication.

authentication-order [ radius tacplus ];

  1. Try configured RADIUS authentication servers.

  2. If RADIUS server is available and authentication is accepted, grant access.

  3. If RADIUS servers fail to respond or return a reject response, try configured TACACS+ servers.

  4. If TACACS+ server is available and authentication is accepted, grant access.

  5. On Junos OS: If TACACS+ server is available but authentication is rejected, deny access.

    On Junos OS Evolved: If TACACS+ server is available but authentication is rejected, try password authentication.

  6. If both RADIUS and TACACS+ servers are not available, try password authentication.

authentication-order [ radius tacplus password ];

  1. Try configured RADIUS authentication servers.

  2. If RADIUS server is available and authentication is accepted, grant access.

  3. If RADIUS servers fail to respond or return a reject response, try configured TACACS+ servers.

  4. If TACACS+ server is available and authentication is accepted, grant access.

  5. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order tacplus;

  1. Try configured TACACS+ authentication servers.

  2. If TACACS+ server is available and authentication is accepted, grant access.

  3. On Junos OS: If TACACS+ server is available but authentication is rejected, deny access.

    On Junos OS Evolved: If TACACS+ server is available but authentication is rejected, try password authentication.

  4. If TACACS+ servers are not available, try password authentication.

authentication-order [ tacplus password ];

  1. Try configured TACACS+ authentication servers.

  2. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order [ tacplus radius ];

  1. Try configured TACACS+ authentication servers.

  2. If TACACS+ server is available and authentication is accepted, grant access.

  3. If TACACS+ servers fail to respond or return a reject response, try configured RADIUS servers.

  4. If RADIUS server is available and authentication is accepted, grant access.

  5. On Junos OS: If RADIUS server is available but authentication is rejected, deny access.

    On Junos OS Evolved: If RADIUS server is available but authentication is rejected, try password authentication.

  6. If both TACACS+ and RADIUS servers are not available, try password authentication.

authentication-order [ tacplus ldaps ];

  1. Try configured TACACS+ authentication servers.

  2. If a TACACS+ server is available and authentication is accepted, grant access.

  3. If TACACS+ servers fail to respond or return a reject response, try configured LDAP servers.

  4. If LDAP server is available and authentication is accepted, grant access.

  5. If LDAP server is available but authentication is rejected, deny access.

  6. If both TACACS+ and LDAP servers are not available, try password authentication.

authentication-order [ tacplus radius password ];

  1. Try configured TACACS+ authentication servers.

  2. If TACACS+ server is available and authentication is accepted, grant access.

  3. If TACACS+ servers fail to respond or return a reject response, try configured RADIUS servers.

  4. If RADIUS server is available and authentication is accepted, grant access.

  5. If RADIUS servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order [ radius tacplus ldaps password ];

  1. Try configured TACACS+ authentication servers.

  2. If a TACACS+ server is available and authentication is accepted, grant access.

  3. If TACACS+ servers fail to respond or return a reject response, try configured RADIUS servers.

  4. If RADIUS server is available and authentication is accepted, grant access.

  5. If RADIUS servers fail to respond or return a reject response, try configured LDAP servers.

  6. If LDAP server is available and authentication is accepted, grant access.

  7. If LDAP servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order password;

  1. Try to authenticate the user using the password configured at the [edit system login] hierarchy level.

  2. If the authentication is accepted, grant access.

  3. If the authentication is rejected, deny access.

authentication-order ldaps;

  1. Try configured LDAP authentication servers.

  2. If LDAP server is available and authentication is accepted, grant access.

  3. If LDAP server is available but authentication is rejected, deny access.

  4. If LDAP servers are not available, try password authentication.

authentication-order [ ldaps password ];

  1. Try configured LDAP authentication servers.

  2. If LDAP servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

authentication-order [ ldaps tacplus ];

  1. Try configured LDAP authentication servers.

  2. If an LDAP server is available and authentication is accepted, grant access.

  3. If LDAP servers fail to respond or return a reject response, try configured TACACS+ servers.

  4. If a TACACS+ server is available and authentication is accepted, grant access.

  5. On Junos OS: If TACACS+ server is available but authentication is rejected, deny access.

    On Junos OS Evolved: If TACACS+ server is available but authentication is rejected, try password authentication.

  6. If both LDAP and TACACS+ servers are not available, try password authentication.

authentication-order [ ldaps tacplus password ];

  1. Try configured LDAP authentication servers.

  2. If an LDAP server is available and authentication is accepted, grant access.

  3. If LDAP servers fail to respond or return a reject response, try configured TACACS+ servers.

  4. If a TACACS+ server is available and authentication is accepted, grant access.

  5. If TACACS+ servers fail to respond or return a reject response, try password authentication, because it is explicitly configured in the authentication order.

Note:

If SSH public keys are configured, SSH user authentication first tries to perform public key authentication before using the authentication methods configured in the authentication-order statement. If you want SSH logins to use the authentication methods configured in the authentication-order statement without first trying to perform public key authentication, do not configure SSH public keys.

In a routing matrix based on a TX Matrix router, the authentication order must be configured only at the configuration groups re0 and re1. The authentication order must not be configured at the [edit system] hierarchy. This is because the authentication order for the routing matrix is controlled on the switch-card chassis (or TX Matrix router) or switch-fabric chassis (for TX Matrix Plus router) only.

In Junos OS Release 10.0 and later, the superuser (belonging to the super-user login class) is also authenticated based on the authentication order that is configured for TACACS+, RADIUS, or password authentication using the authentication-order statement. For example, if the only configured authentication order is TACACS+, the superuser can only be authenticated by the TACACS+ server, and password authentication cannot be used as an alternative. However, in Junos OS Release 9.6 and earlier, the superuser can use password authentication to log in, even if password authentication is not configured explicitly using the authentication-order statement.

Configure the Authentication Order for LDAPS, RADIUS, TACACS+ and Local Password Authentication

Using the authentication-order statement, you can prioritize the order in which Junos OS tries the different authentication methods when verifying user access to a router or switch. If you do not set an authentication order, by default users are verified based on their configured passwords.

When configuring a password using plain text and relying on Junos OS to encrypt it, you are still sending the password over the Internet in plain text. Using pre-encrypted passwords is more secure because it means that the plain text of the password never has to be sent over the internet. Also, with passwords, only one user can be assigned to a password at a time.

On the other hand, LDAPS, RADIUS, and TACACS+ encrypt passwords. These authentication methods let you assign a set of users at a time instead of one by one. Here is how these authentication systems differ:

  • RADIUS uses UDP, while TACACS+ and LDAPS use TCP.

  • RADIUS encrypts only the password during transmission, whereas TACACS+ and LDAPS encrypt the entire session.

  • RADIUS and LDAPS combine authentication (device) and authorization (user), whereas TACACS+ separates authentication, authorization, and accounting.

In short, TACACS+ is more secure than RADIUS. However, RADIUS has better performance and is more interoperable. RADIUS is widely supported, whereas TACACS+ is a Cisco proprietary product and not widely supported outside of Cisco.

LDAPS is more secure than RADIUS and TACACS+ because it relies on a private key mechanism instead of the shared key used by RADIUS and TACACS+. The TLS protocol secures the transmission of data between the LDAP client and the LDAP server.

You can configure the authentication order based on your system, its restrictions, and your IT policy and operational preferences.

To configure the authentication order, include the authentication-order statement at the [edit system] hierarchy level:

For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.

The following are the possible authentication order entry options:

  • radius—Verify the user using RADIUS authentication servers.

  • tacplus—Verify the user using TACACS+ authentication servers.

  • ldaps—Verify the user using LDAPS authentication servers.

  • password—Verify the user using the username and password configured locally by including the authentication statement at the [edit system login user] hierarchy level.

For details on how to order these authentication methods, see Determine the Authentication Order for LDAPS, RADIUS, TACACS+, and Password Authentication.

The CHAP authentication sequence cannot take more than 30 seconds. If it takes longer to authenticate a client, the authentication is abandoned and a new sequence is initiated.

For example, if you configure three RADIUS servers so that the router or switch attempts to contact each server three times, and with each retry the server times out after 3 seconds, then the maximum time given to the RADIUS authentication method before CHAP considers it a failure is 27 seconds. If you add more RADIUS servers to this configuration, they might not be contacted because the authentication process might be abandoned before these servers are tried.

Junos OS enforces a limit on the number of standing authentication server requests that the CHAP authentication can have at one time. Thus, an authentication server method—RADIUS, for example—might fail to authenticate a client when this limit is exceeded. If it fails, the authentication sequence is reinitiated by the router or switch until authentication succeeds and the link is brought up. However, if the RADIUS servers are not available and if additional authentication methods such as tacplus or password are configured along with radius, the next authentication method is tried.
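The following set commands are an added illustration, not configuration taken from this page, of the RADIUS timing described above: three RADIUS servers, each contacted up to three times with a 3-second timeout, which gives the 27-second worst case before CHAP treats the method as failed. The server addresses and shared secrets are placeholders, and the lines beginning with # are explanatory comments to omit when pasting into the CLI.

```junos
# Added example, not the page's own configuration.
# Three RADIUS servers, 3 attempts each, 3-second timeout per attempt:
# worst case before the RADIUS method is considered failed is 3 x 3 x 3 = 27 s,
# which stays inside the 30-second CHAP limit.
set system radius-server 192.0.2.11 secret "<shared-secret-1>"
set system radius-server 192.0.2.11 timeout 3
set system radius-server 192.0.2.11 retry 3
set system radius-server 192.0.2.12 secret "<shared-secret-2>"
set system radius-server 192.0.2.12 timeout 3
set system radius-server 192.0.2.12 retry 3
set system radius-server 192.0.2.13 secret "<shared-secret-3>"
set system radius-server 192.0.2.13 timeout 3
set system radius-server 192.0.2.13 retry 3
# A fourth server with the same settings would push the worst case to 36 s,
# so it might never be contacted before the sequence is abandoned at 30 s.
# With tacplus and password also in the order, an unreachable RADIUS set
# falls through to the next method instead of failing the login outright.
set system authentication-order [ radius tacplus password ]
```

Keep the product of servers, retries and timeout below the 30-second limit rather than adding servers; a server that is never tried adds nothing to availability.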

The following example shows how to configure radius and password authentication:

The following example shows how to delete the radius statement from the authentication order:

The following example shows how to insert the tacplus statement after the radius statement:

The following example shows how to insert the ldaps statement after the radius statement:
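The four examples referred to above (configure radius and password, delete radius, insert tacplus after radius, insert ldaps after radius) are shown here as one added, sequential CLI illustration; it is not the page's own output. Each command is entered at the [edit] hierarchy level, and the comment after each command shows what show system authentication-order displays afterwards. The # lines are explanatory and should be omitted when pasting.

```junos
# Added example, not the page's own configuration. Enter at [edit].

# Start with RADIUS first and the local password as the explicit last resort.
set system authentication-order [ radius password ]
# show system authentication-order  ->  authentication-order [ radius password ];

# Insert TACACS+ directly after RADIUS; the rest of the list is unchanged.
insert system authentication-order tacplus after radius
# ->  authentication-order [ radius tacplus password ];

# Insert LDAPS directly after RADIUS; tacplus and password shift right.
insert system authentication-order ldaps after radius
# ->  authentication-order [ radius ldaps tacplus password ];

# Remove RADIUS from the order entirely.
delete system authentication-order radius
# ->  authentication-order [ ldaps tacplus ];   (see note below)

# Removing the explicit local fallback changes the failure behaviour: on
# Junos OS a reject from LDAPS or TACACS+ is then final, and local accounts
# are consulted only when no remote server responds at all.
delete system authentication-order password
# ->  authentication-order [ ldaps tacplus ];

commit
```

Note that after the radius deletion and before the password deletion the order is [ ldaps tacplus password ]; the two deletions are shown separately so that the effect of dropping password on its own is visible. Use insert rather than delete-and-set when you only want to reposition a method: set appends to the end of the list, so re-adding a deleted method would silently move it behind the local password.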

Example: Configure Authentication Order

This example shows how to configure authentication order for user login.

Requirements

Before you begin, perform the initial device configuration. See the Getting Started Guide for your device.

Overview

You can configure the authentication methods that the device uses to verify that a user can gain access. For each login attempt, the device tries the authentication methods in order, starting with the first one, until the password matches. If you do not configure system authentication, users are verified based on their configured local passwords.

This example configures the device to attempt user authentication with the local password first, then with the LDAP server, RADIUS server, and finally with the TACACS+ server.

When you use local password authentication, you must create a local user account for every user who wants to access the system. However, when you are using LDAPS, RADIUS, or TACACS+ authentication, you can create single accounts (for authorization purposes) that are shared by a set of users. You create these accounts using the remote and local user template accounts. When a user is using a template account, the command-line interface (CLI) username is the login name; however, the privileges, file ownership, and effective user ID are inherited from the template account.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

GUI Quick Configuration
Step-by-Step Procedure

To configure authentication order:

  1. In the J-Web user interface, select Configure>System Properties>User Management.

  2. Click Edit. The Edit User Management dialog box appears.

  3. Select the Authentication Method and Order tab.

  4. Under Available Methods, select the authentication method the device should use to authenticate users, and use the arrow button to move the item to the Selected Methods list. Available methods include:

    • RADIUS

    • TACACS+

    • Local Password

    If you want to use multiple methods to authenticate users, repeat this step to add the additional methods to the Selected Methods list.

  5. Under Selected Methods, use the Up Arrow and Down Arrow to specify the order in which the device should execute the authentication methods.

  6. Click OK to check your configuration and save it as a candidate configuration.

  7. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure authentication order:

  1. Add LDAPS authentication to the authentication order.

  2. Add RADIUS authentication to the authentication order.

  3. Add TACACS+ authentication to the authentication order.
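As an added example (not the page's own quick-configuration text), the following set commands carry out the three steps above on top of a local-password-first order, as the Overview describes, together with one server per remote method and the remote template account that the note following the Results section requires. The addresses, the TLS peer name, the CA certificate path, the shared secrets, and the remote template's class and UID are placeholders or constructed values; the ldap-server and ldap-options statements are written as understood from the LDAPS statement hierarchy and should be checked against the statement summary for your release.

```junos
# Added example, not the page's own quick configuration.
# Paste at [edit] without the '#' lines, then enter commit.

# Local password first (as in the Overview); each further 'set' appends a method.
set system authentication-order password
# Steps 1-3: LDAPS, then RADIUS, then TACACS+.
set system authentication-order ldaps
set system authentication-order radius
set system authentication-order tacplus
# show system authentication-order  ->  authentication-order [ password ldaps radius tacplus ];

# At least one server per remote method (addresses and secrets are placeholders).
# LDAPS on TCP/636 with the server certificate validated against a local CA file.
set system ldap-server 192.0.2.30 port 636
set system ldap-server 192.0.2.30 tls-type ldaps
set system ldap-server 192.0.2.30 tls-peer-name ldap.example.net
set system ldap-server 192.0.2.30 tls-ca-cert /var/tmp/example-ca.pem
set system ldap-options base-distinguished-name dc=example,dc=net
set system radius-server 192.0.2.10 secret "<radius-shared-secret>"
set system tacplus-server 192.0.2.20 secret "<tacplus-shared-secret>"

# Default template for remotely authenticated users with no local account
# (class and UID are chosen for this example).
set system login user remote uid 9999
set system login user remote class read-only
```

Because password is first in this order, a locally configured account is accepted or rejected before any remote server is consulted; put password last instead if remote servers are meant to be authoritative and local accounts only a fallback.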

Results

From configuration mode, confirm your configuration by entering the show system authentication-order command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Note:

To completely set up LDAPS, RADIUS, or TACACS+ authentication, you must configure at least one LDAP, RADIUS, or TACACS+ server and create user template accounts. Do one of the following tasks:

Verification

Confirm that the configuration is working properly.

Verify the Authentication Order Configuration

Purpose

Verify that the authentication order has been configured.

Action

From operational mode, enter the show system authentication-order command.

Example: Configure System Authentication for LDAPS, RADIUS, TACACS+, and Password Authentication

The following example shows how to configure system authentication for LDAPS, RADIUS, TACACS+, and password authentication on a device running Junos OS.

In this example, only the user Philip and users authenticated by a remote LDAP server can log in. If a user logs in and is not authenticated by the LDAP server, the user is denied access to the router or switch. If the LDAP server is not available, the user is authenticated using the password authentication method and allowed access to the router or switch. For more information about the password authentication method, see Determine the Authentication Order for LDAPS, RADIUS, TACACS+, and Password Authentication.

When Philip tries to log in to the system, if the LDAP server authenticates him, he is given access and privileges for the super-user class. Local accounts are not configured for other users. When they log in to the system and the LDAP server authenticates them, they are given access using the same user ID (UID) 9999 and the privileges associated with the operator class.

Note:

For authorization purposes, you can use a template account to create a single account that can be shared by a set of users at the same time. For example, when you create a remote template account, a set of remote users can concurrently share a single UID. For more information about template accounts, see Example: Configure Authentication Order.

When a user logs in to a device, the user’s login name is used by the LDAP, RADIUS, or TACACS+ server for authentication. If the user is authenticated successfully by the authentication server and the user is not configured at the [edit system login user] hierarchy level, the device uses the default remote template user account for the user, provided a remote template account is configured at the [edit system login user remote] hierarchy level. The remote template account serves as a default template user account for all users that are authenticated by the authentication server but do not have a locally configured user account on the device. Such users share the same login class and UID.

To configure an alternate template user, specify the user-name parameter returned in the LDAPS authentication response packet. Not all LDAP servers allow you to change this parameter. The following shows a sample Junos OS configuration:

Assume your LDAP server is configured with the following information:

  • User Philip with password “olympia”

  • User Alexander with password “bucephalus” and username “operator”

  • User Darius with password “redhead” and username “operator”

  • User Roxane with password “athena”

Philip would be given access as a superuser (super-user) because he has his own local user account. Alexander and Darius share UID 9990 and have access as operators. Roxane has no template-user override, so she shares access with all the other remote users, getting read-only access.
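The sample configuration this scenario refers to is not reproduced on the page; the following set commands are an added reconstruction consistent with the description above (Philip with his own super-user account, an operator template with UID 9990 shared by Alexander and Darius, and a read-only remote template shared by everyone else, including Roxane). Philip's UID and password hash and the remote template's UID 9999 are constructed values, and the LDAP server definition is omitted.

```junos
# Added reconstruction, not the page's own configuration.
# LDAPS is tried first; local passwords are consulted only if no LDAP server responds.
set system authentication-order [ ldaps password ]

# Philip has his own local account, so he keeps super-user privileges even
# though the LDAP server does the authenticating. The hash is a placeholder.
set system login user philip uid 1001
set system login user philip class super-user
set system login user philip authentication encrypted-password "<hashed-password>"

# Template for users whose LDAP response carries username "operator"
# (Alexander and Darius): they share UID 9990 and the operator class.
set system login user operator uid 9990
set system login user operator class operator

# Default template for every other remotely authenticated user without a
# local account (Roxane): shared UID, read-only class.
set system login user remote uid 9999
set system login user remote class read-only

# Neither template has an authentication statement, so the template names
# cannot be used as local logins through the password method; they only
# supply class, UID and file ownership to users the LDAP server has accepted.
```

When auditing such a setup, check that the template returned by the server cannot escalate beyond what the local class grants: the server decides who is authenticated, but the local template decides what they may do.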

Release History Table

Release: 20.2R1
Description: Starting in Junos OS Release 20.2R1, we introduce LDAPS support for user login with TLS security between the LDAPS client and the LDAPS server.