Setting the Login Authentication Methods
Problem
You want to use a RADIUS or TACACS+ server to authenticate user logins to the router, and you want to specify a backup login authentication method in case the primary method is unavailable.
Solution
Use the following command to set RADIUS as the primary authentication method and the user accounts configured on the local router as the backup method:
[edit] aviva@router1# set system authentication-order [ radius password ]
If you are using TACACS+, you can set up something similar:
[edit] aviva@router1# set system authentication-order [ tacplus password ]
Discussion
When users log in to the router, the JUNOS software can authenticate the username and password against an account that is configured locally in the router configuration file or against an account that is configured on a remote RADIUS or TACACS+ server.
There are a number of methods to authenticate users attempting to log in to the router. The default method is to use the username and password configured on the router and to try no other method if the authentication fails. This method is the equivalent of using the set system authentication-order password command with no options. You should always configure passwords in the configuration file for at least a few users so someone can always log in to the router (see Recipe 2.8).
To have the router use a RADIUS or TACACS+ server as the primary user authentication method, you must change the order in which the JUNOS software tries different authentication methods. The first command in the recipe configures RADIUS to be the primary user authentication method, and the second command configures TACACS+ as the primary method. Both commands set the user account configured on the router (password) as the backup authentication method. Providing a backup method means that users will always be able to log in to the router if there are problems with the RADIUS or TACACS+ server. (Recipes 2.12 and 2.13 describe how to configure RADIUS and TACACS+ user authentication.)
With the configuration in this recipe, when a user tries to log in to the router, the router first checks the username and password against the RADIUS or TACACS+ server. If they match, the user is authenticated and the router logs her in. If the remote authentication fails, the router checks its local configuration. If the user has a local account and the password matches, the user is logged in. If there is no match in either place, the user is denied access to the router.
A slight twist on this recipe is to use only a single authentication method, specifying just a remote one. The following command uses only RADIUS authentication:
[edit] aviva@router1# set system authentication-order radius
This configuration allows users to log in to the router only if the RADIUS server has an account for them and only if the RADIUS server is up. This means that as long as the RADIUS server is up, users not listed in the RADIUS database won't be able to log in to the router even if there is a configured account for them on the router. However, if the RADIUS server fails or becomes unreachable, the JUNOS software authenticates the users locally. If you configure multiple RADIUS servers, the software checks for locally configured user accounts only after all the servers fail.
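The decision logic described above, as an added example that models it in Python (not JUNOS code): each RADIUS or TACACS+ server is represented by a constructed function that answers "accept", "reject", or "unreachable", and the function applies the configured authentication-order the way the Discussion describes, including the local fallback that applies only when every remote server is down. The server functions, usernames, and passwords are constructed for illustration.

```python
"""Model of the JUNOS login decision described in this recipe (added example, not JUNOS code).

A remote server is modelled as a function (user, password) -> "accept" | "reject" | "unreachable".
"""
from typing import Callable, Dict, List

Server = Callable[[str, str], str]


def remote_auth(servers: List[Server], user: str, password: str) -> str:
    """Ask each server in turn; the first reachable answer wins."""
    for server in servers:
        reply = server(user, password)
        if reply != "unreachable":
            return reply
    return "unreachable"  # every server failed


def login_allowed(order: List[str], servers: Dict[str, List[Server]],
                  local_accounts: Dict[str, str], user: str, password: str) -> bool:
    """Apply 'set system authentication-order <order>' to one login attempt."""
    any_remote_reachable = False
    for method in order:
        if method == "password":
            return local_accounts.get(user) == password  # local accounts decide
        reply = remote_auth(servers.get(method, []), user, password)
        if reply == "accept":
            return True
        if reply == "reject":
            any_remote_reachable = True  # a live server said no; keep trying the order
    # No listed method accepted. Only if no remote server could be reached at all
    # does the router fall back to local accounts when "password" is not listed.
    if not any_remote_reachable:
        return local_accounts.get(user) == password
    return False


# Constructed servers and accounts for the scenarios in the Discussion.
def radius_up(user: str, password: str) -> str:
    return "accept" if (user, password) == ("aviva", "r4d1us") else "reject"


def radius_down(user: str, password: str) -> str:
    return "unreachable"


LOCAL = {"admin": "l0cal"}  # constructed local account
```

With order `["radius"]`, a locally configured user is refused while a RADIUS server is reachable, but admitted once every server is unreachable; with `["radius", "password"]`, the local account is consulted after any RADIUS failure.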
Make sure you configure user accounts and assign passwords in the JUNOS configuration for some users (see Recipe 2.5) so that login access to the router will be possible if the RADIUS or TACACS+ servers fail.
See Also
Recipes 2.5, 2.8, 2.12, and 2.13