Junos OS

Hi everyone

I want my MX5 to do this:

When somebody access MX5 over SSH and provide root credentials , it should consult TACPLUS, if no reply is received or Reject is received from TACPLUS, it should then check local database to authenticate.

How can I do that on MX5?

Brocade and Cisco:

If configured to check TACPLUS then local database.

If reject is received from TACPLUS, local router does not consult LOCAL DATABASE even if it configured to do so, in order for local database to be consulted, TACPLUS should not be reachable.

Not sure if we have the similar behavior on Juniper MX5.

Thanks and have a nice day!!!

Both of the requirements mentioned in the question are possible using knob named "authentication-order"

See a following knob

lab@VMX-R5# set system authentication-order ?
Possible completions:
[ Open a set of values
password Traditional password authentication
radius Remote Authentication Dial-In User Service
tacplus TACACS+ authentication services

You need to configure authentication order and methods in acheiving your desired results.

The handling of a rejected authentication request when RADIUS or TACACS+ are present is more complicated.

• If password (local password authentication) is not in the authentication order statement, a RADIUS and/or TACACS+ rejection ends with the rejection. (i.e. set system authentication-order [radius tacacs]
• If password is included at the end of the authentication order and RADIUS and/or TACACS+ rejects the authentication, the Junos OS tries for a local authentication check. (i.e. set system authentication-order [radius password]

In other words, including password as a final authentication order option is a means by which you can choose whether a RADIUS and/or TACACS+ rejection ends there or if the request is to be given one last chance for authentication locally.

Refer KB fyr.

https://www.juniper.net/documentation/en_US/junos/topics/concept/authentication-order-authentication-methods-overview.html