Junos OS


Manipulating authentication order on MX5

  • 1.  Manipulating authentication order on MX5

    Posted 11-08-2017 09:35

    Hi everyone



    I want my MX5 to do this:

    When somebody accesses the MX5 over SSH and provides root credentials, it should consult TACPLUS; if no reply is received or a Reject is received from TACPLUS, it should then check the local database to authenticate.

    How can I do that on MX5?


    Brocade and Cisco:

    If configured to check TACPLUS then local database.

    If a reject is received from TACPLUS, the local router does not consult the LOCAL DATABASE even if it is configured to do so; in order for the local database to be consulted, TACPLUS should not be reachable.

    Not sure if we have similar behavior on the Juniper MX5.




    Thanks and have a nice day!!!


  • 2.  RE: Manipulating authentication order on MX5
    Best Answer

    Posted 11-08-2017 09:58

    Both of the requirements mentioned in the question are possible using the knob named "authentication-order".


    See the following knob:

    lab@VMX-R5# set system authentication-order ?
    Possible completions:
      [                    Open a set of values
      password             Traditional password authentication
      radius               Remote Authentication Dial-In User Service
      tacplus              TACACS+ authentication services


    You need to configure the authentication order and methods to achieve your desired results.



    The handling of a rejected authentication request when RADIUS or TACACS+ are present is more complicated.

    • If password (local password authentication) is not in the authentication order statement, a RADIUS and/or TACACS+ rejection ends with the rejection (i.e. set system authentication-order [ radius tacplus ]).
    • If password is included at the end of the authentication order and RADIUS and/or TACACS+ rejects the authentication, the Junos OS tries for a local authentication check (i.e. set system authentication-order [ radius password ]).

    In other words, including password as a final authentication order option is a means by which you can choose whether a RADIUS and/or TACACS+ rejection ends there or if the request is to be given one last chance for authentication locally.


    Refer to the KB FYR.
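
The fall-through rules from the answer above, as an added example that is not part of the original thread and is not Juniper code: a small Python model that reads `set system authentication-order` lines and reports which method would accept a login for each TACACS+ reply. The function names, the sample configuration, the default order and the no-response fallback are assumptions, marked in the comments.

```python
import re

REMOTE = {"radius", "tacplus"}  # remote methods listed in the CLI completion

def parse_auth_order(config_text):
    """Collect methods from 'set system authentication-order' lines."""
    methods = []
    pattern = r"^\s*set system authentication-order\s+(.+)$"
    for args in re.findall(pattern, config_text, re.M):
        methods += [tok for tok in re.split(r"[\s\[\]]+", args) if tok]
    # Assumption: with no statement configured, only the local password is used.
    return methods or ["password"]

def login_outcome(order, remote_reply, local_ok):
    """Return the method that accepts the login, or 'deny'.

    remote_reply maps a remote method to 'accept', 'reject' or 'timeout';
    local_ok says whether the password matches the local database.
    """
    rejected = False
    for method in order:
        reply = remote_reply.get(method, "timeout")
        if method == "password":
            if local_ok:
                return "password"
        elif reply == "accept":
            return method
        elif reply == "reject":
            rejected = True
    # Assumption beyond the thread: if no configured server answers and
    # 'password' is not listed, Junos falls back to the local password.
    if "password" not in order and not rejected and local_ok:
        return "password"
    return "deny"

def reject_reaches_local(order):
    """True if a remote reject is followed by a local password check."""
    remote_seen = [m in REMOTE for m in order]
    return any(m == "password" and any(remote_seen[:i])
               for i, m in enumerate(order))

# Constructed sample configuration lines, not taken from a real device.
SAMPLE = ("set system host-name lab-mx\n"
          "set system authentication-order [ tacplus password ]\n")

if __name__ == "__main__":
    order = parse_auth_order(SAMPLE)
    for reply in ("accept", "reject", "timeout"):
        print(order, reply, "->", login_outcome(order, {"tacplus": reply}, True))
    print("reject reaches local DB:", reject_reaches_local(order))
```

When `reject_reaches_local` returns True, an account that the TACACS+ server rejects can still log in with a matching local password, so local accounts on such devices need the same review as the server-side ones.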