I want my MX5 to do this:
When somebody accesses the MX5 over SSH and provides root credentials, it should consult TACPLUS; if no reply is received or a Reject is received from TACPLUS, it should then check the local database to authenticate.
How can I do that on MX5?
Brocade and Cisco:
If configured to check TACPLUS and then the local database:
If a Reject is received from TACPLUS, the local router does not consult the LOCAL DATABASE even if it is configured to do so; in order for the local database to be consulted, TACPLUS must not be reachable.
Not sure if we have similar behavior on the Juniper MX5.
Thanks and have a nice day!!!
Both of the requirements mentioned in the question are possible using the knob named "authentication-order".
See the following knob:
lab@VMX-R5# set system authentication-order ?
Possible completions:
  [                    Open a set of values
  password             Traditional password authentication
  radius               Remote Authentication Dial-In User Service
  tacplus              TACACS+ authentication services
You need to configure the authentication order and methods to achieve your desired results.
The handling of a rejected authentication request when RADIUS or TACACS+ are present is more complicated.
In other words, including password as a final authentication order option is a means by which you can choose whether a RADIUS and/or TACACS+ rejection ends there or if the request is to be given one last chance for authentication locally.
Refer to the KB, FYR.
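As an added example (not part of the original answer), here is a Junos configuration that implements the behaviour the question asks for: consult TACACS+ first, and fall back to the local database both when the server does not reply and when it returns a Reject. The server address 192.0.2.10, the source address 192.0.2.1, the shared secret and the uid 2001 are placeholders to be replaced with your own values.

```junos
set system authentication-order [ tacplus password ]
set system tacplus-server 192.0.2.10 secret "ReplaceWithSharedSecret"
set system tacplus-server 192.0.2.10 timeout 5
set system tacplus-server 192.0.2.10 source-address 192.0.2.1
set system login user remote uid 2001 class super-user
set system services ssh root-login allow
```

Listing password after tacplus is what makes a Reject fall through to the local database; a bare `set system authentication-order tacplus` gives the Brocade/Cisco-style behaviour described in the question, where a Reject is final and the local database is only consulted when no TACACS+ server responds within the timeout. The `remote` user is the template that remotely authenticated users without a local account are mapped to; it is not needed for root itself. The root password is set interactively with `set system root-authentication plain-text-password`, so it is not shown above. Verify what is in effect with `show configuration system authentication-order`.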