User authentication methods on Juniper using Radius, Tacacs+ and local database

Following what I have explained in the last lesson, the user authentication on Juniper can be done on the local database of the Juniper router, or to a server – the 2 types of servers that Juniper provide possibilities to use them are Radius and Tacacs+.

This means that whenever someone is trying to login to the Juniper router and you have set on the router that it has to check the Radius server database to get authenticated, then the request of the authentication is sent to the Radius server by the Juniper router. In that case, the radius server will check if the username and password are valid, then it will allow the user to get authenticated to the Juniper router.

The nice thing that Juniper has is the possibility to provide more than 1 way of authentication and you put them in order.

For example, you can say to the Juniper router to put the authentication method in the following order:

  1. Radius
  2. Tacacs+
  3. Local database

Then when someone tries to login to the Juniper router, the credentials are 1st checked by the Radius server – if it matches then it will allow the user to login, if not then it will go to the Tacacs+ server and again try to check if it can login using the database of the Tacacs+ server – if it matches, then it will login, if not then it will go to the local database which is the database on the Juniper router itself. In this case in case we have the right account created on the Juniper router database then he will be able to login, otherwise that account won’t be able to login.

Let me show you how you can put the order on the Juniper router:

root@R1# set system authentication-order ?

Possible completions:

[                    Open a set of values

password          Traditional password authentication

radius               Remote Authentication Dial-In User Service

tacplus             TACACS+ authentication services


root@R1# set system authentication-order [radius tacplus password ]



I have put the authentication way in order as 1st Radius, 2nd Tacacs+ and 3rd local database.

If I try to login again now, the router will try to see if there is a Radius server to authenticate (which we do not have it), then it will fail and will go to Tacacs+ plus (which we do not have it) and will fail and will check the local database and in this case we will be able to login to the router if we enter the right username and password.

I will try it now but first I need to commit the configuration so it is applied to the active candidate:

root@R1# commit and-quit

commit complete

Exiting configuration mode

root@R1> quit

root@R1% exit


Welcome. If you are not authorized to login, please leave immediately

R1 (ttyd0)

login: root



I could login successfully from the local database.

Let’s say that we have set only the authentication order as:

  1. Radius
  2. Tacacs+

Let’s say that both servers and up and running. Then if I try to login, it will check the Radius and the server says that this account is not valid, then it won’t authenticate and will go to the Tacacs+ plus.

Then the Tacacs+ server will check the account and will see also that it is not valid, then it won’t authenticate and the user will not be able to login. In this case it doesn’t go to the local database because it is not set there and both servers are up and running.

Let’s take the same example and we put the orders as for Radius and Tacacs+ only, but both servers are down and not able to communicate with the Juniper router.

Then if a user tries to login to the router, the Juniper will send the credentials to the Radius server that is down, then nothing would happen. Then the Juniper will send the credentials to the Tacacs+ which is also down, and nothing would happen. Then in this case, even if you do not put the local database as a 3rd option, but as both servers are down then the router will check its local database to see if it can authenticate the user. If it happens that the account is in the local database of the Juniper router, then he will be able to authenticate him, otherwise he will not be authenticated.

Let’s try it. You know that I do not have neither a Radius server nor a Tacacs+ server. I will delete the previous authentication order and put in place only Radius and Tacacs+:

root@R1# delete system authentication-order


root@R1# set system authentication-order [radius tacplus ]


root@R1# commit

commit complete



I will log out and try to login to the Juniper router using the account that is on the local database and see if it will work:

R1 (ttyd0)

login: Maher


Local password:

— JUNOS 14.1R4.8 built 2015-01-28 03:38:12 UTC


Excellent 😊 – it has asked me first for the password and I have put it, but it couldn’t find any Radius or Tacacs+ server to speak to, then it has asked me for the local password which is on the router and once I put it I could login – wooow!!!!

This is all what I wanted to explain you in this lesson, I hope you enjoyed it and see you in the upcoming one.

Course Content


Submit a Comment

Your email address will not be published. Required fields are marked *