Information
Authentication using locally configured usernames and passwords should only be permitted when the external AAA servers are down or cannot be reached.
Rationale:
Juniper routers support local user accounts in addition to RADIUS and TACACS+ based authentication. JUNOS will try each of the configured methods, in the order set under [edit system authentication-order], until the password is either accepted or the end of the list is reached.
It is vital to understand the impact of this behavior and its relation to security.
If the order is set as RADIUS then local password, the router will first attempt to authenticate a user's credentials against the RADIUS server. If the RADIUS server cannot be reached or the login is denied, the router will then attempt to authenticate against the user accounts configured in the [edit system login user] hierarchy.
Because local user accounts cannot be centrally audited and controlled, they present a far greater risk when, for example, an account is compromised or an employee leaves the organization.
By removing local authentication from the authentication-order you prevent these accounts from being used when RADIUS or TACACS+ reject an authentication attempt; however, local accounts remain usable when all other authentication services cannot be reached, such as during router maintenance or AAA server outages.
Solution
Remove local user authentication from the authentication order by issuing the following command from the [edit system] hierarchy:
[edit system]
user@host# delete authentication-order password
This command leaves in place any other authentication methods (RADIUS or TACACS+) already configured under the authentication-order statement.
Default Value:
By default, all Juniper routers use local password authentication, with accounts set under the [edit system login user] hierarchy.
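An audit check for this setting, added here as an example and not part of the original benchmark text: it reads the authentication-order statement from a saved JUNOS configuration (hierarchical or "set"-style output) and flags the local password method, treating an absent statement as non-compliant because the default is local password authentication. The configuration snippets are constructed for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample configurations (not from the original page).
NONCOMPLIANT_CONFIG = """
system {
    authentication-order [ radius password ];
}
"""
COMPLIANT_CONFIG = """
system {
    authentication-order radius;
}
"""
SET_STYLE_CONFIG = """
set system authentication-order tacplus
set system authentication-order password
"""


def authentication_order(config: str) -> List[str]:
    """Return the configured authentication methods in the order JUNOS tries them.

    Handles 'authentication-order radius;', 'authentication-order [ radius password ];'
    and 'set system authentication-order <method>' lines. An empty list means the
    statement is absent, so JUNOS falls back to local password authentication.
    """
    methods: List[str] = []
    # Hierarchical form: a single method or a bracketed list terminated by ';'
    for m in re.finditer(r"^\s*authentication-order\s+(\[[^\]]*\]|[\w-]+)\s*;", config, re.M):
        methods.extend(m.group(1).strip("[] ").split())
    # 'show configuration | display set' form: one method per line, in order
    for m in re.finditer(r"^\s*set\s+system\s+authentication-order\s+([\w-]+)", config, re.M):
        methods.append(m.group(1))
    return methods


def check_local_auth(config: str) -> Tuple[bool, str]:
    """Return (compliant, reason) for the 'no local password in authentication-order' check."""
    order = authentication_order(config)
    if not order:
        return False, "authentication-order not set: local password authentication is the default"
    if "password" in order:
        return False, f"local 'password' method present in authentication-order {order}"
    return True, f"authentication-order {order} contains no local password method"


if __name__ == "__main__":
    for name, cfg in [("noncompliant", NONCOMPLIANT_CONFIG), ("compliant", COMPLIANT_CONFIG), ("set-style", SET_STYLE_CONFIG)]:
        print(name, check_local_auth(cfg))
```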