Information
At least one external Authentication method should be specified.
Rationale:
RADIUS and TACACS+ are centralized Authentication, Authorization and Accounting (AAA) services. Both protocols provide services to authenticate users on routers, switches and other systems.
Juniper routers support both RADIUS and TACACS+ authentication. JUNOS will use each of the configured protocols in order set under [edit system authentication-order] until the password is accepted or the end of the list is reached.
It is vital to understand the impact of this behavior and its relation to security. If the order is set as RADIUS then TACACS+, the router will attempt to authenticate a user's credentials first using the RADIUS server. If the RADIUS server cannot be reach or the login is denied the router will attempt to authenticate against TACACS+.
Settings for RADIUS or TACACS+ servers themselves for Authentication are configured separately under the [edit system radius-server] or [edit system tacplus-server] hierarchies respectively.
Solution
Configure at least one external Authentication method using the following commands under the [edit system] hierarchy; For RADIUS
[edit system]
user@host#set authentication-order radius
For TACACS+
[edit system]
user@host#set authentication-order tacplus
For RADIUS then TACACS+
[edit system]
user@host#set authentication-order [radius, tacplus]
For TACACS+ then RADIUS
[edit system]
user@host#set authentication-order [tacplus, radius]
Default Value:
By default all Juniper routers use local password authentication with accounts set under the [edit system login user] hierarchy.