In Cisco IOS you usually configure RADIUS or TACACS+ authentication with local user database as a backup, and you explicitly define the “local” keyword to tell that the local database is used if external servers are not responding. If the external server says “rejected” then the local database is not consulted.
In Junos you use the “system authentication-order” command to get the same behaviour but the ideology is somewhat different:
- With “authentication-order [ radius password ]” Junos first consults the external server(s) and if the servers are not responding then local users are checked. BUT, additionally, if the external server returns “Access Rejected” then the local users are checked as well! This is not something that happens with very similar Cisco configs. This makes it possible to use the device-local fixed accounts for daily access (instead of sticking with the centralized AD accounts or whatever).
- With “authentication-order radius” Junos checks the external server(s), and if there is no response then the local users are checked. In case of a “Rejected” response code from the servers then it really is the final verdict and the local users are not checked. This is usually the desired way of working: centralized user databases are checked and the local users are configured only as a backup if the servers cannot be used.
This is nothing surprising for the old Junos engineers but the Cisco-familiar specialists may want to specifically note this.