The official Juniper course has this exact example and says that the local database is used if all else fails, even though it is not listed in the output of the command...
https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/topic-map/junos-os-authentication-order.html
authentication-order [ radius tacplus ];
Try configured RADIUS authentication servers.
If a RADIUS server is available and authentication is accepted, grant access.
If the RADIUS servers fail to respond or the servers return a reject response, try configured TACACS+ servers.
If a TACACS+ server is available and authentication is accepted, grant access.
If a TACACS+ server is available but authentication is rejected, deny access.
From the link in the previous comment:
If the authentication order includes RADIUS or TACACS+ servers, but the servers do not respond to a request, Junos OS always defaults to trying local password authentication as a last resort.
A. The device will attempt to authenticate using the local database if RADIUS and TACACS+ are unresponsive.
The authentication-order configuration specifies the order in which authentication methods will be attempted by the device. In this case, the configuration indicates that RADIUS and TACACS+ are the preferred authentication methods as they are listed first in the order.
If the RADIUS and TACACS+ servers are unresponsive or unreachable, the device will fall back to the next available method, which is the local database. So, if RADIUS and TACACS+ authentication fails, the device will attempt authentication using the local database as a backup option.
Therefore, the correct statement is A: The device will attempt to authenticate using the local database if RADIUS and TACACS+ are unresponsive.
if the show command does not reveal "" (Radius tacplus password) "" in the configuration, when radius and tacacs fails, the system will never attempt to use password
Answer is D:
the device must include password as a final authentication order option for the device to attempt local password authentication in the event that the remote authentication servers reject the request
If the authentication order includes LDAPS, RADIUS, or TACACS+ servers, but the servers DO NOT RESPOND to a request, Junos OS always defaults to trying local password authentication as a last resort.
If the authentication order includes LDAPS, RADIUS, or TACACS+ servers, but the servers REJECT the request, the handling of the request is more complicated.
The key is the word UNRESPONSIVE in the A answer.
authentication-order [ radius tacplus ];
Try configured RADIUS authentication servers.
If a RADIUS server is available and authentication is accepted, grant access.
If the RADIUS servers fail to respond or the servers return a reject response, try configured TACACS+ servers.
If a TACACS+ server is available and authentication is accepted, grant access.
If a TACACS+ server is available but authentication is rejected, deny access.
If no RADIUS or TACACS+ servers are available, try local password authentication.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Nish202174
Highly Voted 2 years, 2 months agomohi26
Highly Voted 2 years, 2 months agodlol
Most Recent 9 months agoMayTin
10 months agolanzailan
10 months, 2 weeks agobb58b38
11 months agoNicocisco
1 year, 4 months agoNasredd
1 year, 4 months agoCradical
1 year, 6 months agoYgrec
1 year, 7 months agosanbe
1 year, 7 months agoMakween
1 year, 7 months agoOdvehmir
1 year, 8 months agoggelashvili
2 years agoNebulise
1 year, 11 months agoBogarGtz
1 year, 9 months agoaisa007
2 years agomohdema
2 years, 1 month agoabual3ees
2 years, 2 months agoaisa007
2 years ago