aaa authentication enable default
Use to authenticate privilege-level (enable) access through the TACACS+
server. This command specifies the list of authentication methods that is used
to determine whether a user is granted access to the privileged command level.
The authentication methods that you can use in a list include these options:
radius, line, tacacs+, none, and enable.
To specify that authentication should succeed even if all other methods return an
error, specify none as the final method in the command line. Note that such a list
fails open: when every server ahead of none is unreachable, privileged access is
granted without any authentication.
Requests sent to a TACACS+ server include the username that is entered for
login authentication.
If a default authentication routine is not set for a function, the default is none,
and no authentication is performed.
If the authentication method list is empty, the local enable password is used.
Example
host1(config)#aaa authentication enable default tacacs+ radius
Use the no version to empty the list.
See aaa authentication enable default
aaa authentication login
Use to set AAA authentication at login. This command creates a named list that
specifies the methods of authentication, in the order they are tried.
Once you enable AAA with the aaa new-model command, an authentication list
called "default" is automatically assigned to the vty lines. To allow users to
access the vty lines, you must create an authentication list and either:
Name the list "default."
Assign a different name to the authentication list, and apply that list to the
vty lines with the login authentication command.
The authentication methods that you can use in a list include these options:
radius, line, tacacs+, none, and enable.
The router traverses the list of authentication methods to determine whether a
user is allowed to start a Telnet session. If a specific method is available but the
user information is not valid (such as an incorrect password), the router does
not continue to traverse the list and denies the user a session.
If a specific method is unavailable, the router continues to traverse the list. For
example, if tacacs+ is the first authentication method on the list and the
TACACS+ server is unreachable, the router attempts to authenticate with the
next method on the list, such as radius.
The router implicitly denies the login if it reaches the end of the
authentication list without finding an available method. Only a trailing none
changes this: it grants the session with no authentication at all, so a list that
ends in none fails open whenever every server listed before it is down.
Example
host1(config)#aaa authentication login my_auth_list tacacs+ radius line none
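The list binding and traversal rules described above, as an added example that is not the vendor's code or anything from this page: a small Python model that parses a constructed configuration fragment and replays login attempts against the method list bound to a vty group. The `line vty 0 4` grouping, the indented `login authentication` sub-mode line, and the per-method server outcomes are assumptions made for the example. The model distinguishes a method that rejects the credentials (traversal stops, access denied) from one that is unreachable (traversal continues), treats none as an unconditional grant, denies when the list is exhausted, and flags lists that end in none because those fail open when every server is down.

```python
"""Model of AAA login method-list evaluation as described on this page.

Added example, not vendor code.  It parses a constructed configuration
fragment and replays login attempts against the bound method list using
the traversal rules given in the text:
  PASS  (method reachable, credentials valid)   -> grant, stop
  FAIL  (method reachable, credentials invalid) -> deny, stop
  ERROR (method unavailable, e.g. server down)  -> skip to next method
  none                                          -> grant unconditionally
  end of list with no usable method             -> deny
"""
from typing import Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"
METHODS = {"radius", "line", "tacacs+", "none", "enable"}

# Constructed sample config. The 'line vty 0 4' grouping and the indented
# sub-mode command are assumptions about the CLI, not taken from the page.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ radius
aaa authentication login my_auth_list tacacs+ radius line none
line vty 0 4
 login authentication my_auth_list
line vty 5 9
"""


def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[str, str]]:
    """Return (method lists by name, vty group -> bound list name).

    A 'line vty' group with no 'login authentication' command stays bound
    to the list named "default", as the page describes.
    """
    lists: Dict[str, List[str]] = {}
    bindings: Dict[str, str] = {}
    current = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            continue
        if parts[:3] == ["aaa", "authentication", "login"] and len(parts) >= 5:
            unknown = [m for m in parts[4:] if m not in METHODS]
            if unknown:
                raise ValueError(f"unknown method(s) {unknown} in list {parts[3]}")
            lists[parts[3]] = parts[4:]
        elif parts[:2] == ["line", "vty"]:
            current = " ".join(parts)
            bindings[current] = "default"
        elif parts[:2] == ["login", "authentication"] and current and len(parts) == 3:
            bindings[current] = parts[2]
    return lists, bindings


def evaluate(methods: List[str], outcomes: Dict[str, str]) -> Tuple[bool, str]:
    """Walk a method list. `outcomes` maps a method to PASS/FAIL/ERROR for
    this attempt; a method with no entry is treated as unavailable (ERROR).
    Returns (granted, method that decided the result)."""
    for method in methods:
        if method == "none":
            return True, "none"              # no authentication performed
        result = outcomes.get(method, ERROR)
        if result == PASS:
            return True, method
        if result == FAIL:
            return False, method             # bad credentials: stop, deny
        # ERROR: method unavailable, continue with the next one
    return False, "end-of-list"              # implicit deny


def login(config: str, vty: str, outcomes: Dict[str, str]) -> Tuple[bool, str]:
    """Resolve the list bound to `vty` and evaluate it. A binding to a list
    that was never created denies access, since the page requires the list
    to exist before users can reach the vty lines."""
    lists, bindings = parse_config(config)
    methods = lists.get(bindings.get(vty, "default"))
    if methods is None:
        return False, "no-list"
    return evaluate(methods, outcomes)


def fail_open_lists(config: str) -> List[str]:
    """Names of lists that end in 'none': these grant access with no
    authentication whenever every preceding method is unavailable."""
    lists, _ = parse_config(config)
    return sorted(name for name, m in lists.items() if m and m[-1] == "none")


if __name__ == "__main__":
    servers_up = {"tacacs+": PASS, "radius": PASS, "line": PASS}
    servers_down: Dict[str, str] = {}   # every method unavailable
    print(login(SAMPLE_CONFIG, "line vty 0 4", servers_up))                          # (True, 'tacacs+')
    print(login(SAMPLE_CONFIG, "line vty 0 4", {"tacacs+": ERROR, "radius": FAIL}))  # (False, 'radius')
    print(login(SAMPLE_CONFIG, "line vty 0 4", servers_down))                        # (True, 'none')
    print(login(SAMPLE_CONFIG, "line vty 5 9", servers_down))                        # (False, 'end-of-list')
    print(fail_open_lists(SAMPLE_CONFIG))                                            # ['my_auth_list']
```

The third and fourth calls show the practical difference between the two lists on the page: with every server unreachable, my_auth_list (ending in none) admits the user with no authentication, while the default list (tacacs+ radius) denies. Run fail_open_lists against a real configuration dump to find lists that end in none before trusting them on network-reachable vty lines.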
Chapter 9: Configuring TACACS+
Configuring TACACS+ Support