config>system>security>password>authentication-order
configure system security user-params authentication-order order
To configure the system local user profiles for local user authentication and authorization, including VPRNs, use the following CLI contexts:
config>system>security>profile
configure system security aaa local-profiles profile
To configure AAA servers, use the following CLI contexts:
config>system>security for system AAA servers
config>service>vprn>aaa>remote-servers for AAA remote servers under the VPRN
configure system security aaa for system AAA servers
configure service vprn aaa remote-servers for AAA remote servers under the VPRN
When AAA servers are configured using the preceding commands, they are used as follows:
If servers are configured under the VPRN AAA, only the VPRN AAA servers are used.
For example, suppose the authentication-order command lists the order as local, TACACS+, and RADIUS, the VPRN has only a RADIUS server configured, and the system AAA servers include both TACACS+ and RADIUS. In this case, if a management session connects to the VPRN and the destination IP matches a local interface in the VPRN, the SR OS tries the local AAA first, and then RADIUS as configured in the VPRN. The SR OS does not try the system AAA servers because there is an AAA server configured in the VPRN.
If no AAA servers are configured under VPRN AAA, the system AAA servers are used.
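The selection rule above can be modeled in a short script for auditing which methods a VPRN management session actually reaches. This is an added example, not SR OS code; the function names and the method labels "local", "tacplus" and "radius" are assumptions made for illustration, as is the treatment of a listed method with no configured server as skipped.

```python
# Added illustration of the AAA server-selection rule described above.
# effective_aaa_sequence and skipped_methods are hypothetical names,
# not SR OS APIs; the method labels are constructed for this example.

REMOTE_METHODS = {"tacplus", "radius"}


def effective_aaa_sequence(auth_order, system_servers, vprn_servers=None):
    """Return the ordered (method, scope) pairs tried for a session.

    auth_order     -- methods in authentication-order sequence
    system_servers -- remote methods with servers under system AAA
    vprn_servers   -- remote methods with servers under the VPRN AAA
                      (empty or None when none are configured there)
    """
    # Rule from the text: any server under VPRN AAA means only the VPRN
    # AAA servers are used; otherwise the system AAA servers are used.
    use_vprn = bool(vprn_servers)
    pool = set(vprn_servers) if use_vprn else set(system_servers)
    scope = "vprn" if use_vprn else "system"

    sequence = []
    for method in auth_order:
        if method == "local":
            sequence.append(("local", "local"))
        elif method in REMOTE_METHODS and method in pool:
            sequence.append((method, scope))
        # Assumption: a listed method with no server in the selected
        # pool is skipped, as TACACS+ is in the documented example.
    return sequence


def skipped_methods(auth_order, system_servers, vprn_servers=None):
    """List methods that have system servers but are never tried."""
    tried = {m for m, _ in
             effective_aaa_sequence(auth_order, system_servers, vprn_servers)}
    return [m for m in auth_order
            if m in REMOTE_METHODS and m in system_servers and m not in tried]


if __name__ == "__main__":
    order = ["local", "tacplus", "radius"]      # as in the example above
    system = {"tacplus", "radius"}              # system AAA servers
    vprn = {"radius"}                           # VPRN AAA servers
    print(effective_aaa_sequence(order, system, vprn))
    print("never tried for this VPRN:", skipped_methods(order, system, vprn))
```

A non-empty result from skipped_methods marks a VPRN where a method listed in authentication-order is silently bypassed for management sessions terminating in that VPRN.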