There are a few ways you can do this...
You can use login classes (groups) and then have the RADIUS server return a value for which group (login class) a user belongs to when they log in. This is how I normally do it.
You can also get really granular and define specific commands that users may or may not run via RADIUS, but I find login classes to be a cleaner way to do it.
You have to configure your RADIUS server to return a VSA (Vendor-Specific Attribute) with the correct value.
This KB article gives a good overview of how it works and has links to the pages that document the VSAs in more detail.
- In Cisco, we have “line con 0” for Console-specific logins and we can define a different authentication/authorization order than the default for the rest of the box. What is the equivalent for this on Juniper? Let's say I want the authentication order of [ password radius ] for the user who accesses the router via Console and for the rest of the connections, it should use [ radius password ].
That one I honestly don't know, but I don't think you can do that on Junos. I know what you're talking about, I've just never seen it or done it on Junos. Perhaps someone wiser than I will have an answer for that one.
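To check the VSA step from the start of this answer, the sketch below (an added example, not part of the original post) decodes a raw RADIUS packet and lists the Juniper VSAs in it, so you can confirm what your server actually returns. The enterprise number 2636 and attribute numbers 1 to 5 follow Juniper's published RADIUS dictionary; the sample packet and the template user name `NOC-RO` are constructed for illustration.

```python
import struct

JUNIPER_VENDOR_ID = 2636   # Juniper's IANA enterprise number
VENDOR_SPECIFIC = 26       # RADIUS Vendor-Specific attribute type (RFC 2865)
JUNIPER_VSA_NAMES = {      # numbering per Juniper's RADIUS dictionary
    1: "Juniper-Local-User-Name",
    2: "Juniper-Allow-Commands",
    3: "Juniper-Deny-Commands",
    4: "Juniper-Allow-Configuration",
    5: "Juniper-Deny-Configuration",
}

def juniper_vsas(packet: bytes) -> dict:
    """Return {attribute name: value} for every Juniper VSA in a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = {}, 20            # attributes start after the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        body = packet[pos + 2:pos + alen]
        pos += alen
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != JUNIPER_VENDOR_ID:
            continue               # VSA from some other vendor
        sub = body[4:]             # one or more vendor type/length/value triples
        while len(sub) >= 2:
            vtype, vlen = sub[0], sub[1]
            if vlen < 2 or vlen > len(sub):
                raise ValueError("malformed Juniper sub-attribute")
            name = JUNIPER_VSA_NAMES.get(vtype, f"Juniper-Attr-{vtype}")
            found[name] = sub[2:vlen].decode("ascii", "replace")
            sub = sub[vlen:]
    return found

def build_sample_accept(template_user: str) -> bytes:
    """Constructed Access-Accept (zeroed authenticator) for offline testing."""
    val = template_user.encode("ascii")
    vsa = struct.pack("!I", JUNIPER_VENDOR_ID) + bytes([1, 2 + len(val)]) + val
    attrs = bytes([18, 4]) + b"ok" + bytes([VENDOR_SPECIFIC, 2 + len(vsa)]) + vsa
    return struct.pack("!BBH", 2, 1, 20 + len(attrs)) + bytes(16) + attrs

if __name__ == "__main__":
    print(juniper_vsas(build_sample_accept("NOC-RO")))  # NOC-RO is hypothetical
```

Feed it the UDP payload of an Access-Accept taken from a packet capture; the function does not validate the response authenticator, it only reports which Juniper attributes are present.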