In TACACS+, you can define the following three types of authentication:
    default authentication = file /etc/passwd
    default authentication = pam pap
    default authentication = db <mysql>
If you are using /etc/passwd-based authentication, then you should keep the following things in mind:
1. All Linux account usernames/passwords (including root) will be able to log in to SRX firewalls.
2. You can NOT define permissions / authorization in the "tac_plus.cfg" or "tacacs.conf" file, as you normally do, e.g.
    service = junos-exec {
        local-user-name = <username-local-to-router>
        allow-commands = "<allow-commands-regex>"
        allow-configuration = "<allow-configuration-regex>"
        deny-commands = "<deny-commands-regex>"
        deny-configuration = "<deny-configuration-regex>"
    }
3. In order to authorize the users, a better way is to override the TACACS authorization and define your own user class in SRX / JunOS, e.g.
    set system login class operations-group permissions network
    set system login class operations-group permissions view
    set system login user operations full-name "Users with Limited Access"
    set system login user operations class operations-group
4. In this way, authentication will be done by the Linux-based TACACS server; however, permissions will be granted by SRX / JunOS.
Regards
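
An audit for point 1 above, added here as an example and not part of the original post: it lists the accounts on the TACACS+ host that hold a usable password hash, since with file-based authentication those are the logins the firewalls would accept. The function names, the shadow-file lookup and the sample entries are assumptions constructed for illustration.

```python
# Added example: which local accounts on the TACACS+ host can authenticate?
# Assumption: a hash starting with "!" or "*" marks a locked / no-password account.
LOCKED_PREFIXES = ("!", "*")

# Constructed sample data in passwd(5) and shadow(5) format (not real hashes).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
netops:x:1001:1001:Network Ops:/home/netops:/bin/bash
backup:x:1002:1002::/home/backup:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$constructed$hashvalue:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
netops:$6$constructed$hashvalue2:19000:0:99999:7:::
backup:!$6$constructed$locked:19000:0:99999:7:::
"""

def parse_colon_file(text):
    """Map username -> field list for passwd- or shadow-format text."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 2 and not fields[0].startswith("#"):
            entries[fields[0]] = fields
    return entries

def tacacs_exposed_accounts(passwd_text, shadow_text=""):
    """Return [(user, uid, reason)] for accounts with a usable password."""
    shadow = parse_colon_file(shadow_text)
    findings = []
    for user, f in parse_colon_file(passwd_text).items():
        if len(f) < 3 or not f[2].isdigit():
            continue  # malformed passwd line
        pw, uid = f[1], int(f[2])
        if pw == "x":  # hash is in the shadow file; a missing entry counts as locked
            pw = shadow.get(user, ["", "*"])[1]
        if pw == "":
            findings.append((user, uid, "empty password"))
        elif not pw.startswith(LOCKED_PREFIXES):
            reason = "root-equivalent (uid 0)" if uid == 0 else "usable password hash"
            findings.append((user, uid, reason))
    return findings

if __name__ == "__main__":
    for user, uid, reason in tacacs_exposed_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{user} (uid {uid}): {reason}")
```

Every account it reports that is not meant to manage network devices is a candidate for locking or for moving authentication to a dedicated user file.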