No bug, works as designed. You have the following bahaviour depending on the authentication-order configuration as described in http://www.juniper.net/documentation/en_US/junos15.1/topics/concept/authentication-order-authentication-methods-overview.html
(1) authentication-order [ radius password ];
- If the user has the correct password due to the radius account, he is accepted
- If the user is not accepted by the radius account, the local database (aka password) is consulted. If the local password is correct, he is accepted, otherwise denied.
(2) authentication-order radius;
- If the user has the correct password due to the radius account, he is accepted, if not he is rejected and cannot login.
- If the radius server does not reply, then the local password database is consulted as a fallback!
So, you have to go for option (2).
Cheers,
Carsten