TACACS
NVOS implements TACACS+ client AAA (Accounting, Authentication, and Authorization) in a transparent way with minimal configuration. The client implements the TACACS+ protocol as described in this IETF document. There is no need to create accounts or directories on the switch. Accounting records go to all configured TACACS+ servers by default. Using per-command authorization requires additional setup on the switch.
Authentication using PAM: includes login, ssh, sudo and su
Runs over the eth0 management interface
Up to eight TACACS+ servers
TACACS configuration is made of global configuration and per-server configuration. In general, if a per-server setting is not defined, the value is taken from the global configuration.
All nv tacacs commands can be found in TACACS Commands; global ones are directly under /system/aaa/tacacs and per-server ones are under /system/aaa/tacacs/hostname/<hostname-id>.
NVOS supports three types of TACACS+ users, distinguished by the priv-lvl configured on the TACACS+ server:
priv-lvl=15 # admin privileged users (nv set, nv config apply)
priv-lvl=7 # monitor privileged users (nv show)
priv-lvl=1 # non-privileged users (no nv command access)
TACACS Server Setup and Usage Example
A TACACS server can be configured either on a remote host or on the switch itself (for testing or a sanity check).
Basic configuration for users and clients is done in the /etc/tacplus_nss.conf file.
Users Configuration
user = username {
    login = cleartext "login_password"
    pap = cleartext "pap_password"
    service = exec {
        priv-lvl=<15,7,1>    # one of 15 (admin), 7 (monitor) or 1 (non-privileged)
    }
}
Client Configuration
Client configuration restricts which client IPs and address blocks may use the shared key; the permit entries are regular expressions, so a prefix such as 192\.168\.0\. covers a whole block.
key = "client-secret"
and:
acl = default {
    #permit = 192\.168\.0\.
    permit = 10\.7\.140\.30
    permit = .*
}
Note that the final permit = .* entry matches any client address and therefore cancels the restriction to the addresses listed above it; omit it to allow only the listed clients.
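As an added check, not part of NVOS or of any TACACS+ server project, the following Python script parses a configuration in the format shown above: it maps each user's priv-lvl to the NVOS role listed earlier and flags acl permit patterns that match any client address. The configuration text, user names and probe addresses are constructed for the example.

```python
import re

# Constructed sample in the configuration style shown above (not a real deployment).
SAMPLE_CONF = r"""
user = alice {
    login = cleartext "login_password"
    service = exec {
        priv-lvl = 15
    }
}
user = bob {
    login = cleartext "login_password"
    service = exec {
        priv-lvl = 7
    }
}
acl = default {
    #permit = 192\.168\.0\.
    permit = 10\.7\.140\.30
    permit = .*
}
"""

# NVOS role granted by each TACACS+ priv-lvl, as listed on this page.
ROLE_BY_PRIV = {15: "admin", 7: "monitor", 1: "non-privileged"}

# Unrelated probe addresses (TEST-NET ranges); a pattern matching both is a catch-all.
PROBES = ("203.0.113.7", "198.51.100.9")


def user_roles(conf):
    """Map each 'user = name { ... }' block to the NVOS role its priv-lvl grants."""
    roles = {}
    # Non-greedy body ends at the first '}' that starts a line (the block's own close).
    for name, body in re.findall(r"user\s*=\s*(\S+)\s*\{(.*?)\n\}", conf, re.S):
        m = re.search(r"priv-lvl\s*=\s*(\d+)", body)
        lvl = int(m.group(1)) if m else 1  # no priv-lvl given: treat as non-privileged
        roles[name] = ROLE_BY_PRIV.get(lvl, "unknown")
    return roles


def acl_permits(conf, acl_name="default"):
    """Return the active (uncommented) permit patterns of the named acl block."""
    m = re.search(r"acl\s*=\s*%s\s*\{(.*?)\n\}" % re.escape(acl_name), conf, re.S)
    if not m:
        return []
    lines = (ln.strip() for ln in m.group(1).splitlines())
    return [ln.split("=", 1)[1].strip() for ln in lines if ln.startswith("permit")]


def catch_all_permits(patterns):
    """Flag permit patterns that match every probe address, e.g. '.*'."""
    return [p for p in patterns if all(re.fullmatch(p, a) for a in PROBES)]
```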
After configuring a TACACS server, configure the client:
admin@nvos:~$ nv set system aaa tacacs hostname <tacacs-server-ip> secret tacacs-secret
admin@nvos:~$ nv set system aaa authentication order tacacs,local
admin@nvos:~$ nv config apply -y
TACACS Accounting Configuration
TACACS accounting logs user activity and the commands executed on the system, providing an audit trail for security and compliance. It ensures accountability by sending these logs to the configured TACACS+ servers. The logs will be sent to the first server to respond.
TACACS accounting is managed under the /etc/tacplus_nss.conf file.
After configuring a TACACS server and client, enable accounting with the command nv set system aaa tacacs accounting state enabled.