Restrictions to enabling security credentials
include-credentials command:
- The private keys of an SSH host cannot be stored in the running configuration. Only the public keys used to authenticate SSH clients can be stored. An SSH host's private key is only stored internally, for example, on the switch or on an SSH client device.
- SNMPv3 security credentials saved to a configuration file on a switch cannot be used after downloading the file on a different switch. The SNMPv3 security credentials in the file are only supported when loaded on the same switch for which they were configured. This is because when SNMPv3 security credentials are saved to a configuration file, they are saved with the engine ID of the switch as shown here:
snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01
If you download a configuration file with saved SNMPv3 security credentials on a switch, when the switch loads the file with the current software version the SNMPv3 engine ID value in the downloaded file must match the engine ID of the switch in order for the SNMPv3 users to be configured with the authentication and privacy passwords in the file. (To display the engine ID of a switch, enter the show snmpv3 engine-id command. To configure authentication and privacy passwords for SNMPv3 users, enter the snmpv3 user command.)
If the engine ID in the downloaded file does not match the engine ID of the switch:
  - The SNMPv3 users are configured, but without the authentication and privacy passwords. You must manually configure these passwords on the switch before the users can have SNMPv3 access with the privileges you want.
  - Only the snmpv3 user <user_name> credentials from the SNMPv3 settings in a downloaded configuration file are loaded on the switch, for example:
snmpv3 user boris
snmpv3 user alan
- You can store 802.1X authenticator (port access) credentials in a configuration file. However, 802.1X supplicant credentials cannot be stored.
- The local operator password configured with the password command is no longer accepted as an 802.1X authenticator credential. A new configuration command, password port-access, is introduced to configure the user name and password used as 802.1X authentication credentials for access to the switch. You can store the password port-access values in the running configuration file by using the include-credentials command.
NOTE: password port-access values are configured separately from the local operator user names and passwords configured with the password operator command and used for management access to the switch. For more information about how to use the password port-access command to configure operator passwords and user names for 802.1X authentication, see Configuring Username and Password Security.
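
The SNMPv3 engine ID restriction above can be checked before a saved configuration file is downloaded to a switch. The following is an added example, not code from the original page or from the switch vendor: it reads the snmpv3 engine-id and snmpv3 user lines in the form shown on this page and compares the saved engine ID with the one the operator reads from show snmpv3 engine-id on the target switch. The function names, the result keys and the sample configuration text are assumptions made for illustration.

```python
import re

# Line forms taken from this page: "snmpv3 engine-id <colon-separated hex>"
# and "snmpv3 user <user_name>". Quotes around the user name are tolerated
# (an assumption); anything after the name is ignored.
ENGINE_RE = re.compile(r"^[ \t]*snmpv3[ \t]+engine-id[ \t]+(\S+)", re.I | re.M)
USER_RE = re.compile(r"^[ \t]*snmpv3[ \t]+user[ \t]+(\S+)", re.I | re.M)

# Constructed sample; the engine ID is the one printed on this page.
SAMPLE_CONFIG = """\
hostname "switch-a"
snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01
snmpv3 user boris
snmpv3 user alan
"""


def normalize_engine_id(text):
    """Return the engine ID as lowercase two-digit octets joined by colons."""
    octets = text.strip().lower().split(":")
    if any(not re.fullmatch(r"[0-9a-f]{1,2}", o) for o in octets):
        raise ValueError(f"not a colon-separated hex engine ID: {text!r}")
    return ":".join(o.zfill(2) for o in octets)


def check_snmpv3_portability(config_text, target_engine_id):
    """Report whether the saved SNMPv3 passwords can load on the target switch.

    passwords_loaded is True on an engine ID match, False on a mismatch (the
    users are then created without authentication and privacy passwords), and
    None when the file has no engine-id line, a case this page does not cover.
    """
    users = []
    for name in USER_RE.findall(config_text):
        name = name.strip('"')
        if name not in users:  # keep file order, drop repeats
            users.append(name)
    target = normalize_engine_id(target_engine_id)
    found = ENGINE_RE.search(config_text)
    saved = normalize_engine_id(found.group(1)) if found else None
    loaded = None if saved is None else saved == target
    return {"saved_engine_id": saved, "target_engine_id": target,
            "passwords_loaded": loaded, "users": users}


if __name__ == "__main__":
    # Constructed target engine ID that differs in the last octet.
    print(check_snmpv3_portability(SAMPLE_CONFIG, "00:00:00:0b:00:00:08:00:09:01:10:02"))
```

When passwords_loaded is False, every name in users needs its authentication and privacy passwords re-entered with the snmpv3 user command on the target switch.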