Include-Credentials
include-credentials radius-tacacs-only option
This option allows you to execute include-credentials for only RADIUS and TACACS. The option radius-tacacs-only does not cause the switch to store authentication passwords and SSH keys in the configuration file.
Enables the inclusion of passwords and security credentials in each configuration file when the file is saved onto a remote server or workstation. When [no]include-credentials is executed, include-credentials is disabled. Credentials continue to be stored in the active and inactive configuration files but are not displayed.
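radius-tacacs-only | When executed with the radius-tacacs-only option, only the RADIUS and TACACS security keys are included in the configuration when saving files remotely. The radius-tacacs-only option can be disabled with either [no]include-credentials or [no]include-credentials radius-tacacs-only. |
store-in-config | Stores passwords and SSH authorized keys in the configuration files. This happens automatically when include-credentials is enabled. |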
When include-credentials radius-tacacs-only is executed, a warning message displays.
Displaying the status of include-credentials on the switch
The show include-credentials command provides the current status of include-credentials on the switch.
Syntax
show include-credentials
Displays information about the passwords and SSH keys stored in the configuration.
Stored in configuration — yes | The passwords and SSH keys are stored in the configuration. Include-credentials was executed. |
Stored in configuration — no | There is only one set of operator/manager passwords and one set of SSH keys for the switch. |
Enabled in active configuration | |
RADIUS/TACACS only | Displayed when the option is configured. |
Output for show include-credentials command
Executing include-credentials or include-credentials store-in-config
When include-credentials or include-credentials store-in-config is executed on a switch for the first time, the passwords and SSH keys are not currently stored in the configuration file (not activated). This prompts a caution message.
This caution message can also appear if you have successfully executed the [no] include-credentials store-in-config command.
Storage states when using include-credentials
The following table shows the states of several access types when the factory default settings are in effect or when include-credentials is enabled or not enabled.
Switch storage states
Type | Factory Default | Include-Credentials Enabled | Include-Credentials Disabled but Active | No Include-Credentials Executed |
---|---|---|---|---|
manager/operator passwords & port access | single set for switch — stored outside config — not displayed in config file | one set per stored config — stored in config — displayed in config | same as include-credentials enabled — not displayed in config | one set for switch — no credentials displayed in config |
SSH Public Key | one set for switch — stored in flash — not displayed in config | one set per stored config — stored in flash — displayed in config | same as include-credentials enabled — not displayed in config | one set for switch — no credentials displayed in config |
SNMPv3 auth and priv | stored in flash — not displayed in config | stored in flash — displayed in config | same as include-credentials enabled — not displayed in config | no credentials displayed in config |
RADIUS & TACACS keystrings | not displayed in config | stored in flash — displayed in config | same as include-credentials enabled — not displayed in config | no credentials displayed in config |
[no]include-credentials store-in-config option
The [no]include-credentials command disables include-credentials. Credentials continue to be stored in the active and inactive configurations, but are not displayed in the config file.
When [no]include-credentials is used with the store-in-config option, include-credentials is disabled and the credentials stored in the config files are removed. The switch is restored to its default state and only stores one set of operator/manager passwords and SSH keys. If you choose to execute the [no]include-credentials store-in-config command, you are also presented with the option of setting new switch passwords.
You are queried about retaining the current SSH authorized keys on the switch. If you enter “y”, the currently active authorized key files are renamed to the pre-include-credentials names, for example:
/file/mgr_auth_keys.2 -> /file/mgr_auth_keys
/file/authorized_keys.2 -> /file/authorized_keys
All remaining authorized keys files with an extension are deleted.
Enabling the storage and display of security credentials
To enable the security settings, enter the include-credentials command.
Syntax
[no] include-credentials [ radius-tacacs-only | store-in-config ]
Enables the inclusion and display of the currently configured manager and operator user names and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public keys in the running configuration. (Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running-config file.)
To view the currently configured security settings in the running configuration, enter one of the following commands:
show running-config: Displays the configuration settings in the current running-config file.
write terminal: Displays the configuration settings in the current running-config file.
See “Switch Memory and Configuration” in the basic operation guide.
To view the current status of include-credentials on the switch, enter show include-credentials. See Displaying the status of include-credentials on the switch.
The [no] form of the command disables only the display and copying of these security parameters from the running configuration, while the security settings remain active in the running configuration.
Default: The security credentials described in Security settings that can be saved are not stored in the running configuration.
radius-tacacs-only
When executed with the radius-tacacs-only option, only the RADIUS and TACACS security keys are included in the configuration when saving files remotely. The radius-tacacs-only option can be disabled with either command:
[no]include-credentials
[no]include-credentials radius-tacacs-only
store-in-config
Stores passwords and SSH authorized keys in the configuration files. This happens automatically when include-credentials is enabled.
[no]include-credentials store-in-config
The [no]include-credentials store-in-config command disables include-credentials and removes credentials stored in the configuration files. The switch reverts to storing only a single set of passwords and SSH keys, regardless of which configuration file is booted.
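Because include-credentials places secrets in configuration files saved to a remote server, it is worth checking which credential classes a saved file actually carries. The following is an added example, not part of the original documentation: the line patterns are assumed ProCurve-style syntax that the page does not show, and the sample configurations are constructed placeholders.

```python
import re

# Assumed ProCurve-style line patterns (not taken from the page); adjust them
# to the syntax your software release actually writes into saved configs.
PATTERNS = {
    "manager/operator password": re.compile(r"^\s*password\s+(manager|operator)\b", re.I),
    "SSH public key": re.compile(r"^\s*ip\s+ssh\s+public-key\b", re.I),
    "SNMPv3 auth/priv": re.compile(r"^\s*snmpv3\s+user\b.*\b(auth|priv)\b", re.I),
    "RADIUS/TACACS key": re.compile(r"^\s*(radius-server|tacacs-server)\b.*\bkey\b", re.I),
}
AAA_ONLY = {"RADIUS/TACACS key"}

# Constructed sample exports; every value is a placeholder.
SAMPLE_AAA_ONLY = """\
hostname "sw-example"
radius-server host 192.0.2.10 key "EXAMPLE-SECRET"
tacacs-server key "EXAMPLE-SECRET"
vlan 1
"""
SAMPLE_FULL = SAMPLE_AAA_ONLY + """\
password manager user-name "admin" sha1 "EXAMPLE-HASH"
ip ssh public-key manager "ssh-rsa EXAMPLE-KEY admin@example"
"""
SAMPLE_CLEAN = 'hostname "sw-example"\nvlan 1\n'


def find_credentials(config_text):
    """Return {credential class: [line numbers]} without echoing secret values."""
    hits = {}
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        for label, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.setdefault(label, []).append(lineno)
    return hits


def classify(config_text):
    """Map the credential classes found to the mode the saved file implies."""
    found = set(find_credentials(config_text))
    if not found:
        return "no credentials in file"
    if found <= AAA_ONLY:
        return "consistent with radius-tacacs-only"
    return "consistent with full include-credentials"


if __name__ == "__main__":
    for name, text in [("aaa", SAMPLE_AAA_ONLY), ("full", SAMPLE_FULL), ("clean", SAMPLE_CLEAN)]:
        print(name, classify(text), find_credentials(text))
```

Run it against configuration backups on the remote server; a file that classifies as full include-credentials needs the same access controls as the switch passwords and keys themselves.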