Include-Credentials

include-credentials radius-tacacs-only option

This option allows you to execute include-credentials for only RADIUS and TACACS. The option radius-tacacs-only does not cause the switch to store authentication passwords and SSH keys in the configuration file.

Syntax

[no] include-credentials [ radius-tacacs-only | store-in-config ]

Enables the inclusion of passwords and security credentials in each configuration file when the file is saved onto a remote server or workstation. When [no]include-credentials is executed, include-credentials is disabled. Credentials continue to be stored in the active and inactive configuration files but are not displayed.

radius-tacacs-only

When executed with the radius-tacacs-only option, only the RADIUS and TACACS security keys are included in the configuration when saving files remotely.

The radius-tacacs-only option can be disabled with either command:

[no]include-credentials

[no]include-credentials radius-tacacs-only

store-in-config

Stores passwords and SSH authorized keys in the configuration files. This happens automatically when include-credentials is enabled.

The [no]include-credentials store-in-config command disables the include-credentials command and removes credentials stored in the configuration files. The switch reverts to storing only a single set of passwords and SSH keys, regardless of which configuration file is booted.

When include-credentials radius-tacacs-only is executed, a warning message displays.

Display of caution message for radius-tacacs-only option

Displaying the status of include-credentials on the switch

The show include-credentials command provides the current status of include-credentials on the switch.

Syntax

show include-credentials

Displays information about the passwords and SSH keys stored in the configuration.

Stored in configuration — yes

The passwords and SSH keys are stored in the configuration. Include-credentials was executed.

Stored in configuration — no

There is only one set of operator/manager passwords and one set of SSH keys for the switch.

Enabled in active configuration

Include-credentials is either enabled or disabled.

RADIUS/TACACS only

Displayed when the option is configured.

Output for show include credentials command

Output for show include credentials command

Executing include-credentials or include-credentials store-in-config

When include-credentials or include-credentials store-in-config is executed on a switch for the first time, the passwords and SSH keys are not currently stored in the configuration file (not activated.) This prompts the a caution message.

Caution message

This caution message can also appear if you have successfully executed the [no] include-credentials store-in-config command.

Storage states when using include-credentials

The following table shows the states of several access types when the factory default settings are in effect or when include-credentials is enabled or not enabled.

Switch storage states

Type Factory Default Enabled Include-Credentials Disabled but Active No Include- Credentials Executed
manager/operator passwords & port access single set for switch — stored outside config — not displayed in config file one set per — stored config — stored in config'— displayed in config Same as includecredentials enabled— not displayed in config one set for switch —[no] credentials displayed in config
SSH Public Key one set for switch — stored in flash— not displayed in config one set per — stored config — stored in flash— displayed in config same as includecredentials enabled — not displayed in config one set for switch— no credentials displayed in config
SNMPv3 auth and priv stored in flash— not displayed in config stored in flash— displayed in config Same as includecredentials enabled— not displayed in config no credentials displayed in config
RADIUS & TACACS keystrings not displayed in config stored in flash displayed in config Same as includecredentials enabled— not displayed in config no credentials displayed in config

[NOTE: ]

NOTE: When [no] include-credentials store-in-config command is executed, the switch is restored to its default state and only stores one set of operator/manager passwords and SSH keys.


[no]include-credentials store-in-config option

The [no]include-credentials command disables include-credentials. Credentials continue to be stored in the active and inactive configurations, but are not displayed in the config file.

When [no]include-credentials is used with the store-in-config option, includecredentials is disabled and the credentials stored in the config files are removed. The switch is restored to its default state and only stores one set of operator/manager passwords and SSH keys. If you choose to execute the [no]include-credentials store-in-config command, you are also presented with the option of setting new switch passwords.

You are queried about retaining the current SSH authorized keys on the switch. If you enter “y”, the currently active authorized key files are renamed to the pre-include-credentials names, for example:

/file/mgr_auth_keys.2 -> /file/mgr_auth_keys /

/file/authorized_keys.2 -> /file/authorized_keys

All remaining authorized keys files with an extension are deleted.

Example of [no] include-credentials store-in-config messages and options

Enabling the storage and display of security credentials

To enable the security settings, enter the include-credentials command.

Syntax

[no] include-credentials [ radius-tacacs-only | store-in-config ]

Enables the inclusion and display of the currently configured manager and operator user names and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public keys in the running configuration. (Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running-config file.)

To view the currently configured security settings in the running configuration, enter one of the following commands:

  • show running-config: Displays the configuration settings in the current running-config file.

  • write terminal: Displays the configuration settings in the current running-config file.

See “Switch Memory and Configuration” in the basic operation guide.

To view the current status of include-credentials on the switch, enter show include-credentials. See Displaying the status of include-credentials on the switch.

The [no] form of the command disables only the display and copying of these security parameters from the running configuration, while the security settings remain active in the running configuration.

Default: The security credentials described in Security settings that can be saved are not stored in the running configuration.

radius-tacacs-only

When executed with the radius-tacacs-only option, only the RADIUS and TACACS security keys are included in the configuration when saving files remotely.

The radius-tacacs-only option can be disabled with either command

  • [no]include-credentials

  • [no]include-credentials radius-tacacs-only

store-in-config:

Stores passwords and SSH authorized keys in the configuration files. This happens automatically when include-credentials is enabled.

[no]include-credentials store-in-config

The [no]include-credentials store-in-config command disables includecredentials and removes credentials stored in the configuration files. The switch reverts to storing only a single set of passwords and SSH keys, regardless of which configuration file is booted.