Saving user name and password security

Security settings that can be saved

The security settings that can be saved to a configuration file are:

  • Local manager and operator passwords and user names.

  • SNMP security credentials, including SNMPv1 community names and SNMPv3 user names, authentication, and privacy settings.

  • 802.1X port-access passwords and user names.

  • TACACS+ encryption keys.

  • RADIUS shared secret (encryption) keys.

  • Public keys of SSH-enabled management stations that are used by the switch to authenticate SSH clients that try to connect to the switch.

Benefits of saving security credentials

The benefits of including and saving security credentials in a configuration file are:

  • After making changes to security parameters in the running configuration, you can experiment with the new configuration and, if necessary, view the new security settings during the session. After verifying the configuration, you can then save it permanently by writing the settings to the startup-config file.

  • By permanently saving a switch's security credentials in a configuration file, you can upload the file to a TFTP server or Xmodem host, and later download the file to the switches on which you want to use the same security settings without having to manually configure the settings (except for SNMPv3 user parameters) on each switch. Because the file then carries the credentials, treat it as a secret: TFTP and Xmodem transfer it without encryption, and anyone who can read the file obtains the shared keys, community names and password hashes it contains.

  • By storing different security settings in different files, you can test different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot the switch.

For more information about how to experiment with, upload, download, and use configuration files with different software versions, see:

Saving local manager and operator passwords

The information saved to the running-config file when the include-credentials command is entered includes:

password manager [user-name <name>] <hash-type> <pass-hash>
password operator [user-name <name>] <hash-type> <pass-hash>

where

<name>

is an alphanumeric string for the user name assigned to the manager or operator.

<hash-type>

indicates the type of hash algorithm used: SHA-1 or plain text.

<pass-hash>

is the SHA-1 authentication protocol's hash of the password or clear ASCII text.

For example, a manager user name and password can be stored in a running-config file as follows:

Manager/User name storage

Use the write memory command to save the password configurations in the startup-config file. The passwords take effect when the switch boots with the software version associated with that configuration file.


CAUTION: If a startup-config file includes other security credentials, but does not contain a manager or operator password, the switch does not have password protection and can be accessed through Telnet, the serial port, or WebAgent with full manager privileges.


Saving SNMP security credentials

SNMPv1 community names and write-access settings, and SNMPv3 user names, are saved in the startup-config file whether or not the include-credentials command is entered.

In addition, the following SNMPv3 security parameters are saved:

snmpv3 user <name> [auth <md5 | sha> <auth-pass>] [priv <priv-pass>]

where

<name>

is the name of an SNMPv3 management station.

[ auth <md5 | sha> ]

is the optional authentication method used for the management station.

auth-pass is the hashed authentication password used with the configured authentication method.

[ priv <priv-pass> ]

is the optional hashed privacy password used by a privacy protocol to encrypt SNMPv3 messages between the switch and the station.

The following example shows the additional security credentials for SNMPv3 users that can be saved in a running-config file:

Example of security credentials saved in the running-config

Although you can enter an SNMPv3 authentication or privacy password in either clear ASCII text or as the SHA-1 hash of the password, the password is displayed and saved in a configuration file only in hashed format, as shown in Example of security credentials saved in the running-config.

For more information about the configuration of SNMP security parameters, see "Configuring for Network Management Applications" in the management and configuration guide for your switch.

Storing 802.1X port-access credentials

802.1X authenticator (port-access) credentials can be stored in a configuration file.

  • 802.1X authenticator credentials are used by a port to authenticate supplicants requesting a point-to-point connection to the switch.

  • 802.1X supplicant credentials are used by the switch to establish a point-to-point connection to a port on another 802.1X-aware switch.

Only 802.1X authenticator credentials are stored in a configuration file. For information about how to use 802.1X on the switch both as an authenticator and a supplicant, see the 802.1X port-access chapter of the access security guide for your switch.

The local password configured with the password command is no longer accepted as an 802.1X authenticator credential. A new configuration command password port-access is introduced to configure the local operator user name and password used as 802.1X authentication credentials for access to the switch.

The password port-access values are now configured separately from the manager and operator passwords configured with the password manager and password operator commands and used for management access to the switch. For information on the new password command syntax, see Setting a new console password.

After entering the complete password port-access command, the password is set. You are not prompted to enter the password a second time.
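The following Python script is an added example; it is not part of the switch documentation and not an HPE tool. It audits a saved running-config for the points made in the three credential sections above: whether the file carries credentials at all (and so must be protected when it is uploaded to a TFTP server, which transfers it unencrypted), whether any local password is saved as plain text rather than as a SHA-1 hash, whether the RADIUS and TACACS+ keys are readable, and the CAUTION case where other credentials are present but no manager password is. The sample config is constructed; the quoting of names and values, the plaintext keyword, and the exact form of the password port-access line are assumptions about how the switch prints these lines. The last function assumes that the stored SHA-1 value is an unsalted hash of the password, as the description of <pass-hash> above suggests; if that holds, anyone who obtains the file can test the hashes against a wordlist offline, which is one more reason to treat the file itself as a secret.

```python
"""Audit a switch config saved with include-credentials (added example,
not from the switch documentation). Line forms follow the syntax shown in
this section; quoting, the 'plaintext' keyword and the 'password port-access'
line form are assumptions about how the switch prints them."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    kind: str   # manager | operator | port-access | snmpv3 | radius | tacacs
    name: str   # local user name, SNMPv3 user name, or AAA server address
    form: str   # sha1 | plaintext | hashed (SNMPv3 auth/priv) | clear (AAA key)
    value: str


# password <manager|operator|port-access> [user-name <name>] <sha1|plaintext> <pass-hash>
_LOCAL_PW = re.compile(
    r'^password\s+(?P<kind>manager|operator|port-access)'
    r'(?:\s+user-name\s+"?(?P<name>[^"\s]+)"?)?'
    r'\s+(?P<form>sha1|plaintext)\s+"?(?P<value>[^"\s]+)"?\s*$', re.MULTILINE)
# snmpv3 user <name> [auth <md5|sha> <auth-pass>] [priv <priv-pass>]
_SNMPV3 = re.compile(
    r'^snmpv3\s+user\s+"?(?P<name>[^"\s]+)"?'
    r'(?:\s+auth\s+(?P<alg>md5|sha)\s+"?(?P<apass>[^"\s]+)"?)?'
    r'(?:\s+priv\s+"?(?P<ppass>[^"\s]+)"?)?\s*$', re.MULTILINE)
# radius-server host <addr> key <secret>  /  tacacs-server host <addr> key <secret>
_AAA_KEY = re.compile(
    r'^(?P<kind>radius|tacacs)-server\s+host\s+(?P<name>\S+)\s+key\s+"?(?P<value>[^"\s]+)"?',
    re.MULTILINE)


def parse_credentials(config: str) -> list[Credential]:
    """Extract every credential line that include-credentials adds to the config."""
    creds = []
    for m in _LOCAL_PW.finditer(config):
        creds.append(Credential(m["kind"], m["name"] or "", m["form"], m["value"]))
    for m in _SNMPV3.finditer(config):
        for secret in (m["apass"], m["ppass"]):
            if secret:
                creds.append(Credential("snmpv3", m["name"], "hashed", secret))
    for m in _AAA_KEY.finditer(config):
        creds.append(Credential(m["kind"], m["name"], "clear", m["value"]))
    return creds


def audit(config: str) -> dict:
    """Report what a saved config exposes and whether it leaves the switch open."""
    creds = parse_credentials(config)
    kinds = {c.kind for c in creds}
    findings = []
    # The CAUTION case: other credentials are saved but no manager password is,
    # so the switch boots with full manager access and no password check.
    if creds and "manager" not in kinds:
        findings.append("no manager password: console, Telnet and WebAgent "
                        "open with manager privileges")
    for c in creds:
        if c.form == "plaintext":
            findings.append(f"{c.kind} password for user {c.name!r} is saved in clear text")
        elif c.form == "clear":
            findings.append(f"{c.kind} shared secret for {c.name} is readable in this file")
    return {"kinds": sorted(kinds), "has_secrets": bool(creds), "findings": findings}


def crackable_sha1(creds: list[Credential], wordlist: list[str]) -> dict:
    """Return {user: password} for sha1 entries that match a wordlist.
    Assumes the stored value is an unsalted SHA-1 of the password."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {c.name: table[c.value] for c in creds
            if c.form == "sha1" and c.value in table}


# Constructed sample running-config excerpt (not captured from a real switch).
_WEAK = hashlib.sha1(b"admin").hexdigest()
_STRONG = hashlib.sha1(b"Q7v!mD2#wLp9@rX4").hexdigest()
_AUTH_HASH, _PRIV_HASH = "a" * 40, "b" * 40
SAMPLE_CONFIG = f"""\
hostname "core-sw1"
include-credentials
password manager user-name "admin" sha1 "{_WEAK}"
password operator user-name "ops" plaintext "letmein"
password port-access user-name "dot1x" sha1 "{_STRONG}"
snmpv3 user "netmon" auth sha "{_AUTH_HASH}" priv "{_PRIV_HASH}"
radius-server host 10.0.0.5 key "r4diusK3y"
tacacs-server host 10.0.0.6 key "t4cacsK3y"
"""
# The same file with the manager password line deleted: the CAUTION case.
NO_MANAGER_CONFIG = "\n".join(
    line for line in SAMPLE_CONFIG.splitlines() if not line.startswith("password manager"))

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("no-manager", NO_MANAGER_CONFIG)):
        print(label, audit(cfg))
    print("weak sha1:", crackable_sha1(parse_credentials(SAMPLE_CONFIG), ["admin", "password"]))
```

Run it against a copy of a startup-config pulled from the TFTP server before that copy is pushed to another switch: an empty findings list plus has_secrets false means the file can be handled like any other config; anything else means it must be stored and transferred with the same care as the passwords themselves.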

Storage states when using include-credentials

The following table shows the states of several access types under the factory default settings, with include-credentials enabled, with include-credentials disabled but still active, and after [no] include-credentials has been executed.

manager/operator passwords & port access
  Factory default: single set for switch; stored outside config; not displayed in config file.
  include-credentials enabled: one set per stored config; stored in config; displayed in config.
  include-credentials disabled but active: same as include-credentials enabled; not displayed in config.
  [no] include-credentials executed: one set for switch; no credentials displayed in config.

SSH public key
  Factory default: one set for switch; stored in flash; not displayed in config.
  include-credentials enabled: one set per stored config; stored in flash; displayed in config.
  include-credentials disabled but active: same as include-credentials enabled; not displayed in config.
  [no] include-credentials executed: one set for switch; no credentials displayed in config.

SNMPv3 auth and priv
  Factory default: stored in flash; not displayed in config.
  include-credentials enabled: stored in flash; displayed in config.
  include-credentials disabled but active: same as include-credentials enabled; not displayed in config.
  [no] include-credentials executed: no credentials displayed in config.

RADIUS & TACACS+ key strings
  Factory default: not displayed in config.
  include-credentials enabled: stored in flash; displayed in config.
  include-credentials disabled but active: same as include-credentials enabled; not displayed in config.
  [no] include-credentials executed: no credentials displayed in config.


NOTE: When no include-credentials store-in-config is executed, the switch is restored to its default state and stores only one set of operator/manager passwords and SSH keys.