Operating Notes


[CAUTION: ]

CAUTION:

  • When you first enter the include-credentials command to save the additional security credentials to the running configuration, these settings are moved from internal storage on the switch to the running-config file. You are prompted by a warning message to perform a write memory operation to save the security credentials to the startup configuration. The message reminds you that if you do not save the current values of these security settings from the running configuration, they are lost the next time you boot the switch and revert to the values stored in the startup configuration.

  • When you boot a switch with a startup configuration file that contains the include-credentials command, any security credentials that are stored in internal flash memory are ignored and erased. The switch loads only the security settings in the startup configuration file.

  • Security settings are no longer automatically saved internally in flash memory and loaded with the startup configuration when a switch boots up. The configuration of all security credentials requires that you use the write memory command to save them in the startup configuration in order for them to not be lost when you log off. A warning message reminds you to permanently save a security setting.


  • After you enter the include-credentials command, the currently configured manager and operator user names and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public keys are saved in the running configuration.

    Use the [no] include-credentials command to disable the display and copying of these security parameters from the running configuration using the show running-config and copy running-config commands without disabling the configured security settings on the switch.

    After you enter the include-credentials command, you can toggle between the non-display and display of security credentials in show and copy command output by alternately entering the [no] include-credentials and include-credentials commands.

  • After you permanently save security configurations to the current startupconfig file using the write memory command, you can view and manage security settings with the following commands.

    show config

    Displays the configuration settings in the current startup-config file.

    copy config

    copy config source-filename config target-filename: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot.

    copy config tftp

    Uploads a configuration file from the switch to a TFTP server

    copy tftp config

    Downloads a configuration file from a TFTP server to the switch.

    copy config xmodem

    Uploads a configuration file from the switch to an Xmodem host.

    copy xmodem config

    Downloads a configuration file from an Xmodem host to the switch.

    For more information, see “Transferring Startup-Config Files To or From a Remote Server” in the management and configuration guide.

  • The switch can store up to three configuration files. Each configuration file contains its own security credentials and these security configurations can differ. It is the responsibility of the system administrator to ensure that the appropriate security credentials are contained in the configuration file that is loaded with each software image and that all security credentials in the file are supported.

  • If you have already enabled the storage of security credentials (including local manager and operator passwords) by entering the include credentials command, the Reset-on-clearoption is disabled. When you press the Clear button on the front panel, the manager and operator user names and passwords are deleted from the running configuration. However, the switch does not reboot after the local passwords are erased. (The Reset-on-clear option normally reboots the switch when you press the Clear button.)

    See Configuring front panel security.

  • If you load a prior software version that does not contain the encryptcredentials feature, it is important to back up the configuration and then execute the erase startup command on the switch. Features that have encrypted parameters configured do not work until those parameters are cleared and reconfigured.

  • Hewlett Packard Enterprise recommends that when executing an encrypted-<option> command, you copy and paste the encrypted parameter from a known encrypted password that has been generated on the same switch or another switch with the same pre-shared key (whether user-specified or a default key). If an incorrectly encrypted parameter is used, it is highly likely that the decrypted version will contain incorrect characters, and neither key function correctly or be displayed in any show command.

Interaction with include-credentials settings

The following table shows the interaction between include-credentials settings and encrypt-credentials settings when displaying or transferring the configuration.

Interactions

include-credentials Active include-credentials Enabled encrypt-credentials Enabled Resulting behavior for sensitive data
      Hidden (default)
    Yes Shown, encrypted
  Yes   n/a
  Yes Yes n/a
Yes     Hidden
Yes   Yes Shown, encrypted
Yes Yes   Shown, plaintext
Yes Yes Yes Shown, encrypted