The include-credentials radius-tacacs-only option

This option allows you to execute include-credentials for only RADIUS and TACACS. The radius-tacacs-only option does not cause the switch to store authentication passwords and SSH keys in the configuration file.


[no] include-credentials [radius-tacacs-only|store-in-config]

Enables the inclusion of passwords and security credentials in each configuration file when the file is saved onto a remote server or workstation. When [no]include-credentials is executed, include-credentials is disabled. Credentials continue to be stored in the active and inactive configuration files but are not displayed.


When executed with the radius-tacacs-only option, only the RADIUS and TACACS security keys are included in the configuration when saving files remotely.

The radius-tacacs-only option can be disabled with either command:

[no] include-credentials

[no] include-credentials radius-tacacs-only


Stores passwords and SSH authorized keys in the configuration files. This happens automatically when include-credentials is enabled.

The [no] include-credentials store-in-config command disables the include-credentials command and removes credentials stored in the configuration files. The switch reverts to storing only a single set of passwords and SSH keys, regardless of which configuration file is booted.

When include-credentials radius-tacacs-only is executed, a warning message displays.

Caution message displayed for the radius-tacacs-only option

switch(config)# include-credentials radius-tacacs-only
                              **** CAUTION ****
This will insert possibly sensitive information in switch configuration files,
and as a part of some CLI commands output. It is strongly recommended that you
use SFTP rather than TFTP for transfer of the configuration over the network,
and that you use the web configuration interface only with SSL enabled.

Erasing configurations with ‘include-credentials’ enabled will erase stored
passwords and security credentials. The system will reboot with the factory
default configuration.