Enabling the storage and display of security credentials

To enable the security settings, enter the include-credentials command.


[no] include-credentials [radius-tacacs-only|store-in-config]

Enables the inclusion and display of the currently configured manager and operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public keys in the running configuration. (Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running-config file.)

To view the currently configured security settings in the running configuration, enter one of the following commands:

  • show running-config

    : Displays the configuration settings in the current running-config file.

  • write terminal

    : Displays the configuration settings in the current running-config file.

For more information, see “Switch Memory and Configuration” in the basic operation guide.

To view the current status of include-credentials on the switch, enter show include-credentials. See Displaying the status of include-credentials.

The [no] form of the command disables only the display and copying of these security parameters from the running configuration, while the security settings remain active in the running configuration.

Default: The security credentials described in Security settings that can be saved are not stored in the running configuration.


When executed with the radius-tacacs-only option, only the RADIUS and TACACS security keys are included in the configuration when saving files remotely.

The radius-tacacs-only option can be disabled with either command

  • [no]include-credentials
  • [no]include-credentials radius-tacacs-only

Stores passwords and SSH authorized keys in the configuration files. This happens automatically when include-credentials is enabled.

[no]include-credentials store-in-config

The [no]include-credentials store-in-config command disables include-credentials and removes credentials stored in the configuration files. The switch reverts to storing only a single set of passwords and SSH keys, regardless of which configuration file is booted.