This option allows you to execute include-credentials for only RADIUS and TACACS. The option radius-tacacs-only does not cause the switch to store authentication passwords and SSH keys in the configuration file.
Enables the inclusion of passwords and security credentials in each configuration file when the file is saved onto a remote server or workstation. When [no] include-credentials is executed, include-credentials is disabled. Credentials continue to be stored in the active and inactive configuration files but are not displayed.
radius-tacacs-only |
When executed with the The
|
store-in-config |
Stores passwords and SSH authorized keys in the configuration files. This happens automatically when The |
When include-credentials radius-tacacs-only is executed, a warning message displays.
The show include-credentials command provides the current status of include-credentials on the switch.
Syntax
Displays information about the passwords and SSH keys stored in the configuration.
Field | Meaning
---|---
Stored in configuration — yes | The passwords and SSH keys are stored in the configuration. Include-credentials was executed.
Stored in configuration — no | There is only one set of operator/manager passwords and one set of SSH keys for the switch.
Enabled in active configuration |
RADIUS/TACACS only | Displayed when the option is configured.
When include-credentials or include-credentials store-in-config is executed on a switch for the first time, the passwords and SSH keys are not currently stored in the configuration file (not activated). This prompts a caution message.
This caution message can also appear if you have successfully executed the [no] include-credentials store-in-config command.
The following table shows the states of several access types when the factory default settings are in effect or when include-credentials is enabled or not enabled.
Switch storage states
Type | Factory Default | Include-Credentials Enabled | Include-Credentials Disabled but Active | No Include-Credentials Executed
---|---|---|---|---
manager/operator passwords & port access | single set for switch — stored outside config — not displayed in config file | one set per stored config — stored in config — displayed in config | same as include-credentials enabled — not displayed in config | one set for switch — no credentials displayed in config
SSH Public Key | one set for switch — stored in flash — not displayed in config | one set per stored config — stored in flash — displayed in config | same as include-credentials enabled — not displayed in config | one set for switch — no credentials displayed in config
SNMPv3 auth and priv | stored in flash — not displayed in config | stored in flash — displayed in config | same as include-credentials enabled — not displayed in config | no credentials displayed in config
RADIUS & TACACS keystrings | not displayed in config | stored in flash — displayed in config | same as include-credentials enabled — not displayed in config | no credentials displayed in config
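The status fields and storage states described above can be checked across many switches before configuration files are copied to a remote server. The following is an added example, not part of the original documentation: the "Label : Yes/No" output layout, the host names, and the reading of "stored but not enabled" as the "Disabled but Active" column are assumptions, and the sample outputs are constructed.

```python
import re

# Constructed sample outputs, not captured from a real switch. The
# "Label : Yes/No" layout and the host names are assumptions.
SAMPLES = {
    "sw-default": "Stored in Configuration         : No\n",
    "sw-enabled": ("Stored in Configuration         : Yes\n"
                   "Enabled in Active Configuration : Yes\n"
                   "RADIUS/TACACS Only              : No\n"),
    "sw-disabled-active": ("Stored in Configuration         : Yes\n"
                           "Enabled in Active Configuration : No\n"
                           "RADIUS/TACACS Only              : No\n"),
    "sw-rt-only": ("Stored in Configuration         : No\n"
                   "Enabled in Active Configuration : Yes\n"
                   "RADIUS/TACACS Only              : Yes\n"),
}

# Accept ":", "-" or an em dash (U+2014) between the label and yes/no.
FIELD_RE = re.compile(
    r"^\s*(?P<label>[A-Za-z/ ]+?)\s*[:\u2014-]\s*(?P<value>yes|no)\s*$", re.I)

def parse_status(text):
    """Return {lower-cased field label: bool} for every yes/no line."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m["label"].lower()] = m["value"].lower() == "yes"
    return fields

def classify(fields):
    """Map the three fields onto the storage states in the table above."""
    if fields.get("radius/tacacs only"):
        return "radius-tacacs-only"    # only RADIUS/TACACS keystrings included
    if not fields.get("stored in configuration"):
        return "not-stored"            # one set per switch, nothing in config
    if fields.get("enabled in active configuration"):
        return "enabled"               # credentials displayed in config files
    return "disabled-but-active"       # stored in config, but not displayed

def hosts_exporting_secrets(outputs):
    """Hosts whose saved or copied config files will display credentials."""
    risky = {"enabled", "radius-tacacs-only"}
    return sorted(h for h, out in outputs.items()
                  if classify(parse_status(out)) in risky)

if __name__ == "__main__":
    for host, out in SAMPLES.items():
        print(f"{host:20} {classify(parse_status(out))}")
    print("review before copying configs off-box:", hosts_exporting_secrets(SAMPLES))
```

Hosts reported by hosts_exporting_secrets are the ones whose configuration backups should be treated as secret material on the receiving server or workstation.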
The [no] include-credentials command disables include-credentials. Credentials continue to be stored in the active and inactive configurations, but are not displayed in the config file.
When [no] include-credentials is used with the store-in-config option, include-credentials is disabled and the credentials stored in the config files are removed. The switch is restored to its default state and only stores one set of operator/manager passwords and SSH keys. If you choose to execute the [no] include-credentials store-in-config command, you are also presented with the option of setting new switch passwords.
You are queried about retaining the current SSH authorized keys on the switch. If you enter “y”, the currently active authorized key files are renamed to the pre-include-credentials names, for example:
/file/mgr_auth_keys.2 -> /file/mgr_auth_keys
/file/authorized_keys.2 -> /file/authorized_keys
All remaining authorized keys files with an extension are deleted.
To enable the security settings, enter the include-credentials command.
Syntax
Enables the inclusion and display of the currently configured manager and operator user names and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public keys in the running configuration. (Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running-config file.)
To view the currently configured security settings in the running configuration, enter one of the following commands:
See “Switch Memory and Configuration” in the Basic Operation Guide.
To view the current status of include-credentials on the switch, enter show include-credentials. See Displaying the status of include-credentials on the switch.
The [no] form of the command disables only the display and copying of these security parameters from the running configuration, while the security settings remain active in the running configuration.
Default: The security credentials described in Security settings that can be saved are not stored in the running configuration.