You can store and view the following security settings in the running-config file associated with the current software image by entering the include-credentials command (formerly this information was stored only in internal flash memory):
-
Local manager and operator passwords and (optional) usernames that control access to a management session on the switch through the CLI, menu interface, or WebAgent.
-
SNMP security credentials used by network management stations to access a switch, including authentication and privacy passwords.
-
Port-access passwords and usernames used as 802.1X authentication credentials for access to the switch.
-
TACACS+ encryption keys used to encrypt packets and secure authentication sessions with TACACS+ servers keys.
-
RADIUS shared secret (encryption) keys used to encrypt packets and secure authentication sessions with RADIUS servers.
-
Secure Shell (SSH) public keys used to authenticate SSH clients that try to connect to the switch.
The benefits of including and saving security credentials in a configuration file are:
-
After making changes to security parameters in the running configuration, you can experiment with the new configuration and, if necessary, view the new security settings during the session. After verifying the configuration, you can then save it permanently by writing the settings to the startup-config file.
-
By permanently saving a switch security credentials in a configuration file, you can upload the file to a TFTP server or Xmodem host, and later download the file to the HP switches on which you want to use the same security settings without having to manually configure the settings (except for SNMPv3 user parameters) on each switch.
-
By storing different security settings in different files, you can test different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot the switch.
For more information about how to experiment with, upload, download, and use configuration files with different software versions, see:
-
"Switch Memory and Configuration" in the Management and Configuration Guide.
To enable the security settings, enter the include-credentials command.
Syntax:
Enables the inclusion and display of the currently configured manager and operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public keys in the running configuration. (Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running-config file.)
To view the currently configured security settings in the running configuration, enter one of the following commands:
For more information, see “Switch Memory and Configuration” in the Basic Operation Guide.
To view the current status of include-credentials on the switch, enter
show include-credentials. See Displaying the status of include-credentials.The
[no]form of the command disables only the display and copying of these security parameters from the running configuration, while the security settings remain active in the running configuration.Default: The security credentials described in Security settings that can be saved are not stored in the running configuration.
The security settings that can be saved to a configuration file are:
-
Local manager and operator passwords and usernames
-
SNMP security credentials, including SNMPv1 community names and SNMPv3 usernames, authentication, and privacy settings
-
802.1X port-access passwords and usernames
-
TACACS+ encryption keys
-
RADIUS shared secret (encryption) keys
-
Public keys of SSH-enabled management stations that are used by the switch to authenticate SSH clients that try to connect to the switch
When include-credentials or include-credentials store-in-config is executed for the first time (for example, on a new switch) or when you have successfully executed the no include-credentials store-in-config command, the passwords and SSH keys are not currently stored in the configuration file (not activated). The following example shows the caution message displayed.
Caution message
HP Switch(config)# include-credentials
**** CAUTION ****
You have invoked the command 'include-credentials'. This action will make changes
to the password and SSH public-key storage.
It will affect *all* stored configurations, which might need to be updated.
Those credentials will no longer be readable by older software revisions.
It also may break some of your existing user scripts. Continue?[y/n] y
Erasing configurations with ‘include-credentials’ enabled will erase stored
passwords and security credentials. The system will reboot with the factory
default configuration.
Proceed?[y/n]
This caution message can also appear if you have successfully executed the [no] include-credentials store-in-config command.
The [no]include-credentials command disables include-credentials. Credentials continue to be stored in the active and inactive configurations, but are not displayed in the config file.
When [no]include-credentials is used with the store-in-config option, include-credentials is disabled and the credentials stored in the config files are removed. The switch is restored to its default state and only stores one set of operator/manager passwords and SSH keys.
If you choose to execute the [no]include-credentials store-in-config command, you are also presented with the option of setting new switch passwords.
You are queried about retaining the current SSH authorized keys on the switch. If you enter “y”, the currently active authorized key files are renamed to the pre-include-credentials names, for example:
/file/mgr_auth_keys.2 -> /file/mgr_auth_keys/file/authorized_keys.2 -> /file/authorized_keys
All remaining authorized keys files with an extension are deleted.
The no include-credentials store-in-config messages and options
HP Switch(config)# no include-credentials store-in-config This will remove any switch passwords and inactive SSH authorized keys from all configuration files. This will also restore the functionality to store only a single set of passwords and authorized keys on the switch. Do you want to continue (y/n)? y The SSH authorized keys associated with the active configuration will be deleted. Would you like to retain these as the switch global SSH authorized keys (y/n)? y Do you want to set new switch passwords (y/n)? y operator username: admin operator password: ******** Confirm password: ******** manager username: GeorgeV manager password: ******** Confirm password: ******** HP Switch(config)#
The information saved to the running-config file when the include-credentials command is entered includes:
<name>is an alphanumeric string for the user name assigned to the manager or operator.
<hash-type>indicates the type of hash algorithm used: SHA-1 or plain text.
<pass-hash>is the SHA-1 authentication protocol’s hash of the password or clear ASCII text.
For example, a manager username and password can be stored in a runningconfig file as follows:
Use the write memory command to save the password configurations in the startup-config file. The passwords take effect when the switch boots with the software version associated with that configuration file.
|
|
|
![[CAUTION: ]](images/caution.gif) |
CAUTION: If a startup configuration file includes other security credentials, but does not contain a manager or operator password, the switch will not have password protection and can be accessed through Telnet or the serial port of the switch with full manager privileges. |
|
|
The password command has the following options:
Syntax:
Set or clear a local username/password for a given access level.
For more information about configuring local manager and operator passwords, see Configuring Username and Password Security.
SNMPv1 community names and write-access settings, and SNMPv3 usernames continue to be saved in the running configuration file even when you enter the include-credentials command.
In addition, the following SNMPv3 security parameters are also saved:
The following example shows the additional security credentials for SNMPv3 users that can be saved in a running-config file.
Security credentials saved in the running-config
snmpv3 user boris \ auth md5 “9e4cfef901f21cf9d21079debeca453” \ priv “82ca4dc99e782db1a1e914f5d8f16824” snmpv3 user alan \ auth sha “8db06202b8f293e9bc0c00ac98cf91099708ecdf” \ priv “5bc4313e9fd7c2953aaea9406764fe8bb629a538”
Although you can enter an SNMPv3 authentication or privacy password in either clear ASCII text or the SHA-1 hash of the password, the password is displayed and saved in a configuration file only in hashed format, as shown in the preceding example.
See “Configuring for Network Management Applications” in the Management and Configuration Guide for your switch for more information about the configuration of SNMP security parameters.
You can use TACACS+ servers to authenticate users who request access to a switch through Telnet (remote) or console (local) sessions. TACACS+ uses an authentication hierarchy consisting of:
When you configure TACACS+, the switch first tries to contact a designated TACACS+ server for authentication services. If the switch fails to connect to any TACACS+ server, it defaults to its own locally assigned passwords for authentication control if it has been configured to do so.
For improved security, you can configure a global or server-specific encryption key that encrypts data in TACACS+ packets transmitted between a switch and a RADIUS server during authentication sessions. The key configured on the switch must match the encryption key configured in each TACACS+ server application. (The encryption key is sometimes referred to as “shared secret” or “secret” key.)
TACACS+ shared secret (encryption) keys can be saved in a configuration file by entering this command:
The option < is the encryption key (in clear text) used for secure communication with all or a specific TACACS+ server.keystring>
You can use RADIUS servers as the primary authentication method for users who request access to a switch through Telnet, SSH, console, or port access (802.1X). The shared secret key is a text string used to encrypt data in RADIUS packets transmitted between a switch and a RADIUS server during authentication sessions. Both the switch and the server have a copy of the key; the key is never transmitted across the network.
RADIUS shared secret (encryption) keys can be saved in a configuration file by entering this command:
The option < is the encryption key (in clear text) used for secure communication with all or a specific RADIUS server.keystring>
This option allows you to execute include-credentials for only RADIUS and TACACS. The radius-tacacs-only option does not cause the switch to store authentication passwords and SSH keys in the configuration file.
Syntax:
Enables the inclusion of passwords and security credentials in each configuration file when the file is saved onto a remote server or workstation. When
[no]include-credentialsis executed, include-credentials is disabled. Credentials continue to be stored in the active and inactive configuration files but are not displayed.When executed with the
radius-tacacs-onlyoption, only the RADIUS and TACACS security keys are included in the configuration when saving files remotely.The
radius-tacacs-onlyoption can be disabled with either command:Stores passwords and SSH authorized keys in the configuration files. This happens automatically when
include-credentialsis enabled.The
[no] include-credentials store-in-configcommand disables theinclude-credentialscommand and removes credentials stored in the configuration files. The switch reverts to storing only a single set of passwords and SSH keys, regardless of which configuration file is booted.When
include-credentials radius-tacacs-onlyis executed, a warning message displays.
Caution message displayed for the radius-tacacs-only option
HP Switch(config)# include-credentials radius-tacacs-only
**** CAUTION ****
This will insert possibly sensitive information in switch configuration files,
and as a part of some CLI commands output. It is strongly recommended that you
use SFTP rather than TFTP for transfer of the configuration over the network,
and that you use the web configuration interface only with SSL enabled.
Erasing configurations with ‘include-credentials’ enabled will erase stored
passwords and security credentials. The system will reboot with the factory
default configuration.
Secure Shell version 2 (SSHv2) is used by HP switches to provide remote access to SSH-enabled management stations. Although SSH provides Telnet-like functions, unlike Telnet, SSH provides encrypted, two-way authenticated transactions. SSH client public-key authentication is one of the types of authentication used.
Client public-key authentication uses one or more public keys (from clients) that must be stored on the switch. Only a client with a private key that matches a public key stored on the switch can gain access at the manager or operator level. For more information about how to configure and use SSH public keys to authenticate SSH clients that try to connect to the switch, see Configuring Secure Shell (SSH).
The SSH security credential that is stored in the running configuration file is configured with the ip ssh public-key command used to authenticate SSH clients for manager or operator access, along with the hashed content of each SSH client public key.
Syntax:
![[NOTE: ]](images/note.gif)
To display the SSH public-key configurations (72 characters per line) stored in a configuration file, enter the show config or show running-config command. The following example shows the SSH public keys configured for manager access, along with the hashed content of each SSH client public key, that are stored in a configuration file.
SSH public keys
... include-credentials ip ssh public-key manager “ssh-dss \ AAAAB3NzaC1kc3MAAACBAPwJHSJmTRtpZ9BUNC+ZrsxhMuZEXQhaDME1vc/ \ EvYnTKxQ31bWvr/bT7W58NX/YJ1ZKTV2GZ2QJCicUUZVWjNFJCsa0v03XS4 \ BhkXjtHhz6gD701otgizUOO6/Xzf4/J9XkJHkOCnbHIqtB1sbRYBTxj3NzA \ K1ymvIaU09X5TDAAAAFQCPwKxnbwFfTPasXnxfvDuLSxaC7wAAAIASBwxUP \ pv2scqPPXQghgaTkdPwGGtdFW/+K4xRskAnIaxuG0qLbnekohi+ND4TkKZd \ EeidgDh7qHusBhOFXM2g73RpE2rNqQnSf/QV95kdNwWIbxuusBAzvfaJptd \ gca6cYR4xS4TuBcaKiorYj60kk144E1fkDWieQx8zABQAAAIEAu7/1kVOdS \ G0vE0eJD23TLXvu94plXhRKCUAvyv2UyK+piG+Q1el1w9zsMaxPA1XJzSY/ \ imEp4p6WXEMcl0lpXMRnkhnuMMpaPMaQUT8NJTNu6hqf/LdQ2kqZjUuIyV9 \ LWyLg5ybS1kFLeOt0oo2Jbpy+U2e4jh2Bb77sX3G5C0= spock@sfc.gov” \ ip ssh public-key manager ‘ssh-rsa \ AAAAB3NzaC1yc2EAAAADAQABAAAAgQDyO9RDD52JZP8k2F2YZXubgwRAN0R \ JRs1Eov6y1RK3XkmgVatzl+mspiEmPS4wNK7bX/IoXNdGrGkoE8tPkxlZOZ \ oqGCf5Zs50P1nkxXvAidFs55AWqOf4MhfCqvtQCe1nt6LFh4ZMig+YewgQG \ M6H1geCSLUbXXSCipdPHysakw== "TectiaClientKey [1024-bit rsa, \ nobody@testmachine, Mon Aug 15 2005 14:47:34]”’ ip ssh public-key manager “ssh-rsa \ AAAAB3NzaC1yc2EAAABIwAAAIEA1Kk9sVQ9LJOR6XO/hCMPxbiMNOK8C/ay \ +SQ10qGw+K9m3w3TmCfjh0ud9hivgbFT4F99AgnQkvm2eVsgoTtLRnfF7uw \ NmpzqOqpHjD9YzItUgSK1uPuFwXMCHKUGKa+G46A+EWxDAIypwVIZ697QmM \ qPFj1zdI4sIo5bDett2d0= joe@hp.com” ...
If a switch configuration contains multiple SSH client public keys, each public key is saved as a separate entry in the configuration file. You can configure up to 10 SSH client public keys on a switch.
The show include-credentials command provides the current status of include-credentials on the switch.
Syntax:
Displays information about the passwords and SSH keys stored in the configuration.
Stored in configuration — yes:
The passwords and SSH keys are stored in the configuration. Include-credentials was executed.
Stored in configuration — no:
There is only one set of operator/manager passwords and one set of SSH keys for the switch.
Enabled in active configuration:
Include-credentialsis either enabled or disabled.RADIUS/TACACS only:
Displayed when the option is configured.
The following table shows the states of several access types when the factory default settings are in effect or when include-credentials is enabled or not enabled.
Switch storage states
| Type | Factory default | Include-credentials enabled | Include-credentials disabled but active | No include- credentials executed (factory default) | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
Manager/Operator passwords & port access |
|
|
|
|
||||||
|
SSH Public Key |
|
|
|
|
||||||
|
SNMPv3 auth and priv |
|
|
|
|
||||||
|
SNTP auth |
|
|
|
|
||||||
|
RADIUS & TACACS keystrings |
|
|
|
|
||||||
|
||||||||||
-
After you enter the
include-credentialscommand, the currently configured manager and operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public keys are saved in the running configuration.Use the
no include-credentialscommand to disable the display and copying of these security parameters from the running configuration using theshow running-configandcopy running-configcommands without disabling the configured security settings on the switch.After you enter the
include-credentialscommand, you can toggle between the non-display and display of security credentials inshowandcopycommand output by alternately entering theno include-credentialsandinclude-credentialscommands. -
After you permanently save security configurations to the current startup-config file using the
write memorycommand, you can view and manage security settings with the following commands:-
show config: Displays the configuration settings in the current startup-config file. -
copy config <: Makes a local copy of an existing startup-config file by copying the contents of the startup-config file in one memory slot to a new startup-config file in another, empty memory slot.source-filename>config<target-filename> -
copy config tftp: Uploads a configuration file from the switch to a TFTP server. -
copy tftp config: Downloads a configuration file from a TFTP server to the switch. -
copy config xmodem: Uploads a configuration file from the switch to an Xmodem host. -
copy xmodem config: Downloads a configuration file from an Xmodem host to the switch.
For more information, see “Transferring startup-config files to or from a remote server” in the Management and Configuration Guide.
-
-
The switch can store up to three configuration files. Each configuration file contains its own security credentials and these security configurations can differ. It is the responsibility of the system administrator to ensure that the appropriate security credentials are contained in the configuration file that is loaded with each software image and that all security credentials in the file are supported.
-
If you have already enabled the storage of security credentials (including local manager and operator passwords) by entering the
include credentialscommand, thereset-on-clearoption is disabled. When you press the Clear button on the front panel, the manager and operator usernames and passwords are deleted from the running configuration. However, the switch does not reboot after the local passwords are erased. (Thereset-on-clearoption normally reboots the switch when you press the Clear button.)For more in formation, see Configuring front panel security.
The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentials command:
-
The private keys of an SSH host cannot be stored in the running configuration. Only the public keys used to authenticate SSH clients can be stored. An SSH host's private key is only stored internally, for example, on the switch or on an SSH client device.
-
SNMPv3 security credentials saved to a configuration file on a switch cannot be used after downloading the file on a different switch. The SNMPv3 security replaceables in the file are only supported when loaded on the same switch for which they were configured. This is because when SNMPv3 security credentials are saved to a configuration file, they are saved with the engine ID of the switch as shown here:
snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01
If you download a configuration file with saved SNMPv3 security credentials on a switch, when the switch loads the file with the current software version the SNMPv3 engine ID value in the downloaded file must match the engine ID of the switch in order for the SNMPv3 users to be configured with the authentication and privacy passwords in the file. (To display the engine ID of a switch, enter the
show snmpv3 engine-idcommand. To configure authentication and privacy passwords for SNMPv3 users, enter thesnmpv3 usercommand.)If the engine ID in the saved SNMPv3 security settings in a downloaded configuration file does not match the engine ID of the switch:
-
The SNMPv3 users are configured, but without the authentication and privacy passwords. You must manually configure these passwords on the switch before the users can have SNMPv3 access with the privileges you want.
-
Only the
snmpv3 user< user_name> credentials from the SNMPv3 settings in a downloaded configuration file are loaded on the switch, for example:snmpv3 user boris
snmpv3 user alan
-