You can store and view the following security settings in the running-config file associated with the current software image by entering the include-credentials
command (formerly this information was stored only in internal flash memory):
-
Local manager and operator passwords and (optional) usernames that control access to a management session on the switch through the CLI, menu interface, or WebAgent.
-
SNMP security credentials used by network management stations to access a switch, including authentication and privacy passwords.
-
Port-access passwords and usernames used as 802.1X authentication credentials for access to the switch.
-
TACACS+ encryption keys used to encrypt packets and secure authentication sessions with TACACS+ servers keys.
-
RADIUS shared secret (encryption) keys used to encrypt packets and secure authentication sessions with RADIUS servers.
-
Secure Shell (SSH) public keys used to authenticate SSH clients that try to connect to the switch.
The benefits of including and saving security credentials in a configuration file are:
-
After making changes to security parameters in the running configuration, you can experiment with the new configuration and, if necessary, view the new security settings during the session. After verifying the configuration, you can then save it permanently by writing the settings to the startup-config file.
-
By permanently saving a switch security credentials in a configuration file, you can upload the file to a TFTP server or Xmodem host, and later download the file to the HP switches on which you want to use the same security settings without having to manually configure the settings (except for SNMPv3 user parameters) on each switch.
-
By storing different security settings in different files, you can test different security configurations when you first download a new software version that supports multiple configuration files, by changing the configuration file used when you reboot the switch.
For more information about how to experiment with, upload, download, and use configuration files with different software versions, see:
-
"Switch Memory and Configuration" in the Management and Configuration Guide.
To enable the security settings, enter the include-credentials
command.
Syntax:
Enables the inclusion and display of the currently configured manager and operator usernames and passwords, RADIUS shared secret keys, SNMP and 802.1X authenticator (port-access) security credentials, and SSH client public keys in the running configuration. (Earlier software releases store these security configuration settings only in internal flash memory and do not allow you to include and view them in the running-config file.)
To view the currently configured security settings in the running configuration, enter one of the following commands:
For more information, see “Switch Memory and Configuration” in the Basic Operation Guide.
The
[no]
form of the command disables only the display and copying of these security parameters from the running configuration, while the security settings remain active in the running configuration.Default: The security credentials described in Security settings that can be saved are not stored in the running configuration.
The security settings that can be saved to a configuration file are:
-
Local manager and operator passwords and usernames
-
SNMP security credentials, including SNMPv1 community names and SNMPv3 usernames, authentication, and privacy settings
-
802.1X port-access passwords and usernames
-
TACACS+ encryption keys
-
RADIUS shared secret (encryption) keys
-
Public keys of SSH-enabled management stations that are used by the switch to authenticate SSH clients that try to connect to the switch
The information saved to the running-config file when the include-credentials command is entered includes:
<name>
is an alphanumeric string for the user name assigned to the manager or operator.
<hash-type>
indicates the type of hash algorithm used: SHA-1 or plain text.
<pass-hash>
is the SHA-1 authentication protocol’s hash of the password or clear ASCII text.
For example, a manager username and password can be stored in a runningconfig
file as follows:
Use the write memory
command to save the password configurations in the startup-config
file. The passwords take effect when the switch boots with the software version associated with that configuration file.
|
|
CAUTION: If a startup configuration file includes other security credentials, but does not contain a manager or operator password, the switch will not have password protection and can be accessed through Telnet or the serial port of the switch with full manager privileges. |
|
|