Configuring Username and Password Security

Saving Security Credentials in a Config File

Restrictions

The following restrictions apply when you enable security credentials to be stored in the running configuration with the include-credentialscommand:

The private keys of an SSH host cannot be stored in the running configuration. Only the public keys used to authenticate SSH clients can be stored. An SSH host’s private key is only stored internally, for example, on the switch or on an SSH client device.

SNMPv3 security credentials saved to a configuration file on a switch cannot be used after downloading the file on a different switch. The SNMPv3 security parameters in the file are only supported when loaded on the same switch for which they were configured. This is because when SNMPv3 security credentials are saved to a configuration file, they are saved with the engine ID of the switch as shown here:

snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01

If you download a configuration file with saved SNMPv3 security credentials on a switch, when the switch loads the file with the current software version the SNMPv3 engine ID value in the downloaded file must match the engine ID of the switch in order for the SNMPv3 users to be configured with the authentication and privacy passwords in the file. (To display the engine ID of a switch, enter the show snmpv3 engine-idcommand. To configure authentication and privacy passwords for SNMPv3 users, enter the snmpv3 user command.)

If the engine ID in the saved SNMPv3 security settings in a downloaded configuration file does not match the engine ID of the switch:

The SNMPv3 users are configured, but without the authentication and privacy passwords. You must manually configure these passwords on the switch before the users can have SNMPv3 access with the privi- leges you want.

Only the snmpv3 user <user_name> credentials from the SNMPv3 settings in a downloaded configuration file are loaded on the switch, for example:

snmpv3 user boris snmpv3 user alan

You can store 802.1X authenticator (port-access) credentials in a configuration file. However, 802.1X supplicant credentials cannot be stored.

The local operator password configured with the password command is no longer accepted as an 802.1X authenticator credential. A new configuration command (password port-access)is introduced to configure

2-21