Configuring Username and Password Security
Saving Security Credentials in a Config File
Restrictions
The following restrictions apply when you enable security credentials to be 
stored in the running configuration with the include-credentials command:
■ The private keys of an SSH host cannot be stored in the running 
configuration. Only the public keys used to authenticate SSH clients can 
be stored. An SSH host’s private key is only stored internally, for example, 
on the switch or on an SSH client device. 
■ SNMPv3 security credentials saved to a configuration file on a switch 
cannot be used after downloading the file on a different switch. The 
SNMPv3 security parameters in the file are only supported when loaded 
on the same switch for which they were configured. This is because when 
SNMPv3 security credentials are saved to a configuration file, they are 
saved with the engine ID of the switch as shown here:
  snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01
If you download a configuration file with saved SNMPv3 security credentials 
on a switch, when the switch loads the file with the current software 
version the SNMPv3 engine ID value in the downloaded file must match 
the engine ID of the switch in order for the SNMPv3 users to be configured 
with the authentication and privacy passwords in the file. (To display the 
engine ID of a switch, enter the show snmpv3 engine-id command. To 
configure authentication and privacy passwords for SNMPv3 users, enter 
the snmpv3 user command.)
If the engine ID in the saved SNMPv3 security settings in a downloaded 
configuration file does not match the engine ID of the switch:
• The SNMPv3 users are configured, but without the authentication and 
privacy passwords. You must manually configure these passwords on 
the switch before the users can have SNMPv3 access with the privileges 
you want.
• Only the snmpv3 user <user_name> credentials from the SNMPv3 
settings in a downloaded configuration file are loaded on the switch, 
for example:
  snmpv3 user boris
  snmpv3 user alan
■ You can store 802.1X authenticator (port-access) credentials in a 
configuration file. However, 802.1X supplicant credentials cannot be 
stored.
■ The local operator password configured with the password command is 
no longer accepted as an 802.1X authenticator credential. A new 
configuration command (password port-access) is introduced to configure 
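
A pre-load check for the SNMPv3 engine ID restriction described above, as an added example that is not part of the original manual: it reads the snmpv3 engine-id and snmpv3 user statements from a saved configuration file and compares the file's engine ID with the value the operator copied from show snmpv3 engine-id on the target switch. The function names and the second engine ID are constructed, and treating a file with no engine-id statement as a mismatch is an assumption.

```python
import re

# Statement forms as shown on this page. Anything after the user name
# (credential parameters) is ignored: that syntax is not shown here.
ENGINE_RE = re.compile(r'^\s*snmpv3\s+engine-id\s+"?([0-9A-Fa-f:]+)"?\s*$')
USER_RE = re.compile(r'^\s*snmpv3\s+user\s+"?([^"\s]+)"?')

def normalize_engine_id(text):
    """Lowercase hex without colons, so case and separator differences
    do not produce a false mismatch."""
    hexstr = text.strip().replace(":", "").lower()
    if not hexstr or len(hexstr) % 2 or not re.fullmatch(r"[0-9a-f]+", hexstr):
        raise ValueError(f"not an engine ID: {text!r}")
    return hexstr

def check_config(config_text, target_engine_id):
    """Predict how the SNMPv3 section of a saved config loads on the target."""
    file_id, users = None, []
    for line in config_text.splitlines():
        m = ENGINE_RE.match(line)
        if m:
            file_id = normalize_engine_id(m.group(1))
            continue
        m = USER_RE.match(line)
        if m and m.group(1) not in users:
            users.append(m.group(1))
    # Assumption: a file with no engine-id statement is treated as a mismatch.
    match = file_id is not None and file_id == normalize_engine_id(target_engine_id)
    return {
        "file_engine_id": file_id,
        "engine_id_match": match,
        "users": users,
        # On a mismatch the users load without auth/privacy passwords
        # and must be given them manually with the snmpv3 user command.
        "need_manual_passwords": [] if match else users,
    }

# Constructed sample: statements in the form shown on this page.
SAMPLE_CONFIG = """\
snmpv3 engine-id 00:00:00:0b:00:00:08:00:09:01:10:01
snmpv3 user boris
snmpv3 user alan
"""

if __name__ == "__main__":
    # The second ID is a constructed value standing in for a different switch.
    for target in ("00:00:00:0B:00:00:08:00:09:01:10:01",
                   "00:00:00:0b:00:00:08:00:09:01:10:02"):
        r = check_config(SAMPLE_CONFIG, target)
        print(target, "match" if r["engine_id_match"] else "MISMATCH",
              "- manual passwords needed for:", r["need_manual_passwords"])
```

Running the check before the download shows which SNMPv3 users will need their passwords re-entered on the target switch.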