topic Re: 9800 encrypt PSK in config file in Wireless

9800 encrypt PSK in config file

merilcerpos — Fri, 10 Dec 2021 16:03:07 GMT

is there a way to encrypt the PSK in the config file?

I tried password enryption aes in config mode and saved, as well as service password-encryption but no success with the PSK

wlan Test 1 Test
security wpa psk set-key ascii 0 Test1234
no security wpa akm dot1x
security wpa akm psk
no shutdown

Re: 9800 encrypt PSK in config file

Rich R — Sat, 11 Dec 2021 14:08:23 GMT

All working fine for us - PSKs are type 8 encrypted.

service password-encryption
password encryption aes

What model of WLC and what version of IOS-XE are you doing this on?

Have you actually set the AES encryption key using "key config-key password-encrypt <key>"?

Have you tried re-entering the PSK?

Re: 9800 encrypt PSK in config file

Haydn Andrews — Mon, 13 Dec 2021 02:46:35 GMT

Cisco IOS XE allows you to encrypt all the passwords used on the box. This includes user passwords but also SSID passwords, for example. To use encryption, first define an encryption key:

c9800-1(config)#key config-key password-encrypt <key>

and then use the following command:

c9800-1(config)#password encryption aes

This is recommended for protecting your password information.

Note: On the C9800, once the passwords are encrypted there is no mechanism to decrypt them, as a security best practice. The only way to recover would be to reconfigure the passwords.

https://www.cisco.com/c/en/us/products/collateral/wireless/catalyst-9800-series-wireless-controllers/guide-c07-743627.html

Re: 9800 encrypt PSK in config file

merilcerpos — Tue, 21 Dec 2021 08:47:49 GMT

hello, thank you for your replies. Unfortunately it is still not working:

I tried that on 9800-CL WLC with software version 17.3.3 in dcloud.

applied those commands in that order:

service password-encryption
key config-key password-encrypt Test5678
password encryption aes

wlan Test 1 Test
security wpa psk set-key ascii 0 Test1234
no security wpa akm dot1x
security wpa akm psk
no shutdown

tried to reapply wlan profile configuration another time and save, but still the psk appears unencrypted in the config.

Re: 9800 encrypt PSK in config file

Rich R — Tue, 21 Dec 2021 10:05:39 GMT

It's working fine for us on C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.6.1 running on VMware ESX.

I can't see any reason why the same code shouldn't work fine in dcloud but that is a Cisco demo environment so they might have disabled some features. You should be testing on a production release - not dcloud.

Did you try password encryption aes
*before*
key config-key password-encrypt Test5678

Did you watch for error messages or other prompts?

Did you check the logs?

For example if there's already a key set you'll be prompted to enter the old key before it will allow you to set a new one.

Re: 9800 encrypt PSK in config file

merilcerpos — Tue, 21 Dec 2021 13:01:04 GMT

thank you it is working now. My mistake was to apply the cli commands via the gui command line interface instead via ssh/console

Re: 9800 encrypt PSK in config file

Rich R — Tue, 21 Dec 2021 13:21:32 GMT

Lesson learned: do not use the GUI for CLI config, just use the CLI!

Re: 9800 encrypt PSK in config file

shadowplay101 — Sat, 15 Jan 2022 00:11:20 GMT

Hi,

So you are using "ascii 0", and not "ascii 8" ?

What's the difference between this password

key config-key password-encrypt Test5678

and this one

security wpa psk set-key ascii 0 Test1234

Is the first one the Master? how is it used?

Thanks

Re: 9800 encrypt PSK in config file

Rich R — Sun, 16 Jan 2022 00:04:41 GMT

0 is plain text, unencrypted

8 is encrypted

ascii refers to the PSK format in this instance which is either ascii or hex.

key config-key password-encrypt Test5678 is setting the AES encryption master key which the device keeps stored in private NVRAM (hidden) which is used to strongly (but reversibly) AES encrypt various keys/passwords in the config.

security wpa psk set-key ascii 0 Test1234 is simply defining a WPA key for an SSID and ascii refers to the PSK format not the encryption or otherwise.

Corrected to clarify ascii keyword.

Re: 9800 encrypt PSK in config file

shadowplay101 — Sat, 15 Jan 2022 13:35:49 GMT

Thank you. I've been banging my head about how to "restore" a config file into a new WLC that includes the encrypted pre-shared keys

My wlan is configured like this (all good: preshared key encrypted, clients associated)

 no broadcast-ssid
 security wpa psk set-key ascii 8 gKMSb[fBS^_ffUSI_MXZa`CWDUX[OeKHFAAB
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown

Let's say my WLC fails and gets replaced, so I upload my config file

After the upload my wlan looks like this ( client cannot associate because there is no PSK)

 no broadcast-ssid
 no security wpa akm dot1x
 no shutdown

At this point, it seems that I have to re-enable PSK, re-enter my pre-shared key, and re-send this command again

key config-key password-encrypt <key>

Is there a way for my pre-shared key to "transfer" by uploading my config file?

Thanks so much for the help!!

Re: 9800 encrypt PSK in config file

Rich R — Sun, 16 Jan 2022 00:13:36 GMT

Can't say I've tried it myself but a few pointers:

- make sure you're on latest version of IOS-XE that you can be.

- make sure AES encryption is configured with the same master key before restoring any of the backup config otherwise IOS cannot decrypt those keys.

- you can enable AES, configure the master key (must be identical to what was used to encrypt initially) and then copy the backup config to running-config or to startup-config then reload.

Re: 9800 encrypt PSK in config file

shubhamverma — Fri, 27 Sep 2024 08:01:35 GMT

Error: Failed to decrypt password in WLC 9800-40

GUI: Go to Configuration > WLC > Select WLAN ''name'' > Security > Change ''PSK Type'' to unencrypted from dropdown > save the password and PSK Type will auto switch to AES.