topic Cisco Catalyst 9800 Controller Type 6 Key/Password in Wireless

Cisco Catalyst 9800 Controller Type 6 Key/Password

saifuddin.miyaji — Sun, 02 Jun 2024 19:22:46 GMT

We have Cisco 9800 wireless controller with radius authentication with NPS servers. Its working as expected.

Now, Im trying to copy the radius configurations from this controller to another one (Same model, same IOS version), it wont accept the radius type 6 key/password. Specifically, error is as below:

WLC-9800(config)#aaa server radius dynamic-author

client 1.1.1.1 server-key 6 XXXXYYYYZZZ

%invalid encrypted key: XXXXYYYYZZZ

% Could not define per-client secret.

Key has been taken from the working configuration as it is.

Any suggestions?

Regards

Saif

Re: Cisco Catalyst 9800 Controller Type 6 Key/Password

Mark Elsen — Mon, 03 Jun 2024 08:09:11 GMT

- Where or are the 2 controllers running the same ios-xe version ?
- Is the target controller on an older version perhaps ?
- Can you use the key , when it's entered without encryption ?
- Can you use another key ?
- Check controller logs after trying the particular command

Re: Cisco Catalyst 9800 Controller Type 6 Key/Password

Rich R — Mon, 03 Jun 2024 16:15:48 GMT

Further to what Marce said - type 6 encryption relies on the AES key you have configured on that box:
1. Have you enabled AES encryption on the new WLC? "password encryption aes"
2. Have you configured the same AES key on both WLCs? "key config-key password-encrypt <your-secure-AES-key>"

If the AES master key is not identical on both boxes then decryption of the type 6 encrypted key will fail. (radius must be able to access the original decrypted key to build the radius packets)

Re: Cisco Catalyst 9800 Controller Type 6 Key/Password

saifuddin.miyaji — Mon, 03 Jun 2024 16:42:49 GMT

Hi Marce and Rich,

Thank you for your valuable input on the subject.

Where or are the 2 controllers running the same ios-xe version ?
- Is the target controller on an older version perhaps ?

Both the controller are on different versions, but the difference is maginal. 17.3.8 (existing) and 17.9.4a (New controller)
- Can you use the key , when it's entered without encryption ?

Yes, it takes the command if no key type is specified and then converts it to type 7 in running config.
- Can you use another key ?

It does not accept any key of type 6
- Check controller logs after trying the particular command

I am yet to check this.

1. Have you enabled AES encryption on the new WLC? "password encryption aes"

Yes, it is enabled on both the controllers.
2. Have you configured the same AES key on both WLCs? "key config-key password-encrypt <your-secure-AES-key>"

No, I have no clue what was the key originally configured by the previous admin for passwrd-encrypt.

Regards

Saif

Re: Cisco Catalyst 9800 Controller Type 6 Key/Password

Mark Elsen — Mon, 03 Jun 2024 17:08:21 GMT

>....No, I have no clue what was the key originally configured by the previous admin for passwrd-encrypt.
- Then you need to reconfigure the passwords from scratch (with new values),

Re: Cisco Catalyst 9800 Controller Type 6 Key/Password

Rich R — Mon, 03 Jun 2024 22:33:48 GMT

Marce is correct - if you don't know the original password then there is nothing you can do but choose a new password and configure that on both WLCs and the radius server.

While you're about it you may want to reset your AES master key to something you know - use "no key config-key password-encrypt" to erase the old one but beware you will need to re-configure all your type 6 passwords so make sure you know what they are before doing that. Again if you don't know them they will all need to be reset.

Re: Cisco Catalyst 9800 Controller Type 6 Key/Password

saifuddin.miyaji — Tue, 04 Jun 2024 10:41:47 GMT

Thank you Rich and Marce,

Your suggestions have been useful in resolving this issue.

Saif