topic Re: 9800 WLC - WPA2 pre-shared key not working after uploading config in Wireless

9800 WLC - WPA2 pre-shared key not working after uploading config file

shadowplay101 — Fri, 14 Jan 2022 18:10:09 GMT

This how my SSID is configured:

c9800-1(config)#key config-key password-encrypt <key>
c9800-1(config)#password encryption aes 

no broadcast-ssid
 security wpa psk set-key ascii 8 fHeEGWK[YCWF\PcLNgTidD]WQfGKVR[`aAAB
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown

My problem is that if upload my config file, the pre-shared key no longer works and get the following message at book up:

 % Password encryption failed: Possible mismatch of password type & secret type!
% node-1:dbm:wireless:AKM PSK can be enabled only when PSK key is set

All I need to be able to upload a config file to my 9800 WLC and for the preshared keys to work, but also want the config file not to show the preshared key in clear text.

What am I doing wrong?

Thanks for the help

Re: 9800 WLC - WPA2 pre-shared key not working after uploading config

balaji.bandi — Fri, 14 Jan 2022 19:00:06 GMT

May be due to garbage charcters got carry forward like any spaces in the notepad,

remove manually add directly on the device and test it,

make it simple PSK before get in to advanced make sure it working.

reference :

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/multi-preshared-key.html

Re: 9800 WLC - WPA2 pre-shared key not working after uploading config

shadowplay101 — Fri, 14 Jan 2022 19:11:49 GMT

If I manually add it to the device it works, but I'm trying to have a base config file that I can upload to the WLC with the already preconfigured pre-shared keys.

Also, if I configure it as an unencrypted key, I can upload the config file and my preshared keys work right away

security wpa psk set-key ascii 0 test1234

I am just trying to avoid the passphrase to be cleartext in my config file.

Thanks for the help

Re: 9800 WLC - WPA2 pre-shared key not working after uploading config

Rich R — Sun, 16 Jan 2022 02:07:08 GMT

What version of IOS-XE are you doing this on?

Re: 9800 WLC - WPA2 pre-shared key not working after uploading config

shadowplay101 — Sun, 16 Jan 2022 02:36:44 GMT

17.3.3

Your suggestion from the other thread did the trick!

-make sure AES encryption is configured with the same master key before restoring any of the backup config otherwise IOS cannot decrypt those keys.

I had to set the master key BEFORE uploading the config. Once I did this all my pre-shared keys were functional.

I guess the master key is not saved in the config?

Re: 9800 WLC - WPA2 pre-shared key not working after uploading config

Rich R — Sun, 16 Jan 2022 19:11:17 GMT

Correct the master key is saved separately in a secure part of NVRAM and not backed up.

If it was then anybody could steal that config with your encrypted keys and passwords so for security reasons it has to be kept separate and the config can only be 'unlocked' by someone that knows the master key.

Re: 9800 WLC - WPA2 pre-shared key not working after uploading config

shadowplay101 — Sun, 16 Jan 2022 19:37:17 GMT

Thank you makes sense now.

Re: 9800 WLC - WPA2 pre-shared key not working after uploading config

Azeem Mohamad — Thu, 29 Feb 2024 07:34:41 GMT

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/multi-preshared-key.html

Re: 9800 WLC - WPA2 pre-shared key not working after uploading config

jjessetej — Mon, 13 Jan 2025 00:04:17 GMT

in case someone bumps into this same issue as me, i recently installed EWC on a 9120AXI AP running on 17.09.06, and it was driving me insane that i couldnt encrypt the psk shared key on both the web gui and CLI, i later discovered that the below encrypts the passwords and no longer show in plain text

password encryption aes key config-key password-encrypt <your key>

Re: 9800 WLC - WPA2 pre-shared key not working after uploading config

Rich R — Mon, 13 Jan 2025 08:41:46 GMT

That's correct - AES encryption is gradually replacing the less secure type 7 password/key encryption which has been deprecated. AES encryption for these keys has been the standard from day 1 on 9800 series WLCs.

You should be aware that AES encrypted passwords are not easily decrypted like Type 7 passwords so if you lose your AES master key you will not be able to use the encrypted config. If trying to copy the encrypted config to another WLC then that WLC must already be configured with the same AES master key otherwise the config won't work and must be entered as clear text. All Cisco Business Units have been implementing type 6 (AES) password/key encryption in their portions of the code over the last few years and there have been a few different variations and bugs in implementation - some still getting fixed and others remaining with quirks.

This article gives a good overview:
https://community.cisco.com/t5/networking-knowledge-base/configuring-type-6-passwords-in-ios-xe/ta-p/4438495