12-10-2021 08:03 AM
is there a way to encrypt the PSK in the config file?
I tried password encryption aes in config mode and saved, as well as service password-encryption, but no success with the PSK
wlan Test 1 Test
security wpa psk set-key ascii 0 Test1234
no security wpa akm dot1x
security wpa akm psk
no shutdown
12-11-2021 06:08 AM
All working fine for us - PSKs are type 8 encrypted.
service password-encryption
password encryption aes
What model of WLC and what version of IOS-XE are you doing this on?
Have you actually set the AES encryption key using "key config-key password-encrypt <key>"?
Have you tried re-entering the PSK?
12-12-2021 06:46 PM
Cisco IOS XE allows you to encrypt all the passwords used on the box. This includes user passwords but also SSID passwords, for example. To use encryption, first define an encryption key:
c9800-1(config)#key config-key password-encrypt <key>
and then use the following command:
c9800-1(config)#password encryption aes
This is recommended for protecting your password information.
Note: On the C9800, once the passwords are encrypted there is no mechanism to decrypt them, as a security best practice. The only way to recover would be to reconfigure the passwords.
12-21-2021 12:47 AM
Hello, thank you for your replies. Unfortunately it is still not working:
I tried that on 9800-CL WLC with software version 17.3.3 in dcloud.
Applied those commands in that order:
service password-encryption
key config-key password-encrypt Test5678
password encryption aes
wlan Test 1 Test
security wpa psk set-key ascii 0 Test1234
no security wpa akm dot1x
security wpa akm psk
no shutdown
Tried to reapply the wlan profile configuration another time and save, but still the PSK appears unencrypted in the config.
12-21-2021 02:05 AM
It's working fine for us on C9800-CL Software (C9800-CL-K9_IOSXE), Version 17.6.1 running on VMware ESX.
I can't see any reason why the same code shouldn't work fine in dcloud but that is a Cisco demo environment so they might have disabled some features. You should be testing on a production release - not dcloud.
Did you try password encryption aes
*before*
key config-key password-encrypt Test5678
Did you watch for error messages or other prompts?
Did you check the logs?
For example if there's already a key set you'll be prompted to enter the old key before it will allow you to set a new one.
12-21-2021 05:01 AM
Thank you, it is working now. My mistake was to apply the CLI commands via the GUI command line interface instead of via SSH/console.
12-21-2021 05:21 AM
Lesson learned: do not use the GUI for CLI config, just use the CLI!
01-14-2022 04:11 PM
Hi,
So you are using "ascii 0", and not "ascii 8"?
What's the difference between this password
key config-key password-encrypt Test5678
and this one
security wpa psk set-key ascii 0 Test1234
Is the first one the master? How is it used?
Thanks
01-15-2022 02:12 AM - edited 01-15-2022 04:04 PM
0 is plain text, unencrypted
8 is encrypted
ascii refers to the PSK format in this instance which is either ascii or hex.
key config-key password-encrypt Test5678 sets the AES encryption master key, which the device keeps stored in private NVRAM (hidden) and which is used to strongly (but reversibly) AES-encrypt various keys/passwords in the config.
security wpa psk set-key ascii 0 Test1234 simply defines a WPA key for an SSID; ascii refers to the PSK format, not the encryption or otherwise.
Corrected to clarify ascii keyword.
01-15-2022 05:35 AM - edited 01-15-2022 05:35 AM
Thank you. I've been banging my head about how to "restore" a config file into a new WLC that includes the encrypted pre-shared keys
My wlan is configured like this (all good: preshared key encrypted, clients associated)
no broadcast-ssid
security wpa psk set-key ascii 8 gKMSb[fBS^_ffUSI_MXZa`CWDUX[OeKHFAAB
no security wpa akm dot1x
security wpa akm psk
no shutdown
Let's say my WLC fails and gets replaced, so I upload my config file
After the upload my wlan looks like this (client cannot associate because there is no PSK):
no broadcast-ssid
no security wpa akm dot1x
no shutdown
At this point, it seems that I have to re-enable PSK, re-enter my pre-shared key, and re-send this command again
key config-key password-encrypt <key>
Is there a way for my pre-shared key to "transfer" by uploading my config file?
Thanks so much for the help!!
01-15-2022 04:13 PM
Can't say I've tried it myself but a few pointers:
- make sure you're on latest version of IOS-XE that you can be.
- make sure AES encryption is configured with the same master key before restoring any of the backup config otherwise IOS cannot decrypt those keys.
- you can enable AES, configure the master key (must be identical to what was used to encrypt initially) and then copy the backup config to running-config or to startup-config then reload.
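To check a saved backup for the two states discussed above (type 0 plaintext versus type 8 AES PSKs, and whether a master key must already be set before the backup can be restored), here is an added Python audit script. It is not from this thread or from Cisco; the config it parses is a constructed sample that reuses the type 8 string posted above, and the regexes assume the `wlan` / `security wpa psk set-key` line shapes shown in the thread.

```python
import re

# Constructed sample of a C9800 running-config backup (not a real device):
# one WLAN with a plaintext (type 0) PSK, one with an AES-encrypted (type 8) PSK.
SAMPLE_CONFIG = """\
service password-encryption
password encryption aes
wlan Test 1 Test
 security wpa psk set-key ascii 0 Test1234
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown
wlan Guest 2 Guest
 no broadcast-ssid
 security wpa psk set-key ascii 8 gKMSb[fBS^_ffUSI_MXZa`CWDUX[OeKHFAAB
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown
"""

WLAN_RE = re.compile(r"^wlan (\S+) (\d+) (\S+)\s*$")
PSK_RE = re.compile(r"^\s*security wpa psk set-key (ascii|hex) (\d+) (\S+)\s*$")

def audit_psks(config: str) -> dict:
    """Walk the wlan blocks and classify each PSK by its encryption type."""
    findings = []
    current = None
    for line in config.splitlines():
        m = WLAN_RE.match(line)
        if m:
            current = m.group(1)  # entering a new wlan profile block
            continue
        m = PSK_RE.match(line)
        if m and current:
            fmt, ptype, _secret = m.groups()  # never echo the secret itself
            findings.append({"wlan": current, "format": fmt, "type": ptype})
    aes_enabled = any(l.strip() == "password encryption aes" for l in config.splitlines())
    plaintext = [f["wlan"] for f in findings if f["type"] == "0"]
    encrypted = [f["wlan"] for f in findings if f["type"] == "8"]
    return {
        "aes_enabled": aes_enabled,
        "plaintext_psk_wlans": plaintext,
        "encrypted_psk_wlans": encrypted,
        # Type 8 PSKs only decrypt if the identical master key is set first, and
        # "key config-key password-encrypt" never appears in the backup itself.
        "master_key_required_before_restore": bool(encrypted),
    }
```

Run `audit_psks(SAMPLE_CONFIG)` against a real backup before restoring: any WLAN listed under plaintext_psk_wlans was saved before encryption took effect, and a non-empty encrypted list means the master key has to be configured on the replacement WLC first.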
09-27-2024 01:01 AM
Error: Failed to decrypt password in WLC 9800-40
GUI: Go to Configuration > WLC > select WLAN "name" > Security > change "PSK Type" to unencrypted from the dropdown > save the password, and PSK Type will auto-switch to AES.