01-14-2022 10:10 AM
This is how my SSID is configured:
c9800-1(config)#key config-key password-encrypt <key>
c9800-1(config)#password encryption aes
no broadcast-ssid
security wpa psk set-key ascii 8 fHeEGWK[YCWF\PcLNgTidD]WQfGKVR[`aAAB
no security wpa akm dot1x
security wpa akm psk
no shutdown
My problem is that if I upload my config file, the pre-shared key no longer works and I get the following message at boot up:
% Password encryption failed: Possible mismatch of password type & secret type!
% node-1:dbm:wireless:AKM PSK can be enabled only when PSK key is set
All I need is to be able to upload a config file to my 9800 WLC and for the pre-shared keys to work, but I also want the config file not to show the pre-shared key in clear text.
What am I doing wrong?
Thanks for the help
01-14-2022 10:57 AM - edited 01-14-2022 11:00 AM
Maybe due to garbage characters getting carried forward, like any spaces in the notepad.
Remove them manually, add it directly on the device and test it.
Make it a simple PSK before getting into advanced, and make sure it is working.
reference :
01-14-2022 11:11 AM
If I manually add it to the device it works, but I'm trying to have a base config file that I can upload to the WLC with the already preconfigured pre-shared keys.
Also, if I configure it as an unencrypted key, I can upload the config file and my preshared keys work right away
security wpa psk set-key ascii 0 test1234
I am just trying to avoid the passphrase to be cleartext in my config file.
Thanks for the help
01-15-2022 06:07 PM
What version of IOS-XE are you doing this on?
01-15-2022 06:36 PM
17.3.3
Your suggestion from the other thread did the trick!
-make sure AES encryption is configured with the same master key before restoring any of the backup config otherwise IOS cannot decrypt those keys.
I had to set the master key BEFORE uploading the config. Once I did this all my pre-shared keys were functional.
I guess the master key is not saved in the config?
01-16-2022 11:11 AM
Correct, the master key is saved separately in a secure part of NVRAM and not backed up.
If it was then anybody could steal that config with your encrypted keys and passwords so for security reasons it has to be kept separate and the config can only be 'unlocked' by someone that knows the master key.
01-16-2022 11:37 AM
Thank you, makes sense now.
02-28-2024 11:34 PM
01-12-2025 03:46 PM - edited 01-12-2025 04:04 PM
In case someone bumps into this same issue as me: I recently installed EWC on a 9120AXI AP running on 17.09.06, and it was driving me insane that I couldn't encrypt the PSK shared key on both the web GUI and CLI. I later discovered that the below encrypts the passwords so they no longer show in plain text:
password encryption aes
key config-key password-encrypt <your key>
01-13-2025 12:40 AM - edited 01-13-2025 12:41 AM
That's correct - AES encryption is gradually replacing the less secure type 7 password/key encryption which has been deprecated. AES encryption for these keys has been the standard from day 1 on 9800 series WLCs.
You should be aware that AES encrypted passwords are not easily decrypted like Type 7 passwords so if you lose your AES master key you will not be able to use the encrypted config. If trying to copy the encrypted config to another WLC then that WLC must already be configured with the same AES master key otherwise the config won't work and must be entered as clear text. All Cisco Business Units have been implementing type 6 (AES) password/key encryption in their portions of the code over the last few years and there have been a few different variations and bugs in implementation - some still getting fixed and others remaining with quirks.
This article gives a good overview:
https://community.cisco.com/t5/networking-knowledge-base/configuring-type-6-passwords-in-ios-xe/ta-p/4438495
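An added example (not from the thread or from Cisco): a pre-restore check on a backup file that reports which WLANs carry a type 8 (encrypted) PSK, and so need the master key set on the target before loading, and which still hold a cleartext `ascii 0` key. The sample config, WLAN names and key blob are constructed, and the `wlan <profile> <id> <ssid>` layout with indented sub-commands is an assumption about the backup format.

```python
import re

# Constructed sample backup (not from the thread); names and key blob are made up.
SAMPLE_BACKUP = """\
password encryption aes
wlan corp 1 corp
 security wpa psk set-key ascii 8 AAAAexampleBLOBAAAA
 security wpa akm psk
wlan guest 2 guest
 security wpa psk set-key ascii 0 test1234
 security wpa akm psk
"""

PSK_RE = re.compile(r"^\s*security wpa psk set-key (?:ascii|hex) (\d+) \S+")

def audit_backup(text):
    """Classify every PSK line in a config backup by its key type."""
    report = {"aes_enabled": False, "encrypted": [], "cleartext": [], "other": []}
    wlan = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PSK_RE.match(line)
        if m:
            # On the page, type 8 carries the encrypted blob and type 0 the passphrase
            kind = {"8": "encrypted", "0": "cleartext"}.get(m.group(1), "other")
            report[kind].append(wlan)
        elif line.strip() == "password encryption aes":
            report["aes_enabled"] = True
        elif line and not line[0].isspace():
            # Top-level line: track the WLAN profile name (assumed layout)
            parts = line.split()
            wlan = parts[1] if parts[0] == "wlan" and len(parts) > 1 else None
    # The master key is not in the backup, so encrypted keys need it set beforehand
    report["needs_master_key"] = bool(report["encrypted"])
    return report

def summarize(report):
    """Turn the report into operator notes without echoing any key material."""
    notes = []
    if report["needs_master_key"]:
        notes.append("set the same master key on the target before loading; "
                     "encrypted PSK on: " + ", ".join(map(str, report["encrypted"])))
    if report["cleartext"]:
        notes.append("cleartext PSK on: " + ", ".join(map(str, report["cleartext"])))
    return notes

if __name__ == "__main__":
    for note in summarize(audit_backup(SAMPLE_BACKUP)):
        print(note)
```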