
9800 WLC - WPA2 pre-shared key not working after uploading config file

shadowplay101
Level 1

This is how my SSID is configured:

c9800-1(config)#key config-key password-encrypt <key>
c9800-1(config)#password encryption aes

no broadcast-ssid
security wpa psk set-key ascii 8 fHeEGWK[YCWF\PcLNgTidD]WQfGKVR[`aAAB
no security wpa akm dot1x
security wpa akm psk
no shutdown

My problem is that if I upload my config file, the pre-shared key no longer works and I get the following message at boot up:

 % Password encryption failed: Possible mismatch of password type & secret type!
% node-1:dbm:wireless:AKM PSK can be enabled only when PSK key is set

All I need is to be able to upload a config file to my 9800 WLC and for the preshared keys to work, but I also want the config file not to show the preshared key in clear text.

 

What am I doing wrong?

 

Thanks for the help

 

1 Accepted Solution


Rich R
VIP

Correct, the master key is saved separately in a secure part of NVRAM and not backed up.

If it was, then anybody could steal that config with your encrypted keys and passwords, so for security reasons it has to be kept separate and the config can only be 'unlocked' by someone that knows the master key.


balaji.bandi
Hall of Fame

May be due to garbage characters getting carried forward, like any spaces in the notepad,

remove them, manually add it directly on the device and test it,

make it a simple PSK; before getting into advanced, make sure it is working.

 

reference :

 

https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/multi-preshared-key.html

 

BB


If I manually add it to the device it works, but I'm trying to have a base config file that I can upload to the WLC with the already preconfigured pre-shared keys. 

 

Also, if I configure it as an unencrypted key, I can upload the config file and my preshared keys work right away:

security wpa psk set-key ascii 0 test1234

I am just trying to avoid having the passphrase in cleartext in my config file.

 

Thanks for the help

Rich R
VIP

What version of IOS-XE are you doing this on?

17.3.3

 

Your suggestion from the other thread did the trick!

 

- make sure AES encryption is configured with the same master key before restoring any of the backup config, otherwise IOS cannot decrypt those keys.

 

I had to set the master key BEFORE uploading the config. Once I did this all my pre-shared keys were functional.

 

I guess the master key is not saved in the config?

Rich R
VIP

Correct, the master key is saved separately in a secure part of NVRAM and not backed up.

If it was, then anybody could steal that config with your encrypted keys and passwords, so for security reasons it has to be kept separate and the config can only be 'unlocked' by someone that knows the master key.

Thank you, makes sense now.
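
A pre-restore check for the situation in this thread, as an added example (not code from the thread or from Cisco): it scans a config backup for `security wpa psk set-key ascii` lines and reports which WLANs store the PSK encrypted (type 8, so the same master key must already be set on the target WLC) and which store it in cleartext (type 0). The `wlan <profile> <id> <ssid>` block header, the sample config and the placeholder key value are assumptions constructed for illustration.

```python
import re

# PSK line format shown in the thread: security wpa psk set-key ascii <type> <key>
PSK_RE = re.compile(r"^\s*security wpa psk set-key ascii (\d+) \S+\s*$")
WLAN_RE = re.compile(r"^wlan (\S+)")  # assumed WLAN block header
KINDS = {"0": "cleartext", "8": "encrypted"}


def audit_backup(config_text):
    """Return (findings, needs_master_key) for a WLC config backup."""
    findings = []
    wlan = "<none>"
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = WLAN_RE.match(line)
        if m:
            wlan = m.group(1)
            continue
        m = PSK_RE.match(line)
        if m:
            kind = KINDS.get(m.group(1), "unknown-type-" + m.group(1))
            findings.append((lineno, wlan, kind))
    # Encrypted keys only load if the target already holds the same master key,
    # because the master key itself is not part of the backup.
    needs_master_key = any(kind == "encrypted" for _, _, kind in findings)
    return findings, needs_master_key


# Constructed sample backup; the type 8 value is a placeholder, not a real key.
SAMPLE = """\
wlan corp-psk 1 corp
 no broadcast-ssid
 security wpa psk set-key ascii 8 PLACEHOLDER_ENCRYPTED_VALUE
 no security wpa akm dot1x
 security wpa akm psk
 no shutdown
wlan lab-psk 2 lab
 security wpa psk set-key ascii 0 test1234
 security wpa akm psk
 no shutdown
"""

if __name__ == "__main__":
    findings, needs_key = audit_backup(SAMPLE)
    for lineno, wlan, kind in findings:
        print(f"line {lineno}: wlan {wlan}: PSK stored as {kind}")
    if needs_key:
        print("Set the same master key on the target WLC before restoring.")
```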
