Cisco Catalyst 9800 Controller Type 6 Key/Password

We have a Cisco 9800 wireless controller with RADIUS authentication against NPS servers. It's working as expected.

Now I'm trying to copy the RADIUS configuration from this controller to another one (same model, same IOS version), but it won't accept the RADIUS type 6 key/password. Specifically, the error is as below:

WLC-9800(config)#aaa server radius dynamic-author
client 1.1.1.1 server-key 6 XXXXYYYYZZZ
%invalid encrypted key: XXXXYYYYZZZ
% Could not define per-client secret.


Key has been taken from the working configuration as it is.

Any suggestions?

Regards

Saif


1 Accepted Solution

Marce is correct - if you don't know the original password then there is nothing you can do but choose a new password and configure that on both WLCs and the radius server.

While you're about it you may want to reset your AES master key to something you know - use "no key config-key password-encrypt" to erase the old one but beware you will need to re-configure all your type 6 passwords so make sure you know what they are before doing that.  Again if you don't know them they will all need to be reset.


6 Replies

marce1000
VIP


- Are the 2 controllers running the same IOS-XE version?
- Is the target controller on an older version perhaps?
- Can you use the key when it's entered without encryption?
- Can you use another key?
- Check controller logs after trying the particular command.

M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Rich R
VIP

Further to what Marce said - type 6 encryption relies on the AES key you have configured on that box:
1. Have you enabled AES encryption on the new WLC? "password encryption aes"
2. Have you configured the same AES key on both WLCs? "key config-key password-encrypt <your-secure-AES-key>"

If the AES master key is not identical on both boxes then decryption of the type 6 encrypted key will fail. (radius must be able to access the original decrypted key to build the radius packets)
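The point Rich makes is that a type 6 value is only usable on a box that holds the same AES master key, while type 7 values are portable. Below is an added example (not from this thread or from Cisco) that scans an exported config before copying it to another WLC and lists the lines that are bound to the source box's master key; the config fragment is constructed and the command layout mirrors the `server-key 6` line quoted in the question.

```python
import re
from typing import NamedTuple

# Constructed sample of an exported IOS-XE config; not taken from a real WLC.
SAMPLE_CONFIG = """\
service password-encryption
password encryption aes
aaa server radius dynamic-author
 client 1.1.1.1 server-key 6 XXXXYYYYZZZ
radius server NPS1
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key 7 0822455D0A16
radius server NPS2
 address ipv4 10.0.0.6 auth-port 1812 acct-port 1813
 key 6 AAAABBBBCCCC
"""

class Secret(NamedTuple):
    line_no: int
    keyword: str   # the command word carrying the credential, e.g. "server-key"
    enc_type: int  # 6 = AES, decryptable only with the box's master key; 7 = reversible, portable
    text: str      # the stored (encrypted or obfuscated) value

# "<keyword> <single-digit type> <value>" as it appears in show running-config output.
# Assumption: only these three keywords carry credentials in the fragments we check.
SECRET_RE = re.compile(r"\b(server-key|key|password)\s+([0-9])\s+(\S+)")

def find_secrets(config: str) -> list[Secret]:
    """Return every stored credential in the config together with its encryption type."""
    found = []
    for no, line in enumerate(config.splitlines(), start=1):
        m = SECRET_RE.search(line)
        if m:
            found.append(Secret(no, m.group(1), int(m.group(2)), m.group(3)))
    return found

def portable_to_new_box(config: str) -> tuple[bool, list[Secret]]:
    """Report whether the config can be pasted onto a box with a different AES master key.

    Type 6 values were produced under the source box's 'key config-key password-encrypt'
    key, so the target rejects them unless it holds the same key; those lines must be
    re-entered in plaintext (or with a new secret) on the target. Everything else copies as-is.
    """
    blockers = [s for s in find_secrets(config) if s.enc_type == 6]
    return (not blockers, blockers)

if __name__ == "__main__":
    ok, blockers = portable_to_new_box(SAMPLE_CONFIG)
    print("portable without the source master key:", ok)
    for b in blockers:
        print(f"line {b.line_no}: {b.keyword} 6 {b.text} -> re-enter on the target WLC")
```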

Hi Marce and Rich,

Thank you for your valuable input on the subject.

- Are the 2 controllers running the same IOS-XE version?
- Is the target controller on an older version perhaps?

Both controllers are on different versions, but the difference is marginal: 17.3.8 (existing) and 17.9.4a (new controller).

- Can you use the key when it's entered without encryption?

Yes, it takes the command if no key type is specified and then converts it to type 7 in the running config.

- Can you use another key?

It does not accept any key of type 6.

- Check controller logs after trying the particular command.

I am yet to check this.

1. Have you enabled AES encryption on the new WLC? "password encryption aes"

Yes, it is enabled on both controllers.

2. Have you configured the same AES key on both WLCs? "key config-key password-encrypt <your-secure-AES-key>"

No, I have no clue what key was originally configured by the previous admin for password-encrypt.

Regards

Saif


>....No, I have no clue what key was originally configured by the previous admin for password-encrypt.
- Then you need to reconfigure the passwords from scratch (with new values).

M.


Thank you Rich and Marce,

Your suggestions have been useful in resolving this issue.

Saif
