06-02-2024 12:21 PM - edited 06-02-2024 12:22 PM
We have a Cisco 9800 wireless controller with RADIUS authentication against NPS servers. It's working as expected.
Now, I'm trying to copy the RADIUS configuration from this controller to another one (same model, same IOS version), and it won't accept the RADIUS type 6 key/password. Specifically, the error is as below:
WLC-9800(config)#aaa server radius dynamic-author
client 1.1.1.1 server-key 6 XXXXYYYYZZZ
%invalid encrypted key: XXXXYYYYZZZ
% Could not define per-client secret.
Key has been taken from the working configuration as it is.
Any suggestions?
Regards
Saif
06-03-2024 01:09 AM
- Are the 2 controllers running the same IOS-XE version?
- Is the target controller on an older version perhaps ?
- Can you use the key, when it's entered without encryption?
- Can you use another key ?
- Check controller logs after trying the particular command
M.
06-03-2024 09:15 AM
Further to what Marce said - type 6 encryption relies on the AES key you have configured on that box:
1. Have you enabled AES encryption on the new WLC? "password encryption aes"
2. Have you configured the same AES key on both WLCs? "key config-key password-encrypt <your-secure-AES-key>"
If the AES master key is not identical on both boxes then decryption of the type 6 encrypted key will fail. (radius must be able to access the original decrypted key to build the radius packets)
06-03-2024 09:42 AM
Hi Marce and Rich,
Thank you for your valuable input on the subject.
- Are the 2 controllers running the same IOS-XE version?
- Is the target controller on an older version perhaps ?
Both controllers are on different versions, but the difference is marginal: 17.3.8 (existing) and 17.9.4a (new controller).
- Can you use the key, when it's entered without encryption?
Yes, it takes the command if no key type is specified and then converts it to type 7 in running config.
- Can you use another key ?
It does not accept any key of type 6
- Check controller logs after trying the particular command
I am yet to check this.
1. Have you enabled AES encryption on the new WLC? "password encryption aes"
Yes, it is enabled on both the controllers.
2. Have you configured the same AES key on both WLCs? "key config-key password-encrypt <your-secure-AES-key>"
No, I have no clue what key was originally configured by the previous admin for password-encrypt.
Regards
Saif
06-03-2024 10:08 AM
> ... No, I have no clue what key was originally configured by the previous admin for password-encrypt.
- Then you need to reconfigure the passwords from scratch (with new values).
M.
06-03-2024 03:33 PM - edited 06-03-2024 03:33 PM
Marce is correct - if you don't know the original password then there is nothing you can do but choose a new password and configure that on both WLCs and the radius server.
While you're about it you may want to reset your AES master key to something you know - use "no key config-key password-encrypt" to erase the old one but beware you will need to re-configure all your type 6 passwords so make sure you know what they are before doing that. Again if you don't know them they will all need to be reset.
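Before erasing the master key with "no key config-key password-encrypt" as described above, it helps to inventory every type 6 secret in the running-config so that none is forgotten when they are re-entered. The following is an added Python example, not code from this thread or from Cisco; the config excerpt is constructed, and the keywords it matches (key, server-key, password, secret followed by type 6) are an assumption about the IOS-XE config syntax.

```python
import re

# Constructed sample running-config excerpt (not taken from the thread); the
# encrypted blobs are placeholders, not real type 6 ciphertext.
SAMPLE_CONFIG = """\
hostname WLC-9800
password encryption aes
aaa server radius dynamic-author
 client 1.1.1.1 server-key 6 XXXXYYYYZZZ
radius server NPS-1
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key 6 AAAABBBBCCCC
radius server NPS-2
 address ipv4 10.0.0.6 auth-port 1812 acct-port 1813
 key 7 0822455D0A16
"""

# Assumed keyword forms: a key/password keyword, encryption type 6, then the blob.
TYPE6_RE = re.compile(r"\b(?:key|server-key|password|secret)\s+6\s+(\S+)")


def type6_secrets(config: str) -> list[tuple[str, str]]:
    """Return (section, line) for every type 6 secret in the config.

    Each of these must be re-entered in cleartext after the AES master key
    is replaced, because the old ciphertext can no longer be decrypted.
    """
    found = []
    section = "(global)"
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            section = raw.strip()  # top-level command opens a new config section
        if TYPE6_RE.search(raw):
            found.append((section, raw.strip()))
    return found


def aes_enabled(config: str) -> bool:
    """True when 'password encryption aes' is present, a prerequisite for type 6."""
    return any(l.strip() == "password encryption aes" for l in config.splitlines())


if __name__ == "__main__":
    print("AES encryption enabled:", aes_enabled(SAMPLE_CONFIG))
    for section, line in type6_secrets(SAMPLE_CONFIG):
        print(f"{section}: {line}")
```

Run it against "show running-config" output saved to a file to get the list of secrets to re-enter; type 7 entries are deliberately skipped since they do not depend on the master key.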
06-04-2024 03:41 AM
Thank you Rich and Marce,
Your suggestions have been useful in resolving this issue.
Saif