WPA Keys


Bear with me, I'm new to wireless.

I'm trying to change the WPA keys and I can't get it to take. These are the present settings:

aaa session-id common


dot11 ssid !abbessidprivate!

vlan 1

authentication open

authentication key-management wpa

infrastructure-ssid optional

wpa-psk hex 7 BCBA028E263B5C5789D29D55E3F03E7E2CF0B2A9915B19FD626036D79092F06



What commands do I need to enter? I tried this:

41-AccessPoint-1(config-ssid)#wpa-psk hex 7

% Ambiguous command: "wpa-psk hex 7"

41-AccessPoint-1(config-ssid)#wpa-psk hex 7?


41-AccessPoint-1(config-ssid)#wpa-psk hex 7 ?

Hex-data 66 hexadecimal digits


Invalid key length, expecting 66 hexadecimal digits


Invalid key length, expecting 66 hexadecimal digits

41-AccessPoint-1(config-ssid)#wpa-psk hex 7

% Ambiguous command: "wpa-psk hex 7"




41-AccessPoint-1#show runn

It didn't change....

kka Tue, 03/18/2008 - 06:20

With the 7 a scrambled key is expected. Scrambling (service password-encryption) also adds 2 characters (offset) to the string.

To enter the actual hex-string use

wpa-psk hex 0 KEYSTRING

or the equivalent

wpa-psk hex KEYSTRING

KEYSTRING is the actual 64 char hex key.

If you want to use an ascii key use the command "wpa-psk ascii ...". (Make sure to use at least 20 characters, everything else can be easily broken...)

kka Tue, 03/18/2008 - 11:23

To hide cleartext passwords in IOS configs, the command 'service password-encryption' can be used. If enabled, passwords, WEP- and WPA-keys are scrambled with 'method 7'. This is a very simple encryption easily reverted, and only meant to protect from someone peeking over your shoulder.

Unless you want to reenter the same password, you hardly enter passwords with the 7 in the command, but instead with a 0 or simply without the number.

So to enter a new cleartext WPA-Key you simply enter

wpa-psk hex KEYSTRING

This requires the actual 256-bit preshared key, which is written as 64 hex characters.

To enter a password/passphrase for your WPA-PSK, use

wpa-psk ascii STRING

This will generate the actual PSK from the STRING and the SSID. This is what's usually used, some clients even don't accept 64 char hex strings.
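
The passphrase-to-PSK step described in the reply above, as an added example that is not part of the original thread: WPA/WPA2-Personal derives the 256-bit key with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations. The function names and sample values are hypothetical, and the code assumes the access point applies this standard 802.11i mapping for "wpa-psk ascii".

```python
import hashlib
import string

HEX = set(string.hexdigits)

def derive_wpa_psk(passphrase: str, ssid: str) -> str:
    """Return the 256-bit WPA PSK as 64 hex characters.

    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    """
    pw = passphrase.encode("ascii")   # passphrases are printable ASCII
    salt = ssid.encode("utf-8")
    if not 8 <= len(pw) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, 32).hex()

def check_hex_key(key_type: int, key: str) -> None:
    """Reject a 'wpa-psk hex' argument whose length does not match its type.

    Lengths are the ones quoted in the thread: 64 hex digits for an
    unencrypted key (type 0 or no number), 66 for a type 7 scrambled key.
    """
    expected = {0: 64, 7: 66}.get(key_type)
    if expected is None:
        raise ValueError("key type must be 0 or 7")
    if len(key) != expected or not set(key) <= HEX:
        raise ValueError(f"type {key_type} expects {expected} hexadecimal digits")

def ios_psk_line(passphrase: str, ssid: str) -> str:
    """Build the 'wpa-psk hex 0 KEYSTRING' line for a passphrase and SSID."""
    key = derive_wpa_psk(passphrase, ssid).upper()
    check_hex_key(0, key)
    return f"wpa-psk hex 0 {key}"

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    for ssid in ("example-private", "example-guest"):
        print(ssid, ios_psk_line("correct horse battery staple", ssid))
```

Because the SSID is the salt, the same passphrase yields a different 64-character key on each SSID, so a hex key copied from one SSID's configuration does not correspond to that passphrase on another.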

bcolvin Tue, 03/18/2008 - 15:13


For your reference, the following document is excellent on how to configure WPA-PSK

I recommend you use the GUI as it is much simpler, then you can look at Config for the resulting CLI, or follow the CLI instructions also included.


Good luck


Well, that's another problem, I can't get in through the GUI. When I enter the IP, it comes up with nothing. It can't find the page. All this started when I installed a different switch last week. We've had trouble with our private wireless networks being too weak or slow but never any problems with the public one. Since I installed the switch you can connect to the public wireless but you have limited or no connectivity.

It shouldn't have anything to do with the access point, but I noticed the two private wireless networks had the wrong keys... So I was going to fix it while I was fixing stuff.

Any idea what I should try? Thanks.


The only difference in the original switch configuration (and then it was working) is the ip helper-addresses were the old servers and they are no longer on the network.

And the wireless network I'm troubleshooting is for the public, therefore it doesn't have WPA keys. I'm new to wireless, so maybe I'm missing something. I will be at the branch having the trouble sometime next week. Any advice you can give me on troubleshooting the switch and access point connection would be greatly appreciated. If I can supply any additional info, just ask.



bcolvin Sat, 03/22/2008 - 23:41


The best clue I can give is to verify the switch ports the APs are connected to are set for .1q trunking.

Switches are not my thing.

Good luck


