I inherited an extremely poorly documented IT infrastructure. It includes an Aironet 1130AG Access Point.
I would like to change the password that clients use to connect to it. I'm digging through the manuals because I didn't seem to find it at a cursory glance.
Can anyone point a newbie, lost in an unknown environ, in the right direction?
This is autonomous, correct?
If so, console into the AP and do a SHOW RUN. You will see a line ..
username (then the username) password (then the password).
Do a NO username ---> etc
Then redo it with your username etc ..
If the authentication mechanism is 802.1x, the password can be stored locally if your AP is configured to use local radius feature.
If the radius server is external (IAS, ACS, etc), the password is actually stored on your radius server, and AP has no idea about it.
For the local radius, the password cannot be recovered (just deleted), as it is under nthash format.
If the authentication mechanism is psk, you could recover it if it is in "format 7" like the one below:
dot11 ssid wgb
authentication key-management wpa
wpa-psk ascii 7 00071A1507545A545C < this
Just use one of the multiple user password recovery tools around the net for IOS.
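Added example, not part of any post in this thread: a small Python audit that reads an autonomous AP running-config and reports which SSID keys and local user passwords are stored in the reversible "7" format or in plaintext, without decoding them. The sample config is constructed (only the wpa-psk value is the one quoted above), and the names classify, audit and SAMPLE_CONFIG are hypothetical.

```python
import re

# Constructed running-config excerpt; only the type 7 string comes from the
# thread above, every other name and value is made up for this example.
SAMPLE_CONFIG = """\
dot11 ssid wgb
   authentication key-management wpa
   wpa-psk ascii 7 00071A1507545A545C
!
dot11 ssid lab
   authentication key-management wpa
   wpa-psk ascii ExamplePlaintextKey
!
username admin password 7 00071A1507545A545C
username ops secret 5 $1$abcd$CONSTRUCTEDHASHVALUE
"""

PSK_RE = re.compile(r"^\s+wpa-psk\s+(ascii|hex)\s+(?:([07])\s+)?(\S+)")
USER_RE = re.compile(r"^username\s+(\S+)\s+(password|secret)\s+(?:(\d)\s+)?(\S+)")
TYPE7_RE = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")  # 2-digit salt + hex pairs

def classify(enc_type, value):
    """Return (status, secret_length) for one stored secret."""
    if enc_type == "7":
        if not TYPE7_RE.match(value):
            return ("malformed-type7", None)
        # Type 7 is obfuscation: one hex pair per character after the salt,
        # so the stored string also leaks the length of the secret.
        return ("reversible-type7", (len(value) - 2) // 2)
    if enc_type in (None, "0"):
        return ("plaintext", len(value))
    return ("hashed", None)  # e.g. "secret 5"

def audit(config_text):
    findings, ssid = [], None
    for line in config_text.splitlines():
        if line.startswith("dot11 ssid "):
            ssid = line.split(None, 2)[2].strip()
            continue
        if line and not line[0].isspace():
            ssid = None  # an unindented line ends the SSID stanza
        m = PSK_RE.match(line)
        if m and ssid:
            findings.append((f"ssid {ssid}", *classify(m.group(2), m.group(3))))
            continue
        m = USER_RE.match(line)
        if m:
            findings.append((f"username {m.group(1)}", *classify(m.group(3), m.group(4))))
    return findings
```

Anything reported as reversible-type7 or plaintext should be treated as known to whoever can read the config or a backup of it, and rotated when access to that config changes.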
Thanks for the quick responses.
Yes, it is just the client access (WPA) key/password that I wish to change. I have the admin password and am using it to log on to the web-based management console.
On the Express Security tab, I've found an SSID Table which includes the record for the wireless network that clients see. Its key management is set to "WPA", but it gives me no option to manage this wpa key.
So, I apologize if I'm asking you to repeat yourself, but how do I go about making it so that when I try to connect my laptop to this ssid broadcast (radio0 is set to 802.11G and radio1 is 802.11A), instead of entering
1. Do telnet/ssh to AP
2. go enable mode. en, then your enable password (prompt should change)
3. do sh run, check that you have the "wpa-psk" command under your SSID
4. if yes, write the SSID name
6. do, config, then T (prompt should change)
7. write dot11 ssid YOURSSID (prompt should change)
8. write wpa-psk ascii YOURNEWWPAPASSWORD
9. write exit
10. write "wr"
config is saved
now, you should be able to connect with the new PSK key.
NOTE: this is only for wpa-psk, if you have any other method this will not work. Make sure you validate step 3.
thanks again, for the quick help, Javier.
I got as far as the last line. When I typed "wr" it gave me an error message:
% invalid input detected at '^' marker.
the '^' marker is sitting just below the "r" in the "wr" command.
Please let me know what you think might be the issue.
I'll continue to investigate on my side.
> When I typed "wr" it gave me an error message
Sounds like you inherited a controller-based AP. Can you confirm that there's a WLC?
I'm not sure what you mean by "wlc".
The change was done, even though the record didn't get written, so when the router rebooted, it reverted to the original access passcode.
I'll follow the instructions to change it again, but I would really like to write the record so the change is permanent.
It looks like you may have needed to back out one more context (level). Add the "exit" command again to Javier's barely-comprehensible script and you might have it. I don't have that interface in front of me to work with, but an additional exit might be what you needed.
Obviously he meant "type" every time he said "write." His switch to using quotes suddenly at the end was oddball, and his separation of the configure terminal command into "do, config, then T" was lame. His wide variations in how he abbreviates the commands were startling.
Here's what he wanted you to do. Connect to the access point using telnet, ssh, or the console so that we can use the command line interface.
Log in and get into enable mode (the command is enable and you should be prompted for credentials). The end of the command prompt should change from a > to a #. Do a "show run" command and look for "wpa-psk" under your SSID's name. If it's there, then use the following. Remember the old notation where <>'s indicate your information, not that you type them in the commands. From the enabled (#) prompt:
You needed to back out one more context for the wr command to work. Otherwise, you could attach "do" to the beginning of it, as in "do wr" from a deeper context. Each time your prompt changes, that's a change in "context," meaning where you're issuing commands to.
Man i missed the boat on that one ... I thought you mean the LOCAL AP logon ...