New Member

how to retrieve the Radius shared secret key on the 5508 WLC

Hi All,

The previous wireless admin left our company and didn't let the others know the Radius shared secret key on the 5508 WLC.

The 5508 WLC is running on code 7.0.98.0. I can access the WLC via CLI and GUI. I can also access the Win2003 Radius server but the key shows as asterisks to me. I have listed the partial Radius config of the WLC below. How can I get the radius shared secret key? Thanks in advance.

(Cisco Controller) >show radius summary

Vendor Id Backward Compatibility................. Disabled
Call Station Id Case............................. lower
Call Station Id Type............................. IP Address
Aggressive Failover.............................. Enabled
Keywrap.......................................... Disabled
Fallback Test:
    Test Mode.................................... Off
    Probe User Name.............................. cisco-probe
    Interval (in seconds)........................ 300
MAC Delimiter for Authentication Messages........ hyphen
MAC Delimiter for Accounting Messages............ hyphen

Authentication Servers

Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1    NM    10.xx.18.48       1645    Enabled   2     Disabled  Disabled - none/unknown/group-0/0 none/none

Accounting Servers

Idx  Type  Server Address    Port    State     Tout  RFC3576  IPSec - AuthMode/Phase1/Group/Lifetime/Auth/Encr

--More-- or (q)uit
---  ----  ----------------  ------  --------  ----  -------  ------------------------------------------------
1      N     10.xx.18.48       1646    Enabled   2     N/A       Disabled - none/unknown/group-0/0 none/none

Regards,

Robert

Accepted Solutions
Cisco Employee

how to retrieve the Radius shared secret key on the 5508 WLC

You can retrieve the RADIUS shared secret key like other passwords that are stored on the WLC using the procedure at the following link:

https://supportforums.cisco.com/community/netpro/wireless-mobility/begin-wireless/blog/2011/11/04/recover-wepadminguest-account-password-from-wlc

NOTE: WPA keys are not available through these methods.

Basically, you can enable password cleartext on the WLC with "config passwd-cleartext enable" and then issue a "show run-config commands" -- your RADIUS configuration command should now display the shared secret.

-Pat

9 REPLIES
Bronze

how to retrieve the Radius shared secret key on the 5508 WLC

I'm not sure that we can "retrieve" that key from your WLC, nor the Microsoft side, that I am aware of.  Is there any opposition to scheduling some brief downtime, or afterhours, to recreate the shared secret on your RADIUS (IAS), and then retype on the WLC?  You would be looking at a very short interruption making this change.

Bronze

how to retrieve the Radius shared secret key on the 5508 WLC

Good call.  Thanks Pat!

how to retrieve the Radius shared secret key on the 5508 WLC

Pat's the MAN ... +5

Side note -- If you have a client using win xp supplicant you can pull the WEP and PSK from the reg. Check a program called ZCOOk. I did a video on my site actually ...

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin

New Member

Re: how to retrieve the Radius shared secret key on the 5508 WLC

Thank you Pat for your reply.

I've got another problem and hope you can help.

I used the Local Admin account "badmin" along with the password to login to the WLC successfully via both GUI and CLI, but couldn't use the password to complete the command of "config passwd-cleartext enable". See the output below. Actually I've tried both badmin and cmdr_taco, both got the same result. I believe badmin and cmdr_taco are both admin accounts. I'm 100% sure I typed in the correct password for each account. Please help. Do I need to create an admin account named "admin" first? Thanks in advance.

(Cisco Controller)

User: badmin

Password:*************

(Cisco Controller) >show mgmtuser

User Name                 Permissions    Description
-----------------------   ------------   --------------------------------
alexandrem                read-write    
badmin                    read-write    
cmdr_taco                 read-write    

(Cisco Controller) >config switchconfig secret-obfuscation disable

Secret de-obfuscation may take a few minutes.
Please wait...  Done!

(Cisco Controller) >config passwd-cleartext enable

The way you see your passwds will be changed
You are being warned.

Enter admin password: *************

Incorrect Password!

(Cisco Controller) >

Cisco Employee

Re: how to retrieve the Radius shared secret key on the 5508 WLC

Hi Robert,

The admin password that you use needs to be the password for the account that is currently logged in. If you are logging in via TACACS, you will not be able to issue this command.

I just tried in the lab and I created a new management local user, and once I logged in with that particular user, I could use the matching password to enable this command. (On 7.0.116.0)

If you are logging in with a local account and using the matching password and it's still not working, I suppose we are dealing with some sort of bug here -- I haven't found any matching behavior so far...let me see if I have a controller on 7.0.98.0 to test this.

-Pat

New Member

how to retrieve the Radius shared secret key on the 5508 WLC

Thanks Pat for the quick reply.

I've tried 2 local accounts along with their matching password. Both failed.

Cisco Employee

how to retrieve the Radius shared secret key on the 5508 WLC

Hi Robert,

That's very strange -- I'm able to run that command when logging in via console, ssh, and service-port without issues.

At this point I think you should go ahead and open up a service request and we'll take a look first-hand.

-Pat

New Member

how to retrieve the Radius shared secret key on the 5508 WLC

I hit this same issue with it not taking the admin password. I was able to solve it by creating a new account with read/write privileges and a short password. It looks like it may be a bug related to the length/complexity of the password.
