Cisco 3850 wireless - Can't configure wpa akm psk set-key ascii 8 <word>. Prompt decryption failed.

jazmario
Level 1

Hi, has anyone managed to configure a WPA key on Cisco 3850 wireless using the ascii 8 encryption? I'm able to configure it using >> security wpa akm psk set-key ascii 0 <pre-sharedkey>. But since it is not encrypted, I'm able to see the PSK string in plaintext if I show config.

I tried to use the ascii 8 <pre-sharedkey> but prompted for the below error after entering the command.

% switch-1:eicored:Invalid Encrypted Text : Decryption Failed

 

16 Replies

Hi 

I am also not so sure how to get AES encrypted text to follow this ascii 8 <pre-sharedkey>.

But here is a workaround I am doing not to disclose PSK in plain text in switch configuration. Hope that may be useful to you as well.

You can enter your PSK in HEX format instead of plaintext. You can use this website to derive your PSK in hex format.

Here is an example (SSID: ABC-PSK, Presharedkey: Test12345). From the above link you can get the PSK in HEX format as shown below & configure it on your WLAN.

wlan ABC-PSK 17 ABC-PSK
client vlan 1410
no mfp client
no mfp client required
no security wpa akm dot1x
security wpa akm psk set-key hex 0 194d3ee23de5212c109a7139e6c398ecd0ce9a394f84c0c88fb3cfd389262ae2
no shutdown

 

HTH

Rasika

**** Pls rate all useful responses ****

Great. That did the job. Thanks.

Nice.. You can mark the thread as "answered" if you are satisfied with the resolution.

Rasika

Hi 

I checked this with Cisco & here is the resolution for this. You simply need to configure the below & then all your PSKs are shown in encrypted format.

3850(config)#passwd encryption on

HTH

Rasika

**** Pls rate all useful responses ****

Hi Rasika

 

That command doesn't work in version 16.9. The command is password encryption aes, but it didn't encrypt my PSK key.

Take a look at this guide:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/config-guide/b_wl_16_10_cg/wlans.html

We recommend that you configure the password encryption aes and the key config-key password-encrypt key commands to encrypt your password.
-Scott
*** Please rate helpful posts ***

Thanks for the reply, but I want to encrypt my PSK key, so please tell me how I can encrypt that key. It is still in plain text.

What device do you have, a 9800 controller?
-Scott
*** Please rate helpful posts ***

Hi Scott

 

Yes, we have 9880 WLC with 16.12.4 software version.

I posted the command you need to encrypt your psk. Here is another link:

https://www.cisco.com/c/en/us/td/docs/ios/ios_xe/sec_secure_connectivity/configuration/guide/2_xe/sec_secure_connectivity_xe_book/sec_encrypt_preshare_xe.html
-Scott
*** Please rate helpful posts ***

Hi Scott

 

Thanks for this post. What we want to do is encrypt the WPA2 PSK key under the WLAN configuration. What you have given here is for a VPN pre-shared key.

 

Password encryption
Cisco IOS XE allows you to encrypt all the passwords used on the box. This includes user passwords but also SSID passwords, for example. To use encryption, first define an encryption key:
c9800-1(config)#key config-key password-encrypt

and then use the following command:
c9800-1(config)#password encryption aes

This is recommended for protecting your password information.
Note: On the C9800, once the passwords are encrypted there is no mechanism to decrypt them, as a security best practice. The only way to recover would be to reconfigure the passwords.

At the time of writing, it is recommended that you deal with password settings directly in the CLI. There is a bug (CSCvr43527) that prevents this from working on the GUI. This is fixed in release 17.2.
-Scott
*** Please rate helpful posts ***
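
An added example (not from the thread or the Cisco guide): a small audit of a saved configuration that reports whether password encryption aes is present and which WLAN PSK lines are still stored as type 0, the situation described in the replies above. The configuration text is constructed and the function name is illustrative.

```python
import re

# WLAN PSK sub-command as written in this thread; "akm" is treated as optional
# so the same check also covers the shorter spelling of the command.
PSK_RE = re.compile(r"^\s*security wpa (?:akm )?psk set-key (ascii|hex) (\d) \S+")

# Constructed sample: AES encryption is enabled globally, yet one WLAN still
# carries a type 0 key. Key values are placeholders, not real material.
SAMPLE = (
    "password encryption aes\n"
    "!\n"
    "wlan ABC-PSK 17 ABC-PSK\n"
    " client vlan 1410\n"
    " security wpa akm psk set-key hex 0 CONSTRUCTED_HEX_KEY\n"
    " no shutdown\n"
    "wlan GUEST 18 GUEST\n"
    " security wpa akm psk set-key ascii 8 CONSTRUCTED_TYPE8_BLOB\n"
    " no shutdown\n"
)


def audit_psk_lines(config_text):
    """Return (aes_enabled, findings).

    findings is a list of (line_number, wlan_profile, key_format) for every
    PSK line whose type digit is 0, i.e. stored unencrypted.
    """
    aes_enabled = False
    current_wlan = None
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line.strip() == "password encryption aes":
            aes_enabled = True
        elif line.startswith("wlan "):
            current_wlan = line.split()[1]
        elif line and not line[0].isspace():
            current_wlan = None  # any other top-level line ends the wlan block
        match = PSK_RE.match(line)
        if match and match.group(2) == "0":
            findings.append((lineno, current_wlan, match.group(1)))
    return aes_enabled, findings


if __name__ == "__main__":
    enabled, hits = audit_psk_lines(SAMPLE)
    print("password encryption aes:", enabled)
    for lineno, wlan, fmt in hits:
        print(f"line {lineno}: wlan {wlan} has a type 0 {fmt} key")
```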

Thanks Scott for this help. 

Did you not try the commands? IOS-XE is IOS-XE no matter a wireless controller or not. If the commands do not work for you, then I suggest to open a TAC case.
-Scott
*** Please rate helpful posts ***