Recover RADIUS secret on Cisco 5508 WLC

by

It was whilst we were configuring our new Cisco 9800 Wireless LAN Controllers that we discovered a RADIUS configuration which was not documented. To resolve this issue, we needed to somehow recover the RADIUS secret on our Cisco 5508 WLC.

My initial thought was dig through old emails to see if I had anything relating to the setup, but as this was not configured by me. This was a pointless task.

After a bit of research on “The Network Engineer’s Handbook” I found a site which said it was possible to get the RADIUS secrets from the config. “Great!” I thought. However, the site did not work!

After a good hour of further research on “The Network Engineer’s Handbook” I tried to work it out methodically. If this was any other network device, the first thing I would do is to try get the config. This was easily done using a Show tech-support.

Now i know that I could see the configuration I could see the following line:

radius auth add 1 192.168.1.100 1812 ascii ****

With 10 years of working with Cisco equipment, I knew that anything shown as asterisks in the config, is not encrypted. The platform will not show the real password without being told to do so.

Some more research on “The Network Engineer’s Handbook” relating to password encryption on the Cisco Wireless LAN Controller I found the following command:

config password-cleartext enable

This is exactly what i needed. After saving the configuration followed by another Show tech-support I got exactly what I needed.

The full list of commands needed to recover the RADIUS secrets on a Cisco 5508 WLC are:

  1. SSH into the WLC
  2. Enter the command:
    3. config password-cleartext enable
  3. You will be prompted to re-enter your password
  4. Save the configuration with:
    5. save config
  5. Issue the Show Technical Support command:
    6. show tech-support

After a number of space bar presses you will see output like:

radius auth add 1 192.168.1.100 1812 ascii Sup3rSec3rtP@55w0rd

Once you have all of your secret’s recovered, remember to re-issue the config password-cleartext disable command and then save.

This will then show the config with a hidden password:

radius auth add 1 192.168.1.100 1812 ascii ****
Post Views: 1,080

Leave a comment