Symptom
The command "key config-key password-encrypt" returns an error when a user attempts to enter a key with more than 128 characters as part of the command:
WLC(config)# key config-key password-encrypt
% Key length less than 128 chars
However, entering the same command without the key, and supplying the key at the prompts instead, allows 256 characters with no errors or warnings:
WLC(config)# key config-key password-encrypt
New key:
Confirm key:
This command successfully encrypts passwords with the long key and shows no errors. When any password (PSK, RADIUS key, etc.) is later changed, the WLC reports that it is unable to decrypt the password and the configuration does not change. When the WLC is rebooted or fails over to the standby, decryption errors are shown and the passwords/encryption disappear.
Conditions
9800-CL / 9800-L
Tested on 17.3.6, 17.3.7, 17.9.2, and 17.9.3 - same results on these versions
The following command shows no errors/warnings:
WLC(config)# key config-key password-encrypt
New key:
Confirm key:
Workaround
Use a key shorter than 128 characters. If the configured key is already longer than 127 characters, remove encryption and reconfigure the passwords.
Further Problem Description
Entering "key config-key password-encrypt" without the key in the initial command should not allow users to configure a key longer than 127 characters, and should display a warning when this is attempted.