Cisco SSID password change (no WLC or GUI)

Dan Sheridan
I have some Cisco access points (air-1121g) that have SSIDs broadcast and I need to change the password.

How can I change the password via the CLI (command line, IOS)?
I would suggest that you attach a suitably sanitised copy of the config.
Dan Sheridan, Senior System Eng / vITM (Author), commented:
Is there no way to change the password from CLI for one SSID?
It is possible to change the password for a single SSID from the CLI.

Questions are clearer if they do not contain negatives.
Dan Sheridan, Senior System Eng / vITM (Author), commented:
So I ask my question again.
How do I change the password via the CLI?
Dan Sheridan, Senior System Eng / vITM (Author), commented:
Building configuration...

Current configuration : 7763 bytes
!
! Last configuration change at 17:20:54 UTC Tue Nov 26 2019 by netadm
! NVRAM config last updated at 16:06:50 UTC Tue Nov 26 2019 by netadm
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 00182-01-ap05-sec
!
no logging console
enable secret 5 $1$Q5mp$inCqUG1gWTkYWJ/mpaZ021
!
ip subnet-zero
ip domain name private.network
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
aaa new-model
!
!
aaa group server radius rad_eap
 server 10.250.4.3 auth-port 1645 acct-port 1646
 server 10.250.4.2 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
 server 10.250.4.3 auth-port 1645 acct-port 1646
 server 10.250.4.2 auth-port 1645 acct-port 1646
!
aaa group server radius rad_admin
 server 10.250.4.3 auth-port 1645 acct-port 1646
 server 10.250.4.2 auth-port 1645 acct-port 1646
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_eap1
 server 10.250.4.2 auth-port 1645 acct-port 1646
 server 10.250.4.3 auth-port 1645 acct-port 1646
!
aaa authentication banner ^CC
********************************************************************************
** This system is for use by authorized personnel only.  Unauthorized use of  **
** this system is unlawful and is subject to civil and/or criminal penalties. **
** Any use of this system may be logged or monitored without further notice.  **
** Any resulting logs may be used as evidence in court.                       **
********************************************************************************
^C
aaa authentication login default local group rad_admin
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login eap_methods1 group rad_eap1
aaa authorization exec default local group rad_admin
aaa session-id common
dot11 mbssid
dot11 syslog
!
dot11 ssid BETHEL
   vlan 123
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 02210B79042F0E2D5F2C594B55
!
dot11 ssid NSCGUEST
   vlan 9
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 09425D0A0A1618002F1F
!
dot11 ssid NSCSTAFF
   vlan 12
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 1419310858100A1D227F61
!
dot11 ssid NSCVOICE
   vlan 20
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 7 0528671C321C7E02490B4401
!
!
crypto pki trustpoint TP-self-signed-3289474642
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3289474642
 revocation-check none
 rsakeypair TP-self-signed-3289474642
!
!
username netadm privilege 15 secret 5 *********************************
archive
 path tftp://10.250.1.3/$h
 write-memory
!
bridge irb
!
!
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 9 mode ciphers aes-ccm tkip
 !
 encryption vlan 12 mode ciphers aes-ccm tkip
 !
 encryption vlan 20 mode ciphers aes-ccm tkip
 !
 encryption vlan 125 mode ciphers aes-ccm tkip
 !
 encryption vlan 123 mode ciphers aes-ccm tkip
 !
 ssid BETHEL
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
 bridge-group 1 spanning-disabled
!
interface Dot11Radio0.9
 encapsulation dot1Q 9
 no ip route-cache
 bridge-group 9
 bridge-group 9 subscriber-loop-control
 bridge-group 9 block-unknown-source
 no bridge-group 9 source-learning
 no bridge-group 9 unicast-flooding
 bridge-group 9 spanning-disabled
!
interface Dot11Radio0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 bridge-group 12 subscriber-loop-control
 bridge-group 12 block-unknown-source
 no bridge-group 12 source-learning
 no bridge-group 12 unicast-flooding
 bridge-group 12 spanning-disabled
!
interface Dot11Radio0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 bridge-group 20 subscriber-loop-control
 bridge-group 20 block-unknown-source
 no bridge-group 20 source-learning
 no bridge-group 20 unicast-flooding
 bridge-group 20 spanning-disabled
!
interface Dot11Radio0.123
 encapsulation dot1Q 123
 no ip route-cache
 bridge-group 123
 bridge-group 123 subscriber-loop-control
 bridge-group 123 block-unknown-source
 no bridge-group 123 source-learning
 no bridge-group 123 unicast-flooding
 bridge-group 123 spanning-disabled
!
interface Dot11Radio0.125
 encapsulation dot1Q 125
 no ip route-cache
 bridge-group 125
 bridge-group 125 subscriber-loop-control
 bridge-group 125 block-unknown-source
 no bridge-group 125 source-learning
 no bridge-group 125 unicast-flooding
 bridge-group 125 spanning-disabled
!
interface FastEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 bridge-group 1
 no bridge-group 1 source-learning
 bridge-group 1 spanning-disabled
!
interface FastEthernet0.9
 encapsulation dot1Q 9
 no ip route-cache
 bridge-group 9
 no bridge-group 9 source-learning
 bridge-group 9 spanning-disabled
!
interface FastEthernet0.12
 encapsulation dot1Q 12
 no ip route-cache
 bridge-group 12
 no bridge-group 12 source-learning
 bridge-group 12 spanning-disabled
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 no ip route-cache
 bridge-group 20
 no bridge-group 20 source-learning
 bridge-group 20 spanning-disabled
!
interface FastEthernet0.123
 encapsulation dot1Q 123
 no ip route-cache
 bridge-group 123
 no bridge-group 123 source-learning
 bridge-group 123 spanning-disabled
!
interface FastEthernet0.125
 encapsulation dot1Q 125
 no ip route-cache
 bridge-group 125
 no bridge-group 125 source-learning
 bridge-group 125 spanning-disabled
!
interface BVI1
 ip address 10.3.76.105 255.255.255.0
 no ip route-cache
!
ip default-gateway 10.3.76.1
no ip http server
ip http authentication aaa
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
ip radius source-interface BVI1
!
ip access-list extended Voice_Over_IP_300
 permit 119 any any
 permit ip any any
ip access-list extended Voice_Over_IP_301
 permit 119 any any
 permit ip any any
logging trap debugging
logging facility local0
logging 10.250.1.3
snmp-server view iso_view iso included
snmp-server community ***** RW
snmp-server community ****** RO
snmp-server queue-length 1
snmp-server location (00182-01, NSC HQ SRS HTCX)
snmp-server contact Warner Connect
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps entity
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps config
snmp-server enable traps syslog
snmp-server enable traps cpu threshold
snmp-server enable traps aaa_server
no radius-server attribute 77 include-in-access-req
radius-server host 10.250.4.2 auth-port 1645 acct-port 1646 key 7 132D12321F3F012F20213A
radius-server host 10.250.4.3 auth-port 1645 acct-port 1646 key 7 062E0A01587D0C1C0E1200
radius-server retry method reorder
radius-server deadtime 2
radius-server key 7 132D12321F3F012F20213A
radius-server vsa send accounting
radius-server vsa send authentication
bridge 1 route ip
!
!
!
line con 0
line vty 0 4
 transport input ssh
!
sntp server 10.250.4.200
sntp server 10.250.4.201
end


Top Expert 2014
Commented:
conf t
dot11 ssid <SSID>
wpa-psk ascii <NEWKEY>
end

If you have the service password-encryption command enabled it will convert the PSK to a type-7 password in the config.
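
An added example, not part of the original answer and not Cisco tooling: type-7 strings are a reversible encoding rather than a hash, so a config should have its secret values stripped before it is shared or archived. The Python sketch below reports how each SSID's PSK is stored and redacts secret-bearing lines; the sample config, its SSID names and all values in it are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample in autonomous-AP IOS layout; every value is a placeholder.
SAMPLE = """\
service password-encryption
enable secret 5 $1$EXAMPLE$placeholderhashvalue000
dot11 ssid LAB-GUEST
   vlan 9
   authentication key-management wpa
   wpa-psk ascii 7 00112233445566
dot11 ssid LAB-STAFF
   vlan 12
   authentication key-management wpa
   wpa-psk ascii 0 PlaceholderKey1
radius-server host 192.0.2.10 auth-port 1645 acct-port 1646 key 7 0011223344
snmp-server community examplecomm RW
"""

PSK = re.compile(r"^(\s+wpa-psk (?:ascii|hex) (?:(\d) )?)(\S+)")
# Other secret-bearing lines: prefix is kept, the value after it is replaced.
OTHER = [
    re.compile(r"^(.*\b(?:secret|password|key) \d )(\S+)"),
    re.compile(r"^(snmp-server community )(\S+)"),
]

def psk_storage(config):
    """Map SSID -> PSK storage type (0 = cleartext, 7 = reversible type 7)."""
    found, ssid = {}, None
    for line in config.splitlines():
        if line.startswith("dot11 ssid "):
            ssid = line.split(None, 2)[2]
        elif not line.startswith(" "):
            ssid = None                      # left the SSID block
        elif ssid and (m := PSK.match(line)):
            found[ssid] = int(m.group(2) or 0)
    return found

def sanitise(config):
    """Return the config with every secret value replaced by <removed>."""
    out = []
    for line in config.splitlines():
        m = PSK.match(line) or next((p.match(line) for p in OTHER if p.match(line)), None)
        if m:
            line = m.group(1) + "<removed>" + line[m.end():]
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    print(sanitise(SAMPLE))
```

Type 5 values are salted MD5 hashes rather than reversible encodings, but the script redacts them as well.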
Dan Sheridan, Senior System Eng / vITM (Author), commented:
Thank you
