Automate obtaining show command output when wireless clients associate with Cisco access point.

Sam Brynes
Level 1

This question is similar to the one here: https://supportforums.cisco.com/t5/network-management/help-with-tcl-scripts-to-do-show-commands/td-p/1731560

 

I have a Cisco access point that runs IOS. It currently broadcasts an SSID which supports AES or TKIP encryption ciphers. I'd like to find out whether or not we have any clients that are using the older TKIP so that we can decide if we should switch to AES.

 

My first thought was to use TCL to write the output of "show dot11 associations all-client | include Name|Encryption" to the flash with a file name of the system time (so that data isn't overwritten and lost), and EEM would trigger the TCL script whenever a wireless client associated to the access point.

 

I have a Cisco 1252AG access point running 15.2(2)JA1, and it doesn't look like it supports EEM (the "event" command isn't available). Does anyone have any ideas on how to automate this work? I'd also be open to doing a "pull" - which means running the script from a workstation and polling the access point every minute, but the downside is that we might miss clients that are associated to the access point for less than one minute.


Francesco Molino
VIP Alumni
Hi

As per your description, all your aps are autonomous, right?

Have you tried getting that information using snmp?

If eem isn't supported on that specific model then to pull this information you can use python. You'll launch the script from your host to get all APs outputs or you can schedule it to run every x minutes/hours or days.

If you want to do it through python, let me know, I can give you a script. Just let me know if the output has to be formatted in a specific way or just taking the standard ios format.
I've already posted in this forum a template script that reads a text file with all device ips on which we want to connect to.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yep, my one and only AP is autonomous. I think I could use SNMP. Here are the possible values for cDot11ClientUnicastCipher (1.3.6.1.4.1.9.9.273.1.2.1.1.23):

 

These are all the possible unicast data frame cipher encryption type combinations currently supported on this IEEE 802.11 client. If none of the bits is set, the client is not performing any unicast data frame encryption.

aesccm       WPA AES CCMP encryption,
ckip         Cisco Per packet key hashing,
cmic         Cisco MMH MIC,
ckip|cmic    Cisco Per packet key hashing and Cisco MMH MIC,
tkip         WPA Temporal Key encryption,
wep128       128-bit WEP key,
wep40        40-bit WEP key.
tkip|wep128  WPA Temporal Key and 128-bit WEP,

 

ckip(0), cmic(1), tkip(2), wep40(3), wep128(4), aesccm(5)

 

For some reason, when I issue the command "show dot11 associations all-client | include Name|Encryption", I see that all clients are using AES-CCMP, which should be a value of 5 (above).

 

I then saw this Cisco bug:

 

CSCsk44106—SNMP returns incorrect cipher values for some clients in cDot11ClientUnicastCipher when multiple ciphers are defined on an interface.

 

It looks like the SNMP database results can't be reliable. The actual "show" output is correct, though (see below). I'll probably try to use the Python method you brought up. I just need to grab the MAC address of the client and its encryption cipher and put them into a file. A CSV is probably fine.

 

Here's the format that shows up when I run the Cisco IOS show command:

 

HEMOGLOBIN#show dot11 associations all-client | include Name|Encryption
Address : 0000.1234.5678 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 21a0.01bc.69e3 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 99a7.9088.357a Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP

Hi,

Ok let me know if you need my help for Python.
What you want is to get a csv file with 2 columns, MAC and Encryption.
Is that right?

I'll be definitely able to help you on scripting that using Python this WE.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yeah, the Python help would be appreciated. I'll have time this weekend to test the script out.

 

Thanks!

I've some migration this WE but I will provide you a basic script

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

 

I don't have any autonomous AP to test it. I tested it quickly by creating a variable with the output you gave me.

 

The script can run over a list of IPs (multiple APs) or against only 1 IP.

To run the script, you need to follow below instructions:

  1. run the command: python dot11association.py --iplist /path/ip.txt --> Give the path and filename containing all IP addresses on which the script needs to connect to
  2. run the command: python dot11association.py --iponly xx.xx.xx.xx --> Give the AP IP address on which the script needs to connect to

It will create a csv file on same path you're standing when running that script.

 

To be able to run the script, you'll need to install python 2.7 (https://www.python.org/downloads/), install Paramiko (http://www.paramiko.org/installing.html) and click package (using command pip install click --> http://click.pocoo.org/6/)

 

When the script starts, it will ask username and password to connect to AP(s). Be careful, if you run it over multiple APs, username and password have to be the same across all APs.

 

 Rename the script dot11association.txt to dot11association.py

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks! Looks like we are getting somewhere.

Also FYI, I had to install netmiko (sudo pip install netmiko).

 

I'm getting an "IndexError: List index out of range" error when running the script.


python dot11encryption.py --iponly <IP>
Username: <USERNAME>
Password:
Getting information from device <IP>
Traceback (most recent call last):
  File "dot11encryption.py", line 111, in <module>
    wirelessassociation()
  File "/Library/Python/2.7/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/Library/Python/2.7/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/Library/Python/2.7/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Library/Python/2.7/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "dot11encryption.py", line 86, in wirelessassociation
    address = (line.split('Address : ', 1)[1]).split(' ', 1)[0]
IndexError: list index out of range

 

I checked the output of "show dot11 associations all-client | include Name|Encryption", and there were around 50 rows of output.

Hi

Yes, sorry, I forgot to tell you to install netmiko.
Can you give me the output for the command: show dot11 associations all-client | include Name|Encryption

I don't have any autonomous AP and can't completely test my script as I said, I based the test on the output you gave before.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sure, here's the output. The MAC address for the wireless client is on the first line, and the cipher type for that wireless client is on the following line.

 

ap#show dot11 associations all-client | include Name|Encryption

Address           : 000d.4bcd.6ae1     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 001e.b2c4.6c82     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 0080.92c9.69e3     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 00db.7088.357a     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 0805.8125.cfee     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 0c47.c90b.b7a8     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 0c47.c912.4b02     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 38a2.8c9a.3fed     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 40b4.cdb5.0274     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 64db.431e.437d     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 64db.431e.466f     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 7070.0d85.7cf1     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 7831.c1cb.a3f6     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 784f.435b.670a     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 8866.a5e4.50bc     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 9800.c6a4.cbd1     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : a063.916e.cba7     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : a48d.3b70.d561     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : a88e.246c.98b8     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : b034.9578.6bd2     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : c8d3.ffff.964d     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : dc0b.3489.adcc     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : dcef.caf7.f254     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : acbc.32cd.9639     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

ap#

Sure, here is a part of the command output. I think there's a bug to where if I try to post something too long, it automatically deletes the post. The first line is the wireless client MAC address, and the second line is the encryption type used by the wireless client.

 

ap#show dot11 associations all-client | include Name|Encryption

Address           : 000d.4bcd.6ae1     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

Address           : 001e.b2c4.6c82     Name             : NONE

Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP

 

ap#

Hi

The script crashes because in my regex I took the first output and in your last output the number of spaces doesn't match.

Can you send me the output in a text file just to ensure there's no space removed/added when you paste it in the forum?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Is there a way to make it so that the script can handle different numbers of spaces? Maybe with .* ?

 

I've attached the output as a text file here.

Hi

Yes sure you can but I built something very quick.
I've changed all regex stuff, give it a try and let me know.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
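
Added example (not part of the thread and not Francesco's script): a whitespace-tolerant parser for the "show dot11 associations all-client | include Name|Encryption" output discussed above. It pairs each Address line with the Encryption line that follows and reports every client whose cipher is not AES-CCMP. It assumes Python 3; the function names, the sample text and the "TKIP" cipher string in it are constructed for illustration, since the thread only shows AES-CCMP clients.

```python
import csv
import io
import re

# Match on field names and allow any run of spaces/tabs around the colon;
# splitting on the fixed string 'Address : ' is what raised the IndexError.
ADDRESS_RE = re.compile(r"\s*Address\s*:\s*([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})\b")
CIPHER_RE = re.compile(r"\bEncryption\s*:\s*(\S+)")

def parse_associations(output):
    """Return [(mac, cipher)] pairs; prompts and blank lines are skipped."""
    clients, pending = [], None
    for line in output.splitlines():
        m = ADDRESS_RE.match(line)
        if m:
            if pending is not None:  # previous client had no Encryption line
                clients.append((pending, "UNKNOWN"))
            pending = m.group(1).lower()
            continue
        m = CIPHER_RE.search(line)
        if m and pending is not None:
            clients.append((pending, m.group(1).upper()))
            pending = None
    if pending is not None:  # output was cut off after an Address line
        clients.append((pending, "UNKNOWN"))
    return clients

def non_aes_clients(clients):
    """Clients to review before making the SSID AES-only."""
    return [(mac, cipher) for mac, cipher in clients if cipher != "AES-CCMP"]

def to_csv(clients):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["mac", "encryption"])
    writer.writerows(clients)
    return buf.getvalue()

# Constructed sample mixing both spacings seen in the thread, blank lines,
# a tab-separated line, and a truncated final record. "TKIP" is an assumed string.
SAMPLE = """ap#show dot11 associations all-client | include Name|Encryption
Address : 0000.1234.5678 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address           : 0000.5e00.5301     Name             : NONE

Key Mgmt type     : WPA PSK            Encryption       : TKIP
Address\t: 0000.5E00.5302\tName : NONE
ap#
"""
if __name__ == "__main__":
    print(to_csv(non_aes_clients(parse_associations(SAMPLE))), end="")
```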