Automate obtaining show command output when wireless clients associate with Cisco access point.

Sam Brynes · ‎11-15-2017

This question is similar to the one here: https://supportforums.cisco.com/t5/network-management/help-with-tcl-scripts-to-do-show-commands/td-p/1731560

I have a Cisco access point that runs IOS. It currently broadcasts an SSID which supports AES or TKIP encryption ciphers. I'd like to find out whether or not we have any clients that are using the older TKIP so that we can decide if we should switch to AES.

My first thought was to use TCL to write the output of "show dot11 associations all-client | include Name|Encryption" to the flash with a file name of the system time (so that data isn't overwritten and lost), and EEM would trigger the TCL script whenever a wireless client associated to the access point.

I have a Cisco 1252AG access point running 15.2(2)JA1, and it doesn't look like it support EEM (the "event" command isn't available). Does anyone have any ideas on how to automate this work? I'd be open to also doing a "pull" - which means running the script from a workstation and polling the access point every minute, but the downside is that we might miss clients that are associated to the access point for less than one minute.

Francesco Molino · ‎11-15-2017

Hi

As per your description, all your aps are autonomous, right?

Have you tried getting that information using snmp?

If eem isn't supported on that specific model then to pull this information you can use python. You'll will launch the script from your host to get all APs outputs or you can schedule to run it every x minutes/hours or days.

If you want to do it through python, let me know i can give you a script. Just let me know if the output has to be formatted in a specific way or just taking the standard ios format.
I've already posted in this forum a template script that read a text file with all device ips on which we want to connect to.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sam Brynes · ‎11-16-2017

Yep, my one and only AP is autonomous. I think I could use SNMP. Here are the possible values for cDot11ClientUnicastCipher (1.3.6.1.4.1.9.9.273.1.2.1.1.23):

These are all the possible unicast data frame cipher
encryption type combinations currently supported on
this IEEE 802.11 client. If none of the bits is set,
the client is not performing any unicast data frame
encryption.
aesccm WPA AES CCMP encryption,
ckip Cisco Per packet key hashing,
cmic Cisco MMH MIC,
ckip|cmic Cisco Per packet key hashing and
Cisco MMH MIC,
tkip WPA Temporal Key encryption,
wep128 128-bit WEP key,
wep40 40-bit WEP key.
tkip|wep128 WPA Temporal Key and 128-bit WEP,

ckip(0), cmic(1), tkip(2), wep40(3), wep128(4), aesccm(5)

For some reason, when I issue the command "show dot11 associations all-client | include Name|Encryption", I see that all clients are using AES-CCMP, which should be a value of 5 (above).

I then saw this Cisco bug:

CSCsk44106—SNMP returns incorrect cipher values for some clients in cDot11ClientUnicastCipher when multiple ciphers are defined on an interface.

It looks like the SNMP database results can't be reliable. The actual "show" output is correct, though (see below). I'll probably try to use the Python method you brought up. I just need to grab the MAC address of the client and its encryption cipher and put them into a file. A CSV is probably fine.

Here's the format that shows up when I run the Cisco IOS show command:

HEMOGLOBIN#show dot11 associations all-client | include Name|Encryption
Address : 0000.1234.5678 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 21a0.01bc.69e3 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 99a7.9088.357a Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP

Francesco Molino · ‎11-16-2017

Hi,

Ok let me know if you need my help for Python.
What your want is getting a csv file with 2 columns MAC and Encryption.
Is that right?

I'll be definitely able to help you on scripting that using Python this WE.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sam Brynes · ‎11-16-2017

Yeah, the Python help would be appreciated. I'l have time this weekend to work test the script out.

Thanks!

Francesco Molino · ‎11-16-2017

I've some migration this WE but I will provide you a basic script

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Francesco Molino · ‎11-16-2017

Hi,

I don't have any autonomous AP to test it. I tested it quickly by creating a variable with the output you gave me.

The script can run over a list of IP (multiple APs) or to only 1 IP.

To run the script, you need to follow below instructions:

run the command: python dot11association.py --iplist /path/ip.txt --> Give the path and filename containing all IP addresses on which the script needs to connect to
run the command: python dot11association.py --iponly xx.xx.xx.xx --> Give the AP IP address on which the script needs to connect to

It will create a csv file on same path you're standing when running that script.

To be able to run the script, you'll need to install python 2.7 (https://www.python.org/downloads/), install Paramiko (http://www.paramiko.org/installing.html) and click package (using command pip install click --> http://click.pocoo.org/6/)

When the script starts, it will ask username and password to connect to AP(s). Be careful, if you run it over multiple APs, username and password have to be the same across all APs.

Rename the script dot11association.txt to dot11association.py

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sam Brynes · ‎11-17-2017

Thanks! Looks like we are getting somewhere.

Also FYI, I had to install netmiko (sudo pip install netmiko).

I'm getting an "IndexError: List index out of range" error when running the script.

python dot11encryption.py --iponly <IP>
Username: <USERNAME>
Password:
Getting information from device <IP>
Traceback (most recent call last):
File "dot11encryption.py", line 111, in <module>
wirelessassociation()
File "/Library/Python/2.7/site-packages/click/core.py", line 722, in __call__
return self.main(*args, **kwargs)
File "/Library/Python/2.7/site-packages/click/core.py", line 697, in main
rv = self.invoke(ctx)
File "/Library/Python/2.7/site-packages/click/core.py", line 895, in invoke
return ctx.invoke(self.callback, **ctx.params)
File "/Library/Python/2.7/site-packages/click/core.py", line 535, in invoke
return callback(*args, **kwargs)
File "dot11encryption.py", line 86, in wirelessassociation
address = (line.split('Address : ', 1)[1]).split(' ', 1)[0]
IndexError: list index out of range

I checked the output of show dot11 associations all-client | include Name|Encryption", and there was around 50 rows of output.

Francesco Molino · ‎11-18-2017

Hi

Yes sorry for netmiko I forgot to tell you to install.
Can you give me the output for the command: show dot11 associations all-client | include Name|Encryption

I don't have any autonomous and can't test completely my script as I said, I based the test on the output you gave before.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Sam Brynes · ‎11-18-2017

Sure, here's the output. The MAC address for the wireless client is on the first line, and the cipher type for that wireless client is on the following line.

ap#show dot11 associations all-client | include Name|Encryption

Address : 000d.4bcd.6ae1 Name : NONE