Automate obtaining show command output when wireless clients associate with Cisco access point.
11-15-2017 10:46 AM - edited 03-01-2019 06:15 PM
This question is similar to the one here: https://supportforums.cisco.com/t5/network-management/help-with-tcl-scripts-to-do-show-commands/td-p/1731560
I have a Cisco access point that runs IOS. It currently broadcasts an SSID which supports AES or TKIP encryption ciphers. I'd like to find out whether or not we have any clients that are using the older TKIP so that we can decide if we should switch to AES.
My first thought was to use TCL to write the output of "show dot11 associations all-client | include Name|Encryption" to the flash with a file name of the system time (so that data isn't overwritten and lost), and EEM would trigger the TCL script whenever a wireless client associated to the access point.
I have a Cisco 1252AG access point running 15.2(2)JA1, and it doesn't look like it supports EEM (the "event" command isn't available). Does anyone have any ideas on how to automate this work? I'd be open to also doing a "pull" - which means running the script from a workstation and polling the access point every minute, but the downside is that we might miss clients that are associated to the access point for less than one minute.
11-15-2017 08:17 PM
As per your description, all your aps are autonomous, right?
Have you tried getting that information using snmp?
If EEM isn't supported on that specific model, then to pull this information you can use Python. You'll launch the script from your host to get all APs' outputs, or you can schedule it to run every x minutes/hours or days.
If you want to do it through Python, let me know and I can give you a script. Just let me know if the output has to be formatted in a specific way or if the standard IOS format is fine.
I've already posted in this forum a template script that reads a text file with all the device IPs we want to connect to.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
11-16-2017 12:30 AM - edited 11-16-2017 12:31 AM
Yep, my one and only AP is autonomous. I think I could use SNMP. Here are the possible values for cDot11ClientUnicastCipher (1.3.6.1.4.1.9.9.273.1.2.1.1.23):
These are all the possible unicast data frame cipher
encryption type combinations currently supported on
this IEEE 802.11 client. If none of the bits is set,
the client is not performing any unicast data frame
encryption.
aesccm WPA AES CCMP encryption,
ckip Cisco Per packet key hashing,
cmic Cisco MMH MIC,
ckip|cmic Cisco Per packet key hashing and
Cisco MMH MIC,
tkip WPA Temporal Key encryption,
wep128 128-bit WEP key,
wep40 40-bit WEP key.
tkip|wep128 WPA Temporal Key and 128-bit WEP,
ckip(0), cmic(1), tkip(2), wep40(3), wep128(4), aesccm(5)
For some reason, when I issue the command "show dot11 associations all-client | include Name|Encryption", I see that all clients are using AES-CCMP, which should be a value of 5 (above).
I then saw this Cisco bug:
CSCsk44106—SNMP returns incorrect cipher values for some clients in cDot11ClientUnicastCipher when multiple ciphers are defined on an interface.
It looks like the SNMP database results can't be reliable. The actual "show" output is correct, though (see below). I'll probably try to use the Python method you brought up. I just need to grab the MAC address of the client and its encryption cipher and put them into a file. A CSV is probably fine.
Here's the format that shows up when I run the Cisco IOS show command:
HEMOGLOBIN#show dot11 associations all-client | include Name|Encryption
Address : 0000.1234.5678 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 21a0.01bc.69e3 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 99a7.9088.357a Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
11-16-2017 04:50 AM
Ok let me know if you need my help for Python.
What you want is to get a CSV file with 2 columns, MAC and Encryption.
Is that right?
I'll be definitely able to help you on scripting that using Python this WE.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
11-16-2017 07:58 AM
Yeah, the Python help would be appreciated. I'll have time this weekend to test the script out.
Thanks!
11-16-2017 06:30 PM
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
11-16-2017 07:52 PM
Hi,
I don't have any autonomous AP to test it. I tested it quickly by creating a variable with the output you gave me.
The script can run over a list of IPs (multiple APs) or only 1 IP.
To run the script, you need to follow the instructions below:
- run the command: python dot11association.py --iplist /path/ip.txt --> Give the path and filename of the file containing all IP addresses the script needs to connect to
- run the command: python dot11association.py --iponly xx.xx.xx.xx --> Give the AP IP address the script needs to connect to
It will create a CSV file in the directory you're in when running the script.
To be able to run the script, you'll need to install python 2.7 (https://www.python.org/downloads/), install Paramiko (http://www.paramiko.org/installing.html) and click package (using command pip install click --> http://click.pocoo.org/6/)
When the script starts, it will ask username and password to connect to AP(s). Be careful, if you run it over multiple APs, username and password have to be the same across all APs.
Rename the script dot11association.txt to dot11association.py
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
11-17-2017 10:28 PM - edited 11-17-2017 10:31 PM
Thanks! Looks like we are getting somewhere.
Also FYI, I had to install netmiko (sudo pip install netmiko).
I'm getting an "IndexError: List index out of range" error when running the script.
python dot11encryption.py --iponly <IP>
Username: <USERNAME>
Password:
Getting information from device <IP>
Traceback (most recent call last):
  File "dot11encryption.py", line 111, in <module>
    wirelessassociation()
  File "/Library/Python/2.7/site-packages/click/core.py", line 722, in __call__
    return self.main(*args, **kwargs)
  File "/Library/Python/2.7/site-packages/click/core.py", line 697, in main
    rv = self.invoke(ctx)
  File "/Library/Python/2.7/site-packages/click/core.py", line 895, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Library/Python/2.7/site-packages/click/core.py", line 535, in invoke
    return callback(*args, **kwargs)
  File "dot11encryption.py", line 86, in wirelessassociation
    address = (line.split('Address : ', 1)[1]).split(' ', 1)[0]
IndexError: list index out of range
I checked the output of "show dot11 associations all-client | include Name|Encryption", and there were around 50 rows of output.
11-18-2017 07:47 AM
Yes, sorry about netmiko, I forgot to tell you to install it.
Can you give me the output for the command: show dot11 associations all-client | include Name|Encryption?
I don't have any autonomous AP and can't completely test my script; as I said, I based the test on the output you gave before.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
11-18-2017 12:02 PM
Sure, here's the output. The MAC address for the wireless client is on the first line, and the cipher type for that wireless client is on the following line.
ap#show dot11 associations all-client | include Name|Encryption
Address : 000d.4bcd.6ae1 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 001e.b2c4.6c82 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 0080.92c9.69e3 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 00db.7088.357a Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 0805.8125.cfee Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 0c47.c90b.b7a8 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 0c47.c912.4b02 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 38a2.8c9a.3fed Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 40b4.cdb5.0274 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 64db.431e.437d Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 64db.431e.466f Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 7070.0d85.7cf1 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 7831.c1cb.a3f6 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 784f.435b.670a Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 8866.a5e4.50bc Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 9800.c6a4.cbd1 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : a063.916e.cba7 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : a48d.3b70.d561 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : a88e.246c.98b8 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : b034.9578.6bd2 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : c8d3.ffff.964d Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : dc0b.3489.adcc Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : dcef.caf7.f254 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : acbc.32cd.9639 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
ap#
11-18-2017 05:05 PM
Sure, here is a part of the command output. I think there's a bug to where if I try to post something too long, it automatically deletes the post. The first line is the wireless client MAC address, and the second line is the encryption type used by the wireless client.
ap#show dot11 associations all-client | include Name|Encryption
Address : 000d.4bcd.6ae1 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
Address : 001e.b2c4.6c82 Name : NONE
Key Mgmt type : WPAv2 PSK Encryption : AES-CCMP
ap#
11-18-2017 08:11 PM
The script crashes because in my regex I took the first output, and in your last output the number of spaces doesn't match.
Can you send me the output in a text file, just to ensure there's no space removed/added when you paste it in the forum?
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
11-18-2017 10:03 PM
Is there a way to make it so that the script can handle different numbers of spaces? Maybe with .* ?
I've attached the output as a text file here.
11-19-2017 09:57 AM
Hi
Yes sure you can but I built something very quick.
I've changed all regex stuff, give it a try and let me know.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
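A whitespace-tolerant way to parse the show output discussed in this thread into the MAC/Encryption CSV, written for Python 3 as an added example; it is not the dot11association.py script attached to the thread. The function names, the "UNKNOWN" marker and the sample rows are assumptions, and the exact wording IOS prints for a TKIP client is assumed to contain "TKIP".

```python
import csv
import io
import re

# \s* tolerates any amount of padding around the colon, unlike a fixed 'Address : ' split.
ADDRESS_RE = re.compile(r"Address\s*:\s*([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})")
ENCRYPTION_RE = re.compile(r"Encryption\s*:\s*(\S+)")

# Constructed sample (not captured output): spacing varies, last client has no cipher line.
SAMPLE_OUTPUT = """\
ap#show dot11 associations all-client | include Name|Encryption
Address           : 000d.4bcd.6ae1     Name             : NONE
Key Mgmt type     : WPAv2 PSK          Encryption       : AES-CCMP
Address : 0000.1234.5678 Name : NONE
Key Mgmt type : WPA PSK Encryption : TKIP
Address:0c47.c90b.b7a8  Name:NONE
"""

def parse_associations(text):
    """Pair each Address line with the next Encryption line; return [(mac, cipher)]."""
    clients, pending_mac = [], None
    for line in text.splitlines():
        addr = ADDRESS_RE.search(line)
        if addr:
            if pending_mac:  # previous client never got a cipher line
                clients.append((pending_mac, "UNKNOWN"))
            pending_mac = addr.group(1).lower()
            continue
        enc = ENCRYPTION_RE.search(line)
        if enc and pending_mac:
            clients.append((pending_mac, enc.group(1).upper()))
            pending_mac = None
    if pending_mac:  # output ended right after an Address line
        clients.append((pending_mac, "UNKNOWN"))
    return clients

def to_csv(clients):
    """Render the two-column CSV (MAC, Encryption) asked for in the thread."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["MAC", "Encryption"])
    writer.writerows(clients)
    return buf.getvalue()

def tkip_clients(clients):
    """MACs still using TKIP, i.e. the clients to review before moving the SSID to AES only."""
    return [mac for mac, cipher in clients if "TKIP" in cipher]

if __name__ == "__main__": print(to_csv(parse_associations(SAMPLE_OUTPUT)))
```

Lines that match neither pattern (the prompt, the echoed command) are skipped rather than indexed into, so differences in pasted spacing no longer raise IndexError.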
