WIFI AP action via CDP and MAC Address

totophe_cisco
Level 1

Hello,

I wish to write a script in order to secure the ports connected to a Cisco Wi-Fi AP when the APs are not well mounted on the wall, as they must be.

So I have a script that is checking the presence of an AP, and a small one that is showing the new MAC on ports. But I don't know how to make them work together. :-/

I also wanted to check if the MAC is still the same, because we don't want someone to replace the AP with a new one without our permission.

So we need to create associated variables: CDP_INT_AP with MAC_INT_AP, and check the old MAC against the new one. ;-)

Here are our two current scripts, which are more for testing only:

event manager applet AP-DESC authorization bypass
event neighbor-discovery interface regexp (Ethernet.*|FastEthernet.*|GigabitEthernet.*) cdp add
action 100 regexp "(AP-)" "$_nd_cdp_platform"
action 110 if $_regexp_result eq 1
action 200 cli command "enable"
action 220 cli command "sh mac address-table interface $_nd_local_intf_name"
action 221 cli command "configure terminal"
action 222 cli command "interface $_nd_local_intf_name"
action 223 cli command "description $_nd_cdp_entry_name"
action 224 cli command "end"
action 300 syslog priority informational msg "EEM script updated description on $_nd_local_intf_name to Description: $_nd_cdp_entry_name"
action 500 end


event manager applet AP-MAC authorization bypass
event mat interface regexp (Ethernet.*|FastEthernet.*|GigabitEthernet.*) type add
action 300 syslog priority informational msg "$_mat_mac_address"

The creation of an event manager environment VARIABLE doesn't seem to help to share information between the two scripts.

Thanks a lot for your help,

Totophe

5 Replies

Leo Laohoo
Hall of Fame

Who "owns" or manages your DHCP server? You can "lock down" an IP address to a MAC address, so this means that a client that hasn't been registered with your DHCP server cannot get an IP address.

Another method is DOT1X.

I don't recommend what you're doing because not all switches support EEM.

Thank you for your reply, Leo.

Unfortunately, my customer doesn't manage all the DHCP servers, but I agree, it could be a simple solution.

Dot1X is not a solution because of the H-REAP mode of the AP, and we can't change the whole configuration on the APs. In addition, you have several MAC addresses on the same interface, and multiple-host authentication is not as secure as we want.

We know that the first MAC found on the switch port will be the AP's, so I am trying to check the CDP platform + the MAC.

So far this is working. :-) Only the compare verification is left.

event manager environment q "

event manager applet AP-SHUTDOWN authorization bypass
description "This policy counts the number of configuration changes"
event neighbor-discovery interface regexp (Ethernet.*|FastEthernet.*|GigabitEthernet.*) cdp delete
action 100 regexp "(AIR-)" "$_nd_cdp_platform"
action 102 if $_regexp_result eq 1
action 103 syslog priority informational msg "Interface : $_nd_local_intf_name"
action 200 cli command "enable"
action 201 cli command "conf t"
action 202 cli command "event manager environment CDP_$_nd_local_intf_name '$_nd_cdp_platform'"
action 204 cli command "event manager applet AP-$_nd_local_intf_name authorization bypass"
action 205 cli command "event mat interface $_nd_local_intf_name type add"
action 206 cli command "action 100 cli command $q enable $q "
action 207 cli command "action 110 cli command $q conf t $q "
action 208 cli command "action 120 cli command \"event manager environment MAC_$_nd_local_intf_name '\$_mat_mac_address'\""
action 209 cli command "action 130 syslog priority informational msg \"MAC : \$_mat_mac_address\" "
action 210 cli command "end"
action 211 cli command "clear mac address-table dynamic interface $_nd_local_intf_name"
action 300 end

You still have some embedded quotes that need to be replaced with $q, else they won't survive a reboot. But the nested applet seems like overkill in this case. Why not just run a "show mac address-table" command upon CDP detection and look for the MAC on the port? Given that the AP has just come up, you're only likely to see it.

Hi Joseph,

Thank you very much for your advice. I didn't really know the reason to use $q instead of \. ;-)

I thought about the show mac address-table, but I must admit I don't know how to extract the right information from the result. :-/

Something like this would work:

action 200 cli command "show mac address-table interface $_nd_local_intf_name"
action 205 set mac "not-found"
action 210 foreach line "$_cli_result" "\n"
action 220 regexp " +[0-9]+ +([A-Fa-f\.0-9]+)" "$line" match mac
action 230 if $_regexp_result eq "1"
action 240 break
action 250 end
action 260 end
action 270 puts "The MAC is $mac"
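Putting the two halves of the thread together, here is an added example applet (not code from either poster) that runs the "show mac address-table" lookup Joseph suggests on CDP detection and adds the old-versus-new MAC comparison totophe asked for. It assumes, as the thread does, that the first dynamic MAC learned on the port belongs to the AP, that the mac address-table output has the usual Catalyst "Vlan Mac Address Type Ports" layout, and that IOS supports the "action exit", "action foreach" and "action else" applet statements (12.4(22)T / 15.x and later). Instead of a per-interface environment variable it records the pinned MAC in the interface description with a constructed tag, AP-PIN, so the stored value is visible in "show run interface" and no nested applet (and therefore no $q quoting) is needed:

```ios
! Added example, not from the original thread.
! Assumption: the first dynamic MAC learned on the port is the AP itself.
! The pinned MAC is kept in the interface description under the constructed tag "AP-PIN".
event manager applet AP-PORT-GUARD authorization bypass
 description "Pin the first MAC seen behind a CDP-detected AP and shut the port if it changes"
 event neighbor-discovery interface regexp (Ethernet.*|FastEthernet.*|GigabitEthernet.*) cdp add
 ! Only act on Cisco APs; other CDP neighbours (phones, switches) are ignored.
 action 100 regexp "(AIR-|AP-)" "$_nd_cdp_platform"
 action 101 if $_regexp_result ne "1"
 action 102  exit 0
 action 103 end
 ! Extract the first dynamic MAC on the port from "show mac address-table".
 action 200 cli command "enable"
 action 201 cli command "show mac address-table interface $_nd_local_intf_name"
 action 202 set mac "none"
 action 203 foreach line "$_cli_result" "\n"
 action 204  regexp " +[0-9]+ +([0-9A-Fa-f]+\.[0-9A-Fa-f]+\.[0-9A-Fa-f]+)" "$line" match mac
 action 205  if $_regexp_result eq "1"
 action 206   break
 action 207  end
 action 208 end
 action 209 if $mac eq "none"
 action 210  syslog priority warning msg "AP-PORT-GUARD: AP seen on $_nd_local_intf_name but no MAC learned yet"
 action 211  exit 0
 action 212 end
 ! Read the MAC pinned earlier, if any, from the interface description.
 action 300 cli command "show running-config interface $_nd_local_intf_name | include AP-PIN"
 action 301 regexp "AP-PIN ([0-9A-Fa-f.]+)" "$_cli_result" match pinned
 action 302 if $_regexp_result ne "1"
 action 303  cli command "configure terminal"
 action 304  cli command "interface $_nd_local_intf_name"
 action 305  cli command "description AP-PIN $mac $_nd_cdp_entry_name"
 action 306  cli command "end"
 action 307  syslog priority informational msg "AP-PORT-GUARD: pinned $mac ($_nd_cdp_entry_name) to $_nd_local_intf_name"
 action 308  exit 0
 action 309 end
 ! Compare the stored MAC with the one just learned; shut the port on a mismatch.
 action 400 if $mac ne $pinned
 action 401  cli command "configure terminal"
 action 402  cli command "interface $_nd_local_intf_name"
 action 403  cli command "shutdown"
 action 404  cli command "end"
 action 405  syslog priority critical msg "AP-PORT-GUARD: MAC on $_nd_local_intf_name changed from $pinned to $mac ($_nd_cdp_platform), port shut down"
 action 406 else
 action 407  syslog priority informational msg "AP-PORT-GUARD: $_nd_local_intf_name still has pinned AP $pinned"
 action 408 end
```

Action labels are sorted as strings, which is why every label here has three digits (with "2.10" after "2.9" the order would break). A replacement device that does not speak CDP never triggers the neighbor-discovery event, so this applet on its own does not cover that case; the "event mat" applet from the first post, or the same comparison driven from it, is what notices a new MAC on a port with no CDP neighbour. To re-pin a legitimately replaced AP, an operator removes the AP-PIN tag from the description and brings the port back up.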