Access Point Certificate check tool - apCertCheck

Current version

Filename: apcertcheck-1.2.1.zip
Version: 1.2.1
Date: 2015-06-30

 

Description

The apCertCheck tool collects information from Cisco Unified Wireless Access Points in order to assess the device certificate expiration date.


It automatically performs the steps described in this document, making data collection easier, especially on large deployments with several WLCs and APs:
https://supportforums.cisco.com/document/12453081/lightweight-ap-fail-create-capwaplwapp-connection-due-certificate-expiration

The output is presented in CSV format, for easy processing with any common spreadsheet application.

 

What's new?

  • Version 1.2.1

This version adds the capability to import AP information with no direct connection to the WLC, either through a static AP list specified in the config.ini file, or by importing the raw output of the "show ap join stats summary all" command from one or more text files.

 

Requirements

Notes:

The “pip” command requires internet access to reach the PyPI repositories via HTTPS.
Should the above commands on the CLI return a “file not found” error, execute the command after changing directory to the “Scripts” directory under the Python installation, e.g. C:\Python27\Scripts\

 

  • The host running the script needs to have network connectivity (SSH and/or Telnet) to the Access Points.
    Connectivity to the Wireless LAN Controller(s) is also required unless AP information is imported through text files (version 1.2.1).

 

Installation and Configuration instructions:

Please refer to the release notes PDF document for more details.

 

Download:

The tool and documentation can be downloaded from this repository (CCO account required):

https://upload.cisco.com/cgi-bin/swc/fileexg/main.cgi?CONTYPES=wireless-esc-tools

Comments
Rising star

Thank you Federico for sharing essential information, much appreciated.

 

Regards,

Vinay Sharma,

Community Manager,

CCIE#44972

 

Beginner

Hi,

I'm trying to run the script but I do not get a result in the reports:

c:\Python27>python C:\\apcertcheck-1.2.1\apCertCheck.py
Current ap_report.csv file found, reading entries...

Appending new entries to existing ap_report.csv file.

 > Waiting for AP data collection to complete
Done.


=================================
Summary
=================================
Total APs:      0
Known APs:      0
Processed APs:  0
Failed APs:     0

Duration:               0:00:00.016000
=================================

c:\Python27>

Cisco Employee

Hi,

It looks like a problem with the configuration ("config.ini" file) as the script is not processing any WLC nor any static list or import from text file.

If you send me your config.ini file I can review it (feel free to change the users/passwords, but please leave everything else as it is).

Regards,
Fede

Beginner

Hi, thanks for the quick response...

 

Here is the config file:

[General]
mode: ssh        ; config global mode for WLC connection: "ssh" or "telnet"
ap_mode: ssh     ; config global mode for AP connection: "ssh" or "telnet"

; Configures "config ap telnet/ssh enable <apname>" to ensure AP reachability
; Performance impact: uncomment only if unsure about AP config or if connection to some APs fails.
ap_enable_console: True

; set global WLC/AP credentials
wlc_user: xxxxxx
wlc_pasw: yyyyy
ap_user: xxxxxxx
ap_pasw: yyyyyyy

; Set max concurrent connections (if not specified, default = 10)
concurrent_connections: 30

; Filename suffix for CSV reports
output_file: report.csv

[c010-03AC01-t]              ; WLC-specific config, one section per WLC
active: True            ; defines if APs on this WLC will be processed or not: "True" or "False" (default: True)
ipaddr: 10.50.13.7    ; WLC IP address - this is mandatory

; Uncomment to override global credentials
; wlc_user: <wlc1-user>
; wlc_pasw: <wlc1-pasw>
; mode: ssh
; port: <custom-port>

;[WLC-Wlc2]
;active: False
;mode: telnet            ; override global
;ipaddr: <wlc2-ipaddress>

[AP-List]
 AP3462.8866.4830: 10.50.166.32

[AP-Import]
;; import from "show ap join stats summary all" output in text file
; <import_label>: <filename>

Cisco Employee

Please change the following:

  • WLC section name to:  [WLC-c010-03AC01-t] 

The "WLC-" prefix is needed to identify this as a section containing controller details.
By using hyphens on the name, you may see that the WLC name is incorrectly parsed while running the script (showing the name as "c010"), but this is just cosmetic as the actual WLC name used in the report is taken from the WLC itself.

  • in the AP list, remove the space in front of the AP name:
    [AP-List]
    AP3462.8866.4830: 10.50.166.32

After correcting these details, it should work :)

I hope it helps.

Regards,
Fede

Beginner

I did it, but without any improvement in the result:

 

[WLC-c010-03AC01-t]               ; WLC-specific config, one section per WLC
active: True            ; defines if APs on this WLC will be processed or not: "True" or "False" (default: True)
ipaddr: 10.50.13.7    ; WLC IP address - this is mandatory

; Uncomment to override global credentials
; wlc_user: <wlc1-user>
; wlc_pasw: <wlc1-pasw>
; mode: ssh
; port: <custom-port>

;[WLC-Wlc2]
;active: False
;mode: telnet            ; override global
;ipaddr: <wlc2-ipaddress>

[AP-List]
AP3462.8866.4830: 10.50.166.32

[AP-Import]
;; import from "show ap join stats summary all" output in text file
; <import_label>: <filename>

 

 

Current ap_report.csv file found, reading entries...

Appending new entries to existing ap_report.csv file.

 > Waiting for AP data collection to complete
Done.


=================================
Summary
=================================
Total APs:      0
Known APs:      0
Processed APs:  0
Failed APs:     0

Duration:               0:00:00.021000
=================================

c:\Python27>

Cisco Employee

This is odd...

Please modify the value of the variable "verbose" inside the apCertCheck.py file as follows:

# global/defaults
verbose = True

Launch the script again and see what it prints.
We should be able to see what's going on.

Thanks,
Fede

Beginner

No big difference:

 

c:\Python27>python C:\apcertcheck-1.2.1\apCertCheck.py
{}
[]
Current ap_report.csv file found, reading entries...

Appending new entries to existing ap_report.csv file.

Concurrent connections: 10
 > Waiting for AP data collection to complete
Done.


=================================
Summary
=================================
Total APs:      0
Known APs:      0
Processed APs:  0
Failed APs:     0

Duration:               0:00:00.018000
=================================

c:\Python27>

Cisco Employee

This output is actually very useful as it tells us that the script is unable to access the config, most probably because of path issues and the way the script is launched:

c:\Python27>python C:\apcertcheck-1.2.1\apCertCheck.py
{}   <-- empty
[]   <-- empty

I just verified that if the config doesn't exist, the script just continues with an empty config, so I will enhance the script to print an error message when this happens.

By default the script looks for a config.ini file in the current directory, or you can specify the file path as an optional argument.

There are different ways you can overcome this:

  • Make sure python is on the system path list and execute the script from the same directory where the script is located, e.g.:
    cd C:\apcertcheck-1.2.1\
    C:\apcertcheck-1.2.1>python apCertCheck.py
  • Again from the script directory, launch python using the full path, e.g.:
    C:\apcertcheck-1.2.1>C:\Python27\python apCertCheck.py
  • Explicitly specify the config file path as a command argument, e.g.:
    c:\Python27>python C:\apcertcheck-1.2.1\apCertCheck.py C:\apcertcheck-1.2.1\config.ini

I hope this works.

Thanks,
Fede
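
Added example, not part of the original thread and not apCertCheck's own code: a Python 3 config loader that reports the two silent failures discussed above, a config.ini that is not found and a controller section that lacks the "WLC-" prefix. The function names, error messages and the sample config are constructed for illustration.

```python
import configparser
import os
import tempfile

class ConfigError(Exception):
    """Config file missing, or without usable WLC/AP entries."""

def load_config(path="config.ini"):
    parser = configparser.ConfigParser(inline_comment_prefixes=(";",))
    parser.optionxform = str  # keep AP names exactly as written
    # read() returns the files it parsed; [] means the config was not found.
    if not parser.read(path):
        raise ConfigError("config file not found: " + os.path.abspath(path))
    wlcs = {}
    for section in parser.sections():
        has_ip = parser.has_option(section, "ipaddr")
        if section.startswith("WLC-"):
            if not has_ip:
                raise ConfigError("[%s] has no ipaddr" % section)
            if parser.getboolean(section, "active", fallback=True):
                wlcs[section[len("WLC-"):]] = parser.get(section, "ipaddr")
        elif has_ip:
            # Controller details under a name the prefix check would skip.
            raise ConfigError('[%s] has ipaddr but no "WLC-" prefix' % section)
    aps = dict(parser.items("AP-List")) if parser.has_section("AP-List") else {}
    if not wlcs and not aps:
        raise ConfigError("no active WLC section or AP-List entry in " + path)
    return wlcs, aps

# Constructed sample, modelled on the config posted in the thread.
SAMPLE = """\
[General]
mode: ssh        ; "ssh" or "telnet"
[WLC-c010-03AC01-t]   ; one section per WLC
active: True
ipaddr: 10.50.13.7    ; mandatory
[AP-List]
AP3462.8866.4830: 10.50.166.32
"""

def write_and_load(text, name="config.ini"):
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "w") as fh:
            fh.write(text)
        return load_config(path)

if __name__ == "__main__":
    print(write_and_load(SAMPLE))
```

Printing the absolute path in the "not found" error shows which directory the relative config.ini was resolved against, which is the detail that was hidden when the script was launched from c:\Python27.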

Beginner

 > Retrieved 3 APs from WLC c010-03AC01-t
 > Waiting for AP data collection to complete
Done.


=================================
Summary
=================================
Total APs:      4
Known APs:      0
Processed APs:  4
Failed APs:     0

Duration:               0:00:07.906000
=================================

c:\Python27>

 

That worked!

 

Thanks a lot!

Cisco Employee

I'm glad to hear this! :)

I'll publish a new version printing an error message if the config file is not found as soon as I can.

Have a nice day.

Regards,
Fede

Beginner

Hi Fede,

Can you add a WLC-Import section for clients with hundreds of WLCs?

Also, where AP CLI access needs two passwords (eg: login then enable?)

Cheers!
Dan

Cisco Employee

Hi Dan,

Thanks for the feedback.

I'll add your requests to the enhancements to be published in the next version of the script:
- WLC-Import from CSV file
- allow specifying a separate enable password for AP CLI

At this moment I don't have a target date for the next release, but please follow this thread to be notified once it is available.

Regards,
Fede

Beginner

I am getting an error that says SSH unavailable, even though I can run PuTTY and I can SSH to my controller just fine. Ideas?
