Re: c9800 - listing WPA2 or WPA3 security for clients

rfd1 · ‎11-11-2022

Does anyone know a way to list all the wireless clients on a c9800 showing whether they are using WPA2 or WPA3?

I have a WPA2/WPA3 transition mode SSID and am interesting to know the usage of both methods.

I can query an individual mac address but would like a summary list. e.g.

c9800#show wireless client mac-address aaa.4444.dddd detail | i Policy Type

Policy Type : WPA3

balaji.bandi · ‎11-11-2022

i do not see that option, looks like you need to create a script out of the box or explore API can get that information.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Haydn Andrews · ‎11-13-2022

If you have Cisco Prime, believe it shows in the client details report.

Have requested this feature in DNAC as well.

May be able to do it via a script to the cli or via netconf / SNMP

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***

rfd1 · ‎11-14-2022

Thanks Haydn

Prime does show the security policy type in the client report, and I see lots of unknowns that seem to tie up with the WPA3 clients on the controller. I guess I need to bump up the version of Prime.

Scott Fella · ‎11-14-2022

You should be able to see that info on the controller also. That should be listed under protocol when you look at the clients. As far as Prime, yeah you should be using the latest 3.10 version.

-Scott
*** Please rate helpful posts ***

balaji.bandi · ‎11-14-2022

@Scott Fella - i am more intrested to get this report too.

under protocol of client i see below :

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Scott Fella · ‎11-14-2022

Yeah... I was just looking at it again and I must of been thinking something else. Let me see if there is a way when you have WPA2 + WPA3 enabled.

-Scott
*** Please rate helpful posts ***

Scott Fella · ‎11-14-2022

I was looking around and if you are using WPA3, the auth method would show something other than PSK. So if you run the following on the cli, and modify the regex in case you need to to only show clients that do not show PSK or OPEN

show wireless client summary detail | exclude \[PSK\]|\[OPEN\]

show wireless client summary detail | include \[SAE\]

Or you can create a script that runs through all the mac address to parse the following data to only output data that includes WPA3.

show wireless client mac-address <mac xxxx.xxxx.xxxx> detail | in WPA3

-Scott
*** Please rate helpful posts ***

balaji.bandi · ‎11-14-2022

show wireless client summary detail | exclude \[PSK\]|\[OPEN\]

show wireless client summary detail | include \[SAE\]

Thank you let me test the above and get back to you,

we made some python script works out of box.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Scott Fella · ‎11-14-2022

I did some different configs for WPA2 + WPA3 and SAE was the item that reflected devices connected using WPA3. I also crossed reference using this command:

show wireless client mac-address <mac xxxx.xxxx.xxxx> detail | in WPA3

-Scott
*** Please rate helpful posts ***

Haydn Andrews · ‎11-14-2022

@balaji.bandi any chance you can share the python script?

*****Help out other by using the rating system and marking answered questions as "Answered"*****
*** Please rate helpful posts ***