
Logging of Associations and Disassociations on Local-Mode APs / C9800

rschroeder1006
Level 1

Hi,

when we used FlexConnect, all the APs logged every single association and disassociation of a client, i.e.:

%DOT11-6-ASSOC: Interface Dot11Radio0, Station aeda.0a63.xxxx REAP Associated KEY_MGMT[Open]
%DOT11-6-DISASSOC: Interface Dot11Radio0, Deauthenticating Station aeda.0a63.xxxx Sending station has left the BSS

In Local mode, this logging does not happen and even the controller does not log anything comparable.

I would like to log any association and disassociation of all wireless clients in the network while using Local mode APs. How is that possible with C9800 controllers? And is there a possibility for AireOS controllers too?

Thanks,

Robin

6 Replies

marce1000
VIP

 

- Could you try with logging trap debugging in the controller running-configuration?

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Hi,

this does not help, unfortunately. But thanks for the suggestion.

Robin

I know about radioactive traces but they don't run all the time for every possible wireless client. I would like to know where my wireless clients are. This was possible with FlexConnect and in early times without controllers by simply looking at the AP logs.

rschroeder1006
Level 1

I will try using SNMP traps for that as soon as I have some spare time for it - and share the results.

rschroeder1006
Level 1

...and here is the solution: SNMP traps that will be sent to syslog with the help of a trap handler script.

First, install an SNMP trap receiver (Net-SNMP) with the following configuration (snmptrapd.conf) on your syslog server:

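# Accept every incoming trap: no community string or SNMPv3 user is checked
disableAuthorization yes
# Log format for SNMPv1 traps (format1) and SNMPv2 notifications (format2)
format1 %.4y-%.2m-%.2l %.2h:%.2j:%.2k %B [%.4Y-%.2M-%.2L %.2H:%.2J:%.2K] %v\n
format2 %.4y-%.2m-%.2l %.2h:%.2j:%.2k %B [%.4Y-%.2M-%.2L %.2H:%.2J:%.2K] %v\n
# Run the handler for the association (...3.53) and disassociation (...3.1) traps
traphandle 1.3.6.1.4.1.14179.2.6.3.53 /usr/local/bin/traphandle.pl
traphandle 1.3.6.1.4.1.14179.2.6.3.1 /usr/local/bin/traphandle.pl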

Then, create the trap handler script /usr/local/bin/traphandle.pl:

#!/usr/local/bin/perl

use strict;
use warnings;
use Sys::Syslog qw(:standard :macros);

my $data = {};

my $reason = {
    '1'   => 'unspecified',
    '2'   => 'previousAuthNotValid',
    '3'   => 'deauthenticationLeaving',
    '4'   => 'disassociationDueToInactivity',
    '5'   => 'disassociationAPBusy',
    '6'   => 'class2FrameFromNonAuthStation',
    '7'   => 'class2FrameFromNonAssStation',
    '8'   => 'disassociationStaHasLeft',
    '9'   => 'staReqAssociationWithoutAuth',
    '40'  => 'invalidInformationElement',
    '41'  => 'groupCipherInvalid',
    '42'  => 'unicastCipherInvalid',
    '43'  => 'akmpInvalid',
    '44'  => 'unsupportedRsnVersion',
    '45'  => 'invalidRsnIeCapabilities',
    '46'  => 'cipherSuiteRejected',
    '99'  => 'missingReasonCode',
    '101' => 'maxAssociatedClientsReached',
    '200' => 'unSpecifiedQosFailure',
    '201' => 'qosPolicyMismatch',
    '202' => 'inSufficientBandwidth',
    '203' => 'inValidQosParams',
};

# snmptrapd writes the sender's host name on the first line of STDIN, its
# transport address on the second, and one "OID value" varbind per line after that.
while (<>) {
    # Trap type, taken from the snmpTrapOID varbind
    $data->{'type'} = 'Association' if /^SNMPv2-MIB::snmpTrapOID\.0 SNMPv2-SMI::enterprises\.14179\.2\.6\.3\.53$/;
    $data->{'type'} = 'Disassociation' if /^SNMPv2-MIB::snmpTrapOID\.0 SNMPv2-SMI::enterprises\.14179\.2\.6\.3\.1$/;
    # Host name line (no whitespace): keep the part before the first dot
    $data->{'source'} = $1, next if /^([^\.\s]*)\S*$/;
    $data->{'AP'} = $1, next if /^SNMPv2-SMI::enterprises\.14179\.2\.2\.1\.1\.3\.[^\s]* "([^"]*)"$/;
    # MAC addresses arrive as "AA BB CC DD EE FF"; rewrite them in the usual notations
    $data->{'MAC'} = lc("$1:$2:$3:$4:$5:$6"), next if /^SNMPv2-SMI::enterprises\.14179\.2\.6\.2\.34\.0 "(..) (..) (..) (..) (..) (..) ?"$/;
    $data->{'BSSID'} = lc("$1$2.$3$4.$5$6"), next if /^SNMPv2-SMI::enterprises\.14179\.2\.6\.2\.35\.0 "(..) (..) (..) (..) (..) (..) ?"$/;
    $data->{'slot'} = $1, next if /^SNMPv2-SMI::enterprises\.14179\.2\.6\.2\.36\.0 (\d+)$/;
    $data->{'reason'} = "Reason:$1/$reason->{$1}", next if /^SNMPv2-SMI::enterprises\.14179\.2\.6\.2\.37\.0 (\d+)$/;
    $data->{'user'} = $1, next if /^SNMPv2-SMI::enterprises\.14179\.2\.6\.2\.39\.0 "([^"]*)"$/;
    $data->{'IP'} = $1, next if /^SNMPv2-SMI::enterprises\.14179\.2\.6\.2\.43\.0 (.*)$/;
}

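# Build the message first. Fields missing from the trap become empty strings,
# and the reason is appended only when the trap carried one (disassociations).
my $message = join(" ",
    "Src:"    . ($data->{'source'} // ''),
    "Type:"   . ($data->{'type'}   // ''),
    "Client:" . ($data->{'MAC'}    // ''),
    "AP:"     . ($data->{'AP'}     // ''),
    "BSSID:"  . ($data->{'BSSID'}  // ''),
    "Slot:"   . ($data->{'slot'}   // ''),
    "IP:"     . ($data->{'IP'}     // ''),
    "User:"   . ($data->{'user'}   // ''),
    (defined $data->{'reason'} ? $data->{'reason'} : ()),
);

# syslog() treats its second argument as a sprintf format. The AP name and
# user name come from the trap, so pass the message as data for a fixed '%s'.
openlog('WLAN-Assoc', 'pid', LOG_LOCAL0);
syslog(LOG_INFO, '%s', $message);
closelog();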

Finally, do a chmod +x /usr/local/bin/traphandle.pl to make the script executable.

You can check the syntax with perl -c /usr/local/bin/traphandle.pl

On the 9800 series controllers, configure the following to enable the respective SNMP traps in addition to the already existing SNMP configuration:

snmp-server host <ip-address> version 2c public
trapflags client dot11 associate
trapflags client dot11 disassociate

From now on, Associations and Disassociations will be logged into syslog on the syslog server, i.e.:

WLAN-Assoc[16649] Src:wlc-3 Type:Association Client:9e:de:29:xx:xx:xx AP:ap-hzo-3 BSSID:7010.5cxx.xxxx Slot:0 IP:0.0.0.0 User:<username>
WLAN-Assoc[16650] Src:wlc-3 Type:Disassociation Client:66:2f:7a:xx:xx:xx AP:ap-hma20-1 BSSID:544a.00xx.xxxx Slot:1 IP:x.x.x.x User:<username> Reason:1/unspecified

Have fun.

Robin
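
Added example, not part of the original post: a Python sketch that reads the WLAN-Assoc syslog lines shown above and works out which AP each client is currently on, which is the question the thread started with. The names parse, track, PRE and SAMPLE are hypothetical, the sample lines are constructed, and treating a disassociation from a different AP as a late event from before a roam is an assumption of this example.

```python
import re

# The handler writes fields in a fixed order, so match the whole line instead
# of splitting on spaces: AP and user names come from the trap and may contain
# spaces or text that looks like another field.
LINE = re.compile(
    r"WLAN-Assoc\[\d+\]:? Src:(?P<src>\S*)"
    r" Type:(?P<type>Association|Disassociation)"
    r" Client:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) AP:(?P<ap>.*?)"
    r" BSSID:(?P<bssid>[0-9a-f.]{14}) Slot:(?P<slot>\d+) IP:(?P<ip>\S*)"
    r" User:(?P<user>.*?)(?: Reason:(?P<code>\d+)/(?P<reason>\S*))?$"
)

def parse(line):
    """Return the fields of one WLAN-Assoc line as a dict, or None."""
    m = LINE.search(line.rstrip("\n"))
    return m.groupdict() if m else None

def track(lines):
    """Replay events in order; return (current AP per client, list of roams)."""
    where, roams = {}, []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # not a WLAN-Assoc line
        mac, ap = ev["mac"], ev["ap"]
        if ev["type"] == "Association":
            old = where.get(mac)
            if old and old != ap:
                roams.append((mac, old, ap))
            where[mac] = ap
        elif where.get(mac) == ap:
            where[mac] = None  # left the AP it was last seen on
        # Otherwise: late disassociation from an AP the client already left.
    return where, roams

# Constructed sample input; every name and address below is made up.
PRE = "WLAN-Assoc[100]: Src:wlc-3 "
SAMPLE = [
    PRE + "Type:Association Client:02:00:00:00:00:01 AP:ap-a BSSID:0200.0000.00a0 Slot:0 IP:0.0.0.0 User:alice",
    PRE + "Type:Association Client:02:00:00:00:00:01 AP:ap-b BSSID:0200.0000.00b0 Slot:1 IP:10.0.0.5 User:alice",
    PRE + "Type:Disassociation Client:02:00:00:00:00:01 AP:ap-a BSSID:0200.0000.00a0 Slot:0 IP:10.0.0.5 User:alice Reason:8/disassociationStaHasLeft",
    PRE + "Type:Association Client:02:00:00:00:00:02 AP:ap-a BSSID:0200.0000.00a0 Slot:0 IP:10.0.0.6 User:bob Type:Disassociation",
    PRE + "Type:Disassociation Client:02:00:00:00:00:02 AP:ap-a BSSID:0200.0000.00a0 Slot:0 IP:10.0.0.6 User:bob Reason:4/disassociationDueToInactivity",
    "kernel: unrelated line",
]

if __name__ == "__main__":
    print(track(SAMPLE))
```

The fourth sample line carries a user name that contains "Type:Disassociation"; because the pattern reads Type from its fixed position, the event is still parsed as an association.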
