Capturing MAC Addresses from an Access Point with SNMP

I'm trying to use SNMP to track information as to whats connected to
our access points. The purpose is basic security and auditing in case
of a problem ( virus, technical problem, etc ). We're already able to
capture what wired devices are connected, but not the MAC addresses of
the wireless clients.

We're employing Cisco Aironet APs, and looking around the MIBs, I found
one object that has what I want, but it's not accessible.

cDot11ClientAddress OBJECT-TYPE
SYNTAX MacAddress
MAX-ACCESS not-accessible
STATUS current
DESCRIPTION
"The MAC address of the client."
::= { cDot11ClientConfigInfoEntry 1 }

Does any one know another way to get this information via SNMP? (We're
using SNMP linked to a database to monitor a large network, so third
party tool integration is not a real option. )

Thanks!

On 29 Jul 2005 10:52:25 -0700, (E-Mail Removed) wrote:

>I'm trying to use SNMP to track information as to whats connected to
>our access points. The purpose is basic security and auditing in case
>of a problem ( virus, technical problem, etc ). We're already able to
>capture what wired devices are connected, but not the MAC addresses of
>the wireless clients.

Try walking the MIB tree starting at:
1.3.6.1.2.1.3.1.1
(or possibly 1.3.6.1.2.1.4.22.1.2)
You should get a table of MAC Addresses and corresponding IP
addresses. I'm not 100.0% sure this is the correct OID, but it's
close. Use the MIB browser to be sure.

>We're employing Cisco Aironet APs, and looking around the MIBs, I found
>one object that has what I want, but it's not accessible.

What model Cisco Aironet access point?
What operating system are you using for your MIB browser?
What utilities do you have availble (i.e. Net-SNMP).
What MIB browser are you using?
Which MIB file are you looking at?
Which 3rd party application?
Why so vague?
Why me?


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
AE6KS 831-336-2558

I'm accessing 1210s and 350s using HPOV tools ( mibtable specifically )
off of Solaris.
Unfortunately, of those OIDs only one works ( 1.3.6.1.2.1.3.1.1 is
deprecated and not-accessible ). The other one appears to refer to the
device's own NICs ( the associated IP addresses are sequential, and the
related MIB is 1213 which does not include wireless info ).

Why vague? To avoid red herrings.

Any other ideas?

On 1 Aug 2005 08:08:18 -0700, (E-Mail Removed) wrote:

>I'm accessing 1210s and 350s using HPOV tools ( mibtable specifically )
>off of Solaris.

I'll assume you have the corresponding MIB files. I'm not terribly
familiar with HP OpenView. For Windoze, I use GetIF 2.3.1 for mib
browseing.
http://www.wtcs.org/snmp4tpc/getif.htm
There's a small trick to using it effectively. The directory:
c:\program files\getif 2.3.1\mibs\
contains all the MIB files. Dump your Cisco vendor specific files
into the directory and erase the .index file. It will be recreated
when you run the program. Then, GetIF can find the MIB files. Point
it at your Cisco routers and dump the entire MIB tree. You should
find a section near the OID's I specified that contain a mess of MAC
addresses.

I'm not sure what the MIB browser of fashion is for Solaris. Mostly,
I use Net-SNMP at:
http://net-snmp.sourceforge.net
Use snmpwalk to dump the MIB tree with whatever options are necessary
to get a proper description instead of a numeric OID.

There are better MIB browsers with more artistic user interfaces
available. The ones with a "tree view" might be more useful in
finding the correct section.

>Unfortunately, of those OIDs only one works ( 1.3.6.1.2.1.3.1.1 is
>deprecated and not-accessible ).

>The other one appears to refer to the
>device's own NICs ( the associated IP addresses are sequential, and the
>related MIB is 1213 which does not include wireless info ).

Wonderful. I used a DWL-900AP+ to check the OID. Probably ancient.
I don't have a 1200 or 350 series router to test. I probably made a
bad guess as to whether I was looking at MAC addresses from
workstation on the ethernet interface, or MAC addresses on the
wireless side. It's in there (somewhere). Sorry.

In self defense, I'm NOT going to try to extract the proper OID from a
router that I don't have in front of my face. I've done it wrong too
often and find that such things are best done with a MIB browser or
snmpwalk. However, if you're desperate, I can download the Cisco
wireless MIB files and give it a try.

>Why vague? To avoid red herrings.

You mean topic drift? Vague questions are the way to guarantee topic
drift. If you want a specific answer, kindly supply sufficient
information or you will surely get an off topic answer. The absolute
minimum is:
1. What are you trying to accomplish?
2. What do you have to work with?

>Any other ideas?

Yep. Walk the MIB tree. You know the MAC addresses of your wireless
devices so you should be able to spot where in the tree they are
located. Watch out for SNMP tables that move around (i.e. last digit
of OID changes). It's probably in the IEEE802dot11 MIB.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice http://www.LearnByDestroying.com
# http://802.11junk.com
# (E-Mail Removed)
# (E-Mail Removed) AE6KS