Cisco 1230 AP cDot11ClientAddress

Hi there,

I'm trying to receive the mac-address and ip-address for all the
connected clients to our Cisco access-point by SNMP.
The best way to do this seems with the cDot11ClientConfigInfoTable
table.(CISCO-DOT11-ASSOCIATION-MIB OID: .1.3.6.1.4.1.9.9.273.1.2.1

The problem i have is that the mac-address of the clients isn't
readable. The permission for this OID is 'not-accessible'
(.1.3.6.1.4.1.9.9.273.1.2.1.1.1)
The ip-address is not a problem, this
oid(.1.3.6.1.4.1.9.9.273.1.2.1.1.16) is read-only.

Does any know if there is a possibility to change this permission or
if there is another way to get the mac-address and ip-address from
all the connected clients by SNMP(or in another way than SNMP)?

Kind regards,

Frank Zwart

On Tue, 29 Nov 2005 23:59:27 +0100, Frank <(E-Mail Removed)> wrote:

>I'm trying to receive the mac-address and ip-address for all the
>connected clients to our Cisco access-point by SNMP.
>The best way to do this seems with the cDot11ClientConfigInfoTable
>table.(CISCO-DOT11-ASSOCIATION-MIB OID: .1.3.6.1.4.1.9.9.273.1.2.1
>
>The problem i have is that the mac-address of the clients isn't
>readable. The permission for this OID is 'not-accessible'
>(.1.3.6.1.4.1.9.9.273.1.2.1.1.1)
>The ip-address is not a problem, this
>oid(.1.3.6.1.4.1.9.9.273.1.2.1.1.16) is read-only.

What happens when you point a MIB browser at the top of the tree or
run SNMPwalk on:
.1.3.6.1.4.1.9.9.273.1.2.1.1
Do you MAC's under it? Probably not, but worth a try.

>Does any know if there is a possibility to change this permission or
>if there is another way to get the mac-address and ip-address from
>all the connected clients by SNMP(or in another way than SNMP)?

See:
| http://tools.cisco.com/Support/SNMP/....9.273.1.2.1.1
| http://tools.cisco.com/Support/SNMP/...1ClientAddress
Yep. not-accessible. Very strange.

I can't find anywhere else where the MAC's might be listed. My usual
brute force method is to connect with a known client, SNMPwalk the
DOT11 part of the tree, and grep for the known MAC address of the
client. It's in there, somewhere, maybe.

Whatever you're using as a MIB browser, did you grab *ALL* the MIB's?
| http://tools.cisco.com/Support/SNMP/...SSOCIATION-MIB

Ummm... I don't suppose you would also care to disclose the model
number and IOS version of your Cisco access point? There are bugs
here and there.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

> What happens when you point a MIB browser at the top of the tree or
> run SNMPwalk on:
> .1.3.6.1.4.1.9.9.273.1.2.1.1
> Do you MAC's under it? Probably not, but worth a try.

I allready did an SNMPwalk, there are some other OID's that show a MAC
address. But there are no other OID's that give such a great overview
of mac- & ipaddresses.

> See:
> | http://tools.cisco.com/Support/SNMP/....9.273.1.2.1.1
> | http://tools.cisco.com/Support/SNMP/...1ClientAddress
> Yep. not-accessible. Very strange.

Very strange indeed, such a usefull table and only that collum
not-accessible (by the web interface you can see a perfect
overview of all connected clients!!) :-(

>
> I can't find anywhere else where the MAC's might be listed. My usual
> brute force method is to connect with a known client, SNMPwalk the
> DOT11 part of the tree, and grep for the known MAC address of the
> client. It's in there, somewhere, maybe.

I allready did......for example in the rfc1213 mib, but not with the
ip-address. Another advantage of cDot11ClientAddress OID is that it
is always up to day.

>
> Whatever you're using as a MIB browser, did you grab *ALL* the MIB's?
> | http://tools.cisco.com/Support/SNMP/...SSOCIATION-MIB

I downloaded a tarball from cisco ftpserver with all the mibs in it:-)

>
> Ummm... I don't suppose you would also care to disclose the model
> number and IOS version of your Cisco access point? There are bugs
> here and there.

Do you know a website or where on the cisco site i could see a list of
known bugs for each IOS version? I'm now running IOS version 12.2(13)JA4


Frank Zwart

On Thu, 01 Dec 2005 00:00:39 +0100, Frank <(E-Mail Removed)> wrote:

>> What happens when you point a MIB browser at the top of the tree or
>> run SNMPwalk on:
>> .1.3.6.1.4.1.9.9.273.1.2.1.1
>> Do you MAC's under it? Probably not, but worth a try.

>I allready did an SNMPwalk, there are some other OID's that show a MAC
>address. But there are no other OID's that give such a great overview
>of mac- & ipaddresses.

It's unusual to see the IP's because an access point is suppose to do
everything at the MAC level (layer 2) and not get involved in IP layer
(layer 3) stuff. I'm kinda suprised that the IP address is even
listed. However, the AIR-AP1230A has a DHCP server, so I guess you're
looking at the ARP table from the DHCP server. If true, then I
suspect that clients with static IP's won't show up.

>> See:
>> | http://tools.cisco.com/Support/SNMP/....9.273.1.2.1.1
>> | http://tools.cisco.com/Support/SNMP/...1ClientAddress
>> Yep. not-accessible. Very strange.

>Very strange indeed, such a usefull table and only that collum
>not-accessible (by the web interface you can see a perfect
>overview of all connected clients!!) :-(

So it is written, so it shall be.
(Yul Brenner in the C.B. DeMille version of The 10 commandments)

Yeah, it is kinda weird because it would be the perfect place to list
the connections. I know you can dump ARP the table from IOS with:
show ip arp brief
show ip dhcp binding
I would think that could also be extracted via SNMP, but I guess not.

>Do you know a website or where on the cisco site i could see a list of
>known bugs for each IOS version? I'm now running IOS version 12.2(13)JA4

The release notes for each version of IOS has all the fixed bugs. I
don't think Cisco releases bug lists of unfixed bugs. (Note: I don't
do much Cisco). Of course, there's the various security mailing lists
and web piles:
http://www.securitytracker.com/search/search.html
http://search.cert.org
Searching CERT for +Cisco +SNMP yields 30 hits. Of course these are
security issues, not implimentation bugs.

You might try the same question in one of the Cisco specific
newsgroups and mailing lists. Sorry, I don't have a fix (or
explanation).


--
Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
831.336.2558 voice
http://www.LearnByDestroying.com AE6KS
http://802.11junk.com Skype: JeffLiebermann
(E-Mail Removed) (E-Mail Removed)

On Thu, 01 Dec 2005 02:28:43 GMT, Jeff Liebermann <(E-Mail Removed)> wrote:

~ >> What happens when you point a MIB browser at the top of the tree or
~ >> run SNMPwalk on:
~ >> .1.3.6.1.4.1.9.9.273.1.2.1.1
~ >> Do you MAC's under it? Probably not, but worth a try.
~
~ >I allready did an SNMPwalk, there are some other OID's that show a MAC
~ >address. But there are no other OID's that give such a great overview
~ >of mac- & ipaddresses.
~
~ It's unusual to see the IP's because an access point is suppose to do
~ everything at the MAC level (layer 2) and not get involved in IP layer
~ (layer 3) stuff. I'm kinda suprised that the IP address is even
~ listed. However, the AIR-AP1230A has a DHCP server, so I guess you're
~ looking at the ARP table from the DHCP server. If true, then I
~ suspect that clients with static IP's won't show up.

Actually, the AP sniffs the IP addresses in packets coming from the
client, so it would see a client with a static IP (assuming that it
emits packets.)


[ taking a pass on the SNMP oddities since I don't do much SNMP ]

Aaron

> ~
> ~ It's unusual to see the IP's because an access point is suppose to do
> ~ everything at the MAC level (layer 2) and not get involved in IP layer
> ~ (layer 3) stuff. I'm kinda suprised that the IP address is even
> ~ listed. However, the AIR-AP1230A has a DHCP server, so I guess you're
> ~ looking at the ARP table from the DHCP server. If true, then I
> ~ suspect that clients with static IP's won't show up.
>
> Actually, the AP sniffs the IP addresses in packets coming from the
> client, so it would see a client with a static IP (assuming that it
> emits packets.)
>

Thats correct, it does show the static ip's...
but not the MAC's and as Jeff says: So it is written, so it shall be.

So snmp does not seems to be an option in this case i've need try
it otherwise... I'm now trying to figure out how the code works the
webinterface uses to retrieve the combination mac-ip.


Frank

john doe wrote:
>
>> ~ ~ It's unusual to see the IP's because an access point is suppose to do
>> ~ everything at the MAC level (layer 2) and not get involved in IP layer
>> ~ (layer 3) stuff. I'm kinda suprised that the IP address is even
>> ~ listed. However, the AIR-AP1230A has a DHCP server, so I guess you're
>> ~ looking at the ARP table from the DHCP server. If true, then I
>> ~ suspect that clients with static IP's won't show up.
>>
>> Actually, the AP sniffs the IP addresses in packets coming from the
>> client, so it would see a client with a static IP (assuming that it
>> emits packets.)
>>
>
> Thats correct, it does show the static ip's...
> but not the MAC's and as Jeff says: So it is written, so it shall be.
>
> So snmp does not seems to be an option in this case i've need try
> it otherwise... I'm now trying to figure out how the code works the
> webinterface uses to retrieve the combination mac-ip.
>
>
> Frank
>
ow fuck, my laptop was configured as John doe but it's me Frank :-)

On Fri, 02 Dec 2005 14:33:14 +0100, john doe <(E-Mail Removed)> wrote:

>So snmp does not seems to be an option in this case i've need try
>it otherwise... I'm now trying to figure out how the code works the
>webinterface uses to retrieve the combination mac-ip.

Why use the web interface when the IOS command line is available?
Either of these IOS incantations can be run via telnet or SSH from an
Expect script, DOS batch file, shell script, Perl script, AWK/NAWK
script, VBS script, etc to parse the output into useable form.
show ip arp brief
show ip dhcp binding
Lots of examples of IOS scripting scattered all over the web.

You didn't really disclose what you were planning to do with the MAC
and IP addresses. Are you building something like "ARPwatch" or
"SNMPwatch"?
--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558