Find WPA1 clients?

Gary_Hahn
Conversationalist

Find WPA1 clients?

Hello!   I'd like to be able to quickly find/list clients operating as WPA1 and/or TKIP so I can hunt them down and eliminate the SSID setting to improve security and 802.11 operation.   Is there a way?  I cannot find this in any client listing (network-wide or per-AP).

 

Thanks!

 

Gary

2 REPLIES 2
MerakiDave
Meraki Employee
Meraki Employee

Hi Gary, I don't think there's a simple way to see that natively in Dashboard.  On the Network Wide > Clients page you can turn on columns for "Channel Width" and "Capabilities" and if you sort by those 2 columns you could quickly pick out which clients are single band versus dual band, 11n versus 11ac, and what channel widths they're capable of.  But no data there on if they might be WPA/TKIP versus WPA2/CCMP.  Same in the event log, you can go to Network Wide > Event Log and filter on "All WPA" but there too, it'll show you every WPA association, disassociation and auth/deauth, but doesn't differentiate TKIP/RC4 versus CCMP/AES.  

 

One thing that can tip you off might be the data rates, if everything's following and staying true to the standard, then data rates over 54Mbps won't be supported on TKIP clients, so devices getting the HT and VHT data rates would be your CCMP devices.  But you may need to check those one by one.  Never done it, sounds cumbersome.

 

Are you sure you even have legacy TKIP devices on the network?  If so, I would think it would be minimal.  So there's always the old fashioned method of forcing your SSID to be WPA2 Only and see which users complain!  Ok, I'm half joking, but half serious, I've seen customers actually do that, depends on the size of the deployment and mission critical nature of their work.  Perhaps a more gentle migration is setting up a new SSID as WPA2, perhaps even use AP tags and SSID availability to control which APs are broadcasting it, and plan a phased migration to the new WPA2 SSID before turning down the old SSID.  Then you can monitor the Network Wide > Clients page and turn on and sort by the SSID column as users are directed to the new SSID, might be a good way to weed out the few TKIP clients that can't make the association to the new SSID.

Thanks Dave.  All good workarounds, but... where's the puke bucket?   This type of info should be baseline reporting output for a wireless infrastructure product.   A 24/7 warehouse doesn't like us finding out from previously productive pickers and packers who complain.  😉     Thanks again for your insights.  -Gary

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels