Hi Gary, I don't think there's a simple way to see that natively in Dashboard.  On the Network Wide > Clients page you can turn on columns for "Channel Width" and "Capabilities" and if you sort by those 2 columns you could quickly pick out which clients are single band versus dual band, 11n versus 11ac, and what channel widths they're capable of.  But no data there on if they might be WPA/TKIP versus WPA2/CCMP.  Same in the event log, you can go to Network Wide > Event Log and filter on "All WPA" but there too, it'll show you every WPA association, disassociation and auth/deauth, but doesn't differentiate TKIP/RC4 versus CCMP/AES.  

One thing that can tip you off might be the data rates, if everything's following and staying true to the standard, then data rates over 54Mbps won't be supported on TKIP clients, so devices getting the HT and VHT data rates would be your CCMP devices.  But you may need to check those one by one.  Never done it, sounds cumbersome.

Are you sure you even have legacy TKIP devices on the network?  If so, I would think it would be minimal.  So there's always the old fashioned method of forcing your SSID to be WPA2 Only and see which users complain!  Ok, I'm half joking, but half serious, I've seen customers actually do that, depends on the size of the deployment and mission critical nature of their work.  Perhaps a more gentle migration is setting up a new SSID as WPA2, perhaps even use AP tags and SSID availability to control which APs are broadcasting it, and plan a phased migration to the new WPA2 SSID before turning down the old SSID.  Then you can monitor the Network Wide > Clients page and turn on and sort by the SSID column as users are directed to the new SSID, might be a good way to weed out the few TKIP clients that can't make the association to the new SSID.