CLEANACCESS Archives

December 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU
Options: Use Monospaced Font
Show Text Part by Default
Show All Mail Headers

Message: [<< First] [< Prev] [Next >] [Last >>]
Topic: [<< First] [< Prev] [Next >] [Last >>]
Author: [<< First] [< Prev] [Next >] [Last >>]

Print Reply
Subject:
Re: Gathering information from servers #2
From:
"Lanstein, Alex C" <[log in to unmask]>
Reply To:
Cisco Clean Access Users and Administrators <[log in to unmask]>
Date:
Wed, 6 Dec 2006 14:34:56 -0500
Content-Type:
text/plain
Parts/Attachments:
text/plain (134 lines) 
Presuming its on the same segment (and youre inband) you could look at the arp table then do lookups based of the mac addresses to get the data you want...
 
acl
 
________________________________

From: Cisco Clean Access Users and Administrators on behalf of John Truelove
Sent: Wed 12/6/2006 2:30 PM
To: [log in to unmask]
Subject: Re: Gathering information from servers #2


Oops forgot to answer second part of your question.
 
Role, CAS, VLAN, and Operating system.
 
Thanks
 
John
 


>>> "Jackie Cheng (jaccheng)" <[log in to unmask]> 12/6/2006 1:16 PM >>>

Hi John,
 
How do you define a "active user"? And what are the information you want to see from that user? 
 
Thanks,
 
--Jackie

________________________________

From: Cisco Clean Access Users and Administrators [mailto:[log in to unmask]] On Behalf Of John Truelove
Sent: Wednesday, December 06, 2006 7:31 AM
To: [log in to unmask]
Subject: Re: Gathering information from servers #2


That is what I discovered, a place for device filters active users but not others.
 
I did not include those numbers in the Perl scripts for Cacti because I did not want to have logged in users added together with
active users from the device filters.   The apples to apples thing, not apples to oranges... :)
 
John
 

>>> Kyle Evans <[log in to unmask]> 12/6/2006 10:20 AM >>>
Yes, I just tested it, and the entry in the intern_arpq table does not timeout in any reasonable amount of time when the device becomes inactive.  However, I did some testing to see how the active devices for device filters works and I found the following:

When a device has a filter and the device is inactive, entries for the mac address appear in the following two tables on the CAS:

/proc/click/mac_validation_table/table
/proc/click/mac_validation_table/up_bw_table

When the device becomes active, entries remain in those tables but also appear in these tables:

/proc/click/mac_validation_table/activetable
/proc/click/mac_validation_table/dn_bw_table
/proc/click/mac_validation_table/iptable

When the device becomes inactive again, the entries in those 3 tables disappear quickly, but not immediately.

This information is interesting but not that useful.  It shows that the CAS is keeping track specifically of active devices in device filters, but not for active devices overall.  The only other way I can think of is trying to create an interface in each managed subnet and using arping to check everyone in the online users list, but I'm not sure the CAS is set up to allow that.


Kyle


John Truelove wrote: 

	I have looked at the file before and it does not contain active users.
	I think it is the logged in users, instead.
	 
	wc -l table  and my number stays around 1353 which would be total logged in users for that CAS.
	 
	Thanks
	 
	John


	>>> Kyle Evans <[log in to unmask]> <mailto:[log in to unmask]>  12/6/2006 8:52 AM >>>
	You can look at the arp table on the CAS in /proc/click/intern_arpq/table with this command:
	
	cat /proc/click/intern_arpq/table
	
	Although unless I'm mistaken, this will give you all active devices for that CAS whether they are logged in or not or in device filters or not.  So to get a list of users that are logged in and active, you'd have to write a script to take the list from the arp table and compare it to the list of logged in users and only print the entries that occur in both.
	
	Now there is one caveat.  I'm not sure how long an entry stays in this arp table after a device has become inactive.  If the timeout is short, then this will work fairly well.  If the timeout is long, then this method will not work well.  However, this method is kind of complex, so it may not be worth it anyway.
	
	Kyle
	
	
	
	John Truelove wrote: 

		Prem, Nick, or others:
		 
		I have asked this in the past and still have not found a way to gather
		statistics on active users.
		 
		I can get the active users for the device filters and that is it.
		 
		Is there a location on the CAM or CAS that the active MAC, IP, or user
		information is stored ?
		 
		It has to be there somewhere for the session timers and heartbeat timers to function correctly ?  right  ?
		 
		I have been wanting that type of information since 3.4.5 and I still don't
		have a way to gather active users.  I know others would like to have that
		information as well by scripts or SNMP.
		 
		Thanks for any help you can provide.
		 
		John
		
		 
		 
		 
		John Truelove
		OIT Network Engineer - CCNP
		Indiana State University
		210 N 7th Street, Tirey Hall Rm 65
		Terre Haute, IN 47809
		812-237-4921
		
		*******************************************************************************************************************************************************
		This email, and any attachments, thereto, is intended only for use by the addressee(s) named herein and may contain privileged 
		and/or confidential information.  If you are not the intended recipient of this email, you are hereby notified that any dissemination, 
		distribution or copying of this email, and any attachments thereto, is strictly prohibited.
		*******************************************************************************************************************************************************

ATOM RSS1 RSS2