Cisco 9800 alert on MAC join using EEM

Just a small tidbit: I recently received a request to quickly alert when a specific MAC address joins our 802.1X WLAN and gives its approximate location.

There are a few possible ways to do this - alert on logs on RADIUS server, any MAC table, log concentrators, or SIEM solutions, but getting this quick and easy turned out to be very straightforward and uncomplicated using only out-of-the-box solutions on the Cisco 9800 controller, specifically EEM applets.

To see what we’re after, let’s look at a standard logline when a client joins our 802.1X SSID:

Mar 24 10:18:33.637: %CLIENT_ORCH_LOG-6-CLIENT_ADDED_TO_RUN_STATE: Chassis 1 R0/0: wncd: Username entry (thisisausername) joined with ssid (thisisanssid) for device with MAC: aabb.ccdd.1234

As we are focused on the MAC address, we see that we have it right there after the join at the end of the log line.

EEM is the embedded event manager and can trigger on many things, but one thing is to match on loglines and execute specific commands in the event of a match.

So, I came up with this applet:

event manager applet lookformac
 event syslog pattern "aabb.ccdd.1234"
 action 1.0 cli command "enable"
 action 2.0 cli command "term length 0"
 action 3.0 cli command "show wireless client mac-address aabb.ccdd.1234 detail"
 action 4.0 mail secure tls server "" to "" from "" subject "ALERT - MAC 1234 online" body "$_cli_result"

The first line defines the applet and gives it a name, and the second line specifies the pattern to watch for in the system log, which is just the MAC address I’m looking for.

As soon as this matches, the actions will be executed. These are the CLI commands to enable and set terminal parameters and then do a “show wireless client detail” on the MAC address in question because the name of the AP that this MAC joined to is right there in this output and will give me the approximate location. The output of this command is automatically placed in the variable “$_cli_result”, so we can use this in the next command.

The following command fires off an e-mail, specifying server and auth settings, to- and from-addresses, subject, and the result of the last command as body.

As soon as the MAC address appeared online, I got the expected e-Mail.

e-Mail received with client details, including AP