...
3. Assign the configuration to your master profile (or directly to CAP itself)
| Code Block | ||
|---|---|---|
| ||
/caps-man security add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=radius /radius add address=x.x.x.x secret=SecretUserPass service=wireless /caps-man configuration set security=radius |
Radius authentication with different radius servers for each SSID
...
4. Assign the configuration to your master profile (or directly to CAP itself)
| Code Block | ||
|---|---|---|
| ||
/caps-man security add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=radius /caps-man aaa set called-format=ssid /radius add address=x.x.x.x secret=SecretUserPass service=wireless called-id=SSID1 /radius add address=y.y.y.y secret=SecretUserPass service=wireless called-id=SSID2 /caps-man configuration set security=radius |
...
Now everyone connecting to CAP's with ssid=SSID1 will have their radius authentication requests sent to x.x.x.x and everyone connecting to CAP's with ssid=SSID2 will have their radius authentication requests sent to y.y.y.y
...
CAPsMAN interfaces are managed in /caps-man interface menu:
| Code Block | ||
|---|---|---|
| ||
[admin@CM] > /caps-man interface print |
...
|
...
Flags: M - master, D - dynamic, B - bound, X - disabled, I - inactive, R - running
|
...
# |
...
NAME RADIO-MAC MASTER-INTERFACE 0 M BR cap2 00:0C:42:1B:4E:F5 none 1 B cap3 |
...
00:00:00:00:00:00 cap2 |
//caps-man manager
| Property | Description |
|---|---|
| enabled (yes | no; Default: no) | Disable or enable CAPsMAN functionality |
| certificate (auto | certificate name | none; Default: none) | Device certificate |
| ca-certificate (auto | certificate name | none; Default: none) | Device CA certificate |
| require-peer-certificate (yes | no; Default: no) | Require all connecting CAPs to have a valid certificate |
| package-path (string |; Default: ) | Folder location for the RouterOS packages. For example, use "/upgrade" to specify the upgrade folder from the files section. If empty string is set, CAPsMAN can use built-in RouterOS packages, note that in this case only CAPs with the same architecture as CAPsMAN will be upgraded. |
| upgrade-policy (none | require-same-version | suggest-same-upgrade; Default: none) | Upgrade policy options
|
...
When the DTLS connection with CAP is successfully established (which means that CAP identifier is known and valid), CAPsMAN makes sure there is no stale connection with CAP using the same identifier. Currently connected CAPs are listed in /caps-man remote-cap menu:
...
| Code Block | ||
|---|---|---|
| ||
[admin@CM] /caps-man> remote-cap print # ADDRESS IDENT STATE RADIOS 0 00:0C:42:00:C0: |
...
32/27044 MT-000C4200C032 Run 1 |
CAPsMAN distinguishes between actual wireless interfaces (radios) based on their builtin MAC address (radio-mac). This implies that it is impossible to manage two radios with the same MAC address on one CAPsMAN. Radios currently managed by CAPsMAN (provided by connected CAPs) are listed in /caps-man radio menu:
...
caps-man radio menu:
| Code Block | ||
|---|---|---|
| ||
[admin@CM] /caps-man> radio print
Flags: L - local, P - provisioned
# RADIO-MAC INTERFACE REMOTE-AP-IDENT
0 P 00:03:7F:48:CC:07 cap1 MT-000C4200C032 |
When CAP connects, CAPsMAN at first tries to bind each CAP radio to CAPsMAN master interface based on radio-mac. If an appropriate interface is found, radio gets set up using master interface configuration and configuration of slave interfaces that refer to particular master interface. At this moment interfaces (both master and slaves) are considered bound to radio and radio is considered provisioned.
...
To get the active provisioning matchers:
| Code Block | ||
|---|---|---|
| ||
[admin@CM] /caps-man provisioning> print Flags: X - disabled |
...
0 |
...
radio-mac=00:00:00:00:00:00 action=create-enabled master-configuration=main-cfg
|
...
slave-configurations=virtual-ap-cfg name-prefix="" |
...
For user's convenience there are commands that allow the re-execution of the provisioning process for some radio or all radios provided by some AP:
| Code Block | ||
|---|---|---|
| ||
[admin@CM] > caps-man radio provision 0 |
and
| Code Block | ||
|---|---|---|
| ||
[admin@CM] > caps-man remote-cap provision 0 |
/caps-man radio
see /caps-man provisioning
...
Registration table contains a list of clients that are connected to radios controlled by CAPsMAN and is available in /caps-man registration-table menu:
| Code Block | ||
|---|---|---|
| ||
[admin@CM] /caps-man> registration-table |
...
print # INTERFACE MAC-ADDRESS UPTIME RX-SIGNAL |
...
0 cap1 |
...
00:03:7F:48:CC:0B 1h38m9s210ms |
...
-36 |
/caps-man remote-cap
see /caps-man provisioning
/caps-man security
Example
Assuming that rest of the settings are already configured and only the "Security" part have been left.
Radius authentication with one server
1. Create CAPsMAN security configuration
2. Configure Radius server client
3. Assign the configuration to your master profile (or directly to CAP itself)
| Code Block | ||
|---|---|---|
| ||
/caps-man security add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=radius /radius add address=x.x.x.x secret=SecretUserPass service=wireless /caps-man configuration set security=radius |
...
Radius authentication with different radius servers for each SSID
1. Create CAPsMAN security configuration
2. Configure AAA settings
3. Configure Radius server clients
4. Assign the configuration to your master profile (or directly to CAP itself)
| Code Block | ||
|---|---|---|
| ||
/caps-man security add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=radius /caps-man aaa set called-format=ssid /radius add address=x.x.x.x secret=SecretUserPass service=wireless called-id=SSID1 /radius add address=y.y.y.y secret=SecretUserPass service=wireless called-id=SSID2 /caps-man configuration set security=radius |
...
Now everyone connecting to CAP's with ssid=SSID1 will have their radius authentication requests sent to x.x.x.x and everyone connecting to CAP's with ssid=SSID2 will have their radius authentication requests sent to y.y.y.y