...
Simple setup of a CAPsMAN system
Before deep-diving into the details of CAPsMAN operation, let us quickly illustrate how to set up the most basic system, where you have a MikroTik router that manages two MikroTik AP devices. The benefit of CAPsMAN is that the CAP units don't need to be configured individually: all settings are done on the CAPsMAN server.
...
1. In the central device, which will be your CAPsMAN server, create a new "Configuration" template with only the basic settings (network name, country, the local LAN bridge interface, the wireless password).
2. Then create a new "Provisioning" rule, which will assign the created configuration template to the CAP devices.
3. All that remains to do on the CAPsMAN is to enable it.
Most MikroTik AP devices already support CAP mode out of the box. All you need to do is make sure they are on the same network as your CAPsMAN, and then boot them up while holding the reset button.
...
Note that a CAP can be manually "locked" to a CAPsMAN by setting caps-man-certificate-common-names.
Auto Certificates
To simplify CAPsMAN and CAP configuration when certificates are required (e.g. for the automatic locking feature), CAPsMAN can be configured to generate the necessary certificates automatically, and the CAP can be configured to request a certificate from CAPsMAN.
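The setup steps above and the automatic certificate / locking feature, as RouterOS CLI commands. This is an added example, not MikroTik's own documentation; the SSID, country, bridge name, passphrase, interface names and the certificate common name are placeholders to be replaced with your own values.

```routeros
# Added example (not from the original page). Placeholders: SSID "office-wifi",
# country "latvia", bridge "bridge", the PSK, CAP interfaces wlan1/ether1 and
# the CAPsMAN certificate common name.

# 1. Configuration template with only the basic settings.
#    WPA2-PSK with AES-CCM for both unicast and group traffic.
/caps-man configuration add name=cfg-basic ssid=office-wifi country=latvia \
    datapath.bridge=bridge \
    security.authentication-types=wpa2-psk \
    security.encryption=aes-ccm security.group-encryption=aes-ccm \
    security.passphrase=CHANGE-ME-PLACEHOLDER

# 2. Provisioning rule: every CAP that appears gets this template.
/caps-man provisioning add action=create-dynamic-enabled \
    master-configuration=cfg-basic

# 3. Enable the manager. certificate=auto / ca-certificate=auto lets CAPsMAN
#    generate its own certificates; require-peer-certificate=yes then refuses
#    CAPs that have not obtained a certificate from this CAPsMAN.
/caps-man manager set enabled=yes certificate=auto ca-certificate=auto \
    require-peer-certificate=yes

# On each CAP (alternative to the reset-button method): request a certificate
# from CAPsMAN and lock the CAP to that CAPsMAN's certificate common name
# (read it from "/certificate print" on the CAPsMAN; value below is a placeholder).
/interface wireless cap set enabled=yes interfaces=wlan1 \
    discovery-interfaces=ether1 certificate=request \
    caps-man-certificate-common-names=CAPSMAN-CN-PLACEHOLDER
```

Once the CAP has received its certificate, a rogue device imitating CAPsMAN on the same network cannot take the CAP over, since its certificate CN will not match the locked name.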
...
Property | Description |
---|---|
channel (list; Default: ) | User defined list taken from Channel names (/caps-man channels) |
channel.band (2ghz-b | 2ghz-b/g | 2ghz-b/g/n | 2ghz-onlyg | 2ghz-onlyn | 5ghz-a | 5ghz-a/n | 5ghz-onlyn | 5ghz-a/n/ac | 5ghz-only-ac; Default: ) | Defines set of used channels. |
channel.control-channel-width (40mhz-turbo | 20mhz | 10mhz | 5mhz; Default: ) | Defines set of used channel widths. |
channel.extension-channel (Ce | Ceee | eC | eCee | eeCe | eeeC | xx | xxxx | disabled; Default: ) | Extension channel configuration. (E.g. Ce = extension channel is above Control channel, eC = extension channel is below Control channel) |
channel.frequency (integer [0..4294967295]; Default: ) | Channel frequency value in MHz on which AP will operate. If left blank, CAPsMAN will automatically determine the best frequency that is least occupied. |
channel.reselect-interval (time [00:00:00..00:00:00]; Default: ) | The interval after which the least occupied frequency is chosen; can be defined as a random interval, e.g. "30m..60m". Works only if channel.frequency is left blank. |
channel.save-selected (yes | no; Default: no) | If channel frequency is chosen automatically and channel.reselect-interval is used, then saves the last picked frequency. |
channel.secondary-frequency (integer [0..4294967295]; Default: auto) | Specifies the second frequency that will be used for 80+80MHz configuration. Set it to Disabled in order to disable 80+80MHz capability. |
channel.skip-dfs-channels (yes | no; Default: no) | If channel.frequency is left blank, the selection will skip DFS channels |
channel.tx-power (integer [-30..40]; Default: ) | TX Power for CAP interface (for the whole interface not for individual chains) in dBm. It is not possible to set higher than allowed by country regulations or interface. By default max allowed by country or interface is used. |
channel.width (; Default: ) | Sets Channel Width in MHz. |
comment (string; Default: ) | Short description of the Configuration profile |
country (name of the country | no_country_set; Default: no_country_set) | Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of scan-list. Value no_country_set is an FCC compliant set of channels. |
datapath (list; Default: ) | User defined list taken from Datapath names (/caps-man datapath) |
datapath.bridge (list; Default: ) | Bridge to which particular interface should be automatically added as port |
datapath.bridge-cost (integer [1..200000000]; Default: ) | bridge port cost to use when adding as bridge port |
datapath.bridge-horizon (integer [0..4294967295]; Default: ) | bridge horizon to use when adding as bridge port |
datapath.client-to-client-forwarding (yes | no; Default: no) | controls if client-to-client forwarding between wireless clients connected to interface should be allowed, in local forwarding mode this function is performed by CAP, otherwise it is performed by CAPsMAN |
datapath.interface-list (; Default: ) | |
datapath.l2mtu (; Default: ) | set Layer2 MTU size |
datapath.local-forwarding (yes | no; Default: no) | controls forwarding mode |
datapath.mtu (; Default: ) | set MTU size |
datapath.openflow-switch (; Default: ) | OpenFlow switch port (when enabled) to add interface to |
datapath.vlan-id (integer [1..4095]; Default: ) | VLAN ID to assign to interface if vlan-mode enables use of VLAN tagging |
datapath.vlan-mode (use-service-tag | use-tag; Default: ) | Enables and specifies the type of VLAN tag to be assigned to the interface (causes all received data to get tagged with VLAN tag and allows the interface to only send out data tagged with given tag) |
disconnect-timeout (; Default: ) | |
distance (; Default: ) | |
frame-lifetime (; Default: ) | |
guard-interval (any | long; Default: any) | Whether to allow the use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). "any" will use either short or long, depending on data rate, "long" will use long only. |
hide-ssid (yes | no; Default: ) | |
hw-protection-mode (; Default: ) | |
hw-retries (; Default: ) | |
installation (any | indoor | outdoor; Default: any) | |
keepalive-frames (enabled | disabled; Default: enabled) | |
load-balancing-group (string; Default: ) | Tags the interface to the load balancing group. For a client to connect to interface in this group, the interface should have the same number of already connected clients as all other interfaces in the group or smaller. Useful in setups where ranges of CAPs mostly overlap. |
max-sta-count (integer [1..2007]; Default: ) | Maximum number of associated clients. |
mode (; Default: ap) | Set operational mode. Only ap currently supported. |
multicast-helper (default | disabled | full; Default: default) | When set to full, multicast packets will be sent with a unicast destination MAC address, resolving the multicast problem on a wireless link. This option should be enabled only on the access point; clients should be configured in station-bridge mode. Available starting from v5.15. |
name (string; Default: ) | Descriptive name for the Configuration Profile |
rates (; Default: ) | User defined list taken from Rates names (/caps-man rates) |
rates.basic (1Mbps | 2Mbps | 5.5Mbps | 6Mbps | 9Mbps | 11Mbps | 12Mbps | 18Mbps | 24Mbps | 36Mbps | 48Mbps | 54Mbps; Default: ) | |
rates.supported (1Mbps | 2Mbps | 5.5Mbps | 6Mbps | 9Mbps | 11Mbps | 12Mbps | 18Mbps | 24Mbps | 36Mbps | 48Mbps | 54Mbps; Default: ) | |
rates.ht-basic-mcs (list of (mcs-0 | mcs-1 | mcs-2 | mcs-3 | mcs-4 | mcs-5 | mcs-6 | mcs-7 | mcs-8 | mcs-9 | mcs-10 | mcs-11 | mcs-12 | mcs-13 | mcs-14 | mcs-15 | mcs-16 | mcs-17 | mcs-18 | mcs-19 | mcs-20 | mcs-21 | mcs-22 | mcs-23); Default: mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7) | Modulation and Coding Schemes that every connecting client must support. Refer to 802.11n for MCS specification. |
rates.ht-supported-mcs (list of (mcs-0 | mcs-1 | mcs-2 | mcs-3 | mcs-4 | mcs-5 | mcs-6 | mcs-7 | mcs-8 | mcs-9 | mcs-10 | mcs-11 | mcs-12 | mcs-13 | mcs-14 | mcs-15 | mcs-16 | mcs-17 | mcs-18 | mcs-19 | mcs-20 | mcs-21 | mcs-22 | mcs-23); Default: mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23) | Modulation and Coding Schemes that this device advertises as supported. Refer to 802.11n for MCS specification. |
rates.vht-basic-mcs (none | MCS 0-7 | MCS 0-8 | MCS 0-9; Default: none) | Modulation and Coding Schemes that every connecting client must support. Refer to 802.11ac for MCS specification. You can set an MCS interval for each Spatial Stream. |
rates.vht-supported-mcs (none | MCS 0-7 | MCS 0-8 | MCS 0-9; Default: none) | Modulation and Coding Schemes that this device advertises as supported. Refer to 802.11ac for MCS specification. You can set an MCS interval for each Spatial Stream. |
rx-chains (list of integer [0..2]; Default: 0) | Which antennas to use for receive. |
security (string; Default: none) | Name of security configuration from /caps-man security |
security.authentication-types (list of string; Default: none) | Specify the type of Authentication from wpa-psk, wpa2-psk, wpa-eap or wpa2-eap |
security.disable-pmkid (; Default: ) | |
security.eap-methods (eap-tls | passthrough; Default: none) | |
security.eap-radius-accounting (; Default: ) | |
security.encryption (aes-ccm | tkip; Default: aes-ccm) | Set type of unicast encryption algorithm used |
security.group-encryption (aes-ccm | tkip; Default: aes-ccm) | The Access Point advertises one of these ciphers; multiple values can be selected. The Access Point uses it to encrypt all broadcast and multicast frames. A client attempts connection only to Access Points that use one of the specified group ciphers. |
security.group-key-update (time: 30s..1h; Default: 5m) | Controls how often the Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect for Access Points. |
security.passphrase (string; Default: ) | WPA or WPA2 pre-shared key |
security.tls-certificate (none | name; Default: ) | The Access Point always needs a certificate when security.tls-mode is set to verify-certificate or dont-verify-certificate. |
security.tls-mode (verify-certificate | dont-verify-certificate | no-certificates; Default: ) | This property has effect only when security.eap-methods contains eap-tls. |
ssid (string (0..32 chars); Default: ) | SSID (service set identifier) is a name broadcast in the beacons that identifies wireless network. |
tx-chains (list of integer [0..2]; Default: 0) | Which antennas to use for transmit. |
...
- client matching parameters:
  - address - MAC address of the client (or, if a mask is specified, only the parts selected by the mask are checked; so to match the vendor prefix D8 of "D8:1C:79:6E:1E:FE", enter a placeholder address such as "D8:00:00:00:00:00" and then use the mask described in the next item)
  - mask - MAC address mask to apply when comparing the client address. For example, use FF:00:00:00:00:00 to match only the first octet of the specified MAC address. In the above example, regardless of the entered MAC, only the first octet will be compared. Similarly, entering 00:00:00:00:00:FF will match only the last octet (FE) of a hypothetical MAC "D8:1C:79:6E:1E:FE"; so in the address field you could simply enter 00:00:00:00:00:FE if you use such a mask.
  - interface - optional interface to compare with the interface the client actually connects to
  - time - time of day and days when the rule matches
  - signal-range - range in which the client signal must fit for the rule to match
- action parameter - specifies the action to take when a client matches:
  - accept - accept the client
  - reject - reject the client
  - query-radius - query the RADIUS server whether the particular client is allowed to connect
- connection parameters:
  - ap-tx-limit - tx speed limit in the direction to the client
  - client-tx-limit - tx speed limit in the direction to the AP (applies to RouterOS clients only)
  - client-to-client-forwarding - specifies whether to allow forwarding of data received from this client to other clients connected to the same interface
  - private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used
  - radius-accounting - specifies whether RADIUS traffic accounting should be used if RADIUS authentication is done for this client
  - vlan-mode - VLAN tagging mode; specifies whether traffic coming from the client should get tagged (and untagged when going to the client)
  - vlan-id - VLAN ID to use if doing VLAN tagging
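The matching and connection parameters above, put together into a CAPsMAN access list as RouterOS CLI commands. This is an added example, not MikroTik's own documentation; the MAC addresses, VLAN ID, rate limit, interface name and per-device passphrase are constructed placeholders.

```routeros
# Added example (not from the original page). All addresses, names and
# limits below are constructed placeholders. Rules are evaluated top-down
# and the first matching rule decides.

# Vendor match: mask FF:00:00:00:00:00 keeps only the first octet of both
# the rule address and the client address before they are compared, so the
# remaining octets of the rule address are irrelevant and left as zero.
/caps-man access-list add address=D8:00:00:00:00:00 mask=FF:00:00:00:00:00 \
    action=accept vlan-mode=use-tag vlan-id=20 \
    comment="vendor prefix D8 -> VLAN 20"

# Exact match on one known device (full mask FF:FF:FF:FF:FF:FF): its own
# PSK, a 20 Mbps downlink cap, and no forwarding to other wireless clients.
/caps-man access-list add address=D8:1C:79:6E:1E:FE mask=FF:FF:FF:FF:FF:FF \
    action=accept private-passphrase=PER-DEVICE-PSK-PLACEHOLDER \
    ap-tx-limit=20000000 client-to-client-forwarding=no \
    comment="known device, own PSK"

# Interface- and signal-gated rule: during office hours, reject clients on
# the guest interface whose signal is too weak, so they reassociate with a
# closer AP instead of slowing the cell down for everyone.
/caps-man access-list add interface=guest-wlan signal-range=-120..-80 \
    time=8h-18h,mon,tue,wed,thu,fri action=reject \
    comment="weak guest clients: try a nearer AP"

# Catch-all: let the RADIUS server (configured under /radius with
# service=wireless) decide about everyone else, with traffic accounting.
/caps-man access-list add action=query-radius radius-accounting=yes \
    comment="default: RADIUS decides"
```

Because the first match wins, an unconditional accept placed above the RADIUS rule would silently bypass the RADIUS check; keep the most specific rules at the top and the catch-all last.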
...