Property | Description

chains (list of integer 0..7)

Radio chains to use for receiving signals. Defaults to all chains available to the corresponding radio hardware.

client-isolation (no | yes)

  • yes - AP will not forward traffic between client devices connected to it
  • no - AP will forward traffic between client devices connected to it

Default: no

country (name of a country)

Determines which regulatory domain restrictions are applied to an interface. Defaults to "United States".

Note: It is important to set this value correctly to comply with local regulations and ensure interoperability with other devices.

hide-ssid (no | yes)

  • yes - AP does not include its SSID in beacon frames, and does not reply to probe requests that have broadcast SSID.

  • no - AP includes its SSID in the beacon frames, and replies to probe requests that have broadcast SSID.

Default: no

mode (ap | station)

Interface operation mode

  • ap (default) - interface operates as an access point
  • station - interface acts as a client device, scanning for access points advertising the configured SSID

rrm (no | yes)

  • yes - enable support for 802.11k radio resource measurement
  • no - disable support for 802.11k radio resource measurement

Default: yes

ssid (string)

The name of the wireless network, aka the (E)SSID. No default value.

tx-chains (list of integer 0..7)

Radio chains to use for transmitting signals. Defaults to all chains available to the corresponding radio hardware.

tx-power (integer 0..40)

A limit on the transmit power (in dBm) of the interface. Cannot be used to set power above limits imposed by the regulatory profile. Unset by default.

manager (capsman | capsman-or-local | local)

  • capsman - the interface will act as CAP only
  • capsman-or-local - the interface will get configuration via CAPsMAN or use its own, if /interface/wifiwave2/cap is not enabled.
  • local - interface won't contact CAPsMAN in order to get configuration.

Datapath properties

Parameters relating to forwarding packets to and from wireless client devices.

Property | Description

bridge (bridge interface)

Bridge interface to add interface to, as a bridge port. No default value.

bridge-cost (integer)

Bridge port cost to use when adding as bridge port. Default: 10.

bridge-horizon (none | integer)

Bridge horizon to use when adding as bridge port. Default: none.

client-isolation (no | yes)

  • yes - AP will not forward traffic between client devices connected to it
  • no - AP will forward traffic between client devices connected to it

Default: no

interface-list (interface list)

List to which the interface is added as a member. No default value.

openflow-switch (interface)

OpenFlow switch to add interface to, as port when enabled. No default value.

vlan-id (none | integer 1..4096)

Default VLAN id to assign to clients connecting on the interface. Default: none.

Security properties

Parameters relating to authentication.

Property | Description

authentication-types (list of wpa-psk, wpa2-psk, wpa-eap, wpa2-eap, wpa3-psk, owe, wpa3-eap, wpa3-eap-192)

Authentication types to enable on the interface.

The default value is an empty list (no authentication, an open network).

Configuring a passphrase adds to the default list the wpa2-psk authentication method (if the interface is an AP) or both wpa-psk and wpa2-psk (if the interface is a station).

Configuring an eap-username and an eap-password adds to the default list wpa-eap and wpa2-eap authentication methods.

dh-groups (list of 19, 20, 21)

Identifiers of elliptic curve cryptography groups to use in SAE (WPA3) authentication.

disable-pmkid (no | yes)

For interfaces in AP mode, disables inclusion of a PMKID in EAPOL frames. Disabling PMKID can cause compatibility issues with client devices which make use of it.

  • yes - Do not include PMKID in EAPOL frames.
  • no (default) - include PMKID in EAPOL frames.

eap-accounting (no | yes)

Send accounting information to RADIUS server for EAP-authenticated peers. Default: no.

Note

Properties related to EAP are only relevant to interfaces in station mode. APs delegate EAP authentication to the RADIUS server.

eap-anonymous-identity (string)

Optional anonymous identity for EAP outer authentication. No default value.

eap-certificate-mode (dont-verify-certificate | no-certificates | verify-certificate | verify-certificate-with-crl)

Policy for handling the TLS certificate of the RADIUS server.

  • verify-certificate - require server to have a valid certificate. Check that it is signed by a trusted certificate authority.
  • dont-verify-certificate (default) - Do not perform any checks on the certificate.
  • no-certificates - Attempt to establish the TLS tunnel by performing anonymous Diffie-Hellman key exchange. To be used if the RADIUS server has no certificate at all.
  • verify-certificate-with-crl - Same as verify-certificate, but also checks if the certificate is valid by checking the Certificate Revocation List.

eap-methods (list of peap, tls, ttls)

EAP methods to consider for authentication. Defaults to all supported methods.

eap-password (string)

Password to use, when the chosen EAP method requires one. No default value.

eap-tls-certificate (certificate)

Name or id of a certificate in the device's certificate store to use, when the chosen EAP authentication method requires one. No default value.

eap-username (string)

Username to use when the chosen EAP method requires one. No default value.


Warning

Take care when configuring encryption ciphers.

All client devices MUST support the group encryption cipher used by the AP to connect, and some client devices (notably, Intel® 8260) will also fail to connect if the list of unicast ciphers includes any they don't support.


encryption (list of ccmp, ccmp-256, gcmp, gcmp-256, tkip)

A list of ciphers to support for encrypting unicast traffic.

Defaults to ccmp.


Note

Properties related to 802.11r fast BSS transition only apply to interfaces in AP mode. Wifiwave2 interfaces in station mode do not support 802.11r.

The initial implementation of 802.11r introduced in RouterOS 7.4beta4 only supports fast transition of client devices between the interfaces which are local to each AP.


ft (no | yes)

Whether to enable 802.11r fast BSS transitions. Default: no.

ft-mobility-domain (integer 0..65535)

The fast BSS transition mobility domain ID. Default: 44484 (0xADC4).

ft-nas-identifier (string of 2..96 hex characters)

Fast BSS transition PMK-R0 key holder identifier. Default: MAC address of the interface.

ft-over-ds (no | yes)

Whether to enable fast BSS transitions over DS (distributed system). Default: no.

ft-r0-key-lifetime (time interval 1s..6w3d12h15m)

Lifetime of the fast BSS transition PMK-R0 encryption key. Default: 600000s (~7 days)

ft-reassociation-deadline (time interval 0..70s)

Fast BSS transition reassociation deadline. Default: 20s.

group-encryption (ccmp | ccmp-256 | gcmp | gcmp-256 | tkip)

Cipher to use for encrypting multicast traffic.

Defaults to ccmp.

group-key-update (time interval 30s..1h)

Interval at which the group temporal key (key for encrypting broadcast traffic) is renewed. Defaults to 5 minutes.

management-encryption (cmac | cmac-256 | gmac | gmac-256)

Cipher to use for encrypting protected management frames. Defaults to cmac.

management-protection (allowed | disabled | required)

Whether to use 802.11w management frame protection. Incompatible with management frame protection in standard wireless package.

Default value depends on value of selected authentication type (WPA (1) does not support MFP, while WPA3 requires it).

owe-transition-interface (interface)

Name or internal id of an interface whose MAC address and SSID to advertise as the matching AP when running in OWE transition mode.

Required for setting up open APs that offer OWE, but also work with older devices that don't support the standard. See configuration example below.

passphrase (string of up to 63 characters)

Passphrase to use for PSK authentication types. Defaults to an empty string - "".

WPA-PSK and WPA2-PSK authentication require a minimum of 8 characters, while WPA3-PSK does not have a minimum passphrase length.

sae-anti-clogging-threshold ('disabled' | integer)

Due to SAE (WPA3) associations being CPU resource intensive, overwhelming an AP with bogus authentication requests makes for a feasible denial-of-service attack.

This parameter provides a way to mitigate such attacks by specifying a threshold of in-progress SAE authentications, at which the AP will start requesting that client devices include a cookie bound to their MAC address in their authentication requests. It will then only process authentication requests which contain valid cookies.

Default: disabled.
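
The cookie mechanism described above can be modelled in a few lines. This Python model is an added illustration, not RouterOS code: the `SaeGate` class, its HMAC-based cookie and the way it counts in-progress authentications are assumptions, chosen to show why a cookie bound to the client's MAC address lets the AP discard requests sent from spoofed addresses without keeping state for them.

```python
import hashlib
import hmac
import os


class SaeGate:
    """Simplified model of an AP's SAE anti-clogging gate (not RouterOS code)."""

    def __init__(self, threshold, secret=None):
        # threshold models sae-anti-clogging-threshold; None models 'disabled'.
        self.threshold = threshold
        self.secret = secret or os.urandom(32)
        self.in_progress = set()  # MACs with an SAE authentication under way

    def _cookie(self, mac):
        # Stateless cookie: the AP can recompute it from its secret and the
        # sender's MAC, so nothing is stored for requests it has not accepted.
        return hmac.new(self.secret, mac.lower().encode(), hashlib.sha256).digest()

    def handle_request(self, mac, cookie=None):
        """Return (verdict, cookie_to_send) for one authentication request."""
        mac = mac.lower()
        below = self.threshold is None or len(self.in_progress) < self.threshold
        if below:
            self.in_progress.add(mac)
            return "process", None
        if cookie is None:
            # Threshold reached: ask the client to repeat the request with a
            # cookie. Only a client that receives frames at this MAC gets it.
            return "cookie-required", self._cookie(mac)
        if hmac.compare_digest(cookie, self._cookie(mac)):
            self.in_progress.add(mac)
            return "process", None
        return "drop", None

    def finish(self, mac):
        """Authentication completed or timed out; free the slot."""
        self.in_progress.discard(mac.lower())


def demo():
    """Run a constructed sequence of requests and return the verdicts."""
    gate = SaeGate(threshold=2, secret=b"constructed-demo-secret")
    verdicts = [
        gate.handle_request("02:00:00:00:00:01")[0],   # below threshold
        gate.handle_request("02:00:00:00:00:02")[0],   # below threshold
    ]
    verdict, cookie = gate.handle_request("02:00:00:00:00:03")
    verdicts.append(verdict)                           # threshold reached
    # The cookie issued for ...:03 is useless from another source address.
    verdicts.append(gate.handle_request("02:00:00:00:00:04", cookie)[0])
    # The client that actually received the cookie is processed.
    verdicts.append(gate.handle_request("02:00:00:00:00:03", cookie)[0])
    return verdicts
```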

sae-max-failure-rate ('disabled' | integer)

Rate of failed SAE (WPA3) associations per minute, at which the AP will stop processing new association requests. Defaults to disabled.

sae-pwe (both | hash-to-element | hunting-and-pecking)

Methods to support for deriving SAE password element. Default: both.

wps (disabled | push-button)

  • push-button (default) - AP will accept WPS authentication for 2 minutes after 'wps-push-button' command is called. Physical WPS button functionality not yet implemented.
  • disabled - AP will not accept WPS authentication

Miscellaneous properties

Property | Description

arp (disabled | enabled | local-proxy-arp | proxy-arp | reply-only)

Address Resolution Protocol mode:

  • disabled - the interface will not use ARP
  • enabled - the interface will use ARP (default)
  • local-proxy-arp - the router performs proxy ARP on the interface and sends replies to the same interface
  • proxy-arp - the router performs proxy ARP on the interface and sends replies to other interfaces
  • reply-only - the interface will only reply to requests originated from matching IP address/MAC address combinations which are entered as static entries in the ARP table. No dynamic entries will be automatically stored in the ARP table. Therefore for communications to be successful, a valid static entry must already exist.

arp-timeout (time interval | 'auto')

Determines how long a dynamically added ARP table entry is considered valid since the last packet was received from the respective IP address.
Value auto equals the value of arp-timeout in /ip settings, which defaults to 30s.

disable-running-check (no | yes)

  • yes - interface's running property will be true whenever the interface is not disabled

  • no (default) - interface's running property will only be true when it has established a link to another device

disabled (no | yes) (X)

Hardware interfaces are disabled by default. Virtual interfaces are not.

mac-address (MAC)

MAC address (BSSID) to use for an interface.

Hardware interfaces default to the MAC address of the associated radio interface.

Default MAC addresses for virtual interfaces are generated by

  1. Taking the MAC address of the associated master interface

  2. Setting the second-least-significant bit of the first octet to 1, resulting in a locally administered MAC address

  3. If needed, incrementing the last octet of the address to ensure it doesn't overlap with the address of another interface on the device
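
The three steps above, written out as an added Python example (not MikroTik code). The function names are hypothetical, and both the wrap-around of the last octet and treating the master's own address as already taken are assumptions; `could_share_radio` is the reverse check, useful when matching observed BSSIDs against an inventory of known AP radios.

```python
def parse_mac(text):
    """Parse 'AA:BB:CC:DD:EE:FF' into a list of six integers."""
    octets = [int(part, 16) for part in text.split(":")]
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a MAC address: {text!r}")
    return octets


def format_mac(octets):
    return ":".join(f"{o:02X}" for o in octets)


def default_virtual_mac(master_mac, in_use=()):
    """Derive the default MAC of a virtual interface from its master.

    in_use lists addresses of other interfaces already on the device.
    """
    # Assumption: the master's own address counts as taken.
    taken = {format_mac(parse_mac(m)) for m in in_use}
    taken.add(format_mac(parse_mac(master_mac)))

    # Step 1: start from the master interface's address.
    octets = parse_mac(master_mac)
    # Step 2: set the second-least-significant bit of the first octet,
    # which marks the address as locally administered.
    octets[0] |= 0x02
    # Step 3: bump the last octet until the address is free.
    for _ in range(256):
        candidate = format_mac(octets)
        if candidate not in taken:
            return candidate
        octets[5] = (octets[5] + 1) & 0xFF  # wrap-around is an assumption
    raise RuntimeError("no free address for this master interface")


def could_share_radio(bssid, master_mac):
    """True if bssid differs from master_mac only in the locally
    administered bit and the last octet, i.e. it is consistent with
    being a default virtual-interface address on that radio."""
    a, b = parse_mac(bssid), parse_mac(master_mac)
    return (a[0] & ~0x02) == (b[0] & ~0x02) and a[1:5] == b[1:5]
```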

master-interface (interface)

Multiple interface configurations can be run simultaneously on every wireless radio.

Only one of them determines the radio's state (whether it is enabled, what frequency it's using, etc). This 'master' interface is bound to a radio with the corresponding radio-mac.

To create additional ('virtual') interface configurations on a radio, they need to be bound to the corresponding master interface.

No default value.

name (string)

A name for the interface. Defaults to wifiN, where N is the lowest integer that has not yet been used for naming an interface.

Read-only properties

Property | Description

bound (boolean) (B)

Always true for master interfaces (configurations linked to radio hardware).

True for a virtual interface (configurations linked to a master interface) when both the interface itself and its master interface are not disabled.

default-name (string)

The default name for an interface.

inactive (boolean) (I)

False for interfaces in AP mode when they've selected a channel for operation (i.e. configuration has been successfully applied).

False for interfaces in station mode when they've connected to an AP (i.e. configuration has been successfully applied, and an AP with matching settings has been found).

True otherwise.

master (boolean) (M)

True for interface configurations which are bound to radio hardware. False for virtual interfaces.

radio-mac (MAC)

The MAC address of the associated radio.

running (boolean) (R)

True, when an interface has established a link to another device.

If disable-running-check is set to 'yes', true whenever the interface is not disabled.

Configuration profiles

Configuration settings for wifiwave2 interfaces can be grouped in profiles according to the parameter sections listed above. These profiles - aaa, channel, configuration and security, can then be assigned to interfaces. Configuration profiles can include other profiles as well as separate parameters from other categories.

This optional flexibility is meant to allow each user to arrange their configuration in a way that makes the most sense for them, but it also means that each parameter may have different values assigned to it in different sections of the configuration.

The following priority determines which value is used:

  1. Value in interface settings
  2. Value in profile assigned to interface
  3. Value in configuration profile assigned to interface
  4. Value in profile assigned to configuration profile (which in turn is assigned to interface).

If you are at any point unsure of which parameter value will be used for an interface, consult the actual-configuration menu. For an example of configuration profile usage, see the following example.

Example for dual-band home AP:

# Creating a security profile, which will be common for both interfaces
/interface wifiwave2 security
add name=common-auth authentication-types=wpa2-psk,wpa3-psk passphrase="diceware makes good passwords" wps=disable
# Creating a common configuration profile and linking the security profile to it
/interface wifiwave2 configuration
add name=common-conf ssid=MikroTik country=Latvia security=common-auth
# Creating separate channel configurations for each band
/interface wifiwave2 channel
add name=ch-2ghz frequency=2412,2432,2472 width=20mhz
add name=ch-5ghz frequency=5180,5260,5500 width=20/40/80mhz
# Assigning to each interface the common profile as well as band-specific channel profile
/interface wifiwave2
set wifi1 channel=ch-2ghz configuration=common-conf disabled=no
set wifi2 channel=ch-5ghz configuration=common-conf disabled=no

/interface/wifiwave2/actual-configuration print
 0 name="wifi1" mac-address=74:4D:28:94:22:9A arp-timeout=auto radio-mac=74:4D:28:94:22:9A
   configuration.ssid="MikroTik" .country=Latvia 
   security.authentication-types=wpa2-psk,wpa3-psk .passphrase="diceware makes good passwords" .wps=disable
   channel.frequency=2412,2432,2472 .width=20mhz

 1 name="wifi2" mac-address=74:4D:28:94:22:9B arp-timeout=auto radio-mac=74:4D:28:94:22:9B   
   configuration.ssid="MikroTik" .country=Latvia
   security.authentication-types=wpa2-psk,wpa3-psk .passphrase="diceware makes good passwords" .wps=disable
   channel.frequency=5180,5260,5500 .width=20/40/80mhz
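
Because actual-configuration is the resolved view after the priority rules above have been applied, it is the right input for a configuration audit. The following added Python example (not part of the RouterOS documentation) parses output in the layout printed above, expanding the `.key` shorthand, and flags settings that this page documents as open or unverified defaults. The sample text is constructed; that unset properties are omitted from the output and that mode appears as `configuration.mode` are assumptions.

```python
import shlex

# Constructed sample in the layout of the actual-configuration output above.
SAMPLE = '''
 0 name="wifi1" mac-address=74:4D:28:94:22:9A radio-mac=74:4D:28:94:22:9A
   configuration.ssid="MikroTik" .country=Latvia
   security.authentication-types=wpa2-psk,wpa3-psk .passphrase="diceware makes good passwords" .wps=disable

 1 name="wifi2" mac-address=74:4D:28:94:22:9B radio-mac=74:4D:28:94:22:9B
   configuration.ssid="Guest" .country=Latvia

 2 name="wifi3"
   configuration.ssid="Legacy" .mode=ap
   security.authentication-types=wpa-psk,wpa2-psk .encryption=tkip,ccmp .passphrase="constructed example" .wps=disable

 3 name="wifi4"
   configuration.ssid="Corp" .mode=station
   security.authentication-types=wpa2-eap .eap-username=user1 .eap-password="constructed"
'''

EAP_TYPES = {"wpa-eap", "wpa2-eap", "wpa3-eap", "wpa3-eap-192"}


def parse_actual_configuration(text):
    """Return {interface name: {full.property: value}} from print output."""
    interfaces, current, prefix = {}, None, ""
    for line in text.splitlines():
        tokens = shlex.split(line)          # keeps quoted values in one token
        if not tokens:
            continue
        if tokens[0].isdigit():             # entry number starts an interface
            current, prefix = {}, ""
            tokens = tokens[1:]
        if current is None:
            continue                        # text before the first entry
        for token in tokens:
            key, sep, value = token.partition("=")
            if not sep:
                continue                    # status flags carry no value
            if key.startswith("."):         # ".country" reuses last section
                key = prefix + key
            elif "." in key:
                prefix = key.split(".", 1)[0]
            current[key] = value
            if key == "name":
                interfaces[value] = current
    return interfaces


def audit(conf):
    """Return findings for one interface, using the defaults stated on this page."""
    mode = conf.get("configuration.mode", "ap")
    auth = set(filter(None, conf.get("security.authentication-types", "").split(",")))
    if not auth:
        # With no explicit list, credentials decide which types are enabled.
        if conf.get("security.passphrase"):
            auth |= {"wpa2-psk"} if mode == "ap" else {"wpa-psk", "wpa2-psk"}
        if conf.get("security.eap-username") and conf.get("security.eap-password"):
            auth |= {"wpa-eap", "wpa2-eap"}
    findings = []
    if not auth:
        findings.append("open network (authentication-types is empty)")
    if auth & {"wpa-psk", "wpa-eap"}:
        findings.append("WPA (1) enabled, which has no management frame protection")
    ciphers = set(conf.get("security.encryption", "ccmp").split(","))
    ciphers.add(conf.get("security.group-encryption", "ccmp"))
    if "tkip" in ciphers:
        findings.append("tkip cipher enabled")
    # The page spells the value both "disabled" and "disable"; accept either.
    if mode == "ap" and conf.get("security.wps", "push-button") not in ("disable", "disabled"):
        findings.append("WPS push-button accepted (default)")
    cert_mode = conf.get("security.eap-certificate-mode", "dont-verify-certificate")
    if mode == "station" and auth & EAP_TYPES and not cert_mode.startswith("verify-certificate"):
        findings.append("RADIUS server certificate is not verified")
    return findings


def audit_all(text):
    return {name: audit(conf) for name, conf in parse_actual_configuration(text).items()}
```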

...

Wireless peers can be manually de-authenticated (forcing re-association) by removing them from the registration table.

/interface/wifiwave2/registration-table remove [find where mac-address=02:01:02:03:04:05]

Regulatory domain information

Information about your regulatory domain, such as allowed frequencies, transmit power and DFS requirements can be found in the info menu.

/interface/wifiwave2/info country-info Latvia

WifiWave2 CAPsMAN

WifiWave2 CAPsMAN allows applying wireless settings to multiple MikroTik WifiWave2 AP devices from a central configuration interface.

More specifically, the Controlled Access Point system Manager (CAPsMAN) allows the centralization of wireless network management. When using the CAPsMAN feature, the network will consist of a number of 'Controlled Access Points' (CAP) that provide wireless connectivity and a 'system Manager' (CAPsMAN) that manages the configuration of the APs and also takes care of client authentication.

WifiWave2 CAPsMAN only passes wireless configuration to the CAP, all forwarding decisions are left to the CAP itself - there is no CAPsMAN forwarding mode.

Requirements:

  • Any RouterOS device that supports the WifiWave2 package can be a controlled wireless access point (CAP) as long as it has at least a Level 4 RouterOS license.
  • WifiWave2 CAPsMAN server can be installed on any RouterOS device that supports the WifiWave2 package, even if the device itself does not have a wireless interface.
  • Unlimited CAPs (access points) supported by CAPsMAN.

CAPsMAN Global Configuration

Menu: /interface/wifiwave2/capsman

Property | Description

ca-certificate (auto | certificate name)

Device CA certificate. CAPsMAN server requires a certificate; certificate on CAP is optional.

certificate (auto | certificate name | none; Default: none)

Device certificate

enabled (no | yes)

Disable or enable CAPsMAN functionality

package-path (string |; Default: )

Folder location for the RouterOS packages. For example, use "/upgrade" to specify the upgrade folder from the files section. If an empty string is set, CAPsMAN can use built-in RouterOS packages. Note that in this case only CAPs with the same architecture as CAPsMAN will be upgraded.

require-peer-certificate (yes | no; Default: no)

Require all connecting CAPs to have a valid certificate

upgrade-policy (none | require-same-version | suggest-same-upgrade; Default: none)

Upgrade policy options

  • none - do not perform upgrade
  • require-same-version - CAPsMAN suggests upgrading the CAP RouterOS version and, if it fails, it will not provision the CAP. (Manual provision is still possible.)
  • suggest-same-version - CAPsMAN suggests upgrading the CAP RouterOS version and, if it fails, it will still be provisioned

interfaces (all | interface name | none; Default: all)

Interfaces on which CAPsMAN will listen for CAP connections

CAPsMAN Provisioning

Provisioning rules for matching radios are configured in /interface/wifiwave2/provisioning/ menu:

Property | Description

action (create-disabled | create-enabled | create-dynamic-enabled | none; Default: none)

Action to take if the rule matches, specified by the following settings:

  • create-disabled - create disabled static interfaces for radio. I.e., the interfaces will be bound to the radio, but the radio will not be operational until the interface is manually enabled;
  • create-enabled - create enabled static interfaces. I.e., the interfaces will be bound to the radio and the radio will be operational;
  • create-dynamic-enabled - create enabled dynamic interfaces. I.e., the interfaces will be bound to the radio, and the radio will be operational;
  • none - do nothing, leaves radio in the non-provisioned state;

comment (string; Default: )

Short description of the Provisioning rule

common-name-regexp (string; Default: )

Regular expression to match radios by common name. Each CAP's common name identifier can be found under "/interface/wifiwave2/radio" as value "REMOTE-CAP-NAME"

supported-bands (2ghz-ax | 2ghz-g | 2ghz-n | 5ghz-a | 5ghz-ac | 5ghz-ax | 5ghz-n; Default: )

Match radios by supported wireless modes

identity-regexp (string; Default: )

Regular expression to match radios by router identity

address-ranges (IpAddressRange[,IpAddressRanges] max 100x; Default: "")

Match CAPs with IPs within configured address range.

master-configuration (string; Default: )

If action specifies to create interfaces, then a new master interface with its configuration set to this configuration profile will be created

name-format (cap | identity ; Default: cap)

Specify the syntax of the CAP interface name creation

  • "example1-%I" - cap identity
  • "example2-%C" - cap common name

name-prefix (string; Default: )

Name prefix which can be used in the name-format for creating the CAP interface names

radio-mac (MAC address; Default: 00:00:00:00:00:00)

MAC address of radio to be matched, empty MAC (00:00:00:00:00:00) means match all MAC addresses

slave-configurations (string; Default: )

If action specifies to create interfaces, then a new slave interface for each configuration profile in this list is created.

disabled (yes | no; Default: no)

Specifies if the provision rule is disabled.

CAP configuration

Menu: /interface/wifiwave2/cap

Property | Description

caps-man-addresses (list of IP addresses; Default: empty)

List of Manager IP addresses that CAP will attempt to contact during discovery

caps-man-names ()

An ordered list of CAPs Manager names that the CAP will connect to, if empty - CAP does not check Manager name

discovery-interfaces (list of interfaces;)

List of interfaces over which CAP should attempt to discover Manager

lock-to-caps-man (no | yes; Default: no)

Sets whether CAP should lock to the first CAPsMAN it connects to

slaves-static ()

caps-man-certificate-common-names ()

List of Manager certificate CommonNames that CAP will connect to, if empty - CAP does not check Manager certificate CommonName

certificate ()

Certificate to use for authenticating

enabled (yes | no; Default: no)

Disable or enable the CAP feature

slaves-datapath ()


Info

The interface that should act as CAP needs additional configuration under "interface/wifiwave2/set wifiX configuration.manager="

CAPsMAN - CAP configuration example:

CAPsMAN in WifiWave2 uses the same menu as a regular WifiWave2 interface, meaning when you pass configuration to CAPs, you have to use the same configuration, security, channel configuration, etc. as you would for regular WifiWave2 interfaces.

Info
You can configure sub configuration menus, directly under "/interface/wifiwave2/configuration" or reference previously created profiles in the main configuration profile

CAPsMAN:

#create a security profile
/interface wifiwave2 security
add authentication-types=wpa3-psk name=sec1 passphrase=HaveAg00dDay

#create configuration profiles to use for provisioning
/interface wifiwave2 configuration
add country=Latvia name=5ghz security=sec1 ssid=CAPsMAN_5
add name=2ghz security=sec1 ssid=CAPsMAN2
add country=Latvia name=5ghz_v security=sec1 ssid=CAPsMAN5_v

#configure provisioning rules, configure band matching as needed
/interface wifiwave2 provisioning
add action=create-dynamic-enabled master-configuration=5ghz slave-configurations=5ghz_v supported-bands=\
    5ghz-n
add action=create-enabled master-configuration=2ghz supported-bands=2ghz-n

#enable CAPsMAN service
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes

CAP:

#enable CAP service, in this case CAPsMAN is on same LAN, but you can also specify "caps-man-addresses=x.x.x.x" here
/interface/wifiwave2/cap set enabled=yes

#set configuration.manager= on the WifiWave2 interface that should act as CAP
/interface/wifiwave2/set wifi1,wifi2 configuration.manager=capsman-or-local

Replacing stock wireless

The wifiwave2 package can be installed on some products, which ship with the bundled 'wireless' package, replacing it.

Warning

Installing the wifiwave2 package disables other means of configuring wireless interfaces. Before installation, make sure to back up any wireless and regular CAPsMAN configuration you may want to retain.

...

The following notable features of the bundled wireless package do not yet have equivalents in the wifiwave2 package

...

  • Station-bridging or other 4-address modes
  • Nstreme and Nv2 wireless protocols

...