/caps-man aaa
Settings to configure CAPsMAN AAA functionality are found in /caps-man aaa menu:
| Property | Description |
|---|---|
| mac-format (string; Default: XX:XX:XX:XX:XX:XX) | Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests. |
| mac-mode (as-username | as-username-and-password; Default: as username) | By default Access Point uses an empty password, when sending Access-Request during MAC authentication. When this property is set to as-username-and-password, Access Point will use the same value for User-Password attribute as for the User-Name attribute. |
| mac-caching (disabled | time-interval; Default: disabled) | If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value disabled will disable cache, Access Point will always contact RADIUS server. |
| interim-update (disabled | time-interval; Default: disabled) | When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using the Acct-Interim-Interval attribute. |
| called-format (mac | mac:ssid | ssid; Default: mac:ssid) | Format of how the "called-id" identifier will be passed to RADIUS. When configuring radius server clients, you can specify "called-id" in order to separate multiple entires. |
Example
Assuming that rest of the settings are already configured and only the "Security" part have been left.
Radius authentication with one server
1. Create CAPsMAN security configuration
2. Configure Radius server client
3. Assign the configuration to your master profile (or directly to CAP itself)
/caps-man security add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=radius /radius add address=x.x.x.x secret=SecretUserPass service=wireless /caps-man configuration set security=radius
Radius authentication with different radius servers for each SSID
1. Create CAPsMAN security configuration
2. Configure AAA settings
3. Configure Radius server clients
4. Assign the configuration to your master profile (or directly to CAP itself)
/caps-man security add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=radius /caps-man aaa set called-format=ssid /radius add address=x.x.x.x secret=SecretUserPass service=wireless called-id=SSID1 /radius add address=y.y.y.y secret=SecretUserPass service=wireless called-id=SSID2 /caps-man configuration set security=radius
Now everyone connecting to CAP's with ssid=SSID1 will have their radius authentication requests sent to x.x.x.x and everyone connecting to CAP's with ssid=SSID2 will have their radius authentication requests sent to y.y.y.y
/caps-man access-list
/caps-man actual-interface-configuration
/caps-man channel
/caps-man configuration
/caps-man datapath
/caps-man interface
/caps-man manager
| Property | Description |
|---|---|
| enabled (yes | no; Default: no) | Disable or enable CAPsMAN functionality |
| certificate (auto | certificate name | none; Default: none) | Device certificate |
| ca-certificate (auto | certificate name | none; Default: none) | Device CA certificate |
| require-peer-certificate (yes | no; Default: no) | Require all connecting CAPs to have a valid certificate |
| package-path (string |; Default: ) | Folder location for the RouterOS packages. For example, use "/upgrade" to specify the upgrade folder from the files section. If empty string is set, CAPsMAN can use built-in RouterOS packages, note that in this case only CAPs with the same architecture as CAPsMAN will be upgraded. |
| upgrade-policy (none | require-same-version | suggest-same-upgrade; Default: none) | Upgrade policy options
|