

/caps-man aaa

Settings to configure CAPsMAN AAA functionality are found in /caps-man aaa menu:

Property / Description

mac-format (string; Default: XX:XX:XX:XX:XX:XX)
    Controls how the MAC address of the client is encoded by the Access Point in the User-Name attribute of MAC authentication and MAC accounting RADIUS requests.

mac-mode (as-username | as-username-and-password; Default: as-username)
    By default the Access Point uses an empty password when sending an Access-Request during MAC authentication. When this property is set to as-username-and-password, the Access Point uses the same value for the User-Password attribute as for the User-Name attribute.

mac-caching (disabled | time-interval; Default: disabled)
    If set to a time interval, the Access Point caches RADIUS MAC authentication responses for the specified time and does not contact the RADIUS server while a matching cache entry exists. The value disabled turns the cache off; the Access Point then always contacts the RADIUS server.

interim-update (disabled | time-interval; Default: disabled)
    When RADIUS accounting is used, the Access Point periodically sends accounting information updates to the RADIUS server. This property specifies the default update interval, which the RADIUS server can override using the Acct-Interim-Interval attribute.

called-format (mac | mac:ssid | ssid; Default: mac:ssid)
    Format in which the "called-id" identifier is passed to RADIUS. When configuring RADIUS server clients, you can specify "called-id" in order to separate multiple entries.

Example

The examples assume that the rest of the settings are already configured and only the "Security" part has been left.

Radius authentication with one server

1. Create CAPsMAN security configuration

2. Configure Radius server client

3. Assign the configuration to your master profile (or directly to CAP itself)

/caps-man security add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=radius
/radius add address=x.x.x.x secret=SecretUserPass service=wireless
/caps-man configuration set security=radius


Radius authentication with different radius servers for each SSID

1. Create CAPsMAN security configuration

2. Configure AAA settings

3. Configure Radius server clients

4. Assign the configuration to your master profile (or directly to CAP itself)

/caps-man security add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=radius
/caps-man aaa set called-format=ssid
/radius add address=x.x.x.x secret=SecretUserPass service=wireless called-id=SSID1
/radius add address=y.y.y.y secret=SecretUserPass service=wireless called-id=SSID2
/caps-man configuration set security=radius

Now everyone connecting to CAPs with ssid=SSID1 will have their RADIUS authentication requests sent to x.x.x.x, and everyone connecting to CAPs with ssid=SSID2 will have theirs sent to y.y.y.y.

/caps-man access-list

The access list on CAPsMAN is an ordered list of rules used to allow or deny clients connecting to any CAP under CAPsMAN control. When a client attempts to connect to a CAP controlled by CAPsMAN, the CAP forwards that request to CAPsMAN. As part of the registration process, CAPsMAN consults the access list to determine whether the client should be allowed to connect. The default behaviour of the access list is to allow the connection.

Access list rules are processed one by one until a matching rule is found; the action in the matching rule is then executed. If the action specifies that the client should be accepted, the client is accepted, potentially overriding its default connection parameters with the ones specified in the access list rule.

Access list is configured in /caps-man access-list menu. There are the following parameters for access list rules:

  • client matching parameters:
    • address - MAC address of client
    • mask - MAC address mask to apply when comparing client address
    • interface - optional interface name that is compared with the interface the client actually connects to
    • time - time of day and days when rule matches
    • signal-range - range in which client signal must fit for rule to match
    • allow-signal-out-of-range - option which permits client's signal to be out of the range always or for some time interval
  • action parameter - specifies action to take when client matches:
    • accept - accept client
    • reject - reject client
    • query-radius - query RADIUS server if particular client is allowed to connect
  • connection parameters:
    • ap-tx-limit - tx speed limit in direction to client
    • client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)
    • client-to-client-forwarding - specifies whether to allow forwarding data received from this client to other clients connected to the same interface
    • private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used
    • radius-accounting - specifies if RADIUS traffic accounting should be used if RADIUS authentication gets done for this client
    • vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).
    • vlan-id - VLAN ID to use if doing VLAN tagging.
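The following access list is an added example, not part of the original page, showing how rule order and the final catch-all interact with the default allow behaviour described above. The MAC addresses, OUI prefix, passphrase, VLAN ID and the interface name cap-guest are constructed placeholders.

```routeros
# Added example (not from the original page). Rules are evaluated top to
# bottom; the first match wins. All addresses, names and values are placeholders.

# 1. A known device: accept with its own PSK, tagged onto VLAN 10.
/caps-man access-list add address=00:11:22:33:44:55 mask=FF:FF:FF:FF:FF:FF \
    action=accept private-passphrase="Device1-PSK-Placeholder" \
    vlan-mode=use-tag vlan-id=10 comment="known device"

# 2. Any client whose first three octets match one vendor OUI: ask RADIUS
#    whether it may connect, and run RADIUS accounting for it if accepted.
/caps-man access-list add address=AA:BB:CC:00:00:00 mask=FF:FF:FF:00:00:00 \
    action=query-radius radius-accounting=yes comment="vendor OUI via RADIUS"

# 3. Clients on the guest CAP interface are accepted only with a usable
#    signal (dBm, -75..120); they are isolated from each other and rate
#    limited. allow-signal-out-of-range=10s lets an accepted client fade below
#    -75 dBm for 10 seconds before it is dropped.
/caps-man access-list add interface=cap-guest signal-range=-75..120 \
    allow-signal-out-of-range=10s action=accept client-to-client-forwarding=no \
    ap-tx-limit=5000000 comment="guest: good signal only, isolated"

# 4. Catch-all. Without this rule the implicit default would accept every
#    client that matched none of the rules above, including weak-signal
#    guests that fell through rule 3.
/caps-man access-list add action=reject comment="deny everything else"
```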

/caps-man actual-interface-configuration

/caps-man channel

/caps-man configuration

/caps-man datapath

/caps-man interface

/caps-man manager

Property / Description

enabled (yes | no; Default: no)
    Disable or enable CAPsMAN functionality.

certificate (auto | certificate name | none; Default: none)
    Device certificate.

ca-certificate (auto | certificate name | none; Default: none)
    Device CA certificate.

require-peer-certificate (yes | no; Default: no)
    Require all connecting CAPs to have a valid certificate.

package-path (string; Default: "")
    Folder location for the RouterOS packages. For example, use "/upgrade" to specify the upgrade folder from the files section. If an empty string is set, CAPsMAN can use built-in RouterOS packages; note that in this case only CAPs with the same architecture as CAPsMAN will be upgraded.

upgrade-policy (none | require-same-version | suggest-same-version; Default: none)
    Upgrade policy options:
  • none - do not perform an upgrade
  • require-same-version - CAPsMAN suggests upgrading the CAP RouterOS version and, if that fails, does not provision the CAP (manual provisioning is still possible)
  • suggest-same-version - CAPsMAN suggests upgrading the CAP RouterOS version and, if that fails, provisions the CAP anyway

/caps-man provisioning

/caps-man radio

/caps-man rates

/caps-man registration-table

/caps-man remote-cap

/caps-man security
