harenber
just joined
Topic Author
Posts: 9
Joined: Tue Aug 03, 2021 9:22 am

new capsman client works on hAP ac2 but not on wAP ac

Sat Feb 10, 2024 6:55 pm

Dear all,

I have - among others - one hAP ac2 and two wAP ac in my network, plus a 4011 which serves as the central server holding the CAPsMAN configurations.

Wanted to upgrade to WPA3, so I upgraded to the newest RouterOS and installed the wifi-qcom-ac package to those devices. In addition, I configured the new CAPsMAN on the 4011. All that went well, configured the clients (hAP ac2 and wAP ac) with:
[admin@wAP_1OG] /interface/wifi/cap> export 

/interface wifi cap
set caps-man-addresses=192.168.188.2 enabled=yes

The hAP ac2 configures its Wifi devices just fine:
[admin@hAP_ac2] /interface/wifi> print 
Flags: M - MASTER; D - DYNAMIC; B - BOUND; R - RUNNING
Columns: NAME, MASTER-INTERFACE, CONFIGURATION.MODE
#      NAME   MASTER-INTERFACE  CONFIGURATION.MODE
;;; managed by CAPsMAN
;;; mode: AP, SSID: KWERTH, channel: 2427/n/Ce
0 M BR wifi1                    ap                
                                                  
;;; managed by CAPsMAN
;;; mode: AP, SSID: KWERTH, channel: 5560/ac/eeeC
1 M BR wifi2                    ap                
                                                  
;;; managed by CAPsMAN
;;; mode: AP, SSID: KWERTH-neu-guest
2  DBR wifi5  wifi1                               
                                                  
;;; managed by CAPsMAN
;;; mode: AP, SSID: KWERTH-neu-guest
3  DBR wifi6  wifi2                          
On the wAP ac, however, the Wifi devices do not get configured:
[admin@wAP_1OG] /interface/wifi> print 
Flags: M - MASTER; B - BOUND; I - INACTIVE
Columns: NAME, CONFIGURATION.MODE
#     NAME   CONFIGURATION.MODE
;;; SSID not set
0 MBI wifi1  ap                
;;; SSID not set
1 MBI wifi2  ap                    
although the CAPsMAN reports both devices:
[admin@main] /interface/wifi/capsman/remote-cap> print 
Columns: ADDRESS, IDENTITY, STATE, BOARD-NAME, VERSION
#  ADDRESS        IDENTITY  STATE  BOARD-NAME        VERSION
0  192.168.188.5  hAP_ac2   Ok     RBD52G-5HacD2HnD  7.13.4 
1  192.168.188.4  wAP_1OG   Ok     RBwAPG-5HacD2HnD  7.13.4 
The CAPsMAN configuration on the 4011 is:
[admin@main] /interface/wifi> export hide-sensitive 
# 2024-02-10 17:49:26 by RouterOS 7.13.4
# software id = WHLS-MP2M
#
# model = RB4011iGS+
# serial number = D4480D447A7F
/interface wifi datapath
add bridge=bridge disabled=no name=GUEST vlan-id=2
add bridge=bridge disabled=no name=DEFAULT vlan-id=none
/interface wifi security
add authentication-types=wpa2-eap,wpa3-psk disabled=no ft=yes ft-over-ds=yes \
    name=KWERTH-sec
add authentication-types=wpa3-psk disabled=no ft=yes ft-over-ds=yes name=\
    KWERTH-guest-sec
/interface wifi configuration
add country=Germany datapath=DEFAULT disabled=no mode=ap name=KWERTH security=\
    KWERTH-sec security.ft=yes .ft-over-ds=yes ssid=KWERTH
add country=Germany datapath=GUEST disabled=no mode=ap name=KWERTH-Guest \
    security=KWERTH-guest-sec security.ft=yes .ft-over-ds=yes ssid=\
    KWERTH-neu-guest
/interface wifi capsman
set ca-certificate=auto enabled=yes package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=KWERTH \
    name-format=cap-wifi-%I slave-configurations=KWERTH-Guest
[admin@main] /interface/wifi> 
Nothing in the log of the non-working wAP ac. Only
 17:37:18 caps,info selected CAPsMAN main@192.168.188.2
 17:37:18 caps,info connected to main@192.168.188.2
 
Any idea what goes wrong here?
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: new capsman client works on hAP ac2 but not on wAP ac

Sat Feb 10, 2024 8:26 pm

Try to delete certificates on capsman controller.
 
harenber
just joined
Topic Author
Posts: 9
Joined: Tue Aug 03, 2021 9:22 am

Re: new capsman client works on hAP ac2 but not on wAP ac

Sat Feb 10, 2024 9:06 pm

Thanks for the quick reply.

Deleted both certificates and disabled+re-enabled capsman:
[admin@main] /interface/wifi/capsman> print 
                   enabled: yes
            ca-certificate: auto
  require-peer-certificate: no
              package-path: 
            upgrade-policy: none
  generated-ca-certificate: WiFi-CAPsMAN-CA-085531FA5602
     generated-certificate: WiFi-CAPsMAN-085531FA5602
     
 [admin@main] /interface/wifi/capsman> /certificate/
[admin@main] /certificate> print 
Flags: K - PRIVATE-KEY; A - AUTHORITY; I - ISSUED; T - TRUSTED
Columns: NAME, COMMON-NAME, SKID
#      NAME                          COMMON-NAME                   SKID                                    
0    T quad9-net.pem_0               DigiCert Global Root CA       03de503556d14cbb66f0a3e21b1bc397b23dd155
1 KA T WiFi-CAPsMAN-CA-085531FA5602  WiFi-CAPsMAN-CA-085531FA5602  347c566ec3606287ed0c200d27bc1781eb6582dd
2 K I  WiFi-CAPsMAN-085531FA5602     WiFi-CAPsMAN-085531FA5602     8098ddcdc0b75e6461ff6525c4a0d21f4cef2102

[admin@main] /certificate> remove 2  
[admin@main] /certificate> remove 1
[admin@main] /certificate> /interface/wifi/capsman/
[admin@main] /interface/wifi/capsman> print 
                   enabled: yes
            ca-certificate: auto
  require-peer-certificate: no
              package-path: 
            upgrade-policy: none
  generated-ca-certificate: *2
     generated-certificate: *3
[admin@main] /interface/wifi/capsman>set enabled=no
[admin@main] /interface/wifi/capsman> set ca-certificate=auto 
[admin@main] /interface/wifi/capsman> set enabled=yes
[admin@main] /interface/wifi/capsman> print 
                   enabled: yes
            ca-certificate: auto
  require-peer-certificate: no
              package-path: 
            upgrade-policy: none
  generated-ca-certificate: WiFi-CAPsMAN-CA-085531FA5602
     generated-certificate: WiFi-CAPsMAN-085531FA5602
[admin@main] /interface/wifi/capsman> /certificate/print 
Flags: K - PRIVATE-KEY; A - AUTHORITY; I - ISSUED; T - TRUSTED
Columns: NAME, COMMON-NAME, SKID
#      NAME                          COMMON-NAME                   SKID                                    
0    T quad9-net.pem_0               DigiCert Global Root CA       03de503556d14cbb66f0a3e21b1bc397b23dd155
1 KA T WiFi-CAPsMAN-CA-085531FA5602  WiFi-CAPsMAN-CA-085531FA5602  8790dddd561131b586ce9f2946f74275d8c60dd7
2 K I  WiFi-CAPsMAN-085531FA5602     WiFi-CAPsMAN-085531FA5602     516a3d4d3fae51af01bc3d6072d3ef4e9c446a26
[admin@main] /interface/wifi/capsman> 
    
Unfortunately, this didn't change the situation on the clients. The wAP ac is still not configuring its wifi devices.
[admin@wAP_1OG] /interface/wifi/cap> print 
             enabled: yes
  caps-man-addresses: 192.168.188.2
[admin@wAP_1OG] /interface/wifi/cap> set caps-man-addresses=""
[admin@wAP_1OG] /interface/wifi/cap> print                    
             enabled: yes
  caps-man-addresses: 
[admin@wAP_1OG] /interface/wifi/cap> set enabled=no 
[admin@wAP_1OG] /interface/wifi/cap> print 
             enabled: no
  caps-man-addresses: 
[admin@wAP_1OG] /interface/wifi/cap> ..

[admin@wAP_1OG] /interface/wifi> print 
Flags: M - MASTER; B - BOUND; X - DISABLED, I - INACTIVE
Columns: NAME
#     NAME 
0 MBX wifi1
1 MBX wifi2
[admin@wAP_1OG] /interface/wifi> reset 0,1
[admin@wAP_1OG] /interface/wifi> cap/
[admin@wAP_1OG] /interface/wifi/cap> set caps-man-addresses=192.168.188.2
[admin@wAP_1OG] /interface/wifi/cap> set enabled=yes
[admin@wAP_1OG] /interface/wifi/cap> ..
[admin@wAP_1OG] /interface/wifi> print detail 
Flags: M - master; D - dynamic; B - bound; X - disabled, I - inactive, R - running 
 0 M BX default-name="wifi1" name="wifi1" l2mtu=1560 mac-address=08:55:31:E2:2F:F2 arp-timeout=auto radio-mac=08:55:31:E2:2F:F2 

 1 M BX default-name="wifi2" name="wifi2" l2mtu=1560 mac-address=08:55:31:E2:2F:F3 arp-timeout=auto radio-mac=08:55:31:E2:2F:F3 

 
harenber
just joined
Topic Author
Posts: 9
Joined: Tue Aug 03, 2021 9:22 am

Re: new capsman client works on hAP ac2 but not on wAP ac

Sat Feb 10, 2024 10:04 pm

Just see that the device is complaining about a problem after installing the wifi-qcom-ac package.
 20:47:51 system,info installed wifi-qcom-ac-7.13.4
 20:47:51 system,info router rebooted
 20:47:53 script,error script error: error - contact MikroTik support and send a supout file (2)
 20:48:01 bridge,info hardware offloading activated on bridge "bridge" ports: ether1,ether2
 20:48:04 interface,info ether1 link up (speed 1G, full duplex)
 20:48:07 caps,info selected CAPsMAN main@192.168.188.2
 20:48:07 caps,info connected to main@192.168.188.2
 20:49:06 system,critical,info ntp change time Feb/10/2024 20:48:12 => Feb/10/2024 20:49:06
 20:49:07 system,info,account user admin logged in from 192.168.188.19 via ssh
Opened a ticket and will roll back to the old driver now ...
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: new capsman client works on hAP ac2 but not on wAP ac

Sun Feb 11, 2024 3:29 pm

Is the wAP ac a mipsbe or an arm device? Only the latter is supported.
 
harenber
just joined
Topic Author
Posts: 9
Joined: Tue Aug 03, 2021 9:22 am

Re: new capsman client works on hAP ac2 but not on wAP ac

Sun Feb 11, 2024 4:48 pm

Perfectly ARM:
[admin@wAP_1OG] > /system/resource/print
                   uptime: 18h38m40s
                  version: 7.13.4 (stable)
               build-time: Feb/07/2024 09:59:26
         factory-software: 6.44.6
              free-memory: 57.8MiB
             total-memory: 128.0MiB
                      cpu: ARM
                cpu-count: 4
            cpu-frequency: 448MHz
                 cpu-load: 0%
           free-hdd-space: 860.0KiB
          total-hdd-space: 15.2MiB
  write-sect-since-reboot: 407
         write-sect-total: 158324
        architecture-name: arm
               board-name: wAP ac
                 platform: MikroTik
[admin@wAP_1OG] >
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: new capsman client works on hAP ac2 but not on wAP ac

Sun Feb 11, 2024 4:58 pm

"Just see that the device is complaining about a problem after installing the wifi-qcom-ac package."
Since the device is used in caps mode, can you reset to default config and then enable caps mode again?
Does it show the same error?

Anyhow, the error message indicates support should be contacted (which you already did).
 
Amm0
Forum Guru
Posts: 3509
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: new capsman client works on hAP ac2 but not on wAP ac

Sun Feb 11, 2024 6:01 pm

I have not tested the wAPac with capsman2 (e.g. new drivers with ZeroTier don't fit).

There were changes in the default configuration for the hAPac2 in some recent release that fixed this problem. They might not have fixed the defconf on the wAPac, dunno.

You can check this by comparing output from the following between wAPac and hAPac2:
/system/default-configuration/caps-mode-script/print

But you should be able to enable CAP mode manually in config ...if you only had a few units.
 
shahjaufar
just joined
Posts: 11
Joined: Mon Aug 19, 2013 9:04 pm

Re: new capsman client works on hAP ac2 but not on wAP ac

Sun Feb 11, 2024 8:23 pm

same, wap ac not working in new capsman
 
harenber
just joined
Topic Author
Posts: 9
Joined: Tue Aug 03, 2021 9:22 am

Re: new capsman client works on hAP ac2 but not on wAP ac

Mon Feb 12, 2024 9:44 am

Already got a reply from MikroTik support:
We are aware of this issue, and we look forward to fixing it on upcoming RouterOS versions.
(SUP-143488)
 
erlinden
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: new capsman client works on hAP ac2 but not on wAP ac  [SOLVED]

Mon Feb 12, 2024 9:52 am

I have wAP ac's running perfectly fine on two different locations. Used the reset-default with CAPS-Mode and afterwards did some magic to support VLANs and multiple SSIDs. Came from version 7.13.2 and upgraded to 7.13.3 and 7.13.4.

Any steps from this help page that you didn't do?
https://help.mikrotik.com/docs/display/ ... ionexample:
 
harenber
just joined
Topic Author
Posts: 9
Joined: Tue Aug 03, 2021 9:22 am

Re: new capsman client works on hAP ac2 but not on wAP ac

Wed Feb 14, 2024 4:07 pm

@shahjaufar glad to hear that I'm not alone...

So.. I also have a brand-new wAP R ac here. It was on default config (never used before, still with RouterOS 6). Upgraded the official way (first to the latest v6, then to 7.12.1, then to 7.13.4).

Result:

As soon as you install the wifi-qcom-ac package, you'll have the
 13:29:05 script,error script error: error - contact MikroTik support and send a supout file (2)
error message in the log.

Then, the **only** change to the default config I made was to set the caps-man-address.

Result, as before, the caps-man server has the new device in its list of remote-cap:
[admin@main] /interface/wifi/capsman/remote-cap> print 
Columns: ADDRESS, IDENTITY, STATE, BOARD-NAME, VERSION
#  ADDRESS         IDENTITY  STATE  BOARD-NAME         VERSION
0  192.168.188.5   hAP_ac2   Ok     RBD52G-5HacD2HnD   7.13.4 
1  192.168.188.4   wAP_1OG   Ok     RBwAPG-5HacD2HnD   7.13.4 
2  192.168.188.34  MikroTik  Ok     RBwAPGR-5HacD2HnD  7.13.4 
[admin@main] /interface/wifi/capsman/remote-cap> 
But as before, the Wifi devices stay unconfigured. The same caps-man server configures, however, my hAP ac^2 just fine.

The approach brought up by @Amm0 sounds interesting.

I compared the two scripts, they seem to only differ in a CR being at a different place:
$ diff hap wap
135,136c135,136
<                         :local removeDatapath [:parse "/interface $wirelessMenu datapath remove [find comment=\"defconf\
< "]"]
---
>                         :local removeDatapath [:parse "/interface $wirelessMenu datapath remove [find comment=\
> "defconf\"]"]
So.. next step as advised by @erlinden: reset to default (which is somehow silly, as the wAP is brand new) with caps-mode on. This, however, surprisingly worked. Funny enough, afterwards the script error does not re-appear.

I hope that this rather lengthy post (sorry for that) helps others. Would still consider the current wAP ac driver being buggy, as my initial approach without a full reset should be valid, worked with the old CAPsMAN and also still works with the hAP ac^2.
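
The script comparison from the post above, as an added example that is not part of the original thread: plain `diff` flags lines that differ only in where a line break falls, so this Python helper line-diffs two saved script dumps and labels each changed hunk as wrap-only or as a real content change. The function name `classify_hunks` and the "# context" lines are assumptions made for illustration; the two script lines are the ones shown in the diff in the post.

```python
import difflib

# Lines 135-136 of each dump as shown in the post's diff; the "# context"
# lines are constructed so the sample is self-contained.
HAP = r'''# context (constructed)
                        :local removeDatapath [:parse "/interface $wirelessMenu datapath remove [find comment=\"defconf\
"]"]
# context (constructed)
'''
WAP = r'''# context (constructed)
                        :local removeDatapath [:parse "/interface $wirelessMenu datapath remove [find comment=\
"defconf\"]"]
# context (constructed)
'''


def classify_hunks(a_text, b_text):
    """Line-diff two script dumps and label every changed hunk.

    A hunk is "wrap-only" when its lines, joined with the line breaks
    removed, are identical on both sides: the same characters were only
    broken at a different column. Anything else is "content".
    """
    a, b = a_text.splitlines(), b_text.splitlines()
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    hunks = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        same = "".join(a[i1:i2]) == "".join(b[j1:j2])
        hunks.append({
            "a_lines": (i1 + 1, i2),   # 1-based, inclusive
            "b_lines": (j1 + 1, j2),
            "kind": "wrap-only" if same else "content",
        })
    return hunks


if __name__ == "__main__":
    for hunk in classify_hunks(HAP, WAP):
        print(hunk)
    # A constructed variant with a real change, for contrast.
    for hunk in classify_hunks(HAP, WAP.replace("defconf", "custom")):
        print(hunk)
```

Only hunks reported as "content" need a manual read; a "wrap-only" hunk carries the same characters on both devices.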
