lodex
just joined
Topic Author
Posts: 10
Joined: Wed Feb 21, 2024 7:46 pm

No default steering neighbour group with CAPsMAN

Fri Mar 08, 2024 1:41 pm

Hello there!
I recently got a single cAP ax for my homelab and am currently evaluating CAPsMAN for our office network. I got CAPsMAN set up with 3 cAP ax and everything is running smoothly so far. However, when it comes to steering neighbour groups with CAPsMAN, I am unsure if this is expected behaviour or a possible bug. The documentation states that without explicitly configuring a steering neighbour group, a dynamic group is created with all APs with the same SSID. While this is true for my single AP setup at home, the office setup shows no neighbour group at all unless I explicitly configure it. Is this expected behaviour?
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: No default steering neighbour group with CAPsMAN

Fri Mar 08, 2024 2:39 pm

By default, the following parameters are set in steering:
neighbour-group based on SSID
rrm = yes
wnm = yes

It's not because you do not see it that it is not working.
That's the whole point of default values.

Put it otherwise, how do you know it is not working ?

Tip:
open terminal and use /interface/wifi/steering/neighbor-group/print
I think you will see something there. A dynamic entry.
 
lodex
just joined
Topic Author
Posts: 10
Joined: Wed Feb 21, 2024 7:46 pm

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 10:51 am

Hi holvoetn,

that's exactly what I did. With the single AP setup at home, I can see the dynamic group when executing '/interface/wifi/steering/neighbor-group/print'. With the CAPsMAN setup, the list is empty unless I configure a neighbor-group explicitly.

My (sanitized) config looks like this:
[admin@ap001.of.kdk.network] > interface/wifi/actual-configuration/print 
 0 name="ap001.of.kdk.network-2G" l2mtu=1560 mac-address=<mac> arp-timeout=auto radio-mac=<mac>
   configuration.mode=ap .ssid="KDK-mt" .country=Germany .multicast-enhance=enabled 
   security.authentication-types=wpa2-eap,wpa3-eap .ft=yes .ft-over-ds=yes .connect-priority=0 
   datapath.bridge=bridge 
   channel.frequency=2452 .band=2ghz-ax .width=20mhz 
   steering.neighbor-group=ng1 .rrm=yes .wnm=yes 

 1 name="ap001.of.kdk.network-5G" l2mtu=1560 mac-address=<mac> arp-timeout=auto radio-mac=<mac>
   configuration.mode=ap .ssid="KDK-mt" .country=Germany .multicast-enhance=enabled 
   security.authentication-types=wpa2-eap,wpa3-eap .ft=yes .ft-over-ds=yes .connect-priority=0 
   datapath.bridge=bridge 
   channel.frequency=5500 .band=5ghz-ax .width=20/40/80mhz 
   steering.neighbor-group=ng1 .rrm=yes .wnm=yes 

 2 name="ap002.of.kdk.network-2G" mac-address=<mac> arp-timeout=auto radio-mac=<mac>
   configuration.mode=ap .ssid="KDK-mt" .country=Germany .multicast-enhance=enabled 
   security.authentication-types=wpa2-eap,wpa3-eap .ft=yes .ft-over-ds=yes .connect-priority=0/1 
   datapath.bridge=bridge 
   channel.frequency=2412 .band=2ghz-ax .width=20mhz 
   steering.neighbor-group=ng1 .rrm=yes .wnm=yes 

 3 name="ap002.of.kdk.network-5G" mac-address=<mac> arp-timeout=auto radio-mac=<mac> 
   configuration.mode=ap .ssid="KDK-mt" .country=Germany .multicast-enhance=enabled 
   security.authentication-types=wpa2-eap,wpa3-eap .ft=yes .ft-over-ds=yes .connect-priority=0/1 
   datapath.bridge=bridge 
   channel.frequency=5260 .band=5ghz-ax .width=20/40/80mhz 
   steering.neighbor-group=ng1 .rrm=yes .wnm=yes 

 4 name="ap003.of.kdk.network-2G" mac-address=<mac> arp-timeout=auto radio-mac=<mac> 
   configuration.mode=ap .ssid="KDK-mt" .country=Germany .multicast-enhance=enabled 
   security.authentication-types=wpa2-eap,wpa3-eap .ft=yes .ft-over-ds=yes .connect-priority=0/1 
   datapath.bridge=bridge 
   channel.frequency=2427 .band=2ghz-ax .width=20mhz 
   steering.neighbor-group=ng1 .rrm=yes .wnm=yes 

 5 name="ap003.of.kdk.network-5G" mac-address=<mac> arp-timeout=auto radio-mac=<mac>
   configuration.mode=ap .ssid="KDK-mt" .country=Germany .multicast-enhance=enabled 
   security.authentication-types=wpa2-eap,wpa3-eap .ft=yes .ft-over-ds=yes .connect-priority=0/1 
   datapath.bridge=bridge 
   channel.frequency=5580 .band=5ghz-ax .width=20/40/80mhz 
   steering.neighbor-group=ng1 .rrm=yes .wnm=yes

With 'steering.neighbor-group=ng1' a group is created and I can see all MAC addresses that are part of this group. Without this setting, no dynamic group is created.
 
ips
Frequent Visitor
Posts: 78
Joined: Mon Oct 09, 2023 6:48 pm
Location: Italy

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 1:24 pm

Silly question: the command
/interface/wifi/steering/neighbor-group/print
which returns an empty list is issued on the capsman device?
 
lodex
just joined
Topic Author
Posts: 10
Joined: Wed Feb 21, 2024 7:46 pm

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 2:50 pm

Yes, in which case it is 'ap001'
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 3:00 pm

If you use capsman, you should check this on capsman controller.

Don't set anything manually on the AP since it will overwrite capsman settings.
 
lodex
just joined
Topic Author
Posts: 10
Joined: Wed Feb 21, 2024 7:46 pm

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 3:12 pm

All configuration is done on the CAPsMAN controller and, like I said, I did issue the command on the controller as well. Basically all I did on the CAPs was set them into caps-mode and change the password.
 
ips
Frequent Visitor
Posts: 78
Joined: Mon Oct 09, 2023 6:48 pm
Location: Italy

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 3:34 pm

Thus, am I right if I say that one of the cAP ax is the capsman controller (ap001) and the other two are CAPs? (Sorry, I imagined that there was a 4th device involved.)

Another probably silly question: how are the wifi interfaces configured on ap001? Using capsman or by directly applying the configurations to the interfaces?

Moreover, do you mind sharing your exported configuration?
 
lodex
just joined
Topic Author
Posts: 10
Joined: Wed Feb 21, 2024 7:46 pm

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 3:44 pm

No problem, I could have been more specific with the general setup in the first place. Just to make this clear, you are correct: 'ap001' is the CAPsMAN controller, the other two cAP ax's are configured as CAPs, no other MT components involved. Configuration profiles of 'ap001' are configured directly on the interfaces.
Here's a config export:
[admin@ap001.of.kdk.network] /interface/wifi> /export 
# 2024-03-12 14:41:57 by RouterOS 7.14
# software id = LNBX-T6UL
#
# model = cAPGi-5HaxD2HaxD
# serial number = <serialnumber>
/interface bridge
add admin-mac=<mac> auto-mac=no comment=defconf name=bridge port-cost-mode=short vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412 name=2G_ch1 width=20mhz
add band=2ghz-ax disabled=no frequency=2427 name=2G_ch6 width=20mhz
add band=2ghz-ax disabled=no frequency=2452 name=2G_ch11 width=20mhz
add band=5ghz-ax disabled=no frequency=5260 name=5G_ch58 width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5500 name=5G_ch106 width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5580 name=5G_ch122 width=20/40/80mhz
/interface wifi datapath
add bridge=bridge disabled=no name=dyn_vlan
/interface wifi security
add authentication-types=wpa2-eap,wpa3-eap connect-priority=0/1 disabled=no ft=yes ft-over-ds=yes name=wpa-eap
/interface wifi steering
add disabled=no name=steering1 neighbor-group=ng1 rrm=yes wnm=yes
/interface wifi configuration
add channel=2G_ch1 country=Germany datapath=dyn_vlan mode=ap multicast-enhance=enabled name=KDK_2G_ch1 security=wpa-eap ssid=KDK-mt steering=steering1
add channel=2G_ch6 country=Germany datapath=dyn_vlan mode=ap multicast-enhance=enabled name=KDK_2G_ch6 security=wpa-eap ssid=KDK-mt steering=steering1
add channel=2G_ch11 country=Germany datapath=dyn_vlan mode=ap multicast-enhance=enabled name=KDK_2G_ch11 security=wpa-eap ssid=KDK-mt steering=steering1
add channel=5G_ch58 country=Germany datapath=dyn_vlan mode=ap multicast-enhance=enabled name=KDK_5G_ch58 security=wpa-eap ssid=KDK-mt steering=steering1
add channel=5G_ch106 country=Germany datapath=dyn_vlan mode=ap multicast-enhance=enabled name=KDK_5G_ch106 security=wpa-eap ssid=KDK-mt steering=steering1
add channel=5G_ch122 country=Germany datapath=dyn_vlan mode=ap multicast-enhance=enabled name=KDK_5G_ch122 security=wpa-eap ssid=KDK-mt steering=steering1
/interface wifi
set [ find default-name=wifi2 ] configuration=KDK_2G_ch11 configuration.mode=ap disabled=no name=ap001.of.kdk.network-2G security.connect-priority=0
set [ find default-name=wifi1 ] configuration=KDK_5G_ch58 configuration.mode=ap disabled=no name=ap001.of.kdk.network-5G security.connect-priority=0
/interface bridge port
add bridge=bridge comment=defconf interface=ap001.of.kdk.network-5G internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf interface=ap001.of.kdk.network-2G internal-path-cost=10 path-cost=10
add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge comment=kdk-of-cl01-303 tagged=ether1,ap001.of.kdk.network-5G,ap001.of.kdk.network-2G vlan-ids=303
add bridge=bridge comment=kdk-of-dvc-305 tagged=ether1,ap001.of.kdk.network-2G,ap001.of.kdk.network-5G vlan-ids=305
/interface dot1x client
add eap-methods=eap-peap identity="ap001\$" interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
/interface wifi capsman
set ca-certificate=auto certificate=auto enabled=yes interfaces=bridge package-path="" require-peer-certificate=no upgrade-policy=suggest-same-version
/interface wifi provisioning
add action=create-dynamic-enabled comment=ap002_2G disabled=no identity-regexp=ap002.of.kdk.network master-configuration=KDK_2G_ch1 name-format=%I-2G supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=ap002_5G disabled=no identity-regexp=ap002.of.kdk.network master-configuration=KDK_5G_ch106 name-format=%I-5G supported-bands=5ghz-ax
add action=create-dynamic-enabled comment=ap003_2G disabled=no identity-regexp=ap003.of.kdk.network master-configuration=KDK_2G_ch6 name-format=%I-2G supported-bands=2ghz-ax
add action=create-dynamic-enabled comment=ap003_5G disabled=no identity-regexp=ap003.of.kdk.network master-configuration=KDK_5G_ch122 name-format=%I-5G supported-bands=5ghz-ax
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/radius
add address=10.200.1.101 comment=com01.of.kdk.network service=wireless
add address=10.200.1.102 comment=com02.of.kdk.network service=wireless
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=ap001.of.kdk.network
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp01.of.kdk.network
add address=ntp02.of.kdk.network
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 3:54 pm

If you go in Wifi / Steering, the button on the top with neighbor groups, doesn't it show a dynamic group ?

I have nothing configured in steering nor configuration and all radios with the same SSID nicely come together in one single dynamic steering group.
 
lodex
just joined
Topic Author
Posts: 10
Joined: Wed Feb 21, 2024 7:46 pm

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 3:57 pm

No, there are 0 items if I don't explicitly configure a neighbor-group.
 
ips
Frequent Visitor
Posts: 78
Joined: Mon Oct 09, 2023 6:48 pm
Location: Italy

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 4:08 pm

I don't have any specific suspect, as your configuration seems similar to mine (with 2 APs instead of 3) and I do have the expected dynamic neighbor groups.

One possible (unrelated) error is the configuration of the dhcp client (which you probably have to remove).

Some random pointers to check (probably unrelated, just the main differences with my config):
  • You are using EAP, while I am using PSK. Can you try to change to WPA2-PSK?
  • The SSID has a "-". Can you try to remove it? (Maybe there is some bug...)
  • I cannot understand your topology (how are the other APs connected? Via a switch?) and how you configured the VLANs/datapaths
 
lodex
just joined
Topic Author
Posts: 10
Joined: Wed Feb 21, 2024 7:46 pm

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 4:22 pm

What exactly do you mean with configuration error of the DHCP client?

The topology is as follows:
  • all APs are managed within the same VLAN, which is the native VLAN configured on the switch ports
  • all APs are getting a static DHCP lease
  • VLAN IDs for wireless clients are dynamically assigned by RADIUS attributes
 
ips
Frequent Visitor
Posts: 78
Joined: Mon Oct 09, 2023 6:48 pm
Location: Italy

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 4:40 pm

I apologize if I was not clear. Your configuration includes
/ip dhcp-client
# DHCP client can not run on slave or passthrough interface!
add comment=defconf interface=ether1
while ether1 is part of the bridge. And I don't see how your APs (at least ap001) get their lease.

I am not experienced enough to assess if your VLAN config is correct. I am expecting something different (for example, vlan-ids set in datapath, since you are using ax devices), but I cannot conclude that there are errors in the config. I apologize if my observation added noise to the discussion.

Apart from my previous list (quite vague), I am out of ideas.
 
lodex
just joined
Topic Author
Posts: 10
Joined: Wed Feb 21, 2024 7:46 pm

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 4:43 pm

  • You are using EAP, while I am using PSK. Can you try to change to WPA2-PSK?
Aaand you got 100 points! As soon as I configured WPA-PSK as authentication mechanism, a dynamic neighbor-group is created. Thank you for helping me to pinpoint the problem! The next question is: What now? Is this something where I can open a support ticket at MT?
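
An audit check for the behaviour pinned down in this thread, as an added example (not code from any poster or from MikroTik): it reads an `/export` and lists wifi configurations that use an EAP authentication type but set no explicit `neighbor-group`, the combination for which no dynamic group appeared on RouterOS 7.14 above. The sample export is constructed; the profile names `guest-psk` and `steering-nogroup` are hypothetical.

```python
import shlex

# Constructed sample, trimmed from the style of the export posted above.
# KDK_5G_ch58 and KDK_2G_ch6 are altered so that no neighbor-group is set;
# "guest-psk" and "steering-nogroup" are hypothetical profile names.
SAMPLE_EXPORT = """\
/interface wifi security
add authentication-types=wpa2-eap,wpa3-eap ft=yes ft-over-ds=yes name=wpa-eap
add authentication-types=wpa2-psk name=guest-psk
/interface wifi steering
add disabled=no name=steering1 neighbor-group=ng1 rrm=yes wnm=yes
add disabled=no name=steering-nogroup rrm=yes wnm=yes
/interface wifi configuration
add channel=2G_ch1 mode=ap name=KDK_2G_ch1 security=wpa-eap ssid=KDK-mt steering=steering1
add channel=5G_ch58 mode=ap name=KDK_5G_ch58 security=wpa-eap ssid=KDK-mt
add mode=ap name=KDK_2G_ch6 security=wpa-eap ssid=KDK-mt steering=steering-nogroup
add mode=ap name=guest security=guest-psk ssid=KDK-guest
"""

SECTIONS = ("/interface wifi security", "/interface wifi steering",
            "/interface wifi configuration")


def parse_export(text):
    """Return {section: {profile name: {key: value}}} for the wifi sections."""
    text = text.replace("\\\n", "")  # join RouterOS line continuations
    profiles = {s: {} for s in SECTIONS}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line if line in SECTIONS else None
        elif section and line.startswith("add "):
            tokens = shlex.split(line[4:])  # honours quoted values
            fields = dict(t.split("=", 1) for t in tokens if "=" in t)
            if "name" in fields:
                profiles[section][fields["name"]] = fields
    return profiles


def eap_without_explicit_group(text):
    """Configurations using EAP that rely on the dynamic neighbor group."""
    parsed = parse_export(text)
    sec, steer, conf = (parsed[s] for s in SECTIONS)
    flagged = []
    for name, cfg in conf.items():
        # Inline overrides (security.x / steering.x) win over profile values.
        auth = (cfg.get("security.authentication-types")
                or sec.get(cfg.get("security"), {}).get("authentication-types", ""))
        group = (cfg.get("steering.neighbor-group")
                 or steer.get(cfg.get("steering"), {}).get("neighbor-group"))
        if any("-eap" in t for t in auth.split(",")) and not group:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in eap_without_explicit_group(SAMPLE_EXPORT):
        print(f"{name}: EAP in use, no explicit steering neighbor-group")
```

Each flagged configuration keeps its EAP security profile and can be given a steering profile with `neighbor-group` set, which is the setting reported above to produce a visible group.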
 
holvoetn
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 4:46 pm

Definitely.
support AT mikrotik DOT com
 
ips
Frequent Visitor
Posts: 78
Joined: Mon Oct 09, 2023 6:48 pm
Location: Italy

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 4:48 pm

And please report back the outcome! :)
 
lodex
just joined
Topic Author
Posts: 10
Joined: Wed Feb 21, 2024 7:46 pm

Re: No default steering neighbour group with CAPsMAN

Tue Mar 12, 2024 4:52 pm

Thank you guys, I will report back as soon as I have a reply. And thank you for pointing out the configuration error with the DHCP client. Now all I have to do is figure out a way to change the config without locking myself out xD
 
lodex
just joined
Topic Author
Posts: 10
Joined: Wed Feb 21, 2024 7:46 pm

Re: No default steering neighbour group with CAPsMAN

Tue Apr 02, 2024 12:55 pm

It's been three weeks now without any response from MT support. Is this to be expected??
Will keep you posted as soon as I know more.
