Can't Get Dynamic VLAN Assignment Working via CAPsMAN (hAP ax³ + CCR2004)

Hi everyone,

I’ve been trying to set up dynamic VLAN assignment over CAPsMAN and hit a wall. Hoping someone here has ideas or maybe sees what I’ve missed.

Setup:

  • CAPsMAN is running on a CCR2004
  • CAP is a hAP ax³
  • Using wifiwave2 interfaces with WPA2/3-EAP (PEAP-MSCHAPv2)
  • RADIUS is handled by User Manager on the CCR
  • Certificates (CA and server) are created and trusted
  • VLAN 11 is used for control communication between CAP and CAPsMAN

What I want:

  • Clients connect to a WPA2/3-EAP SSID.
  • Based on RADIUS reply, they get assigned to VLAN 100, 101, etc.
  • I want this to be fully dynamic — no VLAN hardcoded in the datapath.

What’s working:

  • Wired dynamic VLAN assignment works perfectly.
    • I’ve tested laptops and PCs plugged into access ports.
    • They get the right VLAN from RADIUS and receive DHCP leases just fine.
  • In wireless:
    • The CAP registers under CAPsMAN.
    • EAP auth completes successfully.
    • RADIUS replies look good and include all required VLAN attributes.
    • If I hardcode VLAN ID in the datapath, client gets IP and connects fine.
    • So DHCP, RADIUS, VLANs, bridges — all work individually.

Problem:

  • If I don’t set a VLAN ID in the datapath, the client associates and gets authenticated,
    but then hangs at “Obtaining IP address”.
  • No DHCP traffic reaches the intended VLAN.
  • No errors in CAPsMAN or CAP logs.
  • It’s like the VLAN from RADIUS never actually gets applied to the wireless interface.

A few extra notes:

  • All bridges are in admit-only-vlan-tagged mode.
  • VLANs are properly defined on all bridges.
  • DHCP servers are running and known to work on all relevant VLANs.
  • RADIUS reply includes:
    • Tunnel-Type = VLAN
    • Tunnel-Medium-Type = IEEE-802
    • Tunnel-Private-Group-ID = 100 (example)

Questions:

  • Has anyone actually gotten dynamic VLANs working with CAPsMAN + wifiwave2?
  • Is there something special I need to do in the datapath, or something I’m missing?
  • Does this feature work at all on hAP ax³ as CAP?
  • Is a separate VLAN for data (not just CAPsMAN control) required?
  • Or… am I chasing something that just isn’t supported yet?

Would really appreciate any working examples, gotchas, or general insight. I’ve already lost way too many hours on this.

Thanks,

I think you would have to activate VLAN filtering on the CAP device. Can you share your current CAP config?

/export file=cap-device

Remove serial and any other private info, post between code tags by using the </> button.

Current CAP Device Configuration (Sanitized)

# 2025-05-28 by RouterOS 7.19
# model = C53UiG+5HPaxD2HPaxD

/interface bridge
add admin-mac=FA:2B:68:3C:55:7D auto-mac=no comment=defconf frame-types=admit-only-vlan-tagged name=bridge vlan-filtering=yes

/interface wifi
# managed by CAPsMAN FA:2B:68:CF:B7:E5%vlan-11-caps-control
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN FA:2B:68:CF:B7:E5%vlan-11-caps-control
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no

/interface vlan
add comment=vlan-10-management interface=bridge name=vlan-10-management vlan-id=10
add interface=bridge name=vlan-11-caps-control vlan-id=11
add interface=bridge name=vlan-100-kid-main vlan-id=100

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wifi channel
add band=5ghz-ax disabled=no frequency=5180-5320 name=ch-5ghz-ax width=20/40mhz

/interface wifi datapath
add disabled=no name=datapath1 vlan-id=100

/interface wifi security
add authentication-types=wpa2-eap,wpa3-eap disabled=no eap-accounting=yes eap-certificate-mode=dont-verify-certificate eap-methods=peap name=sec-eap

/interface wifi configuration
add channel=ch-5ghz-ax datapath=datapath1 disabled=no mode=ap name=cfg-main security=sec-eap ssid=ssid-main

/interface bridge port
add bridge=bridge comment=vlan-21-alarm-access frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=21
add bridge=bridge comment=vlan-22-camera-access frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=22
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=vlan-10-management-access frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
add bridge=bridge comment=trunk-wifi1 frame-types=admit-only-untagged-and-priority-tagged interface=*7 pvid=100
add bridge=bridge comment=trunk-wifi2 frame-types=admit-only-untagged-and-priority-tagged interface=*8
add bridge=bridge comment=trunk-uplink frame-types=admit-only-vlan-tagged interface=ether1

/interface bridge vlan
add bridge=bridge comment=vlan-10-management tagged=bridge,ether1 untagged=ether5 vlan-ids=10
add bridge=bridge comment=vlan-21-alarm tagged=bridge,ether1 untagged=ether2 vlan-ids=21
add bridge=bridge comment=vlan-22-camera tagged=bridge,ether1 untagged=ether3 vlan-ids=22
add bridge=bridge comment=vlan-30-iot-security tagged=bridge,ether1 vlan-ids=30
add bridge=bridge comment=vlan-31-iot-general tagged=bridge,ether1 vlan-ids=31
add bridge=bridge comment=vlan-32-iot-entertainment tagged=bridge,ether1 vlan-ids=32
add bridge=bridge comment=vlan-33-iot-kitchen tagged=bridge,ether1 vlan-ids=33
add bridge=bridge comment=vlan-34-iot-bathroom tagged=bridge,ether1 vlan-ids=34
add bridge=bridge comment=vlan-39-iot-homeassistant tagged=bridge,ether1 vlan-ids=39
add bridge=bridge comment=vlan-40-family-shared tagged=bridge,ether1 vlan-ids=40
add bridge=bridge comment=vlan-41-trusted-shared tagged=bridge,ether1 vlan-ids=41
add bridge=bridge comment=vlan-42-untrusted-shared tagged=bridge,ether1 vlan-ids=42
add bridge=bridge comment=vlan-69-testing tagged=bridge,ether1 vlan-ids=69
add bridge=bridge comment=vlan-70-kid1 tagged=bridge,ether1 vlan-ids=70
add bridge=bridge comment=vlan-80-kid2 tagged=bridge,ether1 vlan-ids=80
add bridge=bridge comment=vlan-90-kid3 tagged=bridge,ether1 vlan-ids=90
add bridge=bridge comment=vlan-100-kid-main tagged=bridge,ether1 vlan-ids=100
add bridge=bridge comment=vlan-101-kid-main-vm tagged=bridge,ether1 vlan-ids=101
add bridge=bridge comment=vlan-102-kid-main-dev tagged=bridge,ether1 vlan-ids=102
add bridge=bridge comment=vlan-103-kid-main-phd tagged=bridge,ether1 vlan-ids=103
add bridge=bridge comment=vlan-230-guest-trusted tagged=bridge,ether1 vlan-ids=230
add bridge=bridge comment=vlan-231-guest-untrusted tagged=bridge,ether1 vlan-ids=231
add bridge=bridge comment=vlan-254-unused-devices tagged=bridge,ether1 vlan-ids=254
add bridge=bridge comment=vlan-11-caps-control tagged=bridge,ether1 vlan-ids=11

/interface wifi cap
set caps-man-addresses=192.168.11.1 certificate=request discovery-interfaces=vlan-11-caps-control enabled=yes lock-to-caps-man=yes slaves-static=no

/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none

/ip address
add address=192.168.10.10/24 comment=vlan-10-management interface=vlan-10-management network=192.168.10.0
add address=192.168.11.2/24 comment=vlan-11-caps-control interface=vlan-11-caps-control network=192.168.11.0

/ip dns
set servers=192.168.10.1

/radius
add address=192.168.10.1 service=wireless,dhcp src-address=192.168.10.10

/system identity
set name=hap-ax3

/system clock
set time-zone-name=Europe/Istanbul

/system logging
add topics=wireless
add topics=system
add topics=radius
add topics=dhcp
add topics=caps,debug
add topics=wireless,debug

/tool romon
set enabled=yes id=FA:2B:68:3C:55:7C

Remove wifi interfaces from bridge. Also, remove all non-essential wifi settings. Only /interface wifi datapath (without vlan id) and /interface wifi cap should be set, besides /interface wifi.
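For anyone landing on this thread later, here is the CAP-side config written the way the reply above describes. This is an added example, not the OP's export and not a MikroTik-supplied config: the static wifi bridge ports are dropped, the datapath loses its vlan-id, and the channel/security/configuration objects are removed from the CAP. Object names (bridge, datapath1, cfg-main, sec-eap, ch-5ghz-ax, vlan-11-caps-control, 192.168.11.1, the trunk-wifi1/trunk-wifi2 comments) are taken from the OP's export; the CAPsMAN-side datapath is not shown, and whether this alone makes the RADIUS VLAN take effect on the hAP ax³ is what the thread is still trying to establish.

```routeros
# Added example: CAP-side changes as described in the reply above.
# Not the OP's export; names reused from it so the commands match that device.

# --- what the export has today (the settings the reply says to remove) -------
# /interface bridge port
#   add bridge=bridge comment=trunk-wifi1 ... interface=*7 pvid=100
#   add bridge=bridge comment=trunk-wifi2 ... interface=*8
# /interface wifi datapath
#   add disabled=no name=datapath1 vlan-id=100
# A static bridge port with pvid=100 plus a datapath pinned to vlan-id=100
# hard-codes the VLAN the client lands in.

# --- corrected CAP side ------------------------------------------------------
/interface bridge
# VLAN filtering on the CAP bridge (already true in the export, kept explicit)
set [ find name=bridge ] vlan-filtering=yes frame-types=admit-only-vlan-tagged

/interface bridge port
# no static wifi ports: the CAP adds the wifi interfaces to the bridge itself
remove [ find comment=trunk-wifi1 ]
remove [ find comment=trunk-wifi2 ]

/interface bridge vlan
# every VLAN RADIUS may return must exist here with the uplink tagged;
# the export already has 100-103, so this is only a check
print where vlan-ids=100

/interface wifi datapath
# no vlan-id: the client VLAN is meant to come from the RADIUS reply
set [ find name=datapath1 ] bridge=bridge !vlan-id

# channel/security/configuration objects belong on the CAPsMAN, not the CAP;
# remove the configuration first because it references the other two
/interface wifi configuration
remove [ find name=cfg-main ]
/interface wifi security
remove [ find name=sec-eap ]
/interface wifi channel
remove [ find name=ch-5ghz-ax ]

/interface wifi cap
set enabled=yes caps-man-addresses=192.168.11.1 \
    discovery-interfaces=vlan-11-caps-control lock-to-caps-man=yes

# --- checks after a client authenticates -------------------------------------
# the client should appear here once EAP completes
/interface wifi registration-table print
# the CAP should show a dynamic (D) bridge port for the wifi interface;
# its pvid is the VLAN that was actually applied, so compare it with the
# Tunnel-Private-Group-ID in the Access-Accept
/interface bridge port print where dynamic
```

The last two print commands are the useful part for debugging: if the dynamic bridge port shows up with no pvid, or with a pvid other than the one RADIUS returned, the problem is on the CAP/CAPsMAN side; if it shows the right pvid but DHCP still fails, look at the bridge VLAN table and the uplink trunk instead.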