cAP ax3 i cAP ac3 Capsman2

eugenq · April 15, 2024, 7:02am

Good morning

The questions are probably trivial, but these topics are probably too new.
I have cAP ax3, cAP ax2 and cAP ax and cAP ac3 routers. Capsman2 works on cAP ax3, cAP ax2 and cAP ax devices. I don’t want to connect cAP ac3.
He read the Mikrotik documentation and Capsman examples and nothing happened.
I tried version 7.14.2 or 7.15b9
Perhaps there are still errors in RouterOS

What should I pay attention to when setting operating parameters?
I can export the settings.

PS
There was already a similar topic
The ABC of CAPsMAN v2 (with updates)

Thank you for help

holvoetn · April 15, 2024, 8:31am

Probably a language issue but your request is really not clear.

From what I understand:
AX3, AX2 and AX are working. Yes ?

AC3 should NOT be connected or it should but doesn’t work ?? What is it ?

In the last case: did you install wifi-qcom-ac drivers on that AC3 ? After that, it will behave exactly as the other devices. Everything will have wifiwave2 drivers then.

erlinden · April 15, 2024, 8:36am

Having some difficulties understanding your problem.

I assume you want to have the hAP ac3 (is this the correct model?) controlled by CAPsMAN2 as well?
To accomplish this, you have to uninstall the wireless package and install the wifi-qcom-ac driver. Then you will be able to manage it through CAPsMAN.

Be aware that there are some quirks that have to be handled manually (search for wifi-qcom-ac):
https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-WiFiCAPsMAN

Can you correct the model numbers in your opening post? I only know of hAP ax2, hAP ax3, cAP ax and hAP ac3.
And if the above approach doesn’t anwer your question, can you please add config?

And why is @holvoetn (always) a step ahead of me!?

eugenq · April 16, 2024, 11:15am

The so-called cAPsMAN2 runs on cAPax3, Cap interfaces on cAPax2 and cAPax devices.. However, the cAPac3 device cannot connect to cAPsMAN2, which runs on cAPax3. The cAPac3 device cannot start the wi-fi interfaces. The cAPax3, cAPax2, and cAPax devices have wi-fi -qcom installed, while the cAPac3 device has wi-fi-qcom-ac installed

holvoetn · April 16, 2024, 11:17am

Just to make this clear:

Capax3 doesn’t exist.
Neither does capax2.
You’re referring to HAP AX3 and HAP AX2, yes ?
https://mikrotik.com/product/hap_ax3
https://mikrotik.com/product/hap_ax2

Capac3 doesn’t exist either.
Probably HAP AC3 ?
https://mikrotik.com/product/hap_ac3

erlinden · April 16, 2024, 11:30am

Can you post the config of this device?

/export file=anynameyoulike

Post the config between code tags by using the </> button. And remove serial and any other private info.

eugenq · April 17, 2024, 3:09pm

hAP ax3 hAP ax2 hAP ax working maybe not perect but good

hAP ax3

# 2024-04-17 16:41:05 by RouterOS 7.14.2
# software id = 3K51-Q0D9
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = H..............
/interface bridge
add name=caps_mgmt-LAN priority=0x7999
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-LAN
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-LAN
/interface vlan
add disabled=yes interface=caps_mgmt-LAN name=vlan-10-Home vlan-id=10
add disabled=yes interface=caps_mgmt-LAN name=vlan-20-Guest vlan-id=20
/interface list
add name=LAN
add name=WAN
/interface wifi channel
add band=2ghz-n disabled=no frequency=2412,2437,2462 name=2G-N width=\
    20/40mhz-Ce
add band=5ghz-ac disabled=no frequency=5180 name=5G-AC width=20/40mhz-Ce
add band=5ghz-ax disabled=no frequency=5180 name=5G-AX width=20/40mhz-Ce
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2G-AX width=\
    20/40mhz-Ce
/interface wifi datapath
add bridge=caps_mgmt-LAN disabled=no interface-list=LAN name=datapath1
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no group-encryption=ccmp \
    group-key-update=1h name=sec2G
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=yes disabled=no \
    group-encryption=ccmp group-key-update=5m management-encryption=cmac \
    name=sec5G
/interface wifi configuration
add channel=2G-AX country=Poland datapath=datapath1 disabled=no mode=ap name=\
    2G-AX security=sec2G ssid="Wifi Biuro 2G AX Cap2"
add channel=5G-AX country=Poland datapath=datapath1 datapath.bridge=\
    caps_mgmt-LAN disabled=no mode=ap name=5G-AX security=sec5G security.ft=\
    yes .ft-over-ds=yes ssid="Wifi Biuro 5G AX Cap2"
add channel=2G-N country=Poland datapath=datapath1 disabled=no mode=ap name=\
    2G-N security=sec2G ssid="Wifi Biuro 2G N Cap2"
add channel=5G-AC country=Poland datapath=datapath1 datapath.bridge=\
    caps_mgmt-LAN disabled=no mode=ap name=5G-AC security=sec5G security.ft=\
    no ssid="Wifi Biuro 5G AC Cap2"
/interface wifi
add channel=2G-AX configuration=2G-AX configuration.mode=ap datapath=\
    datapath1 disabled=no name=cap-wifi_2G-cAP_AX radio-mac=78:9A:18:C9:B0:77 \
    security=sec2G
add channel=2G-AX configuration=2G-AX configuration.mode=ap datapath=\
    datapath1 disabled=no name=cap-wifi_2G-hAP_ax2 radio-mac=\
    48:A9:8A:CD:34:E2 security=sec2G
add channel=5G-AC channel.frequency=5180 configuration=5G-AX \
    configuration.mode=ap datapath=datapath1 disabled=no name=\
    cap-wifi_5G-cAP_AX radio-mac=78:9A:18:C9:B0:76 security=sec5G \
    security.ft=no
add channel=5G-AC channel.band=5ghz-ac .frequency=5180 configuration=5G-AC \
    configuration.mode=ap datapath=datapath1 disabled=no name=\
    cap-wifi_5G-hAP_ax2 radio-mac=48:A9:8A:CD:34:E1 security=sec5G
set [ find default-name=wifi2 ] channel=2G-AX configuration=2G-AX \
    configuration.manager=local .mode=ap datapath=datapath1 \
    datapath.interface-list=LAN disabled=no name=wifi_2G-hAP_ax3 security=\
    sec2G
set [ find default-name=wifi1 ] channel=5G-AC channel.band=5ghz-ac \
    configuration=5G-AX configuration.manager=local .mode=ap datapath=\
    datapath1 disabled=no name=wifi_5G-hAP_ax3 security=sec5G \
    security.authentication-types=wpa3-psk
/interface wifi steering
add disabled=no name=steering2 neighbor-group="dynamic-wifi 5ghz-a80d8a44" \
    rrm=yes wnm=yes
add disabled=no name=steering1 neighbor-group="dynamic-wifi 2ghz-a80d8a44" \
    rrm=yes wnm=yes
/ip pool
add name=dhcp-LAN ranges=192.168.66.2-192.168.66.200
add name=dhcpl-WIFI ranges=192.168.77.2-192.168.77.200
/ip dhcp-server
add address-pool=dhcp-LAN interface=caps_mgmt-LAN lease-time=1d name=\
    dhcp1_LAN
/interface bridge port
add bridge=caps_mgmt-LAN interface=ether2-LAN
add bridge=caps_mgmt-LAN interface=ether3-LAN
add bridge=caps_mgmt-LAN interface=ether4-LAN
add bridge=caps_mgmt-LAN interface=ether5-LAN
add bridge=caps_mgmt-LAN interface=wifi_5G-hAP_ax3
add bridge=caps_mgmt-LAN fast-leave=yes interface=wifi_2G-hAP_ax3
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set accept-router-advertisements=yes
/interface bridge vlan
add bridge=caps_mgmt-LAN tagged=\
    caps_mgmt-LAN,ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN vlan-ids=10
add bridge=caps_mgmt-LAN tagged=\
    caps_mgmt-LAN,ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN vlan-ids=20
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    LAN wan-interface-list=WAN
/interface list member
add interface=ether1-WAN list=WAN
add interface=caps_mgmt-LAN list=LAN
add interface=ether2-LAN list=LAN
add interface=ether3-LAN list=LAN
add interface=ether4-LAN list=LAN
add interface=ether5-LAN list=LAN
add interface=wifi_2G-hAP_ax3 list=LAN
add interface=lo list=LAN
add interface=wifi_5G-hAP_ax3 list=LAN
/interface wifi cap
set caps-man-addresses=192.168.66.1 certificate=request discovery-interfaces=\
    caps_mgmt-LAN enabled=yes lock-to-caps-man=yes slaves-datapath=datapath1 \
    slaves-static=no
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-48A98AEACE4D enabled=yes interfaces=\
    caps_mgmt-LAN package-path="" require-peer-certificate=yes \
    upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=5G-AX name-format=\
    5G-%| supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=2G-AX name-format=\
    2G-%| supported-bands=2ghz-ax
add action=create-enabled disabled=no master-configuration=5G-AC name-format=\
    5G-%| supported-bands=5ghz-ac
add action=create-enabled disabled=no master-configuration=2G-N name-format=\
    2G-%| supported-bands=2ghz-n
/ip address
add address=192.168.66.1/24 interface=caps_mgmt-LAN network=192.168.66.0
add address=127.0.0.1 interface=lo network=127.0.0.1
add address=192.168.77.1/24 interface=*11 network=192.168.77.0
/ip dhcp-client
add interface=ether1-WAN
/ip dhcp-server lease
add address=192.168.66.169 client-id=1:30:c9:ab:5:58:61 mac-address=\
    30:C9:AB:05:58:61 server=dhcp1_LAN
add address=192.168.66.167 client-id=1:c8:d7:78:a4:79:73 mac-address=\
    C8:D7:78:A4:79:73 server=dhcp1_LAN
add address=192.168.66.166 mac-address=C4:77:AF:27:3F:CF server=dhcp1_LAN
add address=192.168.66.165 client-id=1:9c:3e:53:8:5c:69 mac-address=\
    9C:3E:53:08:5C:69 server=dhcp1_LAN
add address=192.168.66.181 client-id=1:64:95:6c:3c:f2:2c mac-address=\
    64:95:6C:3C:F2:2C server=dhcp1_LAN
add address=192.168.66.178 mac-address=C4:77:AF:3F:52:DE server=dhcp1_LAN
/ip dhcp-server network
add address=192.168.66.0/24 dns-server=192.168.66.1 gateway=192.168.66.1 \
    netmask=24
add address=192.168.77.0/24 dns-server=192.168.66.1 gateway=192.168.77.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.66.1,192.168.73.10
/ip firewall filter
add action=reject chain=forward disabled=yes dst-address-list=OfficeWLAN \
    reject-with=icmp-network-unreachable src-address-list=Guest-WLAN
add action=reject chain=input disabled=yes dst-address-list=OfficeWLAN \
    reject-with=icmp-host-unreachable src-address-list=Guest-WLAN
add action=reject chain=forward disabled=yes dst-address-list=FB-HomeLan \
    reject-with=icmp-network-unreachable src-address-list=Guest-WLAN
add action=reject chain=input disabled=yes dst-address-list=FB-HomeLan \
    reject-with=icmp-host-unreachable src-address-list=Guest-WLAN
add action=reject chain=forward disabled=yes dst-address-list=\
    Guest-WLAN-Clients reject-with=icmp-host-prohibited src-address-list=\
    Guest-WLAN
add action=accept chain=input dst-port=5246,5247 protocol=udp
add action=accept chain=input dst-address=127.0.0.1
add action=accept chain=input dst-address=127.0.0.1 port=5246,5247 protocol=\
    udp src-address=127.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=CAPsMan2Controller
/system note
set show-at-login=no
/system package update
set channel=testing
/tool romon
set enabled=yes

hAP ax2

# 2024-04-17 16:41:43 by RouterOS 7.14.2
# software id = PTQA-B3Z5
#
# model = C52iG-5HaxD2HaxD
# serial number = H...........
/interface bridge
add admin-mac=48:A9:8A:CD:34:DD auto-mac=no ingress-filtering=no name=\
    caps_mgmt-LAN priority=0x7999 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=ether1-TRUNK
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-LAN
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-LAN
/interface vlan
add disabled=yes interface=caps_mgmt-LAN name=vlan-10-Home vlan-id=10
add disabled=yes interface=caps_mgmt-LAN name=vlan-20-Guest vlan-id=20
/interface list
add name=LAN
add name=WAN
/interface wifi aaa
add disabled=no name=aaa1
/interface wifi channel
add band=2ghz-n disabled=yes frequency=2716,2737,2762 name=channelAC width=\
    20mhz
/interface wifi datapath
add bridge=caps_mgmt-LAN disabled=yes name=wlan-AX-Office vlan-id=10
add bridge=caps_mgmt-LAN client-isolation=yes disabled=yes name=wlan-AX-Guest \
    vlan-id=20
add bridge=caps_mgmt-LAN disabled=yes name=wlan-AC-Office
add bridge=caps_mgmt-LAN client-isolation=yes disabled=yes name=wlan-AC-Guest
add bridge=caps_mgmt-LAN disabled=no name=datapath1
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Wifi Biuro 5G AC Cap2, channel: 5180/ac/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=datapath1 disabled=no name=wifi1-hAP_a2 security.ft=yes
# managed by CAPsMAN
# mode: AP, SSID: Wifi Biuro 2G AX Cap2, channel: 2437/ax/Ce
set [ find default-name=wifi2 ] channel.frequency=2716,2737,2762 \
    configuration.manager=capsman .mode=ap datapath=datapath1 disabled=no \
    name=wifi2-hAP_a2 security.ft=yes
/interface wifi security
add authentication-types=wpa2-psk disabled=yes encryption=ccmp ft=yes \
    ft-over-ds=yes name=Sec-Office
add authentication-types=wpa2-psk disabled=yes encryption=ccmp name=Sec-Guest
add authentication-types=wpa2-psk disabled=yes ft=yes name=sec1
/interface wifi configuration
add channel.skip-dfs-channels=all country=Germany datapath=wlan-AX-Office \
    disabled=yes mode=ap name=cfg-AX-Office security=Sec-Office security.ft=\
    yes .ft-over-ds=yes ssid=MT-Office
add channel.skip-dfs-channels=all country=Germany datapath=wlan-AX-Guest \
    disabled=yes mode=ap name=cfg-AX-Guest security=Sec-Guest security.ft=yes \
    .ft-over-ds=yes ssid=MT-Guest
add channel.skip-dfs-channels=all country=Poland datapath=wlan-AC-Office \
    disabled=yes mode=ap name=cfg-AC-Office security=Sec-Office security.ft=\
    yes .ft-over-ds=yes ssid=MT-Office
add channel.skip-dfs-channels=all country=Germany datapath=wlan-AC-Guest \
    disabled=yes mode=ap name=cfg-AC-Guest security=Sec-Guest security.ft=yes \
    .ft-over-ds=yes ssid=MT-Guest
/ip pool
add name=dhcp_pool0-vlan10 ranges=10.10.10.20-10.10.10.200
add name=dhcp_pool1-vlan20 ranges=20.20.20.20-20.20.20.200
/ip dhcp-server
add address-pool=dhcp_pool0-vlan10 disabled=yes interface=vlan-10-Home \
    lease-time=3d name=dhcp-vlan10
add address-pool=dhcp_pool1-vlan20 disabled=yes interface=vlan-20-Guest \
    lease-time=8h name=dhcp-vlan20
/queue type
add kind=pcq name=PCQ-Download-40Mbit pcq-classifier=dst-address pcq-rate=41M
add kind=pcq name=PCQ-Upload-15Mbit pcq-classifier=src-address pcq-rate=15M
add kind=pcq name=PCQ-Download-25Mbit pcq-classifier=dst-address pcq-rate=25M
add kind=pcq name=PCQ-Upload-05Mbit pcq-classifier=src-address pcq-rate=6M
/queue simple
add max-limit=30M/75M name=queue-GuestWLan queue=\
    PCQ-Upload-05Mbit/PCQ-Download-25Mbit target=vlan-20-Guest total-queue=\
    PCQ-Download-25Mbit
add max-limit=35M/85M name=queue-WLan priority=7/7 queue=\
    PCQ-Upload-15Mbit/PCQ-Download-40Mbit target=vlan-10-Home total-queue=\
    PCQ-Download-40Mbit
/interface bridge port
add bridge=caps_mgmt-LAN interface=ether2-LAN
add bridge=caps_mgmt-LAN interface=ether3-LAN
add bridge=caps_mgmt-LAN interface=ether4-LAN
add bridge=caps_mgmt-LAN interface=ether5-LAN
add bridge=caps_mgmt-LAN interface=wifi1-hAP_a2
add bridge=caps_mgmt-LAN interface=wifi2-hAP_a2
add bridge=caps_mgmt-LAN interface=ether1-TRUNK
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ipv6 settings
set accept-router-advertisements=yes
/interface bridge vlan
add bridge=caps_mgmt-LAN tagged=\
    caps_mgmt-LAN,ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN vlan-ids=10
add bridge=caps_mgmt-LAN tagged=\
    caps_mgmt-LAN,ether2-LAN,ether3-LAN,ether4-LAN,ether5-LAN vlan-ids=20
/interface list member
add interface=ether1-TRUNK list=WAN
add interface=caps_mgmt-LAN list=LAN
add interface=ether2-LAN list=LAN
add interface=ether3-LAN list=LAN
add interface=ether4-LAN list=LAN
add interface=wifi1-hAP_a2 list=LAN
add interface=wifi2-hAP_a2 list=LAN
/interface wifi cap
set caps-man-addresses=192.168.66.1 certificate=request discovery-interfaces=\
    caps_mgmt-LAN enabled=yes lock-to-caps-man=no slaves-datapath=datapath1
/interface wifi capsman
set interfaces="" package-path=/capsman require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled comment="default 2GHz AX" disabled=yes \
    master-configuration=cfg-AX-Office name-format="2GHz ax wifi-%I" \
    slave-configurations=cfg-AX-Guest supported-bands=2ghz-ax
add action=create-dynamic-enabled comment="default 5GHz AX" disabled=yes \
    master-configuration=cfg-AX-Office name-format="5GHz ax wifi-%I" \
    slave-configurations=cfg-AX-Guest supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="default 2GHz N (none AX)" \
    disabled=yes master-configuration=cfg-AC-Office name-format=\
    "hAPac 2GHz wifi-%C" slave-configurations=cfg-AC-Guest supported-bands=\
    2ghz-n
add action=create-dynamic-enabled comment="default 5GHz ac (none AX)" \
    disabled=yes master-configuration=cfg-AC-Office name-format=\
    "hAPac 5GHz wifi-%C" slave-configurations=cfg-AC-Guest supported-bands=\
    5ghz-ac
add action=create-enabled disabled=no
/ip address
add address=10.10.10.1/24 disabled=yes interface=vlan-10-Home network=\
    10.10.10.0
add address=20.20.20.1/24 disabled=yes interface=vlan-20-Guest network=\
    20.20.20.0
/ip dhcp-client
add interface=caps_mgmt-LAN
/ip dns
set allow-remote-requests=yes servers=192.168.66.1
/ip firewall address-list
add address=20.20.20.0/24 list=Guest-WLAN
add address=10.10.10.0/24 list=OfficeWLAN
add address=192.168.178.2-192.168.178.255 list=FB-HomeLan
add address=20.20.20.20-20.20.20.255 list=Guest-WLAN-Clients
/ip firewall filter
add action=reject chain=forward dst-address-list=OfficeWLAN reject-with=\
    icmp-network-unreachable src-address-list=Guest-WLAN
add action=reject chain=input dst-address-list=OfficeWLAN reject-with=\
    icmp-host-unreachable src-address-list=Guest-WLAN
add action=reject chain=forward dst-address-list=FB-HomeLan reject-with=\
    icmp-network-unreachable src-address-list=Guest-WLAN
add action=reject chain=input dst-address-list=FB-HomeLan reject-with=\
    icmp-host-unreachable src-address-list=Guest-WLAN
add action=reject chain=forward dst-address-list=Guest-WLAN-Clients \
    reject-with=icmp-host-prohibited src-address-list=Guest-WLAN
add action=reject chain=input dst-address-list=Guest-WLAN-Clients \
    reject-with=icmp-host-prohibited src-address-list=Guest-WLAN
add action=reject chain=forward reject-with=icmp-host-prohibited
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=guest-conn \
    passthrough=yes src-address-list=Guest-WLAN
/ip firewall nat
# in/out-interface matcher not possible when interface (ether1-TRUNK) is slave - use master instead (caps_mgmt-LAN)
add action=masquerade chain=srcnat out-interface=ether1-TRUNK
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=Mikrotik_hAP_ax2
/system note
set show-at-login=no
/tool romon
set enabled=yes

hAP ax

# 2024-04-17 16:42:12 by RouterOS 7.14.2
# software id = EI3M-9MTI
#
# model = cAPGi-5HaxD2HaxD
# serial number = H...........
/interface bridge
add admin-mac=78:9A:18:C9:B0:74 auto-mac=no name=caps_mgmt-LAN
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Wifi Biuro 2G AX Cap2, channel: 2437/ax/Ce
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    disabled=no name=wifi2-cAP_AX security.ft=yes
/interface wifi datapath
add bridge=caps_mgmt-LAN comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
# mode: AP, SSID: Wifi Biuro 5G AX Cap2, channel: 5180/ac/Ce
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no name=wifi1-cAP_AX security.ft=no
/interface bridge port
add bridge=caps_mgmt-LAN interface=ether1
add bridge=caps_mgmt-LAN interface=ether2
add bridge=caps_mgmt-LAN interface=wifi1-cAP_AX
add bridge=caps_mgmt-LAN interface=wifi2-cAP_AX
/ip firewall connection tracking
set udp-timeout=10s
/interface wifi cap
set caps-man-addresses=192.168.66.1 certificate=request discovery-interfaces=\
    caps_mgmt-LAN enabled=yes lock-to-caps-man=no
/interface wifi capsman
set ca-certificate=auto interfaces=wifi1-cAP_AX,wifi2-cAP_AX package-path="" \
    require-peer-certificate=no upgrade-policy=none
/ip dhcp-client
add interface=caps_mgmt-LAN
/ip dns
set servers=195.3.203.3,195.66.73.10
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MikroTik_cAP_ax
/system note
set show-at-login=no

hAP ac3 can’t conect to CAPsMAN on hAP ax3
hAP ac3

# 2024-04-17 16:43:53 by RouterOS 7.14.2
# software id = WBTJ-LEM6
#
# model = RBD53iG-5HacD2HnD
# serial number = D.........
/interface bridge
add name=caps_mgmt-LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN
set [ find default-name=ether3 ] name=ether3-LAN
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-LAN
/interface list
add name=WAN
add name=LAN
/interface wifi channel
add band=2ghz-n disabled=no frequency=2412,2437,2462 name=channel2G width=\
    20mhz
add band=5ghz-ac disabled=no frequency=5180 name=channel5G width=20mhz
/interface wifi datapath
add bridge=caps_mgmt-LAN disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk disabled=no group-encryption=ccmp name=sec1
/interface wifi configuration
add channel=channel2G country=Poland datapath=datapath1 disabled=no mode=ap \
    name=wifi_haCP_2G security=sec1 ssid=Mikrotik_2G_D
add channel=channel5G country=Poland datapath=datapath1 disabled=no mode=ap \
    name=wifi_haCP_5G security=sec1 ssid=Mikrotik_5G_D
/interface wifi
# no connection to CAPsMAN
add channel=channel2G channel.frequency=2412,2437,2462 configuration=\
    wifi_haCP_2G configuration.manager=capsman .mode=ap datapath=datapath1 \
    disabled=no name=wifi1-haP_ac3_2G radio-mac=48:8F:5A:AA:3B:0C security=\
    sec1
# no connection to CAPsMAN
add channel.frequency=5180 configuration=wifi_haCP_5G configuration.manager=\
    capsman .mode=ap disabled=no name=wifi2-haP_ac3_5G radio-mac=\
    48:8F:5A:AA:3B:0D security.ft=yes
/ip pool
add name=dhcp_pool0 ranges=192.168.66.1-192.168.66.181
/interface bridge port
add bridge=caps_mgmt-LAN interface=ether2-LAN
add bridge=caps_mgmt-LAN interface=ether3-LAN
add bridge=caps_mgmt-LAN interface=ether4-LAN
add bridge=caps_mgmt-LAN interface=ether5-LAN
add bridge=caps_mgmt-LAN interface=wifi1-haP_ac3_2G
add bridge=caps_mgmt-LAN interface=wifi2-haP_ac3_5G
add bridge=caps_mgmt-LAN interface=ether1-WAN
/interface list member
add interface=ether1-WAN list=WAN
add interface=caps_mgmt-LAN list=LAN
add interface=ether2-LAN list=LAN
add interface=ether3-LAN list=LAN
add interface=ether4-LAN list=LAN
add interface=ether5-LAN list=LAN
add interface=wifi2-haP_ac3_5G list=LAN
add interface=wifi1-haP_ac3_2G list=LAN
/interface wifi cap
set caps-man-addresses=192.168.66.1 certificate=WiFi-CAPsMAN-488F5AAA3B07 \
    discovery-interfaces=caps_mgmt-LAN enabled=yes slaves-static=yes
/interface wifi capsman
set interfaces=caps_mgmt-LAN package-path="" require-peer-certificate=no \
    upgrade-policy=none
/interface wifi provisioning
add action=create-enabled disabled=no master-configuration=wifi_haCP_2G \
    supported-bands=2ghz-n
add action=create-enabled disabled=no master-configuration=wifi_haCP_5G \
    supported-bands=5ghz-ac
/ip dhcp-client
add interface=caps_mgmt-LAN
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input dst-port=5246,5247 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=caps_mgmt-LAN
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name=MikroTik_D
/system note
set show-at-login=no

holvoetn · April 17, 2024, 4:13pm

On the working devices you have this:

certificate=request

But on AC3, I see this:

/interface wifi cap
set caps-man-addresses=192.168.66.1 certificate=WiFi-CAPsMAN-488F5AAA3B07 \
    discovery-interfaces=caps_mgmt-LAN enabled=yes slaves-static=yes

Maybe best to set it the same as the devices which work.
certificate=request

eugenq · April 17, 2024, 8:41pm

hAP ac3 has error log
selected CAPsMAN CAPsMan2Controller@48:A9:8A:EA:CE:4E%*a
failed to connect to CAPsMan2Controller@48:A9:8A:EA:CE:4E%*a, ssl: fatal alert received

This is true problem

good log (hAP ax)
selected CAPsMAN CAPsMan2Controller@48:A9:8A:EA:CE:4E%*5
connected to CAPsMan2Controller@48:A9:8A:EA:CE:4E%*5

holvoetn · April 17, 2024, 8:45pm

Can you try to recreate certificates ?
Or even for test, don’t use them at all.

eugenq · April 17, 2024, 8:53pm

I think this is a RouterOS bug

holvoetn · April 17, 2024, 8:54pm

Why that ?
It should work.

eugenq · April 17, 2024, 9:23pm

Thank you for help.

I re-created the certificate on hAP ac3
Everything works good