CAPsMAN Access List Private Passphrase

Question
Can CAPsMAN Access List CAPs Access Rule matching work with multiple rules that use MAC Address wildcard with different Private Passphrase?

Background
We use the CAPsMAN Access List MAC Address, SSID Regexp and Private Passphrase to individually control device access by matching each device’s MAC and a generated unique passphrase.
When we are onboarding a new device, we add a rule with no MAC into the access list with the new device’s passphrase.
We then look in the registration table for the new device when it is connected and update the access list entry with the MAC address, so that it locks that passphrase to that device.
This works fine until somebody doesn’t complete the onboarding process and we now have multiple devices that are trying to connect that aren’t already in the list.
This causes all the devices that aren’t explicitly in the access list, even if they have the incorrect passphrase, to appear in the registration table (briefly) for that rule, so we cannot determine which device is the one we are onboarding.
I think we can get around this by waiting for the Uptime value in the registration table to be sufficiently long that a connection with an incorrect passphrase would have been disconnected, so assuming that works, we move on to the next problem:

No device will ever connect to a subsequent rule after the first MAC wildcard entry, even if it matches all conditions in a later CAPs Access Rule.

My observation leads me to assume that this is the sequence of events within CAPsMAN:

  1. Device tries to connect to SSID
  2. Device MAC matches MAC address [blank]
  3. Device SSID matches SSID Regexp
  4. Device added to Registration Table
  5. CAPsMAN realises they have the wrong Private Passphrase
  6. Device access denied
  7. Device removed from Registration Table
  8. Device does not get checked against any further Access List entries

From this I assume that only the things above Action when viewed in winbox are actually checked before the device appears in the Registration Table.
[screenshot: CAPsMAN Onboarding.png]
With all this in mind, how can we provision and manage devices with unique passphrases? Do I have to add another server into what is otherwise a self-contained system, use RADIUS and completely manage this elsewhere?

Note: the helpdesk see all this through a web interface that does everything through API calls for us.
[screenshot: CAPsMAN Onboarding Web.png]
[screenshot: CAPsMAN Access List Web.png]
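The onboarding procedure described in the original post (open wildcard rule, wait for the device in the registration table, then lock the rule to its MAC), written up as a RouterOS v6 script. This is an added example, not the poster's own API code or anything from MikroTik; it assumes a CAPsMAN SSID named "Staff", a catch-all reject entry at the bottom of the access list tagged with comment "deny-all", a 1-minute uptime threshold (the poster's own heuristic for weeding out wrong-passphrase associations), and a generated passphrase passed in via $newPass. Because CAPsMAN stops at the first wildcard-MAC entry that matches, the script refuses to open a second pending rule while one exists, which is the condition that broke the poster's process.

```routeros
# Added example: CAPsMAN per-device passphrase onboarding (RouterOS v6 scripting).
# Assumed values: SSID "Staff", catch-all entry with comment "deny-all",
# pending-rule tag "onboarding", uptime threshold 1m, $newPass supplied by caller.
:local ssidName "Staff"
:local newPass  "CHANGE-ME-generated-passphrase"
:local tag      "onboarding"
:local threshold 1m

# --- Step 1: open a temporary wildcard-MAC rule for the new device -----------
# Only one pending rule at a time: a second no-MAC entry would never be reached,
# because matching stops at the first wildcard entry regardless of passphrase.
:if ([:len [/caps-man access-list find where comment=$tag]] > 0) do={
    :error "an onboarding rule is already pending; lock it to a MAC or remove it first"
}

# Place the open rule above the catch-all reject so it is evaluated at all.
:local denyAll [:pick [/caps-man access-list find where comment="deny-all"] 0]
/caps-man access-list add \
    ssid-regexp=("^" . $ssidName . "\$") \
    private-passphrase=$newPass \
    action=accept \
    comment=$tag \
    place-before=$denyAll

# --- Step 2: lock the pending rule to the device that actually stayed up -----
# Run this part after the device has had time to associate (e.g. from the
# helpdesk UI or a scheduler). Devices with the wrong passphrase show up in the
# registration table only briefly, so require uptime above the threshold.
:foreach r in=[/caps-man registration-table find where ssid=$ssidName] do={
    :local mac [/caps-man registration-table get $r mac-address]
    :local up  [/caps-man registration-table get $r uptime]

    # Skip devices that already have their own MAC-bound entry.
    :if ([:len [/caps-man access-list find where mac-address=$mac]] = 0 && $up > $threshold) do={
        /caps-man access-list set [find where comment=$tag] \
            mac-address=$mac comment=("locked " . $mac)
        :log info ("CAPsMAN onboarding: locked passphrase to " . $mac)
    }
}

# --- Step 3: close the window if nobody completed onboarding -----------------
# While the no-MAC rule exists, any client presenting $newPass is accepted, so
# a pending rule should not be left open indefinitely.
:if ([:len [/caps-man access-list find where comment=$tag]] > 0) do={
    :log warning "CAPsMAN onboarding: pending rule still open; remove it if onboarding was abandoned"
}
```

The split between step 1 and step 2 mirrors the poster's two API calls; running step 2 from a scheduler every minute and removing a rule that is still tagged "onboarding" after a fixed window (say 15 minutes) keeps the open-passphrase window short. The uptime heuristic is only as good as the poster's assumption that wrong-passphrase clients get dropped quickly; it is worth confirming on your own CAPsMAN version before relying on it.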

Did you ever figure this out? We’re running into the same challenge. We’ve also tried a RADIUS server (userman), but it can’t handle username pattern matches…

Just a “me too” post. Didn’t realise this post existed, it explains it very well.

I logged a new request a few weeks back here for the same thing: http://forum.mikrotik.com/t/feature-request-wireless-private-passphrase-as-a-match-in-access-list/110423/4

No feedback from Mikrotik on whether this is technically possible so I’m not sure if it’s worth pursuing or not. If I come up with any workarounds then I’ll let you know.