CapsMan and Cap on the same device

I have configured a wifi with CapsMAN on Hap Ax and Cap Ax. The CAP Ax pick up the configuration as expected, but The Hap AX don’t. It shows managed by CapMAN, the log shows select, connect, joined to the CapsMAN. I tired to add lo interface for testing but the provision not push the configuration to the local CAP
Can sombody help me to find what could be the problem in my configuration

/interface bridge
add admin-mac=F4:1E:57:4E:CD:B8 auto-mac=no fast-forward=no name=LAN
/interface ethernet
set [ find default-name=ether1 ] name=WAN
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman-or-local .mode= ap disabled=no
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman-or-local .mode= ap disabled=no
/interface wifi channel
add band=2ghz-n disabled=no frequency=2437 name=CH24-6 skip-dfs-channels=all width=20mhz
add band=2ghz-n disabled=no frequency=2412 name=CH24-1 skip-dfs-channels=all width=20mhz
add band=5ghz-ax disabled=no frequency=5220 name=CH50-44 skip-dfs-channels=all width=20/40mhz
add band=5ghz-ax disabled=no frequency=5280 name=CH50-56 skip-dfs-channels=all width=20/40mhz
/interface wifi datapath
add bridge=LAN disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=yes disabled=no ft=yes ft-over-ds=yes group-encryption=ccmp group-key-update=1h name=TESTSEC
/interface wifi configuration
add channel=CH24-1 country=Hungary datapath=datapath1 disabled=no mode=apname=CF24-1 security=TESTSEC security.ft=yes .ft-over-ds=yes ssid=TEST
add channel=CH24-6 country=Hungary datapath=datapath1 disabled=no mode=ap name=CF24-6 security=TESTSEC ssid=TEST
add channel=CH50-44 country=Hungary datapath=datapath1 disabled=no mode=ap name=CF50-44 security=TESTSEC ssid=TEST
add channel=CH50-56 country=Hungary datapath=datapath1 disabled=no mode=ap name=CF50-56 security=TESTSEC ssid=TEST
/ip pool
add name=dhcp_pool0 ranges=192.168.76.1-192.168.76.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=dhcp1
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether5
add bridge=LAN interface=ether4
add bridge=LAN interface=wifi1
add bridge=LAN interface=wifi2
/interface wifi cap
set caps-man-addresses=192.168.76.254 certificate=WiFi-CAPsMAN-F41E574ECDB7 discovery-interfaces=LAN enabled=yes lock-to-caps-man=no
/interface wifi capsman
set ca-certificate=WiFi-CAPsMAN-CA-F41E574ECDB7 certificate=WiFi-CAPsMAN-F41E574ECDB7 enabled=yes interfaces=LAN package-path="" require-peer-certificate=yes upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no identity-regexp=CAP1 master-configuration=CF24-1 name-format=CAP-Teszt24 supported-bands=2ghz-n
add action=create-dynamic-enabled common-name-regexp="" disabled=no identity-regexp=CAP1 master-configuration=CF50-44 name-format=CAP-Teszt50 supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no identity-regexp=Router master-configuration=CF50-56 name-format=Router-Test50
add action=create-dynamic-enabled disabled=no identity-regexp=Router master-configuration=CF24-6 name-format=Router-Test24
/ip address
add address=192.168.76.254/24 interface=LAN network=192.168.76.0
/ip dhcp-client
add interface=WAN
/ip dhcp-server network
add address=192.168.76.0/24 gateway=192.168.76.254
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN src-address=192.168.76.0/24
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=Router
/system note
set show-at-login=no
/system ntp client
set enabled=yes mode=manycast
/system ntp client servers
add address=192.168.200.254

Local wifi interfaces aren’t provisioned as CAPS:

CAPsMAN cannot manage it’s own wifi interfaces using configuration.manager=capsman, it is enough to just set the same configuration profile on local interfaces manually as you would with provisioning rules, and the end result will be the same as if they were CAPs. That being said, it is also possible to provision local interfaces via /interface/wifi/radio menu, it should be noted that to regain control of local interfaces after provisioning, you will need to disable the matching provisioning rules and press “provision” again, which will return local interfaces to an unconfigured state.

Though I have to admit that the second part of the documentation is a bit unclear.

you can use

/interface/wifi/radio provision

to provision you local radios according to your provisioning rules.

Thats it. Also documented. https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-RadioProvisioning

Aah, thanks @infabo! That makes sense (from the quote I posted).

PS: provisioning local radios is only needed once. They pick up changes as any other radios managed by capsman automatically.

Woah !
I wasn’t aware of that option.
Nice !

But there is a caveat

That being said, it is also possible to provision local interfaces via /interface/wifi/radio menu, it should be noted that to regain control of local interfaces after provisioning, you will need to disable the matching provisioning rules and press “provision” again, which will return local interfaces to an unconfigured state.

yes, but why would you want to disconnect local radios again?

Not necessarily something I plan to do but just a pitfall to keep in mind when things are not going as foreseen when you used that method before.

You saved my day,

Thanks infabo