Can somebody please help me understand why the security profiles for standalone wireless AP configuration allow group ciphers to be “multiple choice” (both tkip and aes-ccm) while CAPsMAN security profiles only allow you to specify one or the other?
I will note that in the RouterOS Wiki documentation for Security Profiles, for unicast-ciphers, it says that “access point advertises that it supports specified ciphers”, while for group-ciphers, it says that “access point advertises ONE of these ciphers” (emphasis mine), so that is interesting. If the access point only advertises one cipher for broadcast and multicast, why does it give you the ability to check both? Is the “multiple choice” feature intended for stations and not APs (so that a station can associate to either kind of AP using a single profile)? If so, then if you check both tkip and aes-ccm for a security profile that you apply to an AP interface, which cipher type will the AP advertise and use?
I would not be surprised to learn that it is only possible to use one cipher type or the other for broadcast and multicast traffic, otherwise an AP would have to transmit every broadcast or multicast packet TWICE. But nothing explains why the standard interface ALLOWS you to select both for group-cipher while CAPsMAN forces you to choose one or the other, nor does anything explain what the defined behavior of a standalone AP is when both are checked. This really should be spelled out more explicitly in the documentation than it is (that is to say, not at all).
Thanks,
– Nathan