CAPsMAN can't handle 130 clients on 37 APs with WPA3-PSK enabled

Hi

For weeks we have been struggling with WPA3-PSK enabled. Our setup while we did the tests:

  • CAPsMAN on CRS326-24S+2Q+/r3 / 7.19.2
  • 37 cAP ax (cAPGi-5HaxD2HaxD) / 7.19.2
  • ~135 Clients

While we didn’t have any problems with the exact same configuration in the lab with 2 APs, we can’t bring it up in the production environment.

Over the last two days we did a lot of tests at night…

We had a look at the process list with /tool/profile while we did the tests in prod.

  • Enabling WPA2-PSK only: all clients drop the connection and come back after 1-3 minutes. Total CPU goes up to 100% for a minute, the wireless task was at 20-50% in the first minute; after 3-4 minutes it was more relaxed, with some peaks at 42%.
  • Enabling WPA2-PSK and WPA3-PSK: all clients drop the connection again, but they never came back after 10 minutes. Total CPU is 100%, the wireless process is between 60 and 80%, with peaks up to 89%, even after 5 minutes.
  • Disconnecting all APs and bringing up only 11 APs: the clients can connect with WPA3-PSK. 23 APs are too many, same as with 37 APs: CPU always at 100% after 10 minutes and >60% for the wireless process.

I can’t find any limits for CAPsMAN, but it looks like there are limitations.

Would be nice to get some input…

Ivo

I don’t have much to contribute, besides suggesting you open a ticket with MikroTik support. Unsure how much help you’ll get here. Support will have internal answers, which they withhold from us power users and those doing enterprise-type deployments.

Another member tried a large deployment and it failed, they switched to another vendor and all issues went away…

Only real suggestion: do you have any other MT router you can move the CAPsMAN server to? I feel the CRS326-24 will be under-powered for your needs.

Look at RB5009 or CCR.


That’s what I was going to suggest. This is probably the lowest-powered device that can run CAPsMAN at all in the MikroTik line-up. I’m sure some optimizations might be possible, but it seems like the poor device is simply overwhelmed.

EDIT: I’m not sure that jumping straight to the big devices is the answer. Every single AP is basically 10x more powerful.


Move CAPsMAN to a different device; the CRS326 is under-powered for your deployment. You can use one of the APs if you have nothing else.

Thank you for your replies.

Well yes, this was also my conclusion, but MikroTik’s recommendations say “no limit”:


Requirements

  • Any RouterOS device can be a controlled wireless access point (CAP) as long as it has at least a Level 4 RouterOS license
  • CAPsMAN server can be installed on any RouterOS device, even if the device itself does not have a wireless interface
  • → Unlimited CAPs (access points) supported by CAPsMAN ←
  • 32 Radios per CAP maximum
  • 32 Virtual interfaces per master radio interface maximum
  • Not possible to use Nv2 and NStreme proprietary protocols

So this is wrong and far away from “unlimited”. But I think this is not an issue of the number of APs, but of the number of clients that try to connect in parallel.

How are we supposed to plan and dimension an environment without any evidence?

We opened a ticket, but we have been waiting weeks for an answer.

Thanks a lot

Ivo

/tool/profile on which device? You mention the wireless process, but is there actually any on CAPsMAN? CAPsMAN, as of now (only traffic processing on the CAP OS is possible), only distributes configuration. Can’t imagine why it would be the bottleneck.

On the switch, where CAPsMAN is running.

Well, CAPsMAN is also responsible for authentication:
More specifically, the Controlled Access Point system Manager (CAPsMAN) allows centralization of wireless network management and if necessary, data processing. When using the CAPsMAN feature, the network will consist of a number of ‘Controlled Access Points’ (CAP) that provide wireless connectivity and a ‘system Manager’ (CAPsMAN) that manages the configuration of the APs, it also takes care of client authentication and optionally, data forwarding.

It is unlimited in licensing; performance depends on the hardware used, mostly the CPU.

You are using one of the least CPU-performant devices for the CAPsMAN server; it is a switch with a small 1-core CPU, suitable mostly only for managing the switch, so it is no surprise you reached a performance limit.

You have options; for example, you can use one of the cAP ax (which has 6x the CPU performance of the switch CPU) to manage the other APs. Try to choose one with low load and good chances of staying available; you can also choose another cAP ax with the same status to provide some kind of redundancy as a second CAPsMAN.

Please be sure to do the forwarding on the APs; do not do centralized forwarding.

As others mentioned, test moving the CAPsMAN server to one of the less loaded access points. Export/import your config lines to the new AP controller. Enable CAPsMAN; do NOT do centralized forwarding.

In the existing CAPs config [on the CRS switch], add the new CAPsMAN controller IP as secondary.

Disable the controller on the CRS. You should see, or hopefully see, the APs “fail over” and provision themselves on the new AP-based controller…


It is perfectly possible to use one of the cAP ax as CAPsMAN. CAPsMAN can manage/provision local radios as if they were remote CAP radios, so this one would be CAPsMAN and CAP in one. Give it a try.
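The migration described in the two replies above (move the controller to a cAP ax, keep forwarding local on the CAPs, add the new controller as a secondary address so the CAPs fail over), written out as a RouterOS 7 /interface/wifi configuration. This is an added example, not config from the thread or from MikroTik; bridge name bridge1, VLAN 20, SSID, passphrase, country, the default radio names wifi1/wifi2 and the controller addresses 10.0.0.1 (old CRS) and 10.0.0.2 (new cAP ax) are all assumed placeholders.

```routeros
# ===== On the cAP ax chosen as the new CAPsMAN (assumed bridge: bridge1) =====
/interface/wifi/capsman
set enabled=yes interfaces=bridge1 upgrade-policy=suggest-same-version

# WPA2/WPA3 transition profile. WPA3-PSK needs management frame protection,
# so leave it "allowed" rather than "disabled" for the mixed mode.
/interface/wifi/security
add name=sec-wpa3-mixed authentication-types=wpa2-psk,wpa3-psk \
    encryption=ccmp management-protection=allowed \
    passphrase="CHANGE-ME-use-a-long-passphrase"

# Datapath: client traffic is bridged locally on each CAP (bridge1 on the CAP),
# so the controller only handles provisioning and authentication, not data.
/interface/wifi/datapath
add name=dp-local bridge=bridge1 vlan-id=20

/interface/wifi/configuration
add name=cfg-5g ssid="corp-wifi" security=sec-wpa3-mixed \
    datapath=dp-local country=Switzerland

# Provision every 5 GHz ax radio that registers with this configuration.
/interface/wifi/provisioning
add action=create-dynamic-enabled master-configuration=cfg-5g \
    supported-bands=5ghz-ax

# The controller's own radios are managed by its local CAPsMAN,
# so this device is CAP and CAPsMAN in one.
/interface/wifi
set [ find default-name=wifi1 ] configuration.manager=capsman
set [ find default-name=wifi2 ] configuration.manager=capsman

# ===== On every other cAP ax: old controller first, new one as secondary =====
/interface/wifi/cap
set enabled=yes discovery-interfaces=bridge1 \
    caps-man-addresses=10.0.0.1,10.0.0.2
```

Once all CAPs carry both addresses, disabling /interface/wifi/capsman on the CRS makes them reconnect to 10.0.0.2 and get re-provisioned there; check /interface/wifi/capsman/remote-cap on the new controller to confirm every CAP has registered before removing the old address.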

I agree that the wording should be better, and you are browsing old CAPsMAN documentation, so new and old CAPsMAN need better separation and explanation to understand what is what.

As colleagues mentioned, unlimited is meant as a licensing term, and you can run the CAPsMAN server on (almost) any ROS device, but it needs processing power. If the deployment is small and the station count is low, even low-end devices can be used, but as AP count and station count increase, more power will be required. Once this is solved, WPA3 should work.

I also tried setting up the server on one of the switches (CRS317) at a school (over 50 APs deployed) and quite quickly noticed that it’s not working. I needed a temporary server while the main server was reinstalled and configured.

Okay, interesting, this is related to licensing, but then I miss any technical limitations or recommendations. This is horrible for planning a network.

As far as I know, we use the new CAPsMAN (started at /interface/wifi/capsman/); the old CAPsMAN didn’t support WPA3.

So maybe we’ll think about a VM with RouterOS and let CAPsMAN run there. Letting CAPsMAN run on a dedicated AP is a bit too dangerous for us, maybe for testing, but I think it goes in the direction of a VM…

Thanks a lot

Ivo

For CHR, you’ll still need a license. You might be better off having a physical RB5009 or similar running the server, unless you already have a hypervisor environment with appropriate resources, networking and redundancy built out.