CAPsMAN child interface association timeout

All,

Okay, I’ve setup CAPsMAN several times, but just recently 3 different setups, with the most recent ROS releases (6.37.1 - 6.37.3), I’m getting something strange…

I usually setup a parent interface, which has local forwarding, and for the most part is not used (at least not by end users). This works fine.
I then setup a child interface, which has the SSID and other settings that I actually want the users to associate with.

For what ever reason this seems to have stopped working, or at least on these new deployments (completely fresh), never worked. I’m sure it’s something simple, and I’ve compared my configs against other working configs, but I can’t see it.

I need another set of eyes on it, to see if I’ve missed something…
(This is all sitting on the bench within a few meters of each other…)

So… AP config:-

/interface wireless
# managed by CAPsMAN
# channel: 2427/20/b(36dBm), SSID: local-ssid, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface wireless cap
# 
set bridge=br.lan1 certificate=request discovery-interfaces=ether1 enabled=yes \
    interfaces=wlan1

CAPsMAN config:-

/caps-man channel
add band=2ghz-b frequency=2427 name=ch.2427.20.b width=20

/caps-man datapath
add local-forwarding=yes name=local.ssid

/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm group-encryption=\
    aes-ccm name=sec.TESTME passphrase=scb8239scb
add authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap encryption=aes-ccm \
    group-encryption=aes-ccm name=sec.lcoal.ssid passphrase=local-ssid

/caps-man configuration
add channel=ch.2427.20.b country=australia datapath=local.ssid mode=ap name=\
    cfg.local.ssid security=sec.lcoal.ssid ssid=local-ssid

/caps-man interface
add arp=enabled configuration=cfg.local.ssid disabled=no l2mtu=1600 \
    mac-address=4C:5E:0C:D4:7B:7C master-interface=none mtu=1500 name=\
    "CAPs MAN AP1-2.4Ghz" radio-mac=4C:5E:0C:D4:7B:7C

/caps-man datapath
add bridge=br.lan1 local-forwarding=no name=dp.br.lan1

/caps-man configuration
add datapath=dp.br.lan1 name=cfg.TESTME security=sec.TESTME ssid="TEST ME"

/caps-man interface
add arp=enabled configuration=cfg.TESTME disabled=no l2mtu=1600 mac-address=\
    4C:5E:0C:D4:7B:7C master-interface="CAPs MAN AP1-2.4Ghz" mtu=1500 name=\
    "CAPs MAN AP1-1-TEST-ME" radio-mac=00:00:00:00:00:00

/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg.local.ssid \
    name-format=prefix-identity name-prefix=Local.

And a sample client (which is as basic as it gets):-

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
    allowed mode=dynamic-keys name=stn.profile supplicant-identity="" \
    wpa-pre-shared-key=scb8239scb wpa2-pre-shared-key=scb8239scb

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b disabled=no frequency=2427 \
    security-profile=stn.profile ssid="TEST ME" wireless-protocol=802.11

And I see the following in it’s logs:-

dec/14 02:51:05 wireless,info 4C:5E:0C:D4:7B:7C@wlan1: failed to connect, on 2427/20/b, association timeout 
dec/14 02:51:18 wireless,info 4C:5E:0C:D4:7B:7C@wlan1: failed to connect, on 2427/20/b, association timeout 
dec/14 02:51:32 wireless,info 4C:5E:0C:D4:7B:7C@wlan1: failed to connect, on 2427/20/b, association timeout 
dec/14 02:51:46 wireless,info 4C:5E:0C:D4:7B:7C@wlan1: failed to connect, on 2427/20/b, association timeout

I’m sure I’ve missed something but I just can’t spot it.

Anyone out there see what it is?

Thanks ahead…

W.

I may have forgotten to mention, it works find off the parent interface.
So it only doesn’t work from the virtual AP’s / secondary SSID’s…

Anyone see what I’m doing wrong?

Any pointers appreciated.

Rgds,
W.