Capsman Configuration

Good afternoon guys, could you help me with a question? I’m trying to configure a CRS326-24-2S+ Version 6.49.3 as CAPsMAN to manage my cAP ax Version 7.15.3. Although the CAPsMAN documentation says that any RB that has RouterOS, with or without a Wireless interface, can be configured as CAPsMAN, can you tell me which equipment is most suitable for applying CAPsMAN to manage cAP ax?

How many cAPs are we talking about?

That question is already a very good one.

Also, that help page you saw is correct but you missed some important piece of info.

Overview
The ‘WiFi’ configuration menu, introduced in RouterOS 7.13, is a RouterOS menu for managing Wi-Fi 5 wave2 and newer WiFi interfaces.

You need to upgrade that CRS to at least ROS 7.13 before it can be used as capsman manager for any AX (or wifi-qcom-ac) device.
Prior to that, you also needed to include the wifi-qcom package (which on its own also means at least ROS7), but since 7.13 that’s not needed anymore (hooks for managing wifi for main ROS changed from legacy wireless to wifi-qcom radios with that version).

If you have multiple cAP AX devices and you do not want to upgrade that CRS, one of the cAP AX devices themselves can be used as capsmanager.
They have plenty of performance to add that function.
Just be aware for the device being used as capsman manager, there is a small quirk related to the local radios.
But if needed, we can get to that later.

I have a similar setup with one CRS326 and two cAP-ax. I struggled quite a bit, but in hindsight it is very simple. One remark: on the CRS326, do not use the “Wireless” menu if you have it; that’s the old capsman, only needed for non-qcom devices. Everything you need for the cAP AX in webfig is under the wifi menu.

On the capsman, you need

# a security config per access method. the first is an example for wpa-eap (with a radius, needs additional config of course)
/interface wifi security add authentication-types=wpa3-eap disabled=no eap-certificate-mode=no-certificates eap-methods=tls encryption=ccmp,gcmp,ccmp-256,gcmp-256 ft=yes ft-over-ds=yes ft-preserve-vlanid=yes group-encryption=ccmp name=eap_tls_profile
# the second is an example for wpa3-psk
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk disabled=no ft=yes ft-over-ds=yes ft-preserve-vlanid=yes name=wpa_psk_profile passphrase=12345

configuration(s) for the interfaces, references above security profile:

/interface wifi configuration add country=Switzerland disabled=no mode=ap name=wifi1 security=eap_tls_profile ssid=this_is_for_eap
/interface wifi configuration add disabled=no mode=ap name=wifi2 security=wpa_psk_profile ssid=and_this_for_psk

provisioning rule(s), below example has 5ghz on wifi1 and 2ghz on wifi2:

/interface wifi provisioning add action=create-enabled master-configuration=wifi1 supported-bands=5ghz-ax,5ghz-a,5ghz-n,5ghz-ac
/interface wifi provisioning add action=create-enabled disabled=no master-configuration=wifi2 supported-bands=2ghz-g,2ghz-n,2ghz-ax

and to enable the caps:

/interface wifi capsman set ca-certificate=auto enabled=yes

On each cap, you need the non-wifi configs so that the caps have connectivity to the capsman, nothing special here. Note that the cAPs come preconfigured as routers, so if you don’t need that there is a lot of stuff you should disable, like dhcp-server, nat firewall rules, WAN interface and firewall rules for WAN and the one that blocks access to !LAN. My settings, as an example, not all is required:

# timezone
/system clock set time-zone-name=Europe/Zurich time-zone-autodetect=no 

# enable ntp client (server is assigned by dhcp)
/system/ntp/client set enabled=yes

# disable services except www, ssh
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set winbox disabled=yes
/ip service set api-ssl disabled=yes
/ip smb users set [ find default=yes ] disabled=yes

# disable wan fw
/ip/firewall/filter set [ find in-interface-list=!LAN ] disabled=yes
/ip/firewall/filter remove [ find in-interface-list=WAN ]

# remove NAT rule
/ip/firewall/nat remove [ find comment="defconf: masquerade" ] 

# remove WAN from interface list
/interface list member remove [ find interface=ether1 ]
/interface/list remove WAN

# disable dhcp server
/ip/dhcp-server disable 0

Then you need to enable the caps:

/interface wifi cap set caps-man-addresses=192.168.1.2 enabled=yes
/interface/wifi/set wifi1,wifi2 configuration.manager=capsman

If it works, on the cAPs under interfaces you see remarks in red that the wifi interfaces are managed by capsman.
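
A review aid for the configuration posted above, added here as an example and not part of the thread or of MikroTik's tooling: a small Python linter that reads RouterOS command lines and reports WPA/WPA2-PSK passphrases outside the 8..63 character range and unencrypted management services that remain enabled. The `DEFAULT_ENABLED` set is an assumption about a default RouterOS install, and `SAMPLE` is constructed from the commands in the post with options shortened.

```python
import shlex

# Assumption: services enabled on a default RouterOS install (www-ssl is off).
DEFAULT_ENABLED = {"telnet", "ftp", "www", "ssh", "api", "winbox", "api-ssl"}
CLEARTEXT = {"telnet", "ftp", "www", "api"}  # no transport encryption

# Constructed sample: commands taken from the post above (options shortened).
SAMPLE = """
/interface wifi security add authentication-types=wpa2-psk,wpa3-psk name=wpa_psk_profile passphrase=12345
/interface wifi security add authentication-types=wpa3-eap name=eap_tls_profile
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set winbox disabled=yes
/ip service set api-ssl disabled=yes
"""

def parse(line):
    """Return (path/argument words, {property: value}) for one command line."""
    words, props = [], {}
    for tok in shlex.split(line):
        if "=" in tok:
            key, _, val = tok.partition("=")
            props[key] = val
        else:
            words += [w for w in tok.split("/") if w]  # accept "/ip/service" too
    return words, props

def audit(config):
    """List weak WPA2 passphrases and cleartext services left enabled."""
    enabled, findings = set(DEFAULT_ENABLED), []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        words, props = parse(line)
        if words[:4] == ["interface", "wifi", "security", "add"]:
            auth = props.get("authentication-types", "").split(",")
            pw = props.get("passphrase", "")
            # WPA/WPA2-PSK passphrases are 8..63 characters
            if {"wpa-psk", "wpa2-psk"} & set(auth) and not 8 <= len(pw) <= 63:
                findings.append(f"{props.get('name')}: passphrase length {len(pw)}")
        elif words[:3] == ["ip", "service", "set"] and len(words) > 3:
            if props.get("disabled") == "yes":
                enabled.discard(words[3])
            elif props.get("disabled") == "no":
                enabled.add(words[3])
    findings += [f"{svc}: cleartext service enabled" for svc in sorted(enabled & CLEARTEXT)]
    return findings
```

Calling `audit(SAMPLE)` returns two findings: the five-character passphrase on `wpa_psk_profile` and the `www` service, which the post leaves enabled alongside `ssh`.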