CAPsMAN Provisioning Issue

Hi All,
I’m pretty new to CAPsMAN. I followed this guide to configure a new AP in my office: https://mum.mikrotik.com/presentations/MM15/presentation_2709_1444122809.pdf
The scope is to create an internal Wifi network that can access the LAN and a guest network with hotspot and captive portal.
You can see my configurations in attachments.
I have only one AP with 2 wlan (2GHz and 5GHz) and I’m using CAPsMAN manager from our firewall, which is a VM on VMware.
The problem is that if I set the wifi config in the cap configuration on the wireless tab everything works fine, but with provisioning it does not. I tried different configurations and none worked.
I want to use provisioning because I wish to handle multiple SSID on the same CAP.

Thanks in advance.

UPDATE:
I did a few more tries without success. It seems that there is something deeply wrong with my configuration.
What I want to do (just to be clear) is use my AP with both wlan interfaces (2GHz and 5GHz) to create a “normal” wifi network and a guest network.
The first one is accessible using a simple WPA key and can have full access to the LAN, the second must use a captive portal and can only access the internet.
SSID must be different (Inoptim-WIFI and Inoptim-GUEST).
Another mandatory thing is to use CAPsMAN, how can I do this?

Can you please post your full capsman configuration as well as the caps client configurations?

On your capsmanager device:

 /cap export hide-sensitive

On the Client:

 /export hide-sensitive

Sure:

Caps manager

# apr/16/2019 16:26:46 by RouterOS 6.44.2
# software id = 
#
#
#
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=CH1
/caps-man datapath
add client-to-client-forwarding=yes comment=Inoptim-WIFI local-forwarding=yes name=VLAN1 vlan-id=1 vlan-mode=use-tag
add comment=Inoptim-GUEST local-forwarding=yes name=VLAN2 vlan-id=2 vlan-mode=use-tag
/caps-man configuration
add country=italy datapath=VLAN2 mode=ap name=VLAN2 ssid=Inoptim-GUEST
/caps-man interface
add comment=2Ghz disabled=no l2mtu=1600 mac-address=74:4D:28:12:9D:22 master-interface=none name=InoptimAP1 radio-mac=74:4D:28:12:9D:22 radio-name=744D28129D22
add comment=5Ghz disabled=no l2mtu=1600 mac-address=74:4D:28:12:9D:23 master-interface=none name=InoptimAP2 radio-mac=74:4D:28:12:9D:23 radio-name=744D28129D23
/caps-man security
add authentication-types=wpa-psk,wpa2-psk comment=Inoptim-WIFI encryption=aes-ccm group-encryption=aes-ccm name=VLAN1
/caps-man configuration
add country=italy datapath=VLAN1 mode=ap name=VLAN1 security=VLAN1 ssid=Inoptim-WIFI
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes require-peer-certificate=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=VLAN1 name-format=prefix name-prefix=InoptimAP radio-mac=74:4D:28:12:9D:23 slave-configurations=VLAN2
add action=create-dynamic-enabled master-configuration=VLAN1 name-format=prefix name-prefix=InoptimAP radio-mac=74:4D:28:12:9D:22 slave-configurations=VLAN2
add action=create-dynamic-enabled disabled=yes identity-regexp=InoptimAP* master-configuration=VLAN1

Client

# apr/16/2019 16:28:48 by RouterOS 6.42.10
#
# model = RouterBOARD cAP Gi-5acD2nD
/interface bridge
add admin-mac=74:4D:28:12:9D:20 auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 2442/20-Ce/gn(30dBm), SSID: , CAPsMAN forwarding
set [ find default-name=wlan1 ] mode=bridge name=Inoptim-WIFI ssid=NamaWifi
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac(17dBm), SSID: , CAPsMAN forwarding
set [ find default-name=wlan2 ] name="Inoptim-WIFI 5GHz" ssid=NamaWifi
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool0 ranges=10.2.10.2-10.2.10.254
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=Inoptim-WIFI
add bridge=bridge comment=defconf interface="Inoptim-WIFI 5GHz"
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface="Inoptim-WIFI 5GHz" list=LAN
add interface=Inoptim-WIFI list=LAN
/interface wireless cap
# 
set bridge=bridge caps-man-certificate-common-names=CAPsMAN-000C298C1D06 certificate=CAP-7F36728D1D5E discovery-interfaces=bridge enabled=yes interfaces="Inoptim-WIFI,Inoptim-WIFI 5GHz" lock-to-caps-man=yes
/ip address
add address=10.2.25.241/24 interface=ether1 network=10.2.25.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=bridge
/ip dhcp-server network
add address=10.2.10.0/24 dns-server=10.2.10.1 gateway=10.2.10.1
/ip dns
set servers=10.2.25.250
/ip route
add distance=1 gateway=10.2.25.254
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=NamaWifi
/system routerboard settings
set silent-boot=no
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf name=dark-mode owner=*sys policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "\r\
    \n   :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n     /system leds settings set all-leds-off=immediate \r\
    \n   } else={\r\
    \n     /system leds settings set all-leds-off=never \r\
    \n   }\r\
    \n "

Okay, there are a few things which are odd in my opinion.

First: You specify the slave-configurations in your provisioning rule:

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=VLAN1 name-format=prefix name-prefix=InoptimAP radio-mac=74:4D:28:12:9D:23 slave-configurations=VLAN2
add action=create-dynamic-enabled master-configuration=VLAN1 name-format=prefix name-prefix=InoptimAP radio-mac=74:4D:28:12:9D:22 slave-configurations=VLAN2

but there is no “VLAN2” configuration in your capsman config, just “VLAN1”:

/caps-man configuration
add country=italy datapath=VLAN1 mode=ap name=VLAN1 security=VLAN1 ssid=Inoptim-WIFI

Secondly, the datapath options on your capsmanager are normally not needed when using “local-forwarding” (see: https://wiki.mikrotik.com/wiki/Manual:CAPsMAN#Datapath_Configuration).
You should set the bridge that your wifi interfaces should be added to on your clients under /int wire cap, for example: “/int wire cap set bridge=bridge”. Additionally, you should not add the wifi interfaces manually to your bridge on your clients:

/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=Inoptim-WIFI
add bridge=bridge comment=defconf interface="Inoptim-WIFI 5GHz"

Please delete those two interfaces from that bridge since they will get added dynamically when the client connects to capsman and the configuration has implemented the “bridge-setting” under /int wire cap.

I need to mention that I’m not sure if the VLAN configuration will work with local forwarding! Maybe you will need to use capsman-forwarding. Not sure, since we don’t use client-forwarding with VLAN in our setups.


After you have made the changes, please reconnect the client to your capsmanager and try it again.

Edit: One more thing: I would suggest using the same software version on both (manager has 6.44.2, client has 6.42.10 in your case).
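
Added example, not part of any post in this thread: a Python check over RouterOS exports for the two issues raised in the last reply, namely provisioning rules that name a configuration that is not defined, and wireless interfaces added by hand to a bridge on the CAP. The sample exports are constructed in the shape of the ones posted above, the function names are hypothetical, and a menu that appears more than once in an export is merged before checking.

```python
import re

# Constructed samples in the shape of the exports posted in this thread.
MANAGER_EXPORT = """\
/caps-man configuration
add country=italy datapath=VLAN1 mode=ap name=VLAN1 security=VLAN1 ssid=Inoptim-WIFI
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=VLAN1 radio-mac=74:4D:28:12:9D:23 slave-configurations=VLAN2
add action=create-dynamic-enabled master-configuration=VLAN1 radio-mac=74:4D:28:12:9D:22 slave-configurations=VLAN2
"""
CAP_EXPORT = """\
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface="Inoptim-WIFI 5GHz"
/interface wireless cap
set bridge=bridge enabled=yes interfaces="Inoptim-WIFI,Inoptim-WIFI 5GHz"
"""

def parse_export(text):
    """Return {menu path: [dict of key=value pairs per add/set line]}."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            # The same menu may be listed twice in one export; merge the entries.
            current = menus.setdefault(line, [])
        elif current is not None and line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            current.append({k: v.strip('"') for k, v in pairs})
    return menus

def undefined_configurations(manager_text):
    """Configuration names used by provisioning rules but never defined."""
    menus = parse_export(manager_text)
    defined = {c.get("name") for c in menus.get("/caps-man configuration", [])}
    used = set()
    for rule in menus.get("/caps-man provisioning", []):
        used.add(rule.get("master-configuration"))
        used.update(filter(None, rule.get("slave-configurations", "").split(",")))
    return sorted(n for n in used - defined if n)

def static_ports_on_managed_radios(cap_text):
    """Bridge ports added by hand for interfaces that CAPsMAN manages."""
    menus = parse_export(cap_text)
    managed = set()
    for cap in menus.get("/interface wireless cap", []):
        managed.update(cap.get("interfaces", "").split(","))
    ports = {p.get("interface") for p in menus.get("/interface bridge port", [])}
    return sorted(ports & managed)
```

Run both functions on the full text of each export: an empty list from each means the provisioning references resolve and no managed radio has a static bridge port.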