CAPsMAN Provisioning Not sending SSID's - SOLVED

Hi there,

To start, I’m a beginner with general knowledge of RouterOS setups, and I’m learning as I go.

I have the following setups:

Mikrotik RB5009UPr+S+ Router connected to an external LTE router, I’m using the RB5009 router to manage my local home / office network.
Mikrotik NetMetal AX - for outdoor long-range WiFi
cAP ax - for my Office
wAP ax - for Wifi on my patio
Mikrotik OmniTIK 5 PoE ac - This I will be using as a POE switch outdoor for some cameras as well as a WiFi ap for my workers

I’m also using my RB5009 Router as the CAPsMAN to manage my Wifi on the above ap’s. But this is where I need additional assistance. The normal Wifi works but I want to add extra WiFi SSID’s to only 2 devices and this is not working. These are my Wifi SSID’s I need

All AX Devices to have the WiFi 6 configs - This is working 100% on all the AX devices

cfg_WiFi2GHz_AX - SSID “KoekiesWiFi” (Master)
cfg_WiFi5GHz_AX - SSID “KoekiesWiFi” (Master)
Appliance2G - SSID “Appliance2G” (Slave)

THIS PORTION IS NOT WORKING
Now I need to add 1 additional SSID to the 1 cAP ax - for my Office / Home

cfg_WiFi5GHz_AX_5G_Office - SSID - “KoekiesWiFiOffice” (Slave) - I used the IP Address in the Provision to only provision to this AP this SSID

I also tried to send a dedicated config to the Omnitik, but the Omnitik is not receiving any SSID’s, but must only get the following config:

WekersWiFi - SSID - Outdoor5G (Master) - I used the IP Address in the Provision to only provision to this AP this SSID

Please help by telling me where and what I did wrong. Below are the scripts from my router and the Omnitik. I’m using Winbox to set up everything.

Router

# 2025-02-26 17:26:36 by RouterOS 7.17.2
# software id = FC9Z-1KWF
#
# model = RB5009UPr+S+
# serial number = 
/interface bridge
add name=bridge1
/interface ethernet
# poe-out status: voltage_too_high
set [ find default-name=ether1 ] comment=WAN name="ether1[internet]"
/interface wifi channel
add band=2ghz-ax disabled=no frequency=2412,2432,2472 name="2Ghz AX" width=\
    20mhz
add band=5ghz-ax disabled=no frequency=5130-5850 name="5Ghz AX" width=\
    20/40/80mhz
add band=5ghz-n disabled=no name=5G width=20/40/80mhz
/interface wifi datapath
add bridge=bridge1 disabled=no name=datapath1
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=secKoekWiFi
/interface wifi configuration
add channel="2Ghz AX" country="South Africa" datapath=datapath1 disabled=no \
    mode=ap name=cfg_WiFi2GHz_AX security=secKoekWiFi ssid=KoekiesWiFi \
    station-roaming=no
add channel="5Ghz AX" country="South Africa" datapath=datapath1 disabled=no \
    mode=ap name=cfg_WiFi5GHz_AX security=secKoekWiFi security.connect-group=\
    "" ssid=KoekiesWiFi
add channel="5Ghz AX" country="South Africa" datapath=datapath1 disabled=no \
    mode=ap name=cfg_WiFi5GHz_AX_5G_Office security=secKoekWiFi ssid=\
    KoekiesWiFiOffice station-roaming=no
add channel="2Ghz AX" country="South Africa" datapath=datapath1 disabled=no \
    mode=ap name=Appliance2G security=secKoekWiFi ssid=Appliance2G
add channel=5G channel.frequency=2300-7300 country="South Africa" datapath=\
    datapath1 disabled=no mode=ap name=WekersWiFi security=secKoekWiFi ssid=\
    Outdoor5G
/ip pool
add name=dhcp_pool0 ranges=192.168.11.100-192.168.11.199
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1 lease-time=8h name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp-sfpplus1
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ovpn-server server
add mac-address=FE:CF:53:3F:1E:27 name=ovpn-server1
/interface wifi capsman
set ca-certificate=none certificate=auto enabled=yes interfaces=all \
    package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled comment="Wifi Settings 5G" disabled=no \
    master-configuration=cfg_WiFi5GHz_AX supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="Wifi Settings 2G" disabled=no \
    master-configuration=cfg_WiFi2GHz_AX slave-configurations=Appliance2G \
    supported-bands=2ghz-ax
add action=create-dynamic-enabled address-ranges=192.168.11.41- comment=\
    "Office 5G" disabled=no slave-configurations=cfg_WiFi5GHz_AX_5G_Office \
    supported-bands=5ghz-ax
add action=create-dynamic-enabled address-ranges=192.168.11.45- comment=\
    "Wekers 5G" disabled=no master-configuration=WekersWiFi
/ip address
add address=192.168.11.1/24 comment="LAN IP" interface=bridge1 network=\
    192.168.11.0
/ip dhcp-client
add comment="Internet WAN" interface="ether1[internet]"
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.1
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-nat-state="" connection-state=\
    invalid
add action=drop chain=forward connection-mark="" connection-nat-state=!dstnat \
    connection-state=new in-interface="ether1[internet]"
/ip firewall nat
add action=masquerade chain=srcnat comment="Internet Connection Rule" \
    out-interface="ether1[internet]"
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip kid-control
add name=Mariska
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="MikroTik Router"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes enabled=yes
/system ntp client servers
add address=0.pool.ntp.org
add address=1.pool.ntp.org
add address=time.google.com
/system scheduler
add interval=1d name="Daily Reboot" policy=reboot start-date=2025-02-26 \
    start-time=01:30:00

Omnitik

# 2025-02-23 11:14:28 by RouterOS 7.18
# software id = 2BNL-80T8
#
# model = RBOmniTikPG-5HacD
# serial number = *****
/interface bridge
add name=bridge1
/interface wireless
set [ find default-name=wlan1 ] disabled=no ssid=""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=all
/interface wifi cap
set caps-man-addresses=192.168.11.1 enabled=yes
/interface wireless cap
set bridge=bridge1 caps-man-addresses=192.168.11.1 interfaces=wlan1
/ip address
add address=192.168.11.45/24 interface=bridge1 network=192.168.11.0
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="WerkersWifi\
    \n"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.11.1

You are mixing things up.

There is no such thing as “cAP ac AX”, it is cAP ac or cAP XL ac or cAP ax. Basically same applies for “wAP ac AX”.

There are two versions of drivers. Wireless (old) and WiFi (new). Both versions of drivers have their version of CAPsMAN. Wireless CAPsMAN and WiFi CAPsMAN.

WiFi CAPsMAN can not control devices with Wireless drivers and vice versa… You can use WiFi drivers on some older AC devices, but they must be based on ARM architecture. RBOmniTikPG-5HacD is not compatible…

You have configured WiFi CAPsMAN and you are trying to control Wireless device. That’s the issue.

Thank you for pointing out my typo on the AX, I have corrected it in my original post.

Your comment on the Omni explains why this does not work. I have set up the WiFi directly on this device and will manage it there. Thank you for explaining the reason.

Coming back to the cAP ax, why will the “1 additional SSID to the 1 cAP ax - for my Office / Home” not deploy when the other configs deployed to the units work? All the devices have the same firmware version 7.17.2 (RouterOS and WiFi), except the Omnitik, which has 7.18 (RouterOS and Wireless).

Below is my cAP ax script

# 2025-02-27 07:55:05 by RouterOS 7.17.2
# software id = WWE0-FFJ0
#
# model = cAPGi-5HaxD2HaxD
# serial number = 
/interface bridge
add name=bridge1
/interface wifi
# managed by CAPsMAN 192.168.11.1, traffic processing on CAP
# mode: AP, SSID: KoekiesWiFi, channel: 5680/ax/eCee/D
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    disabled=no
# managed by CAPsMAN 192.168.11.1, traffic processing on CAP
# mode: AP, SSID: KoekiesWiFi, channel: 2472/ax
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    disabled=no
/interface bridge port
add bridge=bridge1 interface=all
/interface wifi cap
set caps-man-addresses=192.168.11.1 enabled=yes
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no
/ip address
add address=192.168.11.41/24 interface=bridge1 network=192.168.11.0
/ip dhcp-client
add disabled=yes interface=bridge1
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="WiFi Kantoor"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.11.1
/system scheduler
add interval=1d name="Daily Reboot" policy=reboot start-date=2025-02-26 \
    start-time=02:00:00
/interface bridge port
add bridge=bridge1 interface=all

Change this from all to ether1 (or what name is used).
That should do the trick.

I made the change, but still it does not create the extra virtual SSID
Screenshot 2025-02-27 082910.png

# 2025-02-27 08:25:48 by RouterOS 7.17.2
# software id = WWE0-FFJ0
#
# model = cAPGi-5HaxD2HaxD
# serial number = 
/interface bridge
add name=bridge1
/interface wifi
# managed by CAPsMAN 192.168.11.1, traffic processing on CAP
# mode: AP, SSID: KoekiesWiFi, channel: 5680/ax/eCee/D
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap \
    disabled=no
# managed by CAPsMAN 192.168.11.1, traffic processing on CAP
# mode: AP, SSID: KoekiesWiFi, channel: 2472/ax
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap \
    disabled=no
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=wifi1
add bridge=bridge1 interface=wifi2
/interface wifi cap
set caps-man-addresses=192.168.11.1 enabled=yes
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no
/ip address
add address=192.168.11.41/24 interface=bridge1 network=192.168.11.0
/ip dhcp-client
add disabled=yes interface=bridge1
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name="WiFi Kantoor"
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.11.1
/system scheduler
add interval=1d name="Daily Reboot" policy=reboot start-date=2025-02-26 \
    start-time=02:00:00

this is what my Provisioning order looks like from a visual perspective.

Provisioning ID 0 & 1 works 100%, but ID-2, dedicated to only deploy to a specific IP does not deploy
Screenshot 2025-02-27 085446.png

If you want multiple SSID’s on an interface, you have to use “slave-configurations” besides “master-configuration” which is mandatory.
From the CAPsMAN documentation (https://help.mikrotik.com/docs/spaces/ROS/pages/224559120/WiFi#WiFi-CAPsMAN-CAPsimpleconfigurationexample:):

#create a security profile
/interface wifi security
add authentication-types=wpa3-psk name=sec1 passphrase=HaveAg00dDay

#create configuration profiles to use for provisioning
/interface wifi configuration
add country=Latvia name=5ghz security=sec1 ssid=CAPsMAN_5
add name=2ghz security=sec1 ssid=CAPsMAN2
add country=Latvia name=5ghz_v security=sec1 ssid=CAPsMAN5_v

#configure provisioning rules, configure band matching as needed
/interface wifi provisioning
add action=create-dynamic-enabled master-configuration=5ghz slave-configurations=5ghz_v supported-bands=\
    5ghz-n
add action=create-dynamic-enabled master-configuration=2ghz supported-bands=2ghz-n

#enable CAPsMAN service
/interface wifi capsman
set ca-certificate=auto enabled=yes

In your config you did:

add action=create-dynamic-enabled comment="Wifi Settings 5G" disabled=no \
    master-configuration=cfg_WiFi5GHz_AX supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="Wifi Settings 2G" disabled=no \
    master-configuration=cfg_WiFi2GHz_AX slave-configurations=Appliance2G \
    supported-bands=2ghz-ax
add action=create-dynamic-enabled address-ranges=192.168.11.41- comment=\
    "Office 5G" disabled=no slave-configurations=cfg_WiFi5GHz_AX_5G_Office \
    supported-bands=5ghz-ax

And should be something like:

add action=create-dynamic-enabled comment="Wifi Settings 5G" disabled=no \
    master-configuration=cfg_WiFi5GHz_AX slave-configurations=cfg_WiFi5GHz_AX_5G_Office supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="Wifi Settings 2G" disabled=no \
    master-configuration=cfg_WiFi2GHz_AX slave-configurations=Appliance2G \
    supported-bands=2ghz-ax

Or:

add action=create-dynamic-enabled comment="Wifi Settings 5G" disabled=no \
    master-configuration=cfg_WiFi5GHz_AX supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="Wifi Settings 2G" disabled=no \
    master-configuration=cfg_WiFi2GHz_AX slave-configurations=Appliance2G \
    supported-bands=2ghz-ax
add action=create-dynamic-enabled address-ranges=192.168.11.41- comment=\
    "Office 5G" disabled=no master-configuration=cfg_WiFi5GHz_AX_5G_Office \
    supported-bands=5ghz-ax

Where I would prefer, instead of using IP address, to use the MAC address of the CAP.
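
An added example, not part of any post in this thread and not MikroTik tooling: a small Python check over a RouterOS export that flags provisioning rules with no master-configuration (the fault diagnosed in the answer above) and, as a generalization, any rule that references a configuration name that does not exist. The `EXPORT` sample is constructed by trimming the router export posted earlier; the function names `section` and `lint` are hypothetical.

```python
import re
import shlex

# Constructed sample: trimmed from the router export posted in this thread.
EXPORT = r'''/interface wifi configuration
add name=cfg_WiFi2GHz_AX ssid=KoekiesWiFi
add name=cfg_WiFi5GHz_AX ssid=KoekiesWiFi
add name=cfg_WiFi5GHz_AX_5G_Office ssid=KoekiesWiFiOffice
add name=Appliance2G ssid=Appliance2G
/interface wifi provisioning
add action=create-dynamic-enabled comment="Wifi Settings 5G" disabled=no \
    master-configuration=cfg_WiFi5GHz_AX supported-bands=5ghz-ax
add action=create-dynamic-enabled comment="Wifi Settings 2G" disabled=no \
    master-configuration=cfg_WiFi2GHz_AX slave-configurations=Appliance2G \
    supported-bands=2ghz-ax
add action=create-dynamic-enabled address-ranges=192.168.11.41- comment=\
    "Office 5G" disabled=no slave-configurations=cfg_WiFi5GHz_AX_5G_Office \
    supported-bands=5ghz-ax
'''

def section(export, path):
    """Return one dict of properties per 'add' line under the given menu path."""
    # Exports wrap long lines with a trailing backslash followed by indentation.
    joined = re.sub(r"\\\n\s*", "", export)
    items, active = [], False
    for line in joined.splitlines():
        if line.startswith("/"):
            active = line.strip() == path
        elif active and line.startswith("add "):
            # shlex keeps quoted values such as comment="Office 5G" in one token
            items.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return items

def lint(export):
    """Flag provisioning rules that cannot create the interfaces they describe."""
    known = {c.get("name") for c in section(export, "/interface wifi configuration")}
    findings = []
    for idx, rule in enumerate(section(export, "/interface wifi provisioning")):
        label = rule.get("comment", f"rule {idx}")
        master = rule.get("master-configuration", "")
        slaves = [s for s in rule.get("slave-configurations", "").split(",") if s]
        if rule.get("action", "").startswith("create-") and not master:
            findings.append((idx, label, "missing master-configuration"))
        for ref in filter(None, [master, *slaves]):
            if ref not in known:
                findings.append((idx, label, f"unknown configuration {ref}"))
    return findings

if __name__ == "__main__":
    for finding in lint(EXPORT):
        print(finding)
```
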

OK, got it to work, but I don’t know if this is a bug or I’m using CAPsMAN wrong. This is what I have done:

1.) Added a master config and slave to the cAP ax provisioning record
2.) Removed the specific IP for the specific device and added the Radio MAC of the device. If I use the IP of the device, nothing happens. I sit with this problem: the virtual SSID to the 5G does not deploy, but when I delete the IP and capture the MAC, then it works.

So my next question is: is this a bug, or am I understanding the Address Ranges function incorrectly?
Screenshot 2025-02-27 162040.png
Screenshot 2025-02-27 160738.png

Address ranges only work when you set the cap device itself to search for controller using IP address.
If you let them find controller on their own, it will be using MAC.
And then those address ranges will not work.

Personally I always use MAC address to provision. Then I am sure about the radio as well.

Thank you. Yes, Radio does make more sense, as the IP can easily be changed as well.