I’m testing out CAPsMAN… As it seems to introduce a single point of failure (if the CAPsMAN goes down, all CAPs are disabled), I’m trying to set up a second CAPsMAN. The idea is that the CAPs will use the second one when the primary goes down.
So I did /capsman export compact on the one running, using that to configure the second.
I let the second one generate new certificates.
Now when the CAPs try to connect to the second CAPsMAN, they log:
CAP selected CAPsMAN MenCAP (6C:3B:6B:B4:C4:19/7/0)
CAP connect to CAPsMAN MenCAP (6C:3B:6B:B4:C4:19/7/0) failed: timeout
CAP failed to join MenCAP (6C:3B:6B:B4:C4:19/7/0)
This happens whether the CAP is set to use the cert issued by the first CAPsMAN or is set to request a cert.
So I tried to export both CAPsMAN certificates and the CAP certificate from the first CAPsMAN. Now, when I import those certs on the second, they don’t get flagged with ‘K’. I guess that’s the source of the other issue:
When the second CAPsMAN is set to use the certs from the first CAPsMAN, the CAPs log:
CAP selected CAPsMAN MenCAP (6C:3B:6B:B4:C4:19/7/0)
CAP connect to CAPsMAN MenCAP (6C:3B:6B:B4:C4:19/7/0) failed: handshake failed: self signed certificate in certificate chain (6)
CAP failed to join MenCAP (6C:3B:6B:B4:C4:19/7/0)
What I’ve done is export the cert from the first CAPsMAN, including the key. It turns out that export-passphrase is the trick to include the key when exporting a cert. My mistake in that matter was thinking that there’s no need for an export-passphrase in my test setup. Then I set the second CAPsMAN to use this CA cert and auto-generate its own cert. When auto had generated the cert, I changed the cert setting from auto to the new cert.
On the CAP I changed cert from ‘request’ to the cert it got when it first connected to the primary CAPsMAN.
So far I haven’t run into any problems with this. I’ll assume things will be messed up if I set up a new CAP while the master CAPsMAN is down. I’m not even going to test that.
Feature request for WinBox: put a note in the export dialog box stating that a passphrase is required to export with the key.
I had the same concern while planning to have redundant CAPsMAN. The solution worked for me! Thanks a lot.
It is good to have the certificate and lock-to-CAPsMAN feature on. For example, I had an issue where 3 controllers were in the same network due to customer limitations, and APs roamed randomly between all CAPsMANs as it is discovery based.
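The procedure described in the thread (export the CA with its key using export-passphrase, import it on the second CAPsMAN, let that manager generate its own certificate and then pin it, and point the CAP at the certificate it was issued by the primary), plus the lock-to-CAPsMAN setting mentioned in the last reply, written out as RouterOS CLI. This is an added example, not configuration posted by anyone in the thread; the certificate names, addresses, interface name and passphrase are constructed placeholders.

```routeros
# Added example (not from the thread). Names, addresses, interface and
# passphrase are constructed placeholders; adjust them to your setup.

# --- Primary CAPsMAN --------------------------------------------------------
# Export the CA certificate together with its private key. Without
# export-passphrase RouterOS writes only the public certificate, which is why
# the copy imported on the second CAPsMAN never showed the K (private key) flag.
/certificate export-certificate CAPsMAN-CA type=pem export-passphrase="use-a-long-passphrase-here"
# This produces cert_export_CAPsMAN-CA.crt and cert_export_CAPsMAN-CA.key under
# /file; copy both files to the second CAPsMAN (WinBox Files or SFTP).

# --- Second CAPsMAN ---------------------------------------------------------
# Import certificate and key; the same passphrase unlocks the key file.
/certificate import file-name=cert_export_CAPsMAN-CA.crt passphrase="use-a-long-passphrase-here"
/certificate import file-name=cert_export_CAPsMAN-CA.key passphrase="use-a-long-passphrase-here"
# Check: the flags column must now show K (and A, since it is a CA certificate).
/certificate print where name~"CAPsMAN-CA"
# Give the imported entry a predictable name and hand it to the manager.
/certificate set [find name~"cert_export_CAPsMAN-CA"] name=CAPsMAN-CA
/caps-man manager set enabled=yes ca-certificate=CAPsMAN-CA certificate=auto
# Once the manager has generated its own certificate signed by that CA,
# pin it instead of leaving the setting at auto (read the name from print):
/caps-man manager print
/caps-man manager set certificate=<generated-cert-name>

# --- Each CAP ---------------------------------------------------------------
# Use the certificate the CAP was issued when it first joined the primary,
# list both managers explicitly, and (as the last reply suggests) lock the
# CAP so it does not roam to whichever CAPsMAN answers discovery first.
/interface wireless cap set enabled=yes certificate=<cert-issued-by-primary> \
    caps-man-addresses=192.0.2.1,192.0.2.2 discovery-interfaces=bridge \
    lock-to-caps-man=yes
# Caveat (assumption, verify on your RouterOS version): lock-to-caps-man
# records the first manager the CAP joined. Check /interface wireless cap print
# and confirm a failover to the second manager is still accepted before
# relying on it.
```

Run the primary and secondary sections on the respective managers; the `/certificate print` check is the quick way to tell whether the key actually travelled with the certificate before touching the CAPsMAN settings.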