kris11
December 9, 2021, 7:36am
1
I’m configuring a hotspot on our new CRS328-24P-4S+ router. The hotspot is a slave configuration without any security configured:
[admin@MikroTik] /caps-man configuration<SAFE> export hide-sensitive
# dec/09/2021 08:33:16 by RouterOS 6.48.5
# software id = Z28R-MV5A
#
# model = CRS328-24P-4S+
/caps-man configuration
add country=hungary datapath.bridge=bridge datapath.vlan-mode=no-tag name=Config_WORK security.authentication-types=wpa-psk,wpa2-psk ssid=budavar-iroda
add country=hungary datapath.bridge=bridge datapath.vlan-id=20 datapath.vlan-mode=use-tag name=media security.authentication-types=wpa2-psk ssid=budavar-media
add country=hungary datapath.bridge=bridge datapath.vlan-id=30 datapath.vlan-mode=use-tag name=office security.authentication-types=wpa2-psk ssid=budavar-office
add country=hungary datapath.bridge=bridge datapath.vlan-id=10 datapath.vlan-mode=use-tag name=hotspot security.authentication-types="" ssid=budavar-hotspot
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Config_WORK slave-configurations=hotspot,media,office
The three networks with security enabled work without any issue, only connection to the hotspot WLAN is not possible.
Any ideas what this can be?
Good morning again,
This is wrong:
add country=hungary datapath.bridge=bridge datapath.vlan-id=10 datapath.vlan-mode=use-tag name=hotspot security.authentication-types=""
The export should be:
add country=hungary datapath.bridge=bridge datapath.vlan-id=10 datapath.vlan-mode=use-tag name=hotspot
kris11
December 9, 2021, 11:48am
3
Unfortunately it still doesn’t fly, I need to massage it further.
NetworkManager keeps re-connecting:
Dec 9 12:27:41 capella wpa_supplicant[782]: wlp1s0: SME: Trying to authenticate with de:2c:6e:0c:0b:e2 (SSID='budavar-hotspot' freq=2412 MHz)
Dec 9 12:27:41 capella kernel: [154636.306652] wlp1s0: authenticate with de:2c:6e:0c:0b:e2
Dec 9 12:27:41 capella NetworkManager[166577]: [1639049261.0503] device (wlp1s0): supplicant interface state: scanning -> authenticating
Dec 9 12:27:41 capella NetworkManager[166577]: [1639049261.0504] device (p2p-dev-wlp1s0): supplicant management interface state: scanning -> authenticating
Dec 9 12:27:41 capella kernel: [154636.327059] wlp1s0: send auth to de:2c:6e:0c:0b:e2 (try 1/3)
Dec 9 12:27:41 capella wpa_supplicant[782]: wlp1s0: Trying to associate with de:2c:6e:0c:0b:e2 (SSID='budavar-hotspot' freq=2412 MHz)
Dec 9 12:27:41 capella NetworkManager[166577]: [1639049261.0776] device (wlp1s0): supplicant interface state: authenticating -> associating
Dec 9 12:27:41 capella NetworkManager[166577]: [1639049261.0777] device (p2p-dev-wlp1s0): supplicant management interface state: authenticating -> associating
Dec 9 12:27:41 capella kernel: [154636.354061] wlp1s0: authenticated
Dec 9 12:27:41 capella kernel: [154636.357596] wlp1s0: associate with de:2c:6e:0c:0b:e2 (try 1/3)
Dec 9 12:27:41 capella kernel: [154636.394435] wlp1s0: RX AssocResp from de:2c:6e:0c:0b:e2 (capab=0x401 status=0 aid=1)
Dec 9 12:27:41 capella wpa_supplicant[782]: wlp1s0: Associated with de:2c:6e:0c:0b:e2
Dec 9 12:27:41 capella wpa_supplicant[782]: wlp1s0: CTRL-EVENT-CONNECTED - Connection to de:2c:6e:0c:0b:e2 completed [id=0 id_str=]
Dec 9 12:27:41 capella kernel: [154636.419764] wlp1s0: associated
Dec 9 12:27:41 capella wpa_supplicant[782]: bgscan simple: Failed to enable signal strength monitoring
Dec 9 12:27:41 capella wpa_supplicant[782]: wlp1s0: CTRL-EVENT-SUBNET-STATUS-UPDATE status=0
Dec 9 12:27:41 capella NetworkManager[166577]: [1639049261.1498] device (wlp1s0): supplicant interface state: associating -> completed
Dec 9 12:27:41 capella NetworkManager[166577]: [1639049261.1499] device (wlp1s0): Activation: (wifi) Stage 2 of 5 (Device Configure) successful. Connected to wireless network "budavar-hotspot"
Dec 9 12:27:41 capella NetworkManager[166577]: [1639049261.1500] device (p2p-dev-wlp1s0): supplicant management interface state: associating -> completed
Dec 9 12:27:41 capella NetworkManager[166577]: [1639049261.1519] device (wlp1s0): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')
Dec 9 12:27:41 capella NetworkManager[166577]: [1639049261.1529] dhcp4 (wlp1s0): activation: beginning transaction (timeout in 45 seconds)
Dec 9 12:27:41 capella avahi-daemon[743]: Joining mDNS multicast group on interface wlp1s0.IPv6 with address fe80::6c54:41f9:86e4:30c.
Dec 9 12:27:41 capella avahi-daemon[743]: New relevant interface wlp1s0.IPv6 for mDNS.
Dec 9 12:27:41 capella avahi-daemon[743]: Registering new address record for fe80::6c54:41f9:86e4:30c on wlp1s0.*.
and then
Dec 9 12:28:26 capella NetworkManager[166577]: [1639049306.5909] dhcp4 (wlp1s0): request timed out
Dec 9 12:28:26 capella NetworkManager[166577]: [1639049306.5911] dhcp4 (wlp1s0): state changed unknown -> timeout
Dec 9 12:28:26 capella NetworkManager[166577]: [1639049306.5913] device (wlp1s0): state change: ip-config -> failed (reason 'ip-config-unavailable', sys-iface-state: 'managed')
Dec 9 12:28:26 capella NetworkManager[166577]: [1639049306.5943] device (wlp1s0): Activation: failed for connection 'budavar-hotspot'
Dec 9 12:28:26 capella NetworkManager[166577]: [1639049306.5951] device (wlp1s0): state change: failed -> disconnected (reason 'none', sys-iface-state: 'managed')
Dec 9 12:28:26 capella avahi-daemon[743]: Withdrawing address record for fe80::6c54:41f9:86e4:30c on wlp1s0.
Dec 9 12:28:26 capella avahi-daemon[743]: Leaving mDNS multicast group on interface wlp1s0.IPv6 with address fe80::6c54:41f9:86e4:30c.
Dec 9 12:28:26 capella avahi-daemon[743]: Interface wlp1s0.IPv6 no longer relevant for mDNS.
Dec 9 12:28:26 capella NetworkManager[166577]: [1639049306.6682] dhcp4 (wlp1s0): canceled DHCP transaction
Dec 9 12:28:26 capella NetworkManager[166577]: [1639049306.6683] dhcp4 (wlp1s0): state changed timeout -> done
Dec 9 12:28:26 capella kernel: [154681.946485] wlp1s0: deauthenticating from de:2c:6e:0c:0b:e2 by local choice (Reason: 3=DEAUTH_LEAVING)
Dec 9 12:28:26 capella wpa_supplicant[782]: wlp1s0: CTRL-EVENT-DISCONNECTED bssid=de:2c:6e:0c:0b:e2 reason=3 locally_generated=1
Dec 9 12:28:26 capella NetworkManager[166577]: [1639049306.6883] device (wlp1s0): supplicant interface state: completed -> disconnected
Dec 9 12:28:26 capella wpa_supplicant[782]: wlp1s0: CTRL-EVENT-REGDOM-CHANGE init=CORE type=WORLD
Dec 9 12:28:26 capella NetworkManager[166577]: [1639049306.6883] device (p2p-dev-wlp1s0): supplicant management interface state: completed -> disconnected
But I assume it can be something beyond DHCP, as if I manually assign an IP to the wireless interface on the workstation, it still cannot communicate.
And what I see is that the dynamic cap appears on /interface bridge vlan 10 so the router sees that the workstation is connected.
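Added example (not part of the original post, and not code from any project mentioned here): a small Python triage over five of the syslog lines quoted above. It separates the 802.11 association stage from the DHCP stage and checks whether the final deauthentication came from the client. The function name `triage` and the verdict strings are illustrative choices.

```python
import re

# Five lines copied from the syslog excerpt quoted in the post above.
SAMPLE_LOG = """\
Dec 9 12:27:41 capella wpa_supplicant[782]: wlp1s0: Associated with de:2c:6e:0c:0b:e2
Dec 9 12:27:41 capella wpa_supplicant[782]: wlp1s0: CTRL-EVENT-CONNECTED - Connection to de:2c:6e:0c:0b:e2 completed [id=0 id_str=]
Dec 9 12:27:41 capella NetworkManager[166577]: [1639049261.1529] dhcp4 (wlp1s0): activation: beginning transaction (timeout in 45 seconds)
Dec 9 12:28:26 capella NetworkManager[166577]: [1639049306.5909] dhcp4 (wlp1s0): request timed out
Dec 9 12:28:26 capella wpa_supplicant[782]: wlp1s0: CTRL-EVENT-DISCONNECTED bssid=de:2c:6e:0c:0b:e2 reason=3 locally_generated=1
"""

WPA_EVENT = re.compile(r"wpa_supplicant\[\d+\]: (\S+): (CTRL-EVENT-[A-Z-]+)(.*)")
# The "<info>" style level tag is optional so raw journal lines also match.
NM_DHCP = re.compile(r"NetworkManager\[\d+\]: (?:<\w+>\s+)?\[(\d+\.\d+)\] dhcp4 \((\S+)\): (.*)")


def triage(log_text, iface="wlp1s0"):
    """Summarise one connection attempt: did 802.11 association or DHCP fail?"""
    s = {"associated": False, "dhcp_start": None, "dhcp_timeout": None,
         "deauth_reason": None, "client_initiated": None}
    for line in log_text.splitlines():
        m = WPA_EVENT.search(line)
        if m and m.group(1) == iface:
            event, rest = m.group(2), m.group(3)
            if event == "CTRL-EVENT-CONNECTED":
                s["associated"] = True
            elif event == "CTRL-EVENT-DISCONNECTED":
                reason = re.search(r"reason=(\d+)", rest)
                local = re.search(r"locally_generated=(\d)", rest)
                s["deauth_reason"] = int(reason.group(1)) if reason else None
                # Absent flag means the AP sent the deauth/disassoc frame.
                s["client_initiated"] = bool(local and local.group(1) == "1")
        m = NM_DHCP.search(line)
        if m and m.group(2) == iface:
            ts, msg = float(m.group(1)), m.group(3)
            if msg.startswith("activation: beginning transaction"):
                s["dhcp_start"] = ts
            elif msg == "request timed out":
                s["dhcp_timeout"] = ts
    if not s["associated"]:
        s["verdict"] = "802.11: association never completed"
    elif s["dhcp_timeout"] is not None:
        s["verdict"] = "IP layer: associated, but DHCP got no reply"
    else:
        s["verdict"] = "no failure seen in this excerpt"
    return s

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On these lines the result shows a completed association, a DHCP wait that matches the 45-second timeout, and a client-initiated deauthentication with reason 3, so the access point did not reject the client.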
kris11
December 9, 2021, 3:03pm
4
The difficult thing is that if I enable authentication then all of a sudden it starts working. Connection, DHCP, everything.
Very strange.
kris11
December 9, 2021, 3:38pm
5
I tried to add an access list in CAPsMAN that lets any MAC connect… no success
I sniffed traffic on the dynamic cap interface… only IPv6 traffic, nothing relevant, even DHCP requests don’t turn up
I tried disabling all configurations except hotspot (maybe you can’t have configs with and without authentication at the same time)… no success
Good evening Kris,
I wasn’t able to reproduce the error…
I was able to connect to the “unsecure” network and get an IP address.
Could you maybe export the configuration again?
(/export hide-sensitive file=anynameyouwish)
kris11
December 10, 2021, 6:56am
7
Thanks for looking at this!
This morning I was thinking about upgrading the router to 7.x stable
mikrotik_20211210.rsc (6.46 KB)
kris11
December 10, 2021, 5:35pm
8
Today’s update: I still couldn’t connect from the workstation, but all of a sudden I saw a client out of the blue in the DHCP leases… meaning for some clients it works ?!
I’d say let’s park this now, I’ll need to arrange somebody on site to debug this with me.
kris11
April 5, 2022, 8:24am
10
So this topic is still with me, interestingly it impacts only Ubuntu/Linux clients, various mobile devices can connect.
Again:
as soon as I change the network security in CAPsMAN, everything works
there is traffic on the interfaces on the Linux box, I see both RX/TX increasing
with tcpdump I see unanswered ARPs/DHCP initiated by the Linux box, not answered by the router
I see router LLDP as well
I know it is most probably something Linux related, but any hints are appreciated.
kris11
April 9, 2022, 7:32pm
11
Apparently Android and Windows devices can connect to the hotspot, only iOS and Linux devices have the problem. I did some sniffing, but it didn’t help too much:
DHCP client packets cannot be seen on the router
If I manually assign IP I see the incoming packets on the router but nothing is sent back
I clearly see the device in the CAPsMAN registration table.
If it was a firewall issue then how can it be that other OS/devices work well?
I’m totally clueless.