CAPsMAN ->WPA2-EAP->NPS MS Certificates=doesn't work

Santim · December 19, 2017, 7:15am

Good morning!
There is a task to organize WiFi roaming, WPA2 EAP with authorization on Windows 2012 NPS (certificate authorization), everything was configured on a test environment on one Mikrotik, without CAPsMAN, and everything worked fine, but if the same settings apply to the profile on the capsman, the client receives IP, in the NPS logs "Network Policy Server is granted access to a user.", BUT there is no connection to the network (even to Mikrotik). Once I remove the CAPsMAN, the connection appears.
I would be grateful for any help!
config with a test microtik (ssid test works, when you turn on capsman ssid test1 does not work as it should):

nov/21/2017 15:25:06 by RouterOS 6.40.3

software id = 8DXE-SL0U

model = 951Ui-2HnD

serial number = 4AC704232693

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2427 name=channel1
/interface bridge
add admin-mac=4C:5E:0C:7A:C4:98 auto-mac=no fast-forward=no name=bridgeLocal
/interface ethernet
set [ find default-name=ether1 ]
/caps-man interface
add disabled=no mac-address=64: D1:54:71:3E:89 master-interface=none name=cap1
radio-mac=64: D1:54:71:3E:89
/caps-man datapath
add bridge=bridgeLocal client-to-client-forwarding=yes local-forwarding=no
name=datapath1
/caps-man security
add authentication-types=wpa2-eap eap-methods=passthrough
eap-radius-accounting=yes encryption=tkip name=wpa2
/caps-man configuration
add channel=channel1 country=russia datapath=datapath1 mode=ap name=cfg1
rx-chains=0,1,2 security=wpa2 ssid=test1 tx-chains=0,1,2
/interface wireless security-profiles
add authentication-types=wpa2-eap group-ciphers=tkip mode=dynamic-keys name=
test supplicant-identity="" unicast-ciphers=tkip
/interface wireless

managed by CAPsMAN

channel: 2427/20-Ce/gn(20dBm), SSID: test1, CAPsMAN forwarding

set [ find default-name=wlan1 ] country=russia frequency=2462 mode=ap-bridge
security-profile=test ssid=test wps-mode=disabled
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1 name-format=
prefix-identity name-prefix=CAP_
/interface bridge port
add bridge=bridgeLocal interface=ether2
add bridge=bridgeLocal interface=ether3
add bridge=bridgeLocal interface=ether4
add bridge=bridgeLocal interface=ether5
add bridge=bridgeLocal interface=wlan1
add bridge=bridgeLocal interface=cap1
/interface wireless cap

set bridge=bridgeLocal caps-man-addresses=192.168.11.244 enabled=yes
interfaces=wlan1
/ip address
add address=192.168.11.244/24 interface=bridgeLocal network=192.168.11.0
add address=192.168.11.244/24 disabled=yes interface=ether1 network=
192.168.11.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid interface=ether1
add dhcp-options=hostname,clientid interface=bridgeLocal
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/radius
add address=192.168.1.1 secret=xxxxxxx service=wireless
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Moscow
/system ntp client
set enabled=yes primary-ntp=192.168.1.1