Downgrading existing EAP config with VLANs to WPA2 PSK

Below you see my current configuration. Assignment of VLAN to user happens on the external radius server via Mikrotik-Wireless-VLANID.
There are problems with IoT devices and TV sets which do not support EAP authentication. I would like to downgrade at least one VLAN to WPA PSK. The VLAN should be selected by SSID.
Questions:
Is this possible?
Where in the config can I assign a VLAN to an SSID?
What are the steps to convert the config?

Current configuration


# oct/22/2023 13:14:22 by RouterOS 6.47.4
# software id = **ELIDED**
#
# model = RBcAPGi-5acD2nD
# serial number = **ELIDED**
# NOTE(review): this export comes from RouterOS 6.47.4; confirm the release still receives
# fixes before reworking the wireless setup on top of it.
# Channel definitions referenced by name from the /caps-man interface entries below.
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2412 name=2ghzCh1
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2432 name=2ghzCh5
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2437 name=2ghzCh6
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2452 name=2ghzCh9
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2462 name=2ghzCh11
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=2ghzCh13
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2484 name=2ghzCh14
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=eCee name=5ghz
# Single VLAN-aware bridge; the per-VLAN membership is in /interface bridge vlan further down.
/interface bridge
add igmp-snooping=yes name=vlanBridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="Tagged Uplink to switch"
set [ find default-name=ether2 ] comment="Optional link to other CAP"
/interface wireless
set [ find default-name=wlan1 ] ssid=CCC
set [ find default-name=wlan2 ] country=germany ssid=CCC wireless-protocol=nv2-nstreme-802.11
# Management address lives on VLAN 1 (see /ip address below).
/interface vlan
add comment=Management interface=vlanBridge name=vlan1 vlan-id=1
# local-forwarding=yes: client traffic is bridged on the CAP itself rather than tunnelled to the manager.
/caps-man datapath
add bridge=vlanBridge local-forwarding=yes name=path1
# WPA2-Enterprise profile: EAP is passed through to the RADIUS server defined under /radius,
# AES-CCM only, and the TLS peer certificate is verified (tls-mode=verify-certificate).
# This profile is referenced by name from masterConfig below, so removing it changes what
# that configuration enforces.
/caps-man security
add authentication-types=wpa2-eap disable-pmkid=yes eap-methods=passthrough encryption=aes-ccm group-encryption=aes-ccm name=wpa2-eap tls-certificate=radiusCert.p12_0 tls-mode=verify-certificate
# The only CAPsMAN configuration in this export: one SSID (CCC) using the wpa2-eap profile.
# No datapath.vlan-id is set here; the post states the VLAN comes from RADIUS per user.
/caps-man configuration
add country=germany datapath=path1 installation=any mode=ap multicast-helper=full name=masterConfig security=wpa2-eap ssid=CCC
# Statically defined CAP radios, all bound to masterConfig.
/caps-man interface
add channel=2ghzCh1 configuration=masterConfig disabled=no l2mtu=1600 mac-address=C4:AD:34:F5:4D:1E master-interface=none name=cap02_2 radio-mac=C4:AD:34:F5:4D:20 radio-name=C4:AD:34:F5:4D:20
add channel=5ghz configuration=masterConfig disabled=no l2mtu=1600 mac-address=C4:AD:34:F5:4D:1E master-interface=none name=cap02_5 radio-mac=C4:AD:34:F5:4D:21 radio-name=C4:AD:34:F5:4D:21
add channel=2ghzCh6 configuration=masterConfig disabled=no l2mtu=1600 mac-address=C4:AD:34:F5:4D:4E master-interface=none name=cap03_2 radio-mac=C4:AD:34:F5:4D:50 radio-name=cap03_2
add channel=5ghz configuration=masterConfig disabled=no l2mtu=1600 mac-address=C4:AD:34:F5:4D:4E master-interface=none name=cap03_5 radio-mac=C4:AD:34:F5:4D:51 radio-name=cap03_5
add channel=2ghzCh11 configuration=masterConfig disabled=no l2mtu=1600 mac-address=C4:AD:34:F5:43:BA master-interface=none name=cap04_2 radio-mac=C4:AD:34:F5:43:BC radio-name=cap04_2
add channel=5ghz configuration=masterConfig disabled=no l2mtu=1600 mac-address=C4:AD:34:F5:43:BA master-interface=none name=cap04_5 radio-mac=C4:AD:34:F5:43:BD radio-name=cap04_5
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Remote logging target in BSD syslog format.
# NOTE(review): presumably sent unencrypted; keep the path to 192.168.223.200 on a trusted
# management network, since the radius/caps topics selected below expose client details.
/system logging action
add bsd-syslog=yes name=syslog remote=192.168.223.200 target=remote
# RADIUS MAC-authentication format: the client MAC is sent as both username and password.
# NOTE(review): a MAC address is visible on the air and can be cloned, so this is an identifier,
# not a credential. Whether MAC authentication is queried at all depends on the access-list;
# the only rule below is a plain accept - confirm.
/caps-man aaa
set called-format=mac mac-mode=as-username-and-password
# Catch-all rule: empty ssid-regexp and signal-range=-120..120 match every client on every SSID.
# client-to-client-forwarding=yes lets stations on the same radio reach each other directly.
# NOTE(review): if IoT/TV devices move to a PSK SSID, consider a more specific rule for that
# SSID with client-to-client forwarding turned off.
/caps-man access-list
add action=accept allow-signal-out-of-range=10s client-to-client-forwarding=yes disabled=no signal-range=-120..120 ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat
# CAPs must present a certificate to join this manager (require-peer-certificate=yes).
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes require-peer-certificate=yes upgrade-policy=suggest-same-version
# Provisioning applies masterConfig only; no slave-configurations are listed, so as exported
# each radio is provisioned with a single SSID.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=masterConfig name-format=identity
/interface bridge port
add bridge=vlanBridge comment="Tagged Uplink to switch" interface=ether1
add bridge=vlanBridge comment="Optional link to other CAP" interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# VLANs 11-16 are tagged on both ethernet ports; VLAN 1 carries management.
/interface bridge vlan
add bridge=vlanBridge tagged=vlanBridge,vlan1 vlan-ids=1
add bridge=vlanBridge tagged=vlanBridge,ether1,ether2 vlan-ids=11
add bridge=vlanBridge tagged=vlanBridge,ether1,ether2 vlan-ids=12
add bridge=vlanBridge tagged=vlanBridge,ether1,ether2 vlan-ids=13
add bridge=vlanBridge tagged=vlanBridge,ether1,ether2 vlan-ids=14
add bridge=vlanBridge tagged=vlanBridge,ether1,ether2 vlan-ids=15
add bridge=vlanBridge tagged=vlanBridge,ether1,ether2 vlan-ids=16
# NOTE(review): wlan2 is a member of the WAN list although it is used as an AP radio; no
# firewall rules referencing these lists appear in this export - confirm this is intended.
/interface list member
add interface=wlan2 list=WAN
add interface=vlanBridge list=LAN
/ip address
add address=172.16.63.11/24 interface=vlan1 network=172.16.63.0
/ip dns
set servers=192.168.223.100
/ip route
add comment="Default IPv4 Route" distance=1 gateway=172.16.63.9
# Cleartext management services (telnet, ftp, www, api) are disabled; www-ssl is enabled and
# both TLS services are pinned to TLS 1.2.
# NOTE(review): api-ssl has no disabled=yes here, so it is presumably still enabled; ssh and
# winbox are not listed and are therefore at their defaults. No address= restriction is shown
# on any service - consider limiting management access to the management subnet.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl certificate=serverCert.pem_0 disabled=no tls-version=only-1.2
set api disabled=yes
set api-ssl certificate=serverCert.pem_0 tls-version=only-1.2
/ip ssh
set host-key-size=4096 strong-crypto=yes
/ipv6 address
add address=<some_ip6_prefix>:30::11 interface=vlan1
/ipv6 route
add comment="Default IPv6 Route" distance=1 gateway=<some_ip6_prefix>:30::c
# RADIUS server used for wireless authentication; the shared secret was elided by the poster.
# If RADIUS is retired after a move to PSK, remove this entry together with the /caps-man aaa
# settings rather than leaving an unused secret on the device.
/radius
add address=172.16.63.9 secret=**ELIDED** service=wireless src-address=172.16.63.11
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=cap01.wlan.<some FQDN>
# All selected topics go to the remote syslog action defined above.
/system logging
add action=syslog topics=caps
add action=syslog topics=radius
add action=syslog topics=info
add action=syslog topics=warning
add action=syslog topics=error
add action=syslog topics=critical
/system ntp client
set enabled=yes server-dns-names=<some FQDN>

Under /caps-man datapath

There are some examples in the official docs: https://wiki.mikrotik.com/wiki/Manual:CAPsMAN_with_VLANs

Thanks for responding and pointing me at the examples.

So the downgrade seems possible.

I still have to find out how this fits into my configuration.
Currently a firewall defines the VLANs and a switch connects them to the APs.
The firewall also does routing, DHCP and RADIUS.
If I move completely to WPA2 PSK I could remove RADIUS and move DHCP server
into CapsMan, which would make the config simpler.

As my RouterOS experience is some years old, I am still looking for tips.

My first naive approach was this:

# NOTE(review): in the original export masterConfig references security=wpa2-eap. Removing
# that profile may leave SSID CCC without any authentication, which would match the reported
# "connect without password" symptom - check with /caps-man configuration print before and after.
/caps-man security remove wpa2-eap

# Each "add" below defines one SSID and tags its traffic with a fixed VLAN
# (datapath.vlan-id together with datapath.vlan-mode=use-tag).
# NOTE(review): security.passphrase= is empty as posted (possibly elided by the poster). A PSK
# SSID needs a non-empty passphrase of 8-63 characters, ideally a different one per SSID so that
# one leaked IoT key does not expose the other VLANs.
# NOTE(review): wpa-psk next to wpa2-psk also enables legacy WPA, and no security.encryption is
# set here; keep wpa-psk only if a device really needs it, otherwise wpa2-psk with aes-ccm.
# NOTE(review): the provisioning rule in the original export lists only
# master-configuration=masterConfig, so these configurations are presumably never applied to
# a radio unless they are added there as slave-configurations - this would explain why the
# new SSIDs are not broadcast.
# NOTE(review): the continuation lines carry no trailing backslash as posted; presumably lost
# in forum formatting.
/caps-man configuration
add country=germany datapath.local-forwarding=yes datapath.vlan-id=12
datapath.vlan-mode=use-tag name=config:guests
security.authentication-types=wpa-psk,wpa2-psk
security.passphrase= ssid=CCC2
add country=germany datapath.local-forwarding=yes datapath.vlan-id=13
datapath.vlan-mode=use-tag name=config:MC3
security.authentication-types=wpa-psk,wpa2-psk
security.passphrase= ssid=CCC3
add country=germany datapath.local-forwarding=yes datapath.vlan-id=14
datapath.vlan-mode=use-tag name=config:MC1
security.authentication-types=wpa-psk,wpa2-psk
security.passphrase= ssid=CCC1
add country=germany datapath.local-forwarding=yes datapath.vlan-id=15
datapath.vlan-mode=use-tag name=config:IOT1
security.authentication-types=wpa-psk,wpa2-psk
security.passphrase= ssid=CCC4
add country=germany datapath.local-forwarding=yes datapath.vlan-id=16
datapath.vlan-mode=use-tag name=config:IOT2
security.authentication-types=wpa-psk,wpa2-psk
security.passphrase= ssid=CCC5

This did not display any SSID; instead it allowed clients to connect without a password.
What did I do wrong?
My old configuration supported all VLANs on each cAP.

Changing name in all configs to masterConfig did not help.
SSIDs are still hidden.
The attached drawing shows cabling of the 4 cAPs.
Switchport P2 is connected to the gateway with DHCP servers for IPv4 and IPv6.
Each cAP should serve the 5 WLANs.

Any help greatly appreciated as WLAN downtime is now 3rd day.
wlan_details_2.pdf (34.1 KB)

I could not get it running and got only a little help in this forum.
I am stopping this project and replacing the cAPs with UniFi U6+s.

Thanks for your time.