HAP AX2 no connection to CAPsMAN

Hello,

I have a small test setup consisting of an AC Lite as CAPSMAN Server and a HAP AX2 as a CAP Client. Both have ROS 7.15.3 installed.

I get no connection on the AX2 although I see UDP traffic from the AX into the CAPSMAN through torch. I guess it has to do with the CAPsMAN server.

This is the CAPSMAN configuration

# 2024-08-23 21:44:51 by RouterOS 7.15.3
# software id = L4DJ-R5PC
# model = RB952Ui-5ac2nD
/caps-man channel
add band=2ghz-b/g/n name=channel-2ghz
/interface bridge
add admin-mac=48:8F:5A:28:A5:8B auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=\
    MikroTik-28A590 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX distance=indoors frequency=auto installation=indoor \
    mode=ap-bridge ssid=MikroTik-28A58F wireless-protocol=802.11
/caps-man datapath
add bridge=bridge name=datapath-local
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security1
/caps-man configuration
add channel=channel-2ghz country=spain datapath=datapath-local name=\
    cfg-local-2ghz security=security1 ssid=WIFI-TEST
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/caps-man manager
set ca-certificate=auto enabled=yes
/caps-man provisioning
add action=create-enabled master-configuration=cfg-local-2ghz
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge ingress-filtering=no interface=ether1 internal-path-cost=10 \
    path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ovpn-server server
set auth=sha1,md5
/ip dhcp-client
add comment=defconf interface=bridge
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name="CapsMan TEst"
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

and this is the AX2 configuration

# 2024-08-23 21:46:55 by RouterOS 7.15.3
# software id = J6GT-ETZP
# model = C52iG-5HaxD2HaxD
/interface bridge
add admin-mac=48:A9:8A:DA:B2:D9 auto-mac=no comment=defconf name=bridgeLocal
/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# no connection to CAPsMAN
add channel.band=5ghz-ax configuration.manager=capsman .mode=ap datapath=\
    capdp disabled=no radio-mac=48:A9:8A:DA:B2:DE security.connect-priority=0
# no connection to CAPsMAN
add channel.reselect-interval=1m configuration.manager=capsman .mode=ap \
    datapath=capdp disabled=no radio-mac=48:A9:8A:DA:B2:DF \
    security.connect-priority=0
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
add bridge=bridgeLocal comment=defconf interface=ether3
add bridge=bridgeLocal comment=defconf interface=ether4
add bridge=bridgeLocal comment=defconf interface=ether5
/interface wifi cap
set caps-man-addresses=CAMPSMAN_IP discovery-interfaces=all enabled=yes \
    slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal
/system clock
set time-zone-name=Europe/Madrid
/system note
set show-at-login=no

Any help would be appreciated.

Basically those two are incompatible. Unfortunately hAP ac has MIPSBE processor so you can not install newer wifi package.

WiFi CAPsMAN

WiFi CAPsMAN can only control WiFi interfaces, and WiFi CAPs can join only WiFi CAPsMAN, similarly, regular CAPsMAN only supports non-WiFi caps.

You have Wireless CAPsMAN and you are trying to join WiFi device.
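The mismatch described above can be read straight off the two exports before any packet-level debugging. The following Python check is an added example, not code from the thread or from MikroTik; it assumes the default `/export` layout (menu path on its own line, `\` line continuations), and the sample exports and the 192.0.2.1 address are constructed.

```python
import re

# RouterOS 7 export menu -> (CAPsMAN generation, role)
ROLES = {
    "/caps-man manager": ("wireless", "manager"),
    "/interface wireless cap": ("wireless", "cap"),
    "/interface wifi capsman": ("wifi", "manager"),
    "/interface wifi cap": ("wifi", "cap"),
}

def logical_lines(export):
    """Join backslash-continued lines, drop blanks and '#' comments."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", export)
    lines = (line.strip() for line in joined.splitlines())
    return [line for line in lines if line and not line.startswith("#")]

def capsman_roles(export):
    """Return the (generation, role) pairs that are enabled in one export."""
    found, menu = set(), None
    for line in logical_lines(export):
        if line.startswith("/"):
            menu = line
        elif menu in ROLES and line.startswith("set ") and "enabled=yes" in line.split():
            found.add(ROLES[menu])
    return found

def diagnose(manager_export, cap_export):
    """Compare the manager side with the CAP side and name any mismatch."""
    mgr = {gen for gen, role in capsman_roles(manager_export) if role == "manager"}
    cap = {gen for gen, role in capsman_roles(cap_export) if role == "cap"}
    if not mgr or not cap:
        return "incomplete: manager=%s cap=%s" % (sorted(mgr), sorted(cap))
    if mgr & cap:
        return "compatible: both sides use %s CAPsMAN" % sorted(mgr & cap)[0]
    return "mismatch: manager is %s, CAP is %s" % (sorted(mgr)[0], sorted(cap)[0])

# Constructed excerpts in the shape of the two exports posted in this thread.
LEGACY_MANAGER = r"""
/caps-man manager
set ca-certificate=auto enabled=yes
"""
WIFI_CAP = r"""
/interface wifi cap
set caps-man-addresses=192.0.2.1 discovery-interfaces=all \
    enabled=yes slaves-datapath=capdp
"""

if __name__ == "__main__":
    print(diagnose(LEGACY_MANAGER, WIFI_CAP))
```
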

It was a bad idea to keep the term CAPsMAN with the new wifi menu. But Mikrotik can still rename it to stop this confusion. CAPsCON, APsMAN, CAPsPROV, … :zany_face:

Thanks,

I have another AX2 I want to try using as a CAPSMAN server, but it does not appear in the menu? How can I make an AX2 a CAPsMAN to allow other AX2 to connect?

wave2 CAPsMAN settings are shared with local wifi settings (if device supports it and has one of wifi-qcom* packets installed) under /interface/wifi … and you have to configure things using corresponding profiles (i.e. under ./channel/, ./security/, etc.).

All devices, running ROS 7.13 and newer, have capability of acting as wave2 CAPsMAN regardless of the architecture (MIPSBE can do it as well … even though it can’t run wave2 drivers for radios).

How do I enable the capsman server on one of the AX2? I don't see a CAPsMAN option to enable it and set certificate options.

Thanks

WiFi → Remote CAP → CAPsMAN

https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-CAPsMAN-CAPsimpleconfigurationexample:

Thanks, found it. They could have just named the tab CAPSMAN instead of CAP REMOTE.

It was a breeze configuring the AX2 with it, it even runs on the AC Lite no problem.

I see in the provisioning tab the name-format has changed and I can use the %I prefix for the Identity of the connecting AP. Are there more prefixes I can use?

yeah, see wifi docs.

"If included in the string, the character sequence %I will be replaced by the system identity of the cAP, %C will be replaced with the cAP’s TLS certificate’s Common Name, %R, or %r for lowercase, will be replaced with the CAP’s radio MAC

Default: “cap-wifi”"
https://help.mikrotik.com/docs/display/ROS/WiFi#:~:text=If%20included%20in,Default%3A%20"cap-wifi"

Thanks!!! Everything working now!

Hi. Please clarify because I am a little bit lost now.
For a few years I had hap ac2 running capsman with a few caps connected (two cap ac and one wap ac). Needed to migrate main router to hap ax2 due to lack of disk space error on hap ac2.
Can hap ax2 still control my caps or do I need to completely reconfigure my whole network?

It depends. If both cap and wap are ARM based, you can use the wifi-qcom-ac driver (instead of the wireless driver). This is required for supporting “new” CAPsMAN. The cAP ac is ARM based, the wAP ac could be (you have to check yourself, as there is also a MIPSBE version).

Ahh, so I need to upgrade my access points. Is there some easy way to migrate from old to new capsman preserving settings?

It depends, I think it is actually quite easy but I have done it more than once. And be aware that some old functionality is no longer supported (i.e. CAPsMAN forwarding).

If you want some help, just post your current CAPsMAN settings (I assume it is /interface/capsman export) to get some advice.
But that would be something for a new topic :sunglasses:

Thank You Sir for Your answers. Posted new topic here
http://forum.mikrotik.com/t/migrating-from-old-capsman-to-new-hap-ac2-hap-ax2/182034/1