Hi,
I have a setup where several MikroTik devices (hAP ax, hAP ac2) are managed via CAPsMAN on an RB4011 router (RouterOS 7.19.1). The wireless network includes two SSIDs: PRIVATE_ssid (VLAN 10) and GUEST_ssid (VLAN 20), both dynamically provisioned through CAPsMAN and working fine with laptops and phones.
The problem arises with a hAP ac lite device configured in station mode. It connects fine to PRIVATE_ssid on the hAP ax2 device, but fails when it attempts to connect to the hAP ac2 AP. The CAPsMAN log on the RB4011 shows:
2C:C8:1B:DB:9E:0F@hAPac2-CC2DE09200AE(PRIVATE_ssid) associated, signal strength -49
2C:C8:1B:DB:9E:0F@hAPac2-CC2DE09200AE(PRIVATE_ssid) disassociated, can not assign VLAN, maximum VLAN count for interface reached, signal strength -49
From what I understand, the hAP ac2 is rejecting the station-mode client because it cannot assign a VLAN, potentially due to VLAN limitations on the wireless interface.
What is the correct way to make a hAP ac lite (in station mode) connect to a VLAN-tagged SSID managed by CAPsMAN?
hAP ac lite which connects in station mode:
# 2025-06-11 13:27:52 by RouterOS 7.19.1
# software id = 1M0Y-EFEP
#
# model = RB952Ui-5ac2nD
# serial number = CC3E0E290B85
/interface wireless
# wlan1 is the uplink radio: 2.4 GHz 802.11n only, joining SSID PRIVATE_ssid with
# station-roaming enabled. mode= is not exported here; the print output later on
# this page shows mode=station with vlan-mode=no-tag.
set [ find default-name=wlan1 ] band=2ghz-onlyn disabled=no frequency=auto installation=indoor ssid=PRIVATE_ssid station-roaming=enabled \
wireless-protocol=802.11 wmm-support=enabled
# wlan2 is set to ap-bridge with the SSID "MikroTik"; no disabled=no is exported for it.
# NOTE(review): presumably this radio is left disabled - confirm, because an enabled AP
# here would broadcast that SSID under the default security profile below.
set [ find default-name=wlan2 ] mode=ap-bridge ssid=MikroTik
/interface wireless security-profiles
# Default profile, used by wlan1 (security-profile=default in the print output):
# WPA2-PSK only, dynamic keys, group key rotated every 30m. The pre-shared key itself
# does not appear in this export.
# NOTE(review): the APs' sec_PRIVATE profile lists wpa2-psk,wpa3-psk, so this station
# would be expected to join over WPA2 - confirm in the registration table.
set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes group-key-update=30m mode=dynamic-keys supplicant-identity=MikroTik
Flags: X - disabled; R - running
0 R name="wlan1" mtu=1500 l2mtu=1600 mac-address=2C:C8:1B:DB:9E:0F arp=enabled interface-type=Atheros AR9300 mode=station ssid="PRIVATE_ssid"
frequency=auto band=2ghz-onlyn channel-width=20mhz secondary-frequency="" scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes
default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no security-profile=default compression=no
CAPsMAN:
# 2025-06-11 13:12:24 by RouterOS 7.19.1
# software id = KWW8-ELT6
#
# model = RB4011iGS+
# serial number = HHA0A5B4ASS
/interface wifi channel
# Four channel profiles, one per band/standard pair (2.4 GHz ax, 2.4 GHz n, 5 GHz ac, 5 GHz ax).
# The 2.4 GHz profiles are limited to 2412/2437/2462 MHz at 20 MHz width; the 5 GHz
# profiles share one list of six frequencies at 20/40/80 MHz.
# reselect-interval=2d..3d is set on all four.
add band=2ghz-ax disabled=no frequency=2412,2437,2462 name=2GHZ::20MHz_AX reselect-interval=2d..3d width=20mhz
add band=2ghz-n disabled=no frequency=2412,2437,2462 name=2GHZ::20MHz_N reselect-interval=2d..3d width=20mhz
add band=5ghz-ac disabled=no frequency=5180,5260,5500,5580,5660,5745 name=5GHZ::AC reselect-interval=2d..3d width=20/40/80mhz
add band=5ghz-ax disabled=no frequency=5180,5260,5500,5580,5660,5745 name=5GHZ::AX reselect-interval=2d..3d width=20/40/80mhz
/interface wifi datapath
# Two styles of datapath are defined:
#   PRIVATE / GUEST       - carry a vlan-id (10 / 20) and name no bridge.
#   PRIVATE_ac / GUEST_ac - name bridge-LAN and carry no vlan-id.
# NOTE(review): the _ac variants look intended for CAPs that map SSIDs to VLANs locally
# on their own bridge (as the hAP ac2 export on this page does with pvid) - confirm.
add name=PRIVATE vlan-id=10
add name=GUEST vlan-id=20
add bridge=bridge-LAN disabled=no name=PRIVATE_ac
add bridge=bridge-LAN disabled=no name=GUEST_ac
/interface wifi security
# One profile per SSID, identical apart from the name: WPA2-PSK and WPA3-PSK are both
# accepted, 802.11r fast transition is on (including over-the-DS), and WPS is disabled.
# No passphrase appears in this export.
# NOTE(review): management-protection is not set here, so it is at its default; confirm
# the effective value if WPA3 clients are expected to use protected management frames.
# NOTE(review): because WPA2-PSK remains accepted, the SSID's resistance to offline
# passphrase guessing is that of WPA2 - confirm the passphrase strength accordingly.
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disabled=no ft=yes ft-over-ds=yes name=sec_PRIVATE wps=disable
add authentication-types=wpa2-psk,wpa3-psk connect-priority=0/1 disabled=no ft=yes ft-over-ds=yes name=sec_GUEST wps=disable
/interface wifi configuration
# Configuration profiles tying together SSID, security profile, datapath and (for the
# per-band ones) a channel profile. All of them are mode=ap.
#
# Which datapath each profile uses:
#   PRIVATE, PRIVATE_2ghz_n, PRIVATE_2ghz_ax, PRIVATE_5ghz_ac, PRIVATE_5ghz_ax -> PRIVATE (vlan-id=10)
#   GUEST_ssid                                                                -> GUEST   (vlan-id=20)
#   PRIVATE_ac, GUEST_ssid_ac                                                 -> the VLAN-less _ac datapaths
#
# The provisioning rules in this export use PRIVATE_2ghz_n and PRIVATE_5ghz_ac as master
# configurations for the n/ac bands; PRIVATE_ac is not referenced by any of them.
# NOTE(review): that means the n/ac masters receive datapath vlan-id=10 while their guest
# slaves receive a VLAN-less datapath. The CAP that logs "can not assign VLAN" is an
# n/ac device, so this mismatch is worth checking first - not confirmed as the cause.
#
# datapath.client-isolation=no is set on every profile, including both guest ones, so
# stations on the same guest AP are not isolated from each other at layer 2.
# NOTE(review): confirm that is intended for GUEST_ssid / GUEST_ssid_ac.
add channel.skip-dfs-channels=all country=Lithuania datapath=PRIVATE datapath.client-isolation=no disabled=no mode=ap name=PRIVATE security=sec_PRIVATE ssid=PRIVATE_ssid
add datapath=GUEST datapath.client-isolation=no disabled=no mode=ap name=GUEST_ssid security=sec_GUEST ssid=GUEST_ssid
add channel.skip-dfs-channels=all country=Lithuania datapath=PRIVATE_ac datapath.client-isolation=no disabled=no mode=ap name=PRIVATE_ac security=sec_PRIVATE ssid=\
PRIVATE_ssid
add datapath=GUEST_ac datapath.client-isolation=no disabled=no mode=ap name=GUEST_ssid_ac security=sec_GUEST ssid=GUEST_ssid
add channel=2GHZ::20MHz_N datapath=PRIVATE datapath.client-isolation=no disabled=no mode=ap name=PRIVATE_2ghz_n security=sec_PRIVATE ssid=PRIVATE_ssid
add channel=2GHZ::20MHz_AX datapath=PRIVATE datapath.client-isolation=no disabled=no mode=ap name=PRIVATE_2ghz_ax security=sec_PRIVATE ssid=PRIVATE_ssid
add channel=5GHZ::AC country=Lithuania datapath=PRIVATE datapath.client-isolation=no disabled=no mode=ap name=PRIVATE_5ghz_ac security=sec_PRIVATE ssid=PRIVATE_ssid
add channel=5GHZ::AX country=Lithuania datapath=PRIVATE datapath.client-isolation=no disabled=no mode=ap name=PRIVATE_5ghz_ax security=sec_PRIVATE ssid=PRIVATE_ssid
/interface wifi access-list
# Two rules, evaluated in order:
#   1. accept any station whose signal is within -78..120, tolerating 30s out of range;
#   2. reject everything that did not match rule 1.
# Neither rule matches on a MAC address, SSID or interface, so this is a signal-strength
# gate only, not an authentication control. Access still depends on the PSK.
add action=accept allow-signal-out-of-range=30s disabled=no signal-range=-78..120
add action=reject allow-signal-out-of-range=30s disabled=no
/interface wifi capsman
# CAPsMAN listens on vlan99-mgmt only and generates its own CA and certificate
# (ca-certificate=auto certificate=auto). upgrade-policy=none: CAP packages are not
# managed from here.
# require-peer-certificate=no: a CAP does not have to present a certificate to be
# accepted. With that setting, which devices can register as CAPs is limited only by
# who can reach CAPsMAN on vlan99-mgmt.
# NOTE(review): once every CAP has requested a certificate from this CAPsMAN, consider
# require-peer-certificate=yes; until then keep VLAN 99 restricted to trusted ports.
set ca-certificate=auto certificate=auto enabled=yes interfaces=vlan99-mgmt package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifi provisioning
# Four rules, selected purely by the radio's supported band:
#   2ghz-ax -> master PRIVATE_2ghz_ax, slave GUEST_ssid
#   5ghz-ax -> master PRIVATE_5ghz_ax, slave GUEST_ssid
#   5ghz-ac -> master PRIVATE_5ghz_ac, slave GUEST_ssid_ac
#   2ghz-n  -> master PRIVATE_2ghz_n,  slave GUEST_ssid_ac
# All use action=create-dynamic-enabled. For the ac/n rules the master profile uses the
# VLAN-tagged PRIVATE datapath while the slave uses a VLAN-less _ac datapath.
# No rule restricts by radio-mac or identity, so any radio that registers with CAPsMAN
# and matches a band is provisioned with both SSIDs and their security profiles.
# NOTE(review): together with require-peer-certificate=no under /interface wifi capsman,
# this makes access to vlan99-mgmt the only barrier to receiving the PSKs - confirm
# that is acceptable or narrow the rules.
add action=create-dynamic-enabled disabled=no master-configuration=PRIVATE_2ghz_ax name-format=%I-%R slave-configurations=GUEST_ssid slave-name-format=%I-%R-%v \
supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=PRIVATE_5ghz_ax name-format=%I-%R slave-configurations=GUEST_ssid slave-name-format=%I-%R-%v \
supported-bands=5ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=PRIVATE_5ghz_ac name-format=%I-%R slave-configurations=GUEST_ssid_ac slave-name-format=%I-%R-%v \
supported-bands=5ghz-ac
add action=create-dynamic-enabled disabled=no master-configuration=PRIVATE_2ghz_n name-format=%I-%R slave-configurations=GUEST_ssid_ac slave-name-format=%I-%R-%v \
supported-bands=2ghz-n
hAP ac2 controlled by CAPsMAN:
# 2025-06-11 13:19:10 by RouterOS 7.19.1
# software id = 3F40-MZQK
#
# model = RBD52G-5HacD2HnD
# serial number = BEEC081D03CF
/interface bridge
# Single bridge with VLAN filtering enabled and a fixed admin MAC.
add admin-mac=CC:2D:E0:92:00:A9 auto-mac=no comment=defconf name=bridgeLocal vlan-filtering=yes
/interface wifi
# wifi1 (2.4 GHz, 2462/n) and wifi2 (5 GHz, 5180/ac) are the physical radios, both handed
# to CAPsMAN and both carrying PRIVATE_ssid. wifi7 and wifi8 are virtual interfaces on
# wifi2 and wifi1 respectively, carrying GUEST_ssid. The export's own status comments
# state "traffic processing on CAP", i.e. client traffic is forwarded locally on this device.
# managed by CAPsMAN F4:1E:57:76:03:38%vlan99-mgmt, traffic processing on CAP
# mode: AP, SSID: PRIVATE_ssid, channel: 2462/n
set [ find default-name=wifi1 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN F4:1E:57:76:03:38%vlan99-mgmt, traffic processing on CAP
# mode: AP, SSID: PRIVATE_ssid, channel: 5180/ac/Ceee/I
set [ find default-name=wifi2 ] configuration.manager=capsman .mode=ap disabled=no
# managed by CAPsMAN F4:1E:57:76:03:38%vlan99-mgmt, traffic processing on CAP
# mode: AP, SSID: GUEST_ssid
add disabled=no mac-address=CE:2D:E0:92:00:AF master-interface=wifi2 name=wifi7
# managed by CAPsMAN F4:1E:57:76:03:38%vlan99-mgmt, traffic processing on CAP
# mode: AP, SSID: GUEST_ssid
add disabled=no mac-address=CE:2D:E0:92:00:AE master-interface=wifi1 name=wifi8
/interface vlan
# VLAN interfaces on top of bridgeLocal for VLANs 10, 20 and 99. Only vlan99-mgmt is
# used elsewhere in this export (CAP discovery and a DHCP client).
# NOTE(review): vlan10-PRIVATE and vlan20-GUEST give this device's CPU an interface in
# the private and guest VLANs. No address is assigned to them here, but confirm they are
# needed at all; if not, removing them (and bridgeLocal from tagged= for VLANs 10/20)
# keeps the CAP itself out of the guest network.
add interface=bridgeLocal name=vlan10-PRIVATE vlan-id=10
add interface=bridgeLocal name=vlan20-GUEST vlan-id=20
add interface=bridgeLocal name=vlan99-mgmt vlan-id=99
/interface wifi datapath
# Default CAP datapath: attaches wifi interfaces to bridgeLocal, with no vlan-id.
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface bridge port
# ether1 is the uplink: it is the only physical port listed as tagged in the VLAN table
# below, and it has no frame-types restriction and no pvid in this export.
# NOTE(review): presumably it therefore also admits untagged frames into the default
# PVID. If nothing untagged is needed on the uplink, frame-types=admit-only-vlan-tagged
# would close that path - but the DHCP client on bridgeLocal would then get no lease,
# so confirm before changing.
add bridge=bridgeLocal comment=defconf interface=ether1
# ether2-ether5 are access ports in VLAN 10; tagged frames are refused on them.
add bridge=bridgeLocal comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=10
add bridge=bridgeLocal comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=10
add bridge=bridgeLocal comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether4 pvid=10
add bridge=bridgeLocal comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=10
# SSID-to-VLAN mapping on this CAP is done here, on the bridge: the PRIVATE radios
# (wifi1, wifi2) get pvid=10 and the GUEST virtual interfaces (wifi7, wifi8) get pvid=20.
# Unlike the ether access ports, the wifi ports carry no frame-types restriction.
# NOTE(review): this local pvid mapping sits alongside the vlan-id=10 datapath that the
# CAPsMAN export on this page assigns to the n/ac master profiles - confirm which of the
# two mechanisms is meant to tag PRIVATE traffic on this device.
add bridge=bridgeLocal interface=wifi1 pvid=10
add bridge=bridgeLocal interface=wifi2 pvid=10
add bridge=bridgeLocal interface=wifi7 pvid=20
add bridge=bridgeLocal interface=wifi8 pvid=20
/interface bridge vlan
# VLAN table. All three VLANs are tagged on ether1 and on the bridge itself (CPU port).
# VLAN 99 has no untagged members; VLAN 10 is untagged on ether2-5, wifi1, wifi2;
# VLAN 20 is untagged on wifi7, wifi8.
add bridge=bridgeLocal tagged=bridgeLocal,ether1 vlan-ids=99
add bridge=bridgeLocal tagged=bridgeLocal,ether1 untagged=ether2,ether3,ether4,ether5,wifi1,wifi2 vlan-ids=10
add bridge=bridgeLocal tagged=bridgeLocal,ether1 untagged=wifi7,wifi8 vlan-ids=20
/interface wifi cap
# CAP mode: discover CAPsMAN on vlan99-mgmt only. slaves-static=yes keeps the virtual
# (slave) interfaces as static entries, which is what lets wifi7/wifi8 be referenced as
# bridge ports elsewhere in this export.
# No certificate= is set, so this CAP presents no certificate to CAPsMAN; that matches
# require-peer-certificate=no in the CAPsMAN export on this page.
set discovery-interfaces=vlan99-mgmt enabled=yes slaves-static=yes
/ip dhcp-client
# Two DHCP clients: the defconf one on bridgeLocal (untagged side of the bridge) and one
# on vlan99-mgmt.
# NOTE(review): if management is meant to live only in VLAN 99, the bridgeLocal client
# gives the device a second address outside it - confirm it is still needed.
add comment=defconf interface=bridgeLocal
add default-route-tables=main interface=vlan99-mgmt
/system clock
set time-zone-name=Europe/Vilnius
/system identity
# Identity "hAPac2" is the name that appears in the CAPsMAN log lines quoted at the top
# of this page.
set name=hAPac2