MAC address 'filtering': The best way across multiple WAPs?

Hello,

I’d love some advice please. I have a LHG R (love it!) which provides our internet from a LTE service. I am upgrading our WAPs (very old Aironet units) to Mikrotik wAP ac units… six in total.

I would like to lock down the MAC addresses that are allowed to associate with the wAP acs. I am aware of spoofing so I accept this isn’t a panacea. I would like to maintain one access list (clients that are permitted to associate, all others are denied). I assume it makes sense to do this at the LHG R. I assume that it makes sense to deny association rather than block elsewhere.

What is the best way to have one list to rule them all rather than have to config each wAP ac? I am aware of the existence of RADIUS but I don’t have any experience with this. We previously achieved this with MAC filters at each wAP but it was a pita. Very grateful for your thoughts. I don’t have the wAP acs yet, but they’ve been ordered so I’m getting ahead with the research! BTW there are two Cisco SOHO switches on the network that handle switching. I’ve tried searching the forums and manuals and I haven’t found a way of having a managed list.

Regards

OP self-answering after discovering the solution: CAPsMAN.

On the LHG R device (or any other RouterBOARD device for that matter) configure CAPsMAN to control all access points. The access points are then configured as CAPs. To restrict access point association to specific devices, set up an Access List in CAPsMAN to accept specific MAC addresses and then (final rule) reject all others.
Some specific notes:

  1. on access points using CAP mode, the interface that will talk to the CAPsMAN needs to be set as a discovery interface (for example, at the CLI type /interface wireless cap set discovery-interfaces=bridge1 if you're bridging all the interfaces)
  2. connected devices need to be told not to use a private MAC (or at least, the private MAC needs to be the one added to the Access List)
  3. couldn't always get the reset-button trick (press and hold for about 10s until the user LED flashes) to work, so it was "easier" to reset the wAP, remove all config and configure manually

The complete config (at the CLI type "export") for a wAP ac only needs to be:

/interface bridge
add admin-mac=D4:01:C3:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 2432/20-Ce/gn(17dBm), SSID: X, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(17dBm), SSID: X, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
/interface wireless cap
set bridge=bridge discovery-interfaces=bridge enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add comment=defconf disabled=no interface=bridge
/system clock
set time-zone-name=X
/system identity
set name=X
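For the CAPsMAN side that the answer above describes (one access list on the LHG R, accept rules for known clients, a final reject), here is an added example of the matching RouterOS CLI. It is not the poster's own config: the configuration and security profile names (cfg-office, sec-office), the SSID, the passphrase and the client MAC addresses are placeholders, and it assumes the CAPsMAN router has a bridge named "bridge" to hand client traffic to.

```routeros
# Added example, not from the original post. Placeholders: cfg-office,
# sec-office, OfficeWiFi, the passphrase and every MAC address below.

# 1. Turn on the CAPsMAN manager on the LHG R.
/caps-man manager
set enabled=yes

# 2. WPA2-PSK security profile applied to every CAP (passphrase is a placeholder).
/caps-man security
add name=sec-office authentication-types=wpa2-psk encryption=aes-ccm \
    passphrase=CHANGE-ME-PLACEHOLDER

# 3. Wireless configuration the CAPs receive; client traffic is forwarded to
#    the manager and placed on its bridge (CAPsMAN forwarding, as in the export).
/caps-man configuration
add name=cfg-office ssid=OfficeWiFi security=sec-office datapath.bridge=bridge

# 4. Provision any CAP that registers with that configuration.
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg-office

# 5. The single access list. Rules are evaluated top to bottom, first match wins,
#    so every permitted client gets an accept rule and the reject rule goes last.
/caps-man access-list
add action=accept mac-address=AA:BB:CC:11:22:33 comment="laptop-1 (placeholder MAC)"
add action=accept mac-address=AA:BB:CC:44:55:66 comment="phone-1 (placeholder MAC)"
# Final rule: no mac-address is given, so it matches every other client.
add action=reject comment="deny all other clients"
```

To check the result, `/caps-man access-list print` shows the rule order (the reject rule must be at the bottom, otherwise nothing associates), and `/caps-man registration-table print` lists the clients currently associated across all CAPs, so a client whose MAC is not in the list should never appear there. Adding a new device is then a single `add action=accept mac-address=...` on the LHG R and, as the note about private MACs says, the address entered must be the one the device actually presents to that SSID.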