No connection to CAPsMAN

Dear Mikrotik experts,

I am currently configuring our cAP ax access points to be managed by the “RB4011iGS+” router.

I have uninstalled the “wireless” package on the RB4011 and installed the wifi-qcom package instead.

My CAPsMAN config looks like this:

/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=yes disabled=no ft=\
    yes ft-over-ds=yes group-encryption=gcmp-256 name=sec-EvilCorp
/interface wifi configuration
add channel.band=5ghz-ax .skip-dfs-channels=all .width=20/40mhz datapath=\
    datapath-EvilCorp disabled=no manager=capsman mode=ap name=\
    cfg-EvilCorp security=sec-EvilCorp ssid=EvilCorp
add channel.band=2ghz-ax .width=20mhz datapath=datapath-EvilCorp \
    disabled=no manager=capsman mode=ap name=cfg-EvilCorp_legacy \
    security=sec-EvilCorp ssid=EvilCorp_legacy
/interface wifi provisioning
add action=create-dynamic-enabled disabled=no master-configuration=\
    cfg-EvilCorp_legacy supported-bands=2ghz-ax
add action=create-dynamic-enabled disabled=no master-configuration=\
    cfg-EvilCorp supported-bands=5ghz-ax

The CAPs are configured like this:

/interface wifi datapath
add bridge=bridgeLocal comment=defconf disabled=no name=capdp
/interface wifi
# managed by CAPsMAN
set [ find default-name=wifi1 ] configuration.manager=capsman datapath=capdp
# managed by CAPsMAN
set [ find default-name=wifi2 ] configuration.manager=capsman datapath=capdp
/interface bridge port
add bridge=bridgeLocal comment=defconf interface=ether1
add bridge=bridgeLocal comment=defconf interface=ether2
/interface wifi cap
set discovery-interfaces=bridgeLocal enabled=yes slaves-datapath=capdp
/ip dhcp-client
add comment=defconf interface=bridgeLocal

Despite the fact that the access points say “managed by CAPsMAN”, the RB4011 itself states “no connection to CAPsMAN” over the interfaces.
Pinging the CAPsMAN from any of the access points works fine and vice versa.
All of the devices run the latest RouterOS 7.16.

It almost looks like a bug, as "no connection to CAPsMAN" normally only shows up on the CAPs when the CAPsMAN is offline.

I would really appreciate your help.

Best wishes

CAPsMAN can NOT manage local interfaces. (if you have RB4011 with wifi)


CAPsMAN cannot manage its own wifi interfaces using configuration.manager=capsman, it is enough to just set the same configuration profile on local interfaces manually as you would with provisioning rules, and the end result will be the same as if they were CAPs.

Anyway..
manager=capsman shouldn’t be present in configuration profile on CAPsMAN. Same applies to mode=ap. Those settings should be applied to physical interfaces (and they are, at least on CAP that you posted your config from).

wpa3-psk = big compatibility issue
disable-pmkid = also big compatibility issue
gcmp-256 = another compatibility issue

If you are sure that all client devices are fully compatible with those settings, there is nothing wrong about them.

If you are looking for better stability and compatibility, use:

authentication-types=wpa2-psk encryption=ccmp management-protection=disabled
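
Added example, not part of the thread: a Python check that reads a RouterOS export and reports the settings the replies above single out, namely `manager`/`mode` inside a CAPsMAN configuration profile and the three security values named as compatibility concerns. The function names and the abridged sample export are constructed for this example.

```python
import re
import shlex

# Constructed sample: the CAPsMAN-side export from the question, abridged.
SAMPLE_EXPORT = r"""
/interface wifi security
add authentication-types=wpa2-psk,wpa3-psk disable-pmkid=yes disabled=no ft=\
    yes ft-over-ds=yes group-encryption=gcmp-256 name=sec-EvilCorp
/interface wifi configuration
add channel.band=5ghz-ax .width=20/40mhz manager=capsman mode=ap name=\
    cfg-EvilCorp security=sec-EvilCorp ssid=EvilCorp
"""
COMPAT = {"authentication-types": "wpa3-psk", "disable-pmkid": "yes",
          "group-encryption": "gcmp-256"}  # values named in the replies

def parse_export(text):
    """Return [(menu, {key: value})] for each add/set line of an export."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash-continued lines
    menu, entries = None, []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            props, prefix = {}, ""
            for token in shlex.split(line)[1:]:
                key, sep, value = token.partition("=")
                if key.startswith("."):  # ".width" continues "channel."
                    key = prefix + key
                elif "." in key:
                    prefix = key.rsplit(".", 1)[0]
                if sep:  # skips bare tokens such as "[", "find", "]"
                    props[key] = value
            entries.append((menu, props))
    return entries

def lint_capsman(text):
    """Return (profile name, finding) pairs for the settings the replies flag."""
    findings = []
    for menu, p in parse_export(text):
        name = p.get("name", "?")
        if menu == "/interface wifi configuration":
            findings += [(name, f"{k}={p[k]} set in CAPsMAN profile")
                         for k in ("manager", "mode") if k in p]
        elif menu == "/interface wifi security":
            findings += [(name, f"compatibility: {k}={v}")
                         for k, v in COMPAT.items() if v in p.get(k, "").split(",")]
    return findings

if __name__ == "__main__":
    print(*lint_capsman(SAMPLE_EXPORT), sep="\n")
```
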

I am using a hAP AX3 as CAPsMAN and 3 other hAP AX3 as CAPS.
CAPsMAN is perfectly capable of managing the local interface of the 1st AX3 …
The interfaces are showing up as L for local …

It’s a bit misleading since the same screens are used for local and capsman controlled interfaces.
The ones marked with L should be locally managed since MT themselves clearly mentioned capsman CAN NOT control local interfaces.

What is indicated as manager on those 2 radios marked with L? My guess is local or capsman-or-local. And then local it will be.
Or look on the device itself on Wifi tab. It will indicate there what is managing those radios.

I added the local machine as CAP to the CAPsMAN …
This worked ONLY if 127.0.0.1 as CAPsMAN address was used.
From that point on the interfaces were part of the CAPsMAN interfaces.

And what is the benefit?

all devices are in the same steering group now

You don’t need to do that for steering group. You should just apply created configuration profile to local interface and that’s it. Local interfaces will be in same steering group as the virtual one created by CAPsMAN.