Provisioning problem with hap ax3

Hi folks,
I’m looking for some guidance on my setup. I have a C53UiG+5HPaxD2HPaxD (valhalla) and I’d like to set up CAPSMAN for my local network and manage the local radios also as cAPs.
I managed to connect the local radios to the CAPSMAN, but I can’t make them provision the configurations. I’m using BASE_VLAN (99, for MGMT) for CAPSMAN, and when I enable the cAP setup I see the connection in the logs:

 2025-06-20 14:06:11 system,info wifi CAPsMAN settings changed by tcp-msg(winbox):admin@fe80::76b4:cf07:60f5:fee9 (/interface wifi capsman set enabled=yes interfaces=BASE_VLAN package-path="" require-peer-certificate=no upgrade-policy=none)
 2025-06-20 14:06:14 system,info wifi CAP settings changed by tcp-msg(winbox):admin@fe80::76b4:cf07:60f5:fee9 (/interface wifi cap set caps-man-addresses=10.4.2.2 discovery-interfaces=BASE_VLAN enabled=yes lock-to-caps-man=no slaves-datapath=DP_AC slaves-static=yes)
 2025-06-20 14:06:18 caps,info selected CAPsMAN mikrotik.valhalla.lan@10.4.2.2
 2025-06-20 14:06:18 caps,info connected to mikrotik.valhalla.lan@10.4.2.2
 2025-06-20 14:06:18 caps,info mikrotik.valhalla.lan@10.4.2.2 joined

I’ve included some relevant info here:

[admin@mikrotik.valhalla.lan] > /interface/wifi/radio/print 
Flags: L - LOCAL
Columns: CAP, RADIO-MAC, INTERFACE
#   CAP                             RADIO-MAC          INTERFACE
0 L                                 D4:01:C3:52:D0:AC  wifi1    
1 L                                 D4:01:C3:52:D0:AD  wifi2    
2   mikrotik.valhalla.lan@10.4.2.2  D4:01:C3:52:D0:AC           
3   mikrotik.valhalla.lan@10.4.2.2  D4:01:C3:52:D0:AD           
[admin@mikrotik.valhalla.lan] > /interface/wifi/cap/print          
                    enabled: yes                  
       discovery-interfaces: BASE_VLAN            
         caps-man-addresses: 10.4.2.2             
           lock-to-caps-man: no                   
              slaves-static: yes                  
            slaves-datapath: DP_AC                
      requested-certificate: CAP-D401C352D0A7     
   current-caps-man-address: 10.4.2.2             
  current-caps-man-identity: mikrotik.valhalla.lan
[admin@mikrotik.valhalla.lan] > /interface/wifi/capsman/print      
                   enabled: yes                         
                interfaces: BASE_VLAN                   
  require-peer-certificate: no                          
              package-path:                             
            upgrade-policy: none                        
  generated-ca-certificate: WiFi-CAPsMAN-CA-D401C352D0A7
     generated-certificate: WiFi-CAPsMAN-D401C352D0A7   
[admin@mikrotik.valhalla.lan] > /interface wifi monitor wifi1 once                     
     ;;; managed by CAPsMAN 10.4.2.2
  state: managed-by-capsman         
[admin@mikrotik.valhalla.lan] > /interface wifi monitor wifi2 once 
     ;;; managed by CAPsMAN 10.4.2.2
  state: managed-by-capsman         
[admin@mikrotik.valhalla.lan] > /interface/wifi/provisioning/print 
Columns: RADIO-MAC, ACTION, MASTER-CONFIGURATION, SLAVE-CONFIGURATIONS
# RADIO-MAC          ACTION                  MASTER-CONFIGURATION  SLAVE-CONFIGURATIONS
0 D4:01:C3:52:D0:AC  create-dynamic-enabled  cfgIoT-5.0            cfgGeneral-5.0      
                                                                   cfgMgmt-5.0         
1 D4:01:C3:52:D0:AD  create-dynamic-enabled  cfgIoT-2.4            cfgGeneral-2.4      
2 08:55:31:9B:20:E7  create-dynamic-enabled  cfgIoT-5.0            cfgGeneral-5.0      
                                                                   cfgMgmt-5.0         
3 08:55:31:9B:20:E6  create-dynamic-enabled  cfgIoT-2.4            cfgGeneral-2.4

I’ve followed the [WiFi - RouterOS - MikroTik Documentation] and I think it’s OK. I’ve changed from the no-certificates configuration to full certificates with the same result: I can’t make the provisioning work for these interfaces.
Perhaps I missed something, but I don’t know what else to try.
Thanks in advance

Juan
valhalla_2006.rsc (9.9 KB)

You don’t show your config, but local radios cannot be controlled by capsman running on that same device.
They need to be set to locally managed.

Is that what’s happening?
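
Added example, not part of any post in this thread: a small check that spots the condition described in the reply above, where a radio MAC shows up in `/interface/wifi/radio/print` both as a local radio (flag `L`) and as a CAP radio announced by the same device. The sample text is constructed from the output quoted in the question; the function names are illustrative.

```python
import re

# Constructed sample: the radio table rows quoted in the thread.
RADIO_PRINT = """\
#   CAP                             RADIO-MAC          INTERFACE
0 L                                 D4:01:C3:52:D0:AC  wifi1
1 L                                 D4:01:C3:52:D0:AD  wifi2
2   mikrotik.valhalla.lan@10.4.2.2  D4:01:C3:52:D0:AC
3   mikrotik.valhalla.lan@10.4.2.2  D4:01:C3:52:D0:AD
"""
# RADIO-MAC values of the provisioning rules quoted in the thread.
RULE_MACS = {"D4:01:C3:52:D0:AC", "D4:01:C3:52:D0:AD",
             "08:55:31:9B:20:E7", "08:55:31:9B:20:E6"}

MAC_RE = re.compile(r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}")

def parse_radios(text):
    """Parse data rows of the radio table into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m or not line.split()[0].isdigit():
            continue
        head = line[:m.start()].split()[1:]  # tokens between row number and MAC
        rows.append({
            "local": "L" in head,
            "cap": next((t for t in head if "@" in t), None),
            "mac": m.group(0),
            "iface": line[m.end():].strip() or None,
        })
    return rows

def self_managed(rows):
    """Map MAC -> (local interface, CAP identity) for radios listed both ways."""
    local = {r["mac"]: r["iface"] for r in rows if r["local"]}
    return {r["mac"]: (local[r["mac"]], r["cap"])
            for r in rows if r["cap"] and r["mac"] in local}

def report(rows, rule_macs):
    """One line per radio MAC: registration state and whether a rule names it."""
    dup, lines = self_managed(rows), []
    for mac in sorted({r["mac"] for r in rows}):
        rule = "rule present" if mac in rule_macs else "no rule"
        if mac in dup:
            iface, cap = dup[mac]
            lines.append(f"{mac} {iface}: local radio also joined as CAP of {cap} ({rule})")
        else:
            lines.append(f"{mac}: single registration ({rule})")
    return lines

if __name__ == "__main__":
    print("\n".join(report(parse_radios(RADIO_PRINT), RULE_MACS)))
```
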

Hi, I thought everything was in the exported .rsc file I attached. Maybe I didn’t express myself well, sorry for that. I need to run CAPSMAN on this device, and I’ve seen several suggestions for using the physical interfaces wifi1 and wifi2 as cAPs. When they connect to CAPSMAN, it doesn’t provision the interfaces (I need to put wifi1 and wifi2 on a VLAN and dynamically create three more interfaces in different VLANs), and the two physical interfaces appear disabled. That’s my main problem.

Set both local radios to local managed.
You can even still use provisioning to assign config with datapath etc.

There should be examples around here somewhere.

Export is usually included in code quotes, not attachment.
Makes it easier to read.

About the local radios managed by CAPSMAN, I got confused by the help found on the support page at Mikrotik:

But after your reply I’ve read the docs and found the same as you advised me (WiFi - RouterOS - MikroTik Documentation)
However, this raises several questions for me. How can I manage the extra wifi interfaces I need for the other VLANs (2.4 & 5.0 on VLAN 30, 5.0 for VLAN 99) since the wifi1 & wifi2 are local managed and can’t provision the slave interfaces?
The manual says to use manual provisioning but I don’t quite understand how to do it.
Thanks

I think you can use same provisioning rules as you would for normal CAPs devices for those local radios.
You can use their respective MAC address to make sure the correct rule gets applied.
I believe you also need to make sure on that local device dynamic interfaces are automatically added to bridge (bridge, add port, dynamic).
Provisioning will then create slave interfaces which then should be added to bridge.

Not 100% sure, has been quite a while since I used capsman on a device with local radios.

The alternative is to set up everything manually, as if they were local interfaces.
So manually create the slave interfaces and manually add them to the bridge with the required VLAN settings.
You can re-use configuration from the capsman setup, though.