PSK2 passphrase based VLANs + capsman

Hi

I am trying to reproduce the following setup from OpenWRT, where I have 1 SSID and VLANs are tagged based on the WPA passphrase:

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 't-WIFI'
        option encryption 'psk2+aes'
        option key 'SomeUnusedPass'
        option wmm '1'
        option short_preamble '1'
        option disassoc_low_ack '0'
        option max_inactivity '120'
        option isolate '1'
        option disabled '0'
        option ifname 'wlan0'
        option macaddr '0e:03:99:00:01:01'

config wifi-vlan
        option name 'vl2'
        option network 'vlan2'
        option vid '2'

config wifi-station
        option key 'vlan2-test'
        option vid '2'

config wifi-vlan
        option name 'vl200'
        option network 'vlan200'
        option vid '200'

config wifi-station
        option key 'vlan200-test'
        option vid '200'

This is working as expected: every VLAN has its own password, and when I connect a station to the AP, the correct VLAN is assigned based on the password.

But when I try to reproduce the same in MT with capsman:

# 2023-09-06 10:04:11 by RouterOS 7.11.2
# software id = 
#
/caps-man configuration
add channel.band=2ghz-g/n country=hungary datapath.local-forwarding=yes mode=ap name=wifi2 security.authentication-types=wpa2-psk,wpa2-eap .encryption=aes-ccm .passphrase=SomeUnusedPass ssid=t-WIFI
add channel.band=5ghz-a/n country=hungary datapath.local-forwarding=yes mode=ap name=wifi5 security.authentication-types=wpa2-psk,wpa2-eap .encryption=aes-ccm .passphrase=SomeUnusedPass ssid=t5-WIFI
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no private-passphrase=vlan2-test ssid-regexp="" vlan-id=2 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s disabled=no private-passphrase=vlan200-test ssid-regexp="" vlan-id=200 vlan-mode=use-tag
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=wifi2

Only the first entry from the access-list is accepted,
so password “vlan2-test” is working and vlan2 is tagged on wifi.
But when I try to use the second password “vlan200-test”, I get a wrong password error on the client device.

What is a proper way to have password-based WIFI VLAN tagging on MT?
And no, please, no RADIUS.

Thanks in advance

CapsMAN has split into two branches to follow the WiFi driver split:

  1. The Wireless package (legacy driver)
  2. The Wifiwave2 package (new hardware)

CapsMAN for each driver supports its driver version alone.
I believe, but am not sure, that both CapsMAN versions can coexist on the same host.
Consider describing WiFi devices and their respective drivers along with configuration for MikroTik devices.
A network diagram is helpful especially for networks with many devices and/or subnets or network segments.

No, not so far. Both versions can coexist in the same LAN, but on two different devices.

Thank you; greatly appreciated.

Sorry, but your answer makes no sense to me.

Again:
I am trying to make dynamic VLANs on Mikrotik WIFI

1 SSID
multiple VLANs based on PSK2 password on this single !!! SSID

It is doable in OpenWRT with a per-VLAN PSK passphrase.

How to achieve this setup with MT?
With or without capsman, I don’t care,
and hopefully without radius/usermanager.

Any idea?

Without RADIUS I think it’s not possible… I was also interested in this.

The problem, as I see it, is this:

/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no private-passphrase=vlan2-test ssid-regexp="" vlan-id=2 vlan-mode=use-tag
add action=accept allow-signal-out-of-range=10s disabled=no private-passphrase=vlan200-test ssid-regexp="" vlan-id=200 vlan-mode=use-tag

Only the first entry is taken into account.
Without a MAC (00:00:00:00:00:00), MT tries to match the private-passphrase with the client, and when it mismatches, it does not fall through to the next rule.
This way, only the first entry is working.
And yes, it is working well; the VLAN ID is assigned as per the access-list entry.
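
Added example (not part of any post in this thread, and neither OpenWrt's nor MikroTik's code): a WPA2-PSK access point never receives the passphrase, so choosing a VLAN by passphrase means verifying the MIC of EAPOL-Key message 2 against each configured passphrase in turn. The Python below models that check with the SSID, passphrases and AP MAC from the thread; the client MAC, nonces and frame bytes are constructed, and `fall_through=False` is a hypothetical switch that models the first-match behaviour reported above.

```python
import hashlib
import hmac

SSID = "t-WIFI"                                      # SSID from the thread
RULES = [("vlan2-test", 2), ("vlan200-test", 200)]   # passphrase -> VLAN, from the thread
AP_MAC = bytes.fromhex("0e0399000101")               # AP MAC from the OpenWrt config
STA_MAC = bytes.fromhex("020000000001")              # constructed client MAC
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))       # constructed nonces
FRAME = b"constructed EAPOL-Key message 2, MIC field zeroed"  # stand-in frame body

def kck(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """Derive the 16-byte key confirmation key for one candidate passphrase."""
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    # 802.11 PRF, first block only: the KCK is the first 16 bytes of the PTK
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    block = hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00", hashlib.sha1)
    return block.digest()[:16]

def mic(key, frame):
    """HMAC-SHA1-128 MIC as used with WPA2-PSK/CCMP (key descriptor version 2)."""
    return hmac.new(key, frame, hashlib.sha1).digest()[:16]

def station_mic(passphrase):
    """MIC a client that knows `passphrase` would send in message 2."""
    return mic(kck(passphrase, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE), FRAME)

def select_vlan(rx_mic, rules=RULES, fall_through=True):
    """Return the VLAN of the rule whose passphrase verifies the MIC, else None.

    fall_through=False models the first-match behaviour reported in the thread.
    """
    for passphrase, vlan in rules:
        candidate = mic(kck(passphrase, SSID, AP_MAC, STA_MAC, ANONCE, SNONCE), FRAME)
        if hmac.compare_digest(candidate, rx_mic):
            return vlan
        if not fall_through:
            return None   # first rule failed: the client sees "wrong password"
    return None

if __name__ == "__main__":
    for pw in ("vlan2-test", "vlan200-test", "not-configured"):
        m = station_mic(pw)
        print(pw, select_vlan(m), select_vlan(m, fall_through=False))
```

With fall-through the second passphrase resolves to VLAN 200; with first-match only, it is rejected even though it is configured, which matches the symptom described in the thread.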