Hi all,
This isn’t really a problem, as I have 40-some APs working perfectly with CAPsMAN, now just upgraded to v6.36.
However I was wondering why some APs will identify with their IP address and some just have the MAC address.
Many of the units were configured identically and I don’t see any configuration differences.
Is this a bug or standard operating procedure?
I have the same problem. Any solution to this?
Thank you in advance.
No real change; however, may I ask if you are running Hotspot on this network?
No, I am not.
What is hotspot used for?
uldis
June 14, 2017, 7:13am
By default the MAC address option is chosen, but if the CAPsMAN was not accessible via MAC it switches to IP.
If you want you can force to use just the MAC or just the IP.
Thanks Uldis!
I looked closer into the documentation
https://wiki.mikrotik.com/wiki/Manual:CAPsMAN#CAP_to_CAPsMAN_Connection:
For the CAPsMAN system to function and provide wireless connectivity, a CAP must establish management connection with CAPsMAN. A management connection can be established using MAC or IP layer protocols and is secured using ‘DTLS’.
A CAP can also pass the client data connection to the Manager, but the data connection is not secured. If this is deemed necessary, then other means of data security needs to be used, e.g. IPSec or encrypted tunnels.
CAP to CAPsMAN connection can be established using 2 transport protocols (via Layer 2 and Layer3).
MAC layer connection features:
- no IP configuration necessary on CAP
- CAP and CAPsMAN must be on the same Layer 2 segment - either physical or virtual (by means of L2 tunnels)
IP layer (UDP) connection features:
- can traverse NAT if necessary
- CAP must be able to reach CAPsMAN using IP protocol
- if the CAP is not on the same L2 segment as CAPsMAN, it must be provisioned with the CAPsMAN IP address, because IP multicast based discovery does not work over Layer3
In order to establish connection with CAPsMAN, CAP executes a discovery process. During discovery, CAP attempts to contact CAPsMAN and builds an available CAPsMANs list. CAP attempts to contact to an available CAPsMAN using:
- configured list of Manager IP addresses
- list of CAPsMAN IP addresses obtained from DHCP server
- broadcasting on configured interfaces using both - IP and MAC layer protocols.
When the list of available CAPsMANs is built, CAP selects a CAPsMAN based on the following rules:
- if caps-man-names parameter specifies allowed manager names (/system identity of CAPsMAN), CAP will prefer the CAPsMAN that is earlier in the list, if list is empty it will connect to any available Manager
- suitable Manager with MAC layer connectivity is preferred to Manager with IP connectivity
After Manager is selected, CAP attempts to establish DTLS connection. There are the following authentication modes possible:
- no certificates on CAP and CAPsMAN - no authentication
- only Manager is configured with certificate - CAP checks CAPsMAN certificate, but does not fail if it does not have appropriate trusted CA certificate, CAPsMAN must be configured with require-peer-certificate=no in order to establish connection with CAP that does not possess certificate
- CAP and CAPsMAN are configured with certificates - mutual authentication
After DTLS connection is established, CAP can optionally check CommonName field of certificate provided by CAPsMAN. caps-man-certificate-common-names parameter contains list of allowed CommonName values. If this list is not empty, CAPsMAN must be configured with certificate. If this list is empty, CAP does not check CommonName field.
If the CAPsMAN or CAP gets disconnected from the network, the loss of connection between CAP and CAPsMAN will be detected in approximately 10-20 seconds.
However I’m not seeing where I can specify one method over another. Could you please show me where on either the CAPsMAN or the AP to configure?
Much appreciated!
rabienz
September 9, 2017, 10:28am
Me too, I can’t see where to do it.
How can I force just the IP?
JF
Can anyone shed some light on this issue? I am experiencing the same behavior on “latest” v6.48.6 (long-term).
Did OP ever get an answer?
Some of my RBcAPGi-5acD2nD are shown by IP, others are shown by MAC address. Most irritating to me.
The CAPs which are listed by IP are on different switches than those listed by MAC address. Could this be a factor?
dibaq
November 28, 2023, 12:06pm
Hello, I had the same problem. The solution is to disable discovery in the CAP settings, and use request certificate and lock to CAPsMAN. It works!
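A sketch of the settings dibaq describes, combined with the mutual-authentication mode from the quoted documentation; this is an added example, not taken from any poster's router. The interface name wlan1 and the manager address 192.0.2.1 are placeholders (assumptions), and the parameter names are those of the RouterOS v6 `/caps-man manager` and `/interface wireless cap` menus.

```routeros
# --- On the CAPsMAN (manager) ---
# Let the manager generate its own CA and certificate so CAPs can
# request a certificate signed by that CA.
/caps-man manager
set enabled=yes ca-certificate=auto certificate=auto

# --- On each CAP ---
# discovery-interfaces="" : no broadcast discovery (neither MAC nor IP),
#                           so the MAC-layer connection is never chosen.
# caps-man-addresses      : the manager is contacted only at this IP
#                           (192.0.2.1 is a placeholder).
# certificate=request     : CAP asks the manager's CA for a certificate.
# lock-to-caps-man=yes    : CAP stays bound to the manager it first
#                           authenticated against.
/interface wireless cap
set enabled=yes interfaces=wlan1 discovery-interfaces="" \
    caps-man-addresses=192.0.2.1 certificate=request lock-to-caps-man=yes

# --- Back on the CAPsMAN, once every CAP holds a certificate ---
# Switch to mutual authentication. Enabling this earlier rejects CAPs
# that have not yet obtained a certificate.
/caps-man manager
set require-peer-certificate=yes
```

With discovery disabled, every CAP should then be listed by IP on the manager; leaving discovery interfaces configured keeps the documented preference for the MAC-layer connection wherever the CAP shares a Layer 2 segment with the manager.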