Hi,
after fiddling around with 3 Asus AX XT8 devices that were great in speed and coverage but unfortunately extremely bad in terms of stability, I decided to give three MT Audiences a try instead.
While I am an experienced Linux professional, I haven’t done much with RouterOS and certainly my knowledge about special RouterOS concepts is improvable.
So, what I am trying to achieve is this:
SWITCH <--LAN--> Audience main AP <--WLAN--> extra Audience node <--WLAN--> extra Audience node
I want to use them as APs in bridge mode, with WPA2-enterprise and the Audiences behaving as RADIUS clients.
The first thing I did initially was to give the three nodes a test run, with the main node still being configured as a router (“Home mesh” in QuickConfig) and add the additional nodes using WPS sync (as described in the user manual). That worked within minutes.
But as I need them to work as simple APs, I changed the main node to “WISP AP” in QuickConfig and configured WPA2-EAP, including RADIUS client configuration. That worked out nicely and I was able to connect to the main AP, but as it seems, the additional nodes don’t connect to the main AP anymore.
As far as I understand, the way those Audiences “mesh” together is by using an MT-specific form of WDS (please correct me if I’m wrong). And because the Audiences are tri-band, there is almost no performance penalty, because the dedicated third band is only for communication between them.
So what is the correct way to “mesh” together the additional nodes?
To answer the question myself, I managed to get it up and running.
Initially, I decided to follow this user’s approach, outlining a configuration without CAPsMAN:
http://forum.mikrotik.com/t/two-audiences-as-ap-bridges-and-mesh/141045/1
However, because I read a lot of interesting and tempting stories and posts about CAPsMAN, I decided to research and learn about it and go for an implementation based on CAPsMAN.
After some fiddling, I have to admit that I am more than impressed by the features offered, as well as the extensive documentation. Wish I had known this tool earlier, this will certainly be extremely helpful to implement at work.
In case anyone is interested, here’s my main node’s configuration:
```
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 2432/20-Ce/gn(16dBm), SSID: some@ssid, local forwarding
set [ find default-name=wlan1 ] disabled=no ssid=MikroTik
# managed by CAPsMAN
# channel: 5200/20-eCee/ac/P(18dBm), SSID: some@ssid, local forwarding
set [ find default-name=wlan2 ] disabled=no ssid=MikroTik
/caps-man security
add authentication-types=wpa2-eap eap-methods=passthrough eap-radius-accounting=yes encryption=aes-ccm group-encryption=aes-ccm group-key-update=5m name=\
    radius tls-mode=no-certificates
/caps-man configuration
add channel.band=2ghz-b/g/n channel.control-channel-width=20mhz channel.extension-channel=XX comment=defconf country=austria datapath.bridge=bridge \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes distance=indoors installation=indoor name=cfg-2ghz security=radius ssid=\
    some@ssid
add channel.band=5ghz-a/n/ac channel.control-channel-width=20mhz channel.extension-channel=XXXX comment=defconf country=austria datapath.bridge=bridge \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes distance=indoors installation=indoor name=cfg-5ghz-ac security=radius ssid=\
    some@ssid
add channel.band=5ghz-a/n channel.control-channel-width=20mhz channel.extension-channel=XX comment=defconf country=austria datapath.bridge=bridge \
    datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes distance=indoors installation=indoor name=cfg-5ghz-an security=radius ssid=\
    some@ssid
/caps-man interface
add channel.control-channel-width=20mhz channel.extension-channel=XX configuration=cfg-av-2ghz disabled=no mac-address=00:00:00:00:00:00 master-interface=\
    none name=2ghz-av radio-mac=00:00:00:00:00:00 radio-name=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk comment=defconf disable-pmkid=yes mode=dynamic-keys name=wpsSync supplicant-identity=MikroTik wpa2-pre-shared-key=\
    xxxxxxxxxxxxxxxxx
/interface wireless
set [ find default-name=wlan3 ] band=5ghz-a/n/ac channel-width=20/40mhz-XX disabled=no hide-ssid=yes mode=ap-bridge security-profile=wpsSync ssid=\
    SYNC-XXXXXX
/caps-man access-list
add action=accept allow-signal-out-of-range=10s disabled=no signal-range=-70..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=no signal-range=-120..71 ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add comment=defconf disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled comment=defconf hw-supported-modes=gn master-configuration=cfg-2ghz name-format=prefix-identity name-prefix=2ghz
add action=create-dynamic-enabled comment=defconf hw-supported-modes=ac master-configuration=cfg-5ghz-ac name-format=prefix-identity name-prefix=5ghz-ac
add action=create-dynamic-enabled comment=defconf hw-supported-modes=an master-configuration=cfg-5ghz-an name-format=prefix-identity name-prefix=5ghz-an
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add bridge=bridge comment=defconf interface=wlan3
add bridge=bridge interface=ether1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface wireless cap
set caps-man-addresses=127.0.0.1 enabled=yes interfaces=wlan1,wlan2
/ip dhcp-client
add comment=defconf disabled=no interface=bridge
/ip dns
set allow-remote-requests=yes
/radius
add address=1.2.3.4 secret=XXXXXX service=login,wireless,dot1x
/system clock
set time-zone-name=Europe/Brussels
```
Additional nodes can easily be added using the WPS sync button.
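A way to review an export like the one posted above: this added example (not the poster's or MikroTik's code) parses a constructed excerpt of the export, lists which security profiles use EAP and which use a pre-shared key, and evaluates the `/caps-man access-list` signal rules for a given client signal. The function names are hypothetical, and it assumes the access list is evaluated top to bottom with the first matching rule deciding.

```python
import re

# Constructed excerpt modelled on the export above; values are the post's placeholders.
EXPORT = r"""/caps-man security
add authentication-types=wpa2-eap eap-methods=passthrough encryption=aes-ccm name=\
    radius tls-mode=no-certificates
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk disable-pmkid=yes mode=dynamic-keys name=wpsSync
/caps-man access-list
add action=accept allow-signal-out-of-range=10s signal-range=-70..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s signal-range=-120..71 ssid-regexp=""
"""

def parse_export(text):
    """Return (menu, verb, props) tuples; joins '\\' line continuations first."""
    text = re.sub(r"\\\n[ \t]*", "", text)
    menu, rows = None, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        verb, _, rest = line.partition(" ")
        rest = re.sub(r"\[[^\]]*\]", "", rest)  # drop "[ find ... ]" selectors
        rows.append((menu, verb, dict(re.findall(r'([\w.-]+)=("[^"]*"|\S*)', rest))))
    return rows

def auth_types(rows):
    """Map each named security profile to its authentication-types value."""
    return {p["name"]: p["authentication-types"] for _, verb, p in rows
            if verb == "add" and "authentication-types" in p}

def access_decision(rows, signal_dbm):
    """First matching /caps-man access-list rule wins (signal-range only;
    allow-signal-out-of-range timing is not modelled)."""
    for menu, verb, p in rows:
        if menu == "/caps-man access-list" and verb == "add":
            lo, hi = map(int, re.fullmatch(r"(-?\d+)\.\.(-?\d+)", p["signal-range"]).groups())
            if lo <= signal_dbm <= hi:
                return p["action"]
    return None  # no rule matched

if __name__ == "__main__":
    rows = parse_export(EXPORT)
    print(auth_types(rows))
    print({s: access_decision(rows, s) for s in (-60, -70, -71, -90)})
```

Under that first-match assumption, a client at -71 dBm or weaker is rejected, and the reject rule's upper bound of 71 never comes into play because the accept rule above it already matches everything from -70 upward. The profile listing also shows that the client-facing SSID uses WPA2-EAP while the `wpsSync` backhaul profile relies on a pre-shared key.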