User manager with wifiwave2 capsman

Did anybody try to configure User Manager with CAPsMAN (wifiwave2)?

Asked support about this but they are not responding.

I tried User Manager with the standard legacy drivers and a single AP, and it is a good workaround until Mikrotik implements PPSK.

(Thanks to the @pe1chl for help with user manager)

I did a basic implementation of User Manager with WifiWave2, but only as a MAC address filter list, and without PPSK yet.

I know MAC address filtering is not a security feature. It’s just to discourage sharing and spreading of the passphrase to the network with more privileged access.

Eventually, I plan to add PPSK, which brings certain devices onto the privileged network (VLAN), and will have just one SSID, no guest SSID.

However, I’m blocked until MikroTik fixes a limitation on hAP ac³ (VLAN tagging is unsupported in WifiWave2), so for now I’m manually adding the static (CAP) interfaces to the bridge and VLANs:

802.11n/ac interfaces do not support this type of VLAN tagging under the wifiwave2 package, but they can be configured as VLAN access ports in bridge settings

Or I’ll replace it with a hAP ax²: a smaller and prettier device, without those ugly big antennas, but with better transmit power for both 5GHz (comparing at MCS9) and 2.4GHz (comparing at MCS7).

My main network that is in active use is an RB5009 and 2 cAP ax controlled by CAPsMAN. For testing purposes I have an RB4011 with the wifiwave2 package installed and an ax² as CAP.

How do you activate MAC authentication on wifiwave2?

@pe1chl suggested using a password as well as MAC filtering; I tried that, and with legacy drivers it works without a problem. It asks you for a password and then you’re connected to the desired VLAN.

But that is a pure AP setup, without CAPsMAN and legacy drivers.

Using the access list, according to the WifiWave2 docs:

Implemented through the query-radius action, MAC address authentication is a way to implement a centralized whitelist of client MAC addresses using a RADIUS server.

Example code:

add action=query-radius disabled=no ssid-regexp=SSID-using-radius-filter
add action=accept disabled=no ssid-regexp=SSID-for-guests
add action=reject signal-range=-120..0

This shouldn’t be just a suggestion, but a very strong recommendation. The MAC filtering provides exactly zero security against hackers. It’s useful only to not let your private password get spread by accident - people won’t be sharing your password to your more privileged SSID.

From the link I already shared in the previous post, see this answer:

MAC address filtering doesn’t improve security since network traffic includes the unencrypted MAC address of active network devices. This means anyone can find out a MAC address that’s on the allowed list and then use easily available software to spoof their MAC address.

Authentication and encryption are the only reasonable ways to secure your wireless network. For a home network that means using WPA2-PSK security with a strong password and an SSID that’s not on the list of the 1000 most common SSIDs.

I wouldn’t base any access control on MAC addresses. Maybe just physical port security, allowing only a certain machine to physically connect. But one shouldn’t be assigning a VLAN based on the MAC address only (it needs a private PSK for the user as well).

The security feature that would grant access / assign a machine to the privileged VLAN would be the use of a different PSK for the desired users (MAC addresses), and this different PSK is the security feature which ensures that a trusted device has connected and is allowed to access the more privileged VLAN.

Thank you for the information; tomorrow I will create a test setup to play a little bit with it.

The good thing is that I don’t have a “dynamic” network, so to say; all my devices are fixed, cameras, etc… There is no guest network, and honestly nobody asks me for a wifi password, so I really didn’t see the need for a guest network…

As I promised, I tried to play a little bit with user manager.

I created two VLANs; I have CAPsMAN up and running and that part is working: I get the correct VLAN assigned and I have internet access.

I tried to set up User Manager, but it doesn’t do anything: I connect to wifi but User Manager is ignored, no RADIUS log messages, nothing…

Here you can find the configuration that I’m using right now. The MAC address that I use as the username is the device MAC, not a random MAC.

# 2023-10-04 16:47:11 by RouterOS 7.12beta9
# software id = 
#
# model = RB4011iGS+
# serial number = 
/interface bridge
add admin-mac= auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=VLAN_60 vlan-id=60
add interface=bridge name=VLAN_70 vlan-id=70
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wifiwave2 datapath
add bridge=bridge disabled=no interface-list=LAN name=datapath_vlan60 \
    vlan-id=60
add bridge=bridge disabled=no interface-list=LAN name=datapath_vlan70 \
    vlan-id=70
/interface wifiwave2 security
add authentication-types=wpa2-psk,wpa3-psk disabled=no name=sec_test
/interface wifiwave2 configuration
add channel.band=2ghz-ax .frequency=2412 .width=20mhz country=Croatia \
    datapath=datapath_vlan60 disabled=no mode=ap name=config_test_2.4 \
    security=sec_test ssid=Mikrotik_1
add channel.band=5ghz-ax .frequency=5180 .width=20/40mhz country=Croatia \
    datapath=datapath_vlan70 disabled=no mode=ap name=config_test_5 security=\
    sec_test ssid=Mikrotik_2
/interface wifiwave2
add configuration=config_test_5 configuration.mode=ap datapath=\
    datapath_vlan70 disabled=no name=cap-wifi1 radio-mac=
add configuration=config_test_2.4 configuration.mode=ap datapath=\
    datapath_vlan60 disabled=no name=cap-wifi2 radio-mac=
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.60.2-192.168.60.254
add name=dhcp_pool2 ranges=192.168.70.2-192.168.70.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
add address-pool=dhcp_pool1 interface=VLAN_60 lease-time=1d name=dhcp1
add address-pool=dhcp_pool2 interface=VLAN_70 lease-time=1d name=dhcp2
/port
set 0 name=serial0
set 1 name=serial1
/user-manager user
add name=00:C3:0A:B7:ED:1C
/user-manager user group
set [ find default-name=default ] attributes=Mikrotik-Wireless-Forward:1
add attributes="Mikrotik-Wireless-Forward:1,Mikrotik-Wireless-VLANIDtype:0,Mik\
    rotik-Wireless-VLANID:60" name=VLAN_60 outer-auths=pap
add attributes="Mikrotik-Wireless-Forward:1,Mikrotik-Wireless-VLANIDtype:0,Mik\
    rotik-Wireless-VLANID:70" name=VLAN_70 outer-auths=pap
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge tagged=bridge,ether10 vlan-ids=70
add bridge=bridge tagged=bridge,ether10 vlan-ids=60
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=VLAN_60 list=LAN
add interface=VLAN_70 list=LAN
/interface wifiwave2 access-list
add action=query-radius disabled=no ssid-regexp=\
    SSID-using-radius-filter
/interface wifiwave2 capsman
set enabled=yes package-path="" require-peer-certificate=no upgrade-policy=\
    none
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.70.1/24 interface=VLAN_70 network=192.168.70.0
add address=192.168.60.1/24 interface=VLAN_60 network=192.168.60.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.60.0/24 dns-server=8.8.8.8 gateway=192.168.60.1
add address=192.168.70.0/24 dns-server=8.8.8.8 gateway=192.168.70.1
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input dst-port=1812,1813,3799 protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/radius
add address=192.168.88.1 service=wireless
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Zagreb
/system logging
add topics=radius
add topics=wireless
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user aaa
set use-radius=yes
/user-manager
set certificate=*0 enabled=yes
/user-manager router
add address=192.168.88.1 name=router1
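The group attribute strings in the export above (Mikrotik-Wireless-Forward:1, Mikrotik-Wireless-VLANIDtype:0, Mikrotik-Wireless-VLANID:60 or 70) are what User Manager returns to CAPsMAN as RADIUS Vendor-Specific attributes in the Access-Accept. The Python below is an added example, not code from this thread or from MikroTik: it encodes such a string into the on-wire VSA bytes and decodes them back, so a reply seen in a packet capture can be checked against the intended VLAN. The vendor-type numbers (Forward=4, VLANID=26, VLANIDtype=27 under MikroTik enterprise ID 14988) are assumed to match the standard MikroTik RADIUS dictionary.

```python
import struct

MIKROTIK_VENDOR_ID = 14988  # IANA enterprise number of MikroTik
VSA_TYPE = 26  # RADIUS Vendor-Specific attribute type (RFC 2865)
# Vendor-type numbers as in the standard MikroTik RADIUS dictionary (assumed;
# verify against the dictionary your RADIUS server ships with).
MIKROTIK_ATTRS = {
    "Mikrotik-Wireless-Forward": 4,
    "Mikrotik-Wireless-VLANID": 26,
    "Mikrotik-Wireless-VLANIDtype": 27,  # 0 = 802.1Q, the value used above
}
NAME_BY_TYPE = {num: name for name, num in MIKROTIK_ATTRS.items()}

def encode_user_manager_attrs(attr_string):
    """Encode a User Manager group 'attributes=' string such as
    'Mikrotik-Wireless-Forward:1,Mikrotik-Wireless-VLANID:60' as the RADIUS
    VSAs sent on the wire: type 26, length, vendor-id, vendor-type, vendor-length, value."""
    out = b""
    for item in attr_string.split(","):
        name, value = (part.strip() for part in item.split(":", 1))
        payload = struct.pack("!I", int(value))  # integer attrs: 32-bit big-endian
        inner = struct.pack("!IBB", MIKROTIK_VENDOR_ID, MIKROTIK_ATTRS[name],
                            2 + len(payload)) + payload
        out += struct.pack("!BB", VSA_TYPE, 2 + len(inner)) + inner
    return out

def decode_mikrotik_vsas(attributes):
    """Walk a RADIUS attribute blob (e.g. the Access-Accept body from a capture)
    and return {name: int} for the MikroTik integer VSAs it carries; other
    attributes are skipped, malformed lengths raise instead of looping forever."""
    found, pos = {}, 0
    while pos + 2 <= len(attributes):
        atype, alen = attributes[pos], attributes[pos + 1]
        if alen < 2 or pos + alen > len(attributes):
            raise ValueError("malformed RADIUS attribute length")
        body = attributes[pos + 2:pos + alen]
        if atype == VSA_TYPE and len(body) >= 10:
            vendor, vtype, vlen = struct.unpack("!IBB", body[:6])
            if vendor == MIKROTIK_VENDOR_ID and vtype in NAME_BY_TYPE and vlen == 6:
                found[NAME_BY_TYPE[vtype]] = struct.unpack("!I", body[6:10])[0]
        pos += alen
    return found

def effective_vlan(accept_attrs, datapath_vlan=None):
    """VLAN the client lands on: a RADIUS-supplied Mikrotik-Wireless-VLANID
    overrides the datapath vlan-id, which matches what the thread observed."""
    return accept_attrs.get("Mikrotik-Wireless-VLANID", datapath_vlan)
```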

Is your SSID named SSID-using-radius-filter?

The option ssid-regexp means the following:

Match if the given regular expression matches the SSID.

So, if your SSID has a different name, then this ACL rule is not matched, and therefore the query-radius action is not executed.

In my example, I redacted the actual SSID name from my network config, but you should fill in the SSID that will be using RADIUS. Alternatively, remove this option and this rule will be applied to all clients that try to connect.

I’m an idiot… I didn’t change that… It’s working now.

I noticed that, e.g., I have 2 SSIDs: Mikrotik_1 is on VLAN 60 and Mikrotik_2 is on VLAN 70, configured by datapath. Right now I have User Manager configured just for Mikrotik_1, but in User Manager I assign VLAN 70 to the user connecting to Mikrotik_1 and it overrides the datapath settings…

So, is the datapath even necessary in this case? Or is it enough to send the desired VLANs to the CAP?

Well, I have not worked with datapaths and have no clue how they work, because VLAN tagging is not supported by the WifiWave2 driver for hAP ac³, which I’m using as a CAP. So I’ve had to add the (static) interfaces to the bridge manually.

So I removed the datapath from the configuration, and now Mikrotik_2 as expected receives an IP address from the default VLAN 1, but Mikrotik_1 still gets an IP address from the VLAN that is specified in User Manager.

So it appears that the datapath in this case is not needed and VLANs are managed by User Manager… Of course, the VLANs that we plan to use still need to be tagged and sent to the CAP.