Topic Author
Posts: 3
Joined: Mon Sep 30, 2013 3:16 am
Location: Queensland, Australia

CAPsMAN Access List Private Passphrase

Wed Aug 17, 2016 9:15 am

Can CAPsMAN Access List `CAPs Access Rule` matching work with multiple rules that use `MAC Address` wildcard with different `Private Passphrase`?

We use the CAPsMAN Access List `MAC Address`, `SSID Regexp` and `Private Passphrase` to individually control device access by matching each device's MAC and a generated unique passphrase.
When we are onboarding a new device, we add a rule with no MAC into the access list with the new device's passphrase.
We then look in the registration table for the new device when it is connected and update the access list entry with the MAC address, so that it locks that passphrase to that device.
This works fine until somebody doesn't complete the onboarding process and we now have multiple devices that are trying to connect that aren't already in the list.
This causes all the devices that aren't explicitly in the access list, even if they have the incorrect passphrase, to appear in the registration table (briefly) for that rule, so we cannot determine which device is the one we are onboarding.
I think we can get around this by waiting for the `Uptime` value in the registration table to be sufficiently long that a connection with an incorrect passphrase would have been disconnected, so assuming that works, we move on to the next problem:

No device will ever connect to a subsequent rule after the first MAC wildcard entries, even if they match all conditions in a later CAPs Access Rule.

My observation leads me to assume that this is the sequence of events within CAPsMAN:
  1. Device tries to connect to SSID
  2. Device MAC matches `MAC address` [blank]
  3. Device SSID matches `SSID Regexp`
  4. Device added to Registration Table
  5. CAPsMAN realises they have the wrong Private Passphrase
  6. Device access denied
  7. Device removed from Registration Table
  8. Device does not get checked against any further Access List entries
From this I assume that only the things above `Action` when viewed in winbox are actually checked before the device appears in the `Registration Table`.
[Attachment: CAPsMAN Onboarding.png]
With all this in mind, how can we provision and manage devices with unique passphrases? Do I have to add another server into what is otherwise a self-contained system, use RADIUS and completely manage this elsewhere?

Note: the helpdesk see all this through a web interface that does everything through API calls for us.
[Attachment: CAPsMAN Onboarding Web.png]
[Attachment: CAPsMAN Access List Web.png]
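The onboarding step described in the post above, as an added example (not code from the original post or from MikroTik): given an access-list rule that still has no MAC, pick the one registration-table client that matches the rule's SSID regexp, is not already locked to another rule, and has been up long enough that a wrong-passphrase attempt would have been dropped, then produce the fields that lock the rule to that MAC. Field names (`.id`, `mac-address`, `ssid-regexp`, `ssid`, `uptime`) are those of the RouterOS API; the sample rows and the 60-second threshold are constructed assumptions.

```python
import re

# Constructed sample rows in the shape the RouterOS API returns for
# /caps-man access-list and /caps-man registration-table (values are made up).
ACCESS_LIST = [
    {".id": "*1", "mac-address": "AA:BB:CC:00:00:01", "ssid-regexp": "^Staff$",
     "private-passphrase": "printer-secret", "action": "accept", "comment": "printer-1"},
    {".id": "*2", "ssid-regexp": "^Staff$", "private-passphrase": "laptop-17-secret",
     "action": "accept", "comment": "onboard:laptop-17"},  # passphrase issued, MAC not yet locked
]
REGISTRATION = [
    {".id": "*A", "mac-address": "AA:BB:CC:00:00:01", "ssid": "Staff", "uptime": "2d4h"},
    {".id": "*B", "mac-address": "DE:AD:BE:EF:00:02", "ssid": "Staff", "uptime": "850ms"},  # wrong passphrase
    {".id": "*C", "mac-address": "DE:AD:BE:EF:00:03", "ssid": "Staff", "uptime": "2m10s"},  # device being onboarded
]

_UNIT_MS = {"w": 604_800_000, "d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
_TOKEN = re.compile(r"(\d+)(ms|w|d|h|m|s)")

def parse_uptime(text):
    """Convert a RouterOS duration such as '2d4h' or '2m10s' to seconds."""
    total_ms, pos = 0, 0
    for m in _TOKEN.finditer(text):
        if m.start() != pos:
            raise ValueError(f"bad uptime: {text!r}")
        total_ms += int(m.group(1)) * _UNIT_MS[m.group(2)]
        pos = m.end()
    if pos != len(text):
        raise ValueError(f"bad uptime: {text!r}")
    return total_ms / 1000

def onboarding_candidates(rule, access_list, registration, min_uptime_s=60):
    """Clients that may be the device for an unbound rule: SSID matches the rule's regexp,
    MAC not locked to any rule, and up long enough that a wrong passphrase would have
    been rejected already (the threshold is an assumption; tune it to your CAPsMAN)."""
    bound = {r["mac-address"].upper() for r in access_list if r.get("mac-address")}
    ssid_re = re.compile(rule.get("ssid-regexp", ""))
    return [reg for reg in registration
            if ssid_re.search(reg.get("ssid", ""))
            and reg["mac-address"].upper() not in bound
            and parse_uptime(reg["uptime"]) >= min_uptime_s]

def bind_rule_to_device(rule, access_list, registration, min_uptime_s=60):
    """Fields for `/caps-man access-list set` that lock the rule to the onboarding device,
    or None when several unbound clients qualify: the registration table does not show
    which passphrase a client used, so guessing could bind the passphrase to the wrong MAC."""
    if rule.get("mac-address"):
        raise ValueError("rule is already bound to a MAC")
    cands = onboarding_candidates(rule, access_list, registration, min_uptime_s)
    return {".id": rule[".id"], "mac-address": cands[0]["mac-address"]} if len(cands) == 1 else None
```

Returning None on ambiguity is deliberate: with two unbound clients present there is no safe way to tell which one was issued the rule's passphrase, which is exactly the failure the post describes.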
Posts: 45
Joined: Mon Oct 17, 2011 4:07 am

Re: CAPsMAN Access List Private Passphrase

Tue Aug 01, 2017 11:08 pm

Did you ever figure this out? We're running into the same challenge. We've also tried a RADIUS server (userman), but it can't handle username pattern matches...
Posts: 13
Joined: Mon Feb 15, 2016 5:13 pm

Re: CAPsMAN Access List Private Passphrase

Fri Aug 11, 2017 12:49 am

Just a "me too" post. Didn't realise this post existed, it explains it very well.

I logged a new request a few weeks back here for the same thing: viewtopic.php?f=1&t=123551&p=609276#p609276

No feedback from Mikrotik on whether this is technically possible so I'm not sure if it's worth pursuing or not. If I come up with any workarounds then I'll let you know.
