Note that I have moved beyond the initial case. I now have multiple SSIDs per band. I'm working on moving many of them to VLANs to suit their individual special applications. Just as soon as I get load balancing and failover working.
More notes at the end.
Here you go:
[admin@router] /caps-man> export hide-sensitive
# jul/19/2018 07:53:30 by RouterOS 6.42.5
# software id = 4261-N4HD
#
# model = 2011UiAS-2HnD
# serial number = 608C05CD83DF
/caps-man channel
add band=2ghz-g/n name=2g
add band=5ghz-n/ac name=5g
/caps-man interface
add disabled=no mac-address=00:00:00:00:00:00 master-interface=none name=\
cap-master radio-mac=00:00:00:00:00:00
/caps-man datapath
add bridge=bridge name=BridgeDP
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=RadioRanch
add authentication-types=wpa2-psk encryption=aes-ccm name=BakerStreet
add authentication-types=wpa-psk encryption=aes-ccm name=riot
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=\
Bunkhouse
/caps-man configuration
add channel=2g country="united states3" datapath=BridgeDP datapath.bridge=\
bridge name=RadioRanch security=RadioRanch ssid=RadioRanch
add channel=5g country="united states3" datapath=BridgeDP datapath.bridge=\
bridge name=BakerStreet security=BakerStreet ssid=BakerStreet
add channel=2g country="united states3" datapath=BridgeDP datapath.bridge=\
bridge name=riot2 security=riot ssid=riot2
add channel=5g country="united states3" datapath=BridgeDP datapath.bridge=\
bridge name=riot5 security=riot ssid=riot5
add country="united states3" datapath=BridgeDP datapath.bridge=bridge name=\
Bunkhouse security=Bunkhouse ssid=Bunkhouse
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=riot2 name-format=\
prefix-identity name-prefix=TAP radio-mac=4C:5E:0C:F9:BD:4D
add action=create-dynamic-enabled hw-supported-modes=a,ac,an \
master-configuration=BakerStreet name-format=prefix-identity name-prefix=\
CAP slave-configurations=riot5,Bunkhouse
add action=create-dynamic-enabled hw-supported-modes=g,gn \
master-configuration=RadioRanch name-format=prefix-identity name-prefix=\
CAP slave-configurations=riot2,Bunkhouse
[admin@router] /caps-man>
Other points;
country="united states3" is set to match my country locked APs
Provisioning entry order matters. Provisioning files are executed in order and the first match wins.
The first provisioning entry is present to lock a specific AP to provide only 'riot2'
'riot' is 'Radio IoT' to let me isolate my growing number of Internet of Things things from the main LAN. It will be VLANd straight to the WAN. Band specific SSIDs so I can keep as much at 5 GHz as possible to preserve 2.4 GHz capacity.
The redundant "datapath=BridgeDP datapath.bridge=bridge" entries in the configuration files only need to be "datapath=BridgeDP" These are an artifact of my hacking around to get it to work. I've not yet cleaned everything up.
You might also look at
viewtopic.php?f=7&t=136663&p=674938#p674938 for related confusion that might be useful to you.
I hope this helps.