ErikG
CAPsMAN Authentication Issue

Wed Sep 30, 2020 4:56 am

Hello everyone. I have hit a brick wall with the CAPsMAN configuration I have been working on, and I am reaching out to the MikroTik community to see if anyone can correct my misunderstanding or at least discover what may be broken.

What I have done is set up CAPsMAN to provision dynamic interfaces, with guest virtual interfaces for guest WiFi under the master interfaces.
My issue is this: when I try to connect a laptop to the AP (a cAP ac), I get authentication errors on my Windows 10 device; however, if I repeatedly attempt to connect, it eventually associates properly.
I have seen this exact issue elsewhere on CAPsMAN deployments that are not my own, which is why I don't think it is just my device; I suspect I have something configured wrong, or this RB4011/cAP ac is dropping the 802.11 ball.

For anyone who wants to help, I have included the exports from the RB4011 and the cAP ac below. (Note: these exports contain the WPA2 passphrases in clear text under `/caps-man security` and `/interface wireless security-profiles`. Anyone posting exports should redact `passphrase=` and `wpa2-pre-shared-key=` first, and any key that has already been shared publicly should be rotated.)

CAPsMAN Config:
CAPsMAN Controller:
# RB4011 (CAPsMAN controller) export, section: channel definitions.
# Two kinds of entries: "auto" groups listing several candidate frequencies,
# and one fixed 20 MHz channel per 2.4 GHz / 5 GHz channel number.
# Only ch6_2GHz, ch-X-2GHz_auto, ch161_5GHz and ch-XX-5GHz_auto are referenced
# by the /caps-man configuration entries in this export; the others are spare.
# Every 5 GHz group sets skip-dfs-channels=yes, so no DFS frequency is used.
/caps-man channel
add control-channel-width=20mhz extension-channel=disabled frequency=\
    2412,2437,2462 name=ch-X-2GHz_auto secondary-frequency=disabled
add control-channel-width=20mhz extension-channel=disabled frequency=\
    5180,5200,5220,5240,5745,5765,5785,5805,5825 name=ch-X-5GHz_auto \
    secondary-frequency=disabled skip-dfs-channels=yes
add control-channel-width=20mhz frequency=2412 name=ch1_2GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=2417 name=ch2_2GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=2422 name=ch3_2GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=2427 name=ch4_2GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=2432 name=ch5_2GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=2437 name=ch6_2GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=2442 name=ch7_2GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=2447 name=ch8_2GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=2452 name=ch9_2GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=2457 name=ch10_2GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=2462 name=ch11_2GHz \
    secondary-frequency=disabled
# 40 MHz (XX) and 80 MHz (XXXX) 5 GHz groups; note these omit 5825 (ch 165),
# unlike ch-X-5GHz_auto above.
add control-channel-width=20mhz extension-channel=XX frequency=\
    5180,5200,5220,5240,5745,5765,5785,5805 name=ch-XX-5GHz_auto \
    secondary-frequency=disabled skip-dfs-channels=yes
add control-channel-width=20mhz extension-channel=XXXX frequency=\
    5180,5200,5220,5240,5745,5765,5785,5805 name=ch-XXXX-5GHz_auto \
    secondary-frequency=disabled skip-dfs-channels=yes
add control-channel-width=20mhz extension-channel=XX frequency=2412,2462 name=\
    ch-XX-2GHz_auto secondary-frequency=disabled
add control-channel-width=20mhz frequency=5180 name=ch36_5GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=5200 name=ch40_5GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=5220 name=ch44_5GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=5240 name=ch48_5GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=5745 name=ch149_5GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=5765 name=ch153_5GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=5785 name=ch157_5GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=5805 name=ch161_5GHz \
    secondary-frequency=disabled
add control-channel-width=20mhz frequency=5825 name=ch165_5GHz \
    secondary-frequency=disabled
# Empty AP configuration: no ssid and no security profile is set on it.
# It is referenced only as master-configuration by the two catch-all
# provisioning rules at the end of /caps-man provisioning, which specify no
# action= (the RouterOS default is none), so it should not bring up an open
# SSID. NOTE(review): confirm with /caps-man interface print after any change
# to provisioning, since an open SSID would be the result if an action were set.
/caps-man configuration
add mode=ap name=cfg-blank
# Main bridge: VLAN-aware (vlan-filtering=yes) with DHCP snooping and ingress
# filtering enabled. Only bridge ports marked trusted=yes may source DHCP
# server replies. STP is off (protocol-mode=none), so there is no loop
# protection on the LAN ports.
/interface bridge
add admin-mac=48:8F:5A:8B:CB:68 auto-mac=no dhcp-snooping=yes \
    ingress-filtering=yes mtu=1500 name=bridge protocol-mode=none \
    vlan-filtering=yes
# The RB4011's own radios. Both masters carry ssid=4011 and no
# security-profile= is set, so they use the "default" profile (only its
# supplicant-identity is changed in this export).
# NOTE(review): the default profile is open unless it was changed outside this
# export — verify with /interface wireless security-profiles print. The export
# shows no disabled=no on these interfaces and the local /interface wireless cap
# entry is not enabled, so they may simply be switched off; check
# /interface wireless print before relying on that.
/interface wireless
# scan-list includes 5200-5300 on a 2.4 GHz radio — harmless but misleading.
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    band=2ghz-b/g/n bridge-mode=disabled country=canada2 distance=indoors \
    frequency=auto hw-fragmentation-threshold=2347 installation=indoor \
    max-station-count=250 mode=ap-bridge multicast-helper=full name=WiFi_2g \
    scan-list=default,5200-5300 ssid=4011 station-roaming=enabled \
    wireless-protocol=802.11 wmm-support=enabled
# NOTE(review): mode=station on a guest virtual interface makes it a client,
# not an AP. With static-virtual=yes the CAP appears to reuse these static
# virtual interfaces, so mode=ap-bridge is probably what was intended (the same
# applies to WiFi_5g-Guest below).
add mac-address=4A:8F:5A:5B:9F:F4 master-interface=WiFi_2g mode=station name=\
    WiFi_2g-Guest
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    band=5ghz-a/n/ac bridge-mode=disabled channel-width=20/40/80mhz-eeeC \
    country=canada2 distance=indoors frequency=5805 hw-fragmentation-threshold=\
    2347 max-station-count=250 mode=ap-bridge multicast-helper=full name=\
    WiFi_5g skip-dfs-channels=all ssid=4011 station-roaming=enabled \
    wireless-protocol=802.11 wmm-support=enabled
add mac-address=4A:8F:5A:8B:CB:73 master-interface=WiFi_5g mode=station name=\
    WiFi_5g-Guest
# sfp-sfpplus1 is the WAN uplink (see the WAN comment on its bridge port).
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=WAN
# Nstreme polling off on both radios (plain 802.11).
/interface wireless nstreme
set WiFi_2g enable-polling=no
set WiFi_5g enable-polling=no
# L3 interfaces on top of the bridge: guest network on VLAN 4080, WAN on 4094.
# BR_WAN has loop-protect=off; the WAN bridge ports are trusted for DHCP
# snooping so the DHCP client on BR_WAN can receive offers.
/interface vlan
add interface=bridge name=BR_Guest vlan-id=4080
add interface=bridge loop-protect=off name=BR_WAN vlan-id=4094
# WPA2-PSK / AES-CCMP profiles for the main ("default") and guest SSIDs.
# NOTE(review): both passphrases appear in clear text in this public post —
# treat them as compromised and rotate them; redact passphrase= before sharing
# exports. Both are also short, sequential digit strings plus a fixed suffix,
# which is weak against offline guessing.
# NOTE(review): disable-pmkid=no keeps the PMKID in the association exchange.
# For PSK networks a nearby listener can capture that PMKID and run offline
# guessing against the passphrase without waiting for a client handshake.
# Unless fast roaming (OKC) is needed, disable-pmkid=yes is the more
# conservative choice — but change it only after the authentication problem is
# resolved, because it alters client behaviour and could mask the real cause.
/caps-man security
add authentication-types=wpa2-psk disable-pmkid=no encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=1h name=default passphrase=\
    12345678910cap
add authentication-types=wpa2-psk disable-pmkid=no encryption=aes-ccm \
    group-encryption=aes-ccm group-key-update=1h name=guest passphrase=\
    12345678910capg
# Interface lists used by firewall / discovery rules. exclude= only subtracts
# from what is added under /interface list member and via include=; it does not
# make WAN or admin a catch-all. "admin" has no members in this export, so it
# should be empty — verify with /interface list member print.
/interface list
add name=WiFi
add name=LAN
add exclude=WiFi,LAN name=WAN
add exclude=WiFi,LAN,WAN name=admin
# Datapaths. Both use local-forwarding=yes, so client traffic is bridged on the
# CAP itself rather than tunnelled to the controller. The guest datapath tags
# frames with VLAN 4080 and sets client-to-client-forwarding=no, isolating
# guest clients from each other on the same radio. Because forwarding is local,
# VLAN 4080 has to be carried tagged on the CAP's bridge and its uplink — see
# the /interface bridge vlan tables of both devices (ether10 here, ether1 on
# the cAP ac).
/caps-man datapath
add arp=enabled bridge=bridge client-to-client-forwarding=yes interface-list=\
    none local-forwarding=yes mtu=1500 name=datapath-lan vlan-id=1 vlan-mode=\
    no-tag
add arp=enabled bridge=bridge client-to-client-forwarding=no interface-list=\
    none local-forwarding=yes mtu=1500 name=datapath-lan_guest vlan-id=4080 \
    vlan-mode=use-tag
# Per-band AP configurations. Main SSIDs use security=default, guest SSIDs use
# security=guest (both WPA2-PSK with different passphrases).
# NOTE(review): cfg-2GHz and cfg-2GHz_Guest both advertise ssid=Test with
# different PSKs. If both were ever provisioned on one radio, a client would see
# two BSSIDs with the same name and a wrong key for one of them — an
# intermittent "authentication failed, works on retry" pattern like the one
# reported. cfg-2GHz_Guest is not listed as a slave-configuration in the
# provisioning rules of this export, so confirm it is not active
# (/caps-man interface print), or rename it (e.g. ssid=Test-Guest) to match the
# 5 GHz guest configuration.
# country=canada here vs country=canada2 on the radio interfaces: the CAPsMAN
# configuration is what applies to provisioned interfaces, so this is harmless.
/caps-man configuration
add channel=ch6_2GHz channel.band=2ghz-onlyn channel.control-channel-width=\
    20mhz channel.extension-channel=disabled channel.secondary-frequency=\
    disabled country=canada datapath=datapath-lan disconnect-timeout=3s \
    distance=indoors frame-lifetime=0ms guard-interval=any hide-ssid=no \
    hw-protection-mode=none hw-retries=7 installation=any keepalive-frames=\
    enabled max-sta-count=250 mode=ap multicast-helper=full name=cfg-2GHz \
    rx-chains=0,1,2,3 security=default ssid=Test tx-chains=0,1,2,3
add channel=ch-X-2GHz_auto country=canada datapath=datapath-lan_guest \
    disconnect-timeout=3s distance=indoors frame-lifetime=0ms guard-interval=\
    any hide-ssid=no hw-protection-mode=none hw-retries=7 installation=any \
    keepalive-frames=enabled max-sta-count=250 mode=ap multicast-helper=full \
    name=cfg-2GHz_Guest rx-chains=0,1,2,3 security=guest ssid=Test tx-chains=\
    0,1,2,3
add channel=ch161_5GHz channel.band=5ghz-a/n/ac channel.control-channel-width=\
    20mhz channel.extension-channel=eeeC channel.secondary-frequency=disabled \
    channel.skip-dfs-channels=yes country=canada datapath=datapath-lan \
    disconnect-timeout=3s distance=indoors frame-lifetime=0ms guard-interval=\
    any hide-ssid=no hw-protection-mode=none hw-retries=7 installation=any \
    keepalive-frames=enabled max-sta-count=250 mode=ap multicast-helper=full \
    name=cfg-5GHz rx-chains=0,1,2,3 security=default ssid=Test_5GHz tx-chains=\
    0,1,2,3
add channel=ch-XX-5GHz_auto channel.skip-dfs-channels=yes country=canada \
    datapath=datapath-lan_guest disconnect-timeout=3s distance=indoors \
    frame-lifetime=0ms guard-interval=any hide-ssid=no hw-protection-mode=none \
    hw-retries=7 installation=any keepalive-frames=enabled max-sta-count=250 \
    mode=ap multicast-helper=full name=cfg-5GHz_Guest rx-chains=0,1,2,3 \
    security=guest ssid=Test_5GHz-Guest tx-chains=0,1,2,3
# Interfaces provisioned on the cAP ac (identity 51448): a 2.4 GHz master, a
# 5 GHz master and the 5 GHz guest slave (virtual, hence
# radio-mac=00:00:00:00:00:00). All three are exported with disabled=yes —
# if that reflects the live state the cAP is not serving any SSID, so this is
# probably a snapshot taken mid-test. The masters carry static
# channel.frequency overrides (2437 = ch 6, 5805 = ch 161) that match
# ch6_2GHz / ch161_5GHz.
/caps-man interface
add channel.frequency=2437 channel.secondary-frequency=disabled configuration=\
    cfg-2GHz disabled=yes l2mtu=1600 mac-address=48:8F:5A:2E:A6:F7 \
    master-interface=none name="2GHz-cAP ac (51448)-1" radio-mac=\
    48:8F:5A:2E:A6:F7 radio-name=488F5A2EA6F7
add channel.frequency=5805 channel.secondary-frequency=disabled configuration=\
    cfg-5GHz disabled=yes l2mtu=1600 mac-address=48:8F:5A:2E:A6:F8 \
    master-interface=none name="5GHz-cAP ac (51448)-1" radio-mac=\
    48:8F:5A:2E:A6:F8 radio-name=488F5A2EA6F8
add channel.frequency=5180,5200,5220,5240,5745,5765,5785,5805 \
    channel.secondary-frequency=disabled configuration=cfg-5GHz_Guest disabled=\
    yes l2mtu=1600 mac-address=4A:8F:5A:2E:A6:F8 master-interface=\
    "5GHz-cAP ac (51448)-1" name="5GHz-cAP ac (51448)-1-1" radio-mac=\
    00:00:00:00:00:00 radio-name=4A8F5A2EA6F8
# Local (non-CAPsMAN) security profiles for the RB4011's own radios.
# profile1 holds a WPA2 PSK but is not assigned to any interface in this export
# (no security-profile= on WiFi_2g / WiFi_5g), so it is currently unused.
# NOTE(review): this PSK is also in clear text in a public post — rotate it and
# redact wpa2-pre-shared-key= before sharing exports.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h mode=\
    dynamic-keys name=profile1 supplicant-identity="" wpa2-pre-shared-key=\
    123456789104011
# dhcp1 has no address pool and sits on the same interface as DHCP-LAN below;
# it looks like a leftover (possibly from the default configuration). Confirm
# and remove it if unused.
/ip dhcp-server
add interface=bridge name=dhcp1
/ip pool
add name=pool-lan ranges=192.168.100.20-192.168.100.254
add name=pool-lan_guest ranges=192.168.102.20-192.168.102.254
# LAN clients on the untagged bridge (192.168.100.0/24), guests on BR_Guest
# (VLAN 4080, 192.168.102.0/24).
/ip dhcp-server
add address-pool=pool-lan bootp-support=none disabled=no interface=bridge \
    lease-time=1d name=DHCP-LAN
add address-pool=pool-lan_guest bootp-support=none disabled=no interface=\
    BR_Guest lease-time=1d name=DHCP-LAN-Guest
# Built-in "full" group with every policy (including sensitive, policy, ftp,
# telnet, api, romon). Normal for the default group, but day-to-day admin
# accounts should sit in a narrower group, and unused services such as telnet
# and ftp should be disabled under /ip service (not part of this export).
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
# CAPsMAN manager: CAPs must present a certificate signed by this CA
# (require-peer-certificate=yes) and run the same RouterOS version as the
# controller (upgrade-policy=require-same-version). Both are the right
# settings for keeping unknown APs off the controller.
/caps-man manager
set ca-certificate=CAPsMAN-CA-488F5A8BCB68 certificate=CAPsMAN-488F5A8BCB68 \
    enabled=yes require-peer-certificate=yes upgrade-policy=\
    require-same-version
# CAP connections are refused everywhere (default entry forbid=yes) except on
# the three interfaces listed; "bridge" covers the untagged bridge ports.
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
add disabled=no interface=WiFi_5g
add disabled=no interface=WiFi_2g
# Provisioning. The two rules for the cAP ac (common name CAP-488F5A2EA6F5,
# identity 51448) create enabled interfaces: 2.4 GHz gets cfg-2GHz only — no
# slave-configurations, so no 2.4 GHz guest SSID is provisioned — and 5 GHz
# gets cfg-5GHz plus the cfg-5GHz_Guest slave. The two RB4011 rules are
# disabled. The last two rules match any remaining CAP with cfg-blank and set
# no action= (RouterOS default none), i.e. "do nothing"; keep them that way,
# since cfg-blank carries no security profile.
/caps-man provisioning
add action=create-enabled comment="Prov cAP ac" common-name-regexp=\
    CAP-488F5A2EA6F5 hw-supported-modes=g identity-regexp=51448 \
    master-configuration=cfg-2GHz name-format=prefix-identity name-prefix=2GHz
add action=create-enabled common-name-regexp=CAP-488F5A2EA6F5 \
    hw-supported-modes=ac identity-regexp=51448 master-configuration=cfg-5GHz \
    name-format=prefix-identity name-prefix=5GHz slave-configurations=\
    cfg-5GHz_Guest
add action=create-dynamic-enabled comment="Prov RB4011" common-name-regexp=\
    CAPsMAN-488F5A8BCB68 disabled=yes hw-supported-modes=g identity-regexp=\
    51448 master-configuration=cfg-2GHz name-format=prefix-identity \
    name-prefix=2GHz
add action=create-dynamic-enabled common-name-regexp=CAPsMAN-488F5A8BCB68 \
    disabled=yes hw-supported-modes=ac identity-regexp=51448 \
    master-configuration=cfg-5GHz name-format=prefix-identity name-prefix=5GHz \
    slave-configurations=cfg-5GHz_Guest
add hw-supported-modes=ac master-configuration=cfg-blank name-format=identity
add hw-supported-modes=g master-configuration=cfg-blank
# Bridge ports. ether1 and sfp-sfpplus1 are untagged members of VLAN 4094
# (pvid=4094) and are trusted=yes for DHCP snooping so the DHCP client on
# BR_WAN can receive offers. ether2-ether10 keep the default pvid (1) and are
# plain LAN ports.
# NOTE(review): the comment on ether1 says it is meant to go back to pvid 1.
# While it stays on 4094 it is a WAN-segment port that is also a member of the
# LAN interface list (see /interface list member), so any firewall rule keyed
# on in-interface-list=LAN would treat whatever is plugged into it as trusted.
# The firewall is not part of this export — verify before relying on it.
/interface bridge port
add bridge=bridge comment="Change Pvid back to 1" edge=yes ingress-filtering=\
    yes interface=ether1 point-to-point=yes pvid=4094 trusted=yes
add bridge=bridge edge=yes ingress-filtering=yes interface=ether2 \
    point-to-point=yes
add bridge=bridge edge=yes ingress-filtering=yes interface=ether3 \
    point-to-point=yes
add bridge=bridge edge=yes ingress-filtering=yes interface=ether4 \
    point-to-point=yes
add bridge=bridge edge=yes ingress-filtering=yes interface=ether5 \
    point-to-point=yes
add bridge=bridge edge=yes ingress-filtering=yes interface=ether6 \
    point-to-point=yes
add bridge=bridge edge=yes ingress-filtering=yes interface=ether7 \
    point-to-point=yes
add bridge=bridge edge=yes ingress-filtering=yes interface=ether8 \
    point-to-point=yes
add bridge=bridge edge=yes ingress-filtering=yes interface=ether9 \
    point-to-point=yes
add bridge=bridge edge=yes ingress-filtering=yes interface=ether10 \
    point-to-point=yes
add bridge=bridge comment=WAN edge=yes ingress-filtering=yes interface=\
    sfp-sfpplus1 point-to-point=yes pvid=4094 trusted=yes
# Bridged VLAN traffic is passed through the IP firewall.
/interface bridge settings
set use-ip-firewall-for-vlan=yes
# NOTE(review): !dynamic enables neighbour discovery (MNDP/CDP/LLDP) on every
# static interface, including BR_WAN, so the router announces its identity,
# version and addresses to the upstream segment. Restrict it to the LAN side,
# e.g. discover-interface-list=LAN.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
# VLAN table: 4094 (WAN) is tagged only towards the CPU; its untagged members
# come from the pvid on ether1 / sfp-sfpplus1. 4080 (guest) is tagged to the
# CPU, both local radios and ether10 — presumably the port that feeds the
# cAP ac, whose ether1 expects 4080 tagged.
/interface bridge vlan
add bridge=bridge tagged=bridge vlan-ids=4094
add bridge=bridge tagged=bridge,WiFi_2g,WiFi_5g,ether10 vlan-ids=4080
# List membership. ether1 is placed in LAN although its bridge port currently
# has pvid=4094 (the WAN VLAN) — see /interface bridge port. BR_TV is listed
# under WAN but no BR_TV interface is defined in this export; either it exists
# elsewhere or this is a stale entry.
/interface list member
add interface=WiFi_2g list=WiFi
add interface=WiFi_5g list=WiFi
add interface=bridge list=LAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN
add interface=BR_WAN list=WAN
add interface=BR_TV list=WAN
# The RB4011 as a CAP of its own CAPsMAN (127.0.0.1). Unlike the cAP ac export
# there is no enabled=yes here, so in this state the local radios are not
# CAPsMAN-managed (the RB4011 provisioning rules are disabled as well).
/interface wireless cap
set bridge=bridge caps-man-addresses=127.0.0.1 certificate=CAPsMAN-488F5A8BCB68 \
    interfaces=WiFi_2g,WiFi_5g static-virtual=yes
# Wireless sniffer prepared to capture the failing association to bad_auth.pcap.
# NOTE(review): such a capture contains the WPA2 4-way handshake; together with
# the passphrases in this export it is fully decryptable, so do not post it.
/interface wireless sniffer
set file-limit=8192 file-name=bad_auth.pcap memory-limit=2048 receive-errors=\
    yes
# Router addresses: LAN gateway on the untagged bridge, guest gateway on
# BR_Guest (VLAN 4080).
/ip address
add address=192.168.100.1/24 interface=bridge network=192.168.100.0
add address=192.168.102.1/24 interface=BR_Guest network=192.168.102.0
# DHCP clients. BR_WAN obtains the upstream address; BR_Admin is referenced but
# not defined in this export.
# NOTE(review): the third client runs on "bridge", the same interface on which
# this router is the DHCP server with a static 192.168.100.1/24. It would take
# a lease — and, with the default add-default-route=yes (note BR_Admin has to
# turn it off explicitly), a default route — from any DHCP server that shows up
# on the LAN. Probably a leftover of the default configuration; disable or
# remove it.
/ip dhcp-client
add disabled=no interface=BR_WAN
add add-default-route=no disabled=no interface=BR_Admin use-peer-dns=no \
    use-peer-ntp=no
add disabled=no interface=bridge
# Static lease pinning the cAP ac (48:8F:5A:2E:A6:F5) to 192.168.100.250.
/ip dhcp-server lease
add address=192.168.100.250 client-id=1:48:8f:5a:2e:a6:f5 mac-address=\
    48:8F:5A:2E:A6:F5 server=DHCP-LAN
# DHCP options: the LAN network hands out caps-manager=192.168.100.1 (the
# CAPsMAN address option) so CAPs can locate the controller; the guest network
# gets no CAPsMAN option.
/ip dhcp-server network
add address=192.168.100.0/24 caps-manager=192.168.100.1 dns-server=\
    192.168.100.1 gateway=192.168.100.1 netmask=24 ntp-server=192.168.100.1
add address=192.168.102.0/24 dns-server=192.168.102.1 gateway=192.168.102.1 \
    netmask=24 ntp-server=192.168.102.1
/system identity
set name="RB4011 (51448)"



cAP ac config:
# cAP ac export. Its bridge is VLAN-aware but has no dhcp-snooping; snooping is
# done on the RB4011, so trusted=yes on ether1 below has no effect here.
/interface bridge
add admin-mac=48:8F:5A:2E:A6:F5 auto-mac=no name=bridge protocol-mode=none \
    vlan-filtering=yes
# Radios and virtual interfaces on the cAP. The two masters are managed by
# CAPsMAN (ssid=MikroTik here is the local default and is superseded by the
# provisioned configuration). With static-virtual=yes the guest virtuals are
# static interfaces the CAP can reuse.
# NOTE(review): WiFi_2g-Guest is a proper virtual AP tagged for VLAN 4080, but
# WiFi_5g-Guest is mode=station, like the RB4011's guest virtuals. It is not
# clear from this export whether CAPsMAN overrides mode on a static virtual
# interface; if it does not, the 5 GHz guest SSID would not be served. Check
# /interface wireless print while provisioned.
/interface wireless
# managed by CAPsMAN
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    band=2ghz-b/g/n bridge-mode=disabled country=canada2 distance=indoors mode=\
    ap-bridge multicast-helper=full name=WiFi_2g ssid=MikroTik \
    wireless-protocol=802.11 wmm-support=enabled
add keepalive-frames=disabled mac-address=4A:8F:5A:2E:A6:F7 master-interface=\
    WiFi_2g multicast-buffering=disabled name=WiFi_2g-Guest ssid=guest vlan-id=\
    4080 vlan-mode=use-tag wds-cost-range=0 wds-default-cost=0 wps-mode=\
    disabled
# managed by CAPsMAN
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    band=5ghz-a/n/ac bridge-mode=disabled country=canada2 distance=indoors \
    mode=ap-bridge multicast-helper=full name=WiFi_5g ssid=MikroTik \
    wireless-protocol=802.11 wmm-support=enabled
add mac-address=4A:8F:5A:2E:A6:F8 master-interface=WiFi_5g mode=station name=\
    WiFi_5g-Guest
# ether2 is administratively disabled; nothing in this export uses it.
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
# Nstreme polling off on both managed radios.
/interface wireless nstreme
# managed by CAPsMAN
set WiFi_2g enable-polling=no
# managed by CAPsMAN
set WiFi_5g enable-polling=no
# Default local security profile, only supplicant-identity changed. CAPsMAN
# supplies the actual security settings for the provisioned interfaces.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# No hotspot is configured; this only points the default profile at flash.
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Bridge ports: ether1 is the uplink to the RB4011; the two master radios are
# members. The guest virtual interfaces (WiFi_2g-Guest, WiFi_5g-Guest) are not
# bridge ports in this export — with local forwarding they have to be in the
# bridge and tagged on VLAN 4080 for guest traffic to reach the uplink. CAPsMAN
# may add them dynamically; confirm with /interface bridge port print and
# /interface bridge vlan print while a guest client is associated.
/interface bridge port
add bridge=bridge edge=yes interface=ether1 learn=yes point-to-point=yes \
    trusted=yes
add bridge=bridge edge=yes interface=WiFi_2g learn=yes point-to-point=yes
add bridge=bridge edge=yes interface=WiFi_5g learn=yes point-to-point=yes
add bridge=bridge edge=yes ingress-filtering=yes interface=ether2 \
    point-to-point=yes
# Only ether1 carries VLAN 4080 tagged; the radio ports are untagged (LAN).
/interface bridge vlan
add bridge=bridge tagged=ether1 vlan-ids=4080
# CAP client: connects to the controller at 192.168.100.1, obtains its
# certificate from CAPsMAN (certificate=request — needed since the manager sets
# require-peer-certificate=yes) and hands both radios to CAPsMAN.
/interface wireless cap
# 
set bridge=bridge caps-man-addresses=192.168.100.1 certificate=request enabled=\
    yes interfaces=WiFi_2g,WiFi_5g static-virtual=yes
# Management address comes from the RB4011's DHCP server (static lease there).
/ip dhcp-client
add disabled=no interface=bridge
/system identity
set name="cAP ac (51448)"
# RouterBOOT firmware is upgraded automatically after a RouterOS upgrade.
/system routerboard settings
set auto-upgrade=yes
 
İmposss
Re: CAPsMAN Authentication Issue

Mon Jan 18, 2021 12:56 am

Hello, I think the problem is in DHCP snooping. I have the same problem on my two hAP ac2 units: the main router works well, but when clients connect through the hAP ac2 that acts as a CPE they cannot get an IP address. I have disabled DHCP snooping for now and am still looking for a solution. (Caveat: disabling `dhcp-snooping` on the bridge removes the protection against rogue DHCP servers on the LAN. The usual fix is to keep snooping on and mark only the port through which the legitimate DHCP server is reached with `trusted=yes` under `/interface bridge port`, as the RB4011 export above does for its WAN ports.)
