NAB
Trainer
Topic Author
Posts: 542
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Migrating CAPSMAN - best practices

Fri Apr 23, 2021 10:49 am

Hi all,

We're doing some consultancy for a large organisation with many access points all configured using CAPSMAN. They were originally configured with all services (DHCP/NTP/CAPSMAN/Hotspot/Firewall/LNS etc.) all running on one CCR. We need to split them out to separate boxes (and virtualise some of them) to make the network more manageable.
The first step is to migrate the CAPSMAN and hotspot. Hotspot is easily done - just export/import the configuration and files and it all works. CAPSMAN is a different kettle of fish.
We've set this up and tested it in the lab and we've had all sorts of problems - all related to certificates. The only reliable way of migrating it is to take a backup on the original box, import it on the new one and then delete the unnecessary configuration - this all works when the new and old boxes are the same, but obviously this is going to be problematic if they're not.
So, the steps we've taken are:
1 - Export CAPSMAN configuration from old box
2 - Export certificates from old box
3 - Import configuration to new box
4 - Import certificates to new box
5 - Rename certificates on new box to match certificates on old box
6 - Configure CAPSMAN on new box to use the certificates imported from the old box
But all I'm getting is ":ffff:10.10.10.123:47023 failed to connect, no key for certificate found (6)"
Clearly I'm missing something and I'm not even sure that this is the 'correct' way to migrate CAPSMAN anyway (having to rename the certificates is a pain in the rear). I've checked through the certificates (and even wiped the configuration and started from scratch to make sure I haven't missed anything), but I still get this key error.

So the questions are:
1 - Is there a way of backing up certificates/keys on one RouterOS box so that they can be imported to a new box and just work?
2 - Is there a documented, 'correct' way to migrate a CAPSMAN instance (configuration and certificates)?

Obviously I can do the migration by starting from scratch and resetting each AP, but it would be preferable to just have everything work straight away rather than have to change the configuration on each of the many many APs.

Cheers,
Nicholas.
 
anav
Forum Guru
Posts: 18959
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Migrating CAPSMAN - best practices

Wed Apr 28, 2021 5:39 pm

suggest you hire a consultant or a trainer! ;-)
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Migrating CAPSMAN - best practices

Wed Apr 28, 2021 6:28 pm

> 1 - Export CAPSMAN configuration from old box
> 2 - Export certificates from old box
> 3 - Import configuration to new box
> 4 - Import certificates to new box
> 5 - Rename certificates on new box to match certificates on old box
> 6 - Configure CAPSMAN on new box to use the certificates imported from the old box

1) Install the same version as the previous routerboard on the new one (upgrading the new device is done later).
2) Export all capsman config to an .rsc file
3) Export all certificates AND the capsman private key from the old one
4) Now, not later, import only the capsman cert with private key (twice, the second time it reads the private key) and check if "K" appears on the certificate
5) Now, not later, import all the other certificates
6) Be sure all certificates are trusted
7) Now, not later, rename the certificates as on the previous routerboard (after import, certificates are named like the certificate's file name)
8) Open the exported .rsc config and check if there are any errors or incoherence
9) Import the .rsc NOT by file, but paste it line by line (section by section) in the terminal to see if something goes wrong

0) Leave capsman where it is, move each of the other services...
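
The certificate steps above as RouterOS commands, added here as an illustration and not posted by anyone in the thread. It assumes RouterOS v6 syntax; the certificate names `capsman-cert` and `capsman-ca`, the file names derived from them and the passphrase are placeholders.

```routeros
# ---- OLD box: export CAPsMAN config and certificates ----
/caps-man export file=capsman-config

# The private key (.key file) is only written when export-passphrase is set.
/certificate export-certificate capsman-cert export-passphrase="CHANGE-ME-passphrase"
/certificate export-certificate capsman-ca

# Copy capsman-config.rsc, cert_export_capsman-cert.crt, cert_export_capsman-cert.key
# and cert_export_capsman-ca.crt to the new box over an encrypted channel (SFTP/SCP).

# ---- NEW box: import the CAPsMAN certificate first, then its key ----
/certificate import file-name=cert_export_capsman-cert.crt passphrase="CHANGE-ME-passphrase"
/certificate import file-name=cert_export_capsman-cert.key passphrase="CHANGE-ME-passphrase"

# The certificate must now carry the K (private-key) flag. Without it CAPsMAN
# logs "no key for certificate found".
/certificate print

# Import the remaining certificates and mark the CA as trusted (T flag).
/certificate import file-name=cert_export_capsman-ca.crt passphrase=""
/certificate set [find name="cert_export_capsman-ca.crt_0"] trusted=yes

# Imported certificates are named after their file; rename them to the names
# the exported configuration refers to before pasting that configuration.
/certificate set [find name="cert_export_capsman-cert.crt_0"] name=capsman-cert
/certificate set [find name="cert_export_capsman-ca.crt_0"] name=capsman-ca

# Point the manager at the migrated certificates and confirm the setting.
/caps-man manager set certificate=capsman-cert ca-certificate=capsman-ca
/caps-man manager print

# Remove the exported key material from flash once the K flag is confirmed.
/file remove cert_export_capsman-cert.key
/file remove cert_export_capsman-cert.crt
/file remove cert_export_capsman-ca.crt
```

The exported `.key` file on the old box is a copy of the CAPsMAN private key protected only by the passphrase, so delete it there as well once the migration is verified.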
 
NAB
Trainer
Topic Author
Posts: 542
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: Migrating CAPSMAN - best practices

Mon Jun 07, 2021 1:03 am

> suggest you hire a consultant or a trainer! ;-)

So, you could have:
a) Said nothing.
b) Helped.
c) Made an unhelpful comment.

You chose option C. What did you think that achieved? Is somebody admitting that they don't know something really worthy of ridicule?

Should I just have bulls*****d to my customer? No, I said that there was one particular aspect I did not fully understand but that I did have a workaround if the correct procedures weren't documented.

So, forgive me if I don't change who I am - if I don't know something, I'll damn well say so. My customers expect honesty which is fine by me. And you know what? If somebody asks for help, if I'm able, I'll damn well help them. But that's just me.
 
NAB
Trainer
Topic Author
Posts: 542
Joined: Tue Feb 10, 2009 4:08 pm
Location: UK

Re: Migrating CAPSMAN - best practices

Mon Jun 07, 2021 1:06 am

<snip>
Many thanks for the pointers. Unfortunately I still can't get an export/import working by following them though :-(

I suspect that the problem is more likely with the 1100AHx4 I'm using to test all this with - it has major problems I need to report to support anyway. I'll try again with a different box!
