Hi,

I would like to provision my cAPs via the Address (I assume IP-Address?).
But the Address-Field is empty and therefore any provisioning-rule does not match.

How can I get the cAPs IP to the CAPSMAN?

In the documentaion it is not stated:

ip-address-ranges (IpAddressRange[,IpAddressRanges] max 100x; Default: "")
Match CAPs with IPs within configured address range.

https://help.mikrotik.com/docs/spaces/R ... 38/CAPsMAN
https://help.mikrotik.com/docs/spaces/R ... er+CAPsMAN

I assume it is related to this statemant:

A management connection can be established using MAC or IP layer protocols and is secured using 'DTLS'.

You are probably trying to use Wireless CAPsMAN with cAP AX that only supports newer Wifi CAPsMAN. Try to post more info and you configs.

First check if both ends are using the same driver - Wifi or Wireless.

I just tested this: you have probably set "discovery-interface=" in your CAP config. This means your CAP connects via Layer2 to Capsman.

To filter via IP-Address, the CAP has to connect via Layer3 to Capsman. For this, you either set the IP-Address of CapsMan in the CAP config or send the capsman ip-address from your DHCP server (IP -> DHCP -> Networks -> add the CAPS Manager IP-Address to your Network).

CAP Connection in Manual: https://help.mikrotik.com/docs/spaces/R ... Connection

DHCP Config in Manual: https://help.mikrotik.com/docs/spaces/R ... CP-Network

Thank you sukram!
I wonder why it is to hard for MT to write the fundamental things clear in their help-documentation...

For me 2 things were no set:
Firewall -> Filter -> Input-Chain
TCP Port: 5246-5247
UDP Port: 5246-5247

Why are such fundamental things not mentioned in their help-documentation: https://help.mikrotik.com/docs/spaces/R ... er+CAPsMAN

And this statement is simply wrong:

Note: CAPsMAN uses UDP port 5246 for manager traffic and UDP port 5247 for data traffic

https://wiki.mikrotik.com/Manual:CAPsMAN
You need TCP AND UDP, UDP alone fails...

And you have to set a path under: WiFi -> Remote CAP -> CAPsMAN -> "Package Path"
This can be a dummy (non existing) path, but if the window is empy, things fail silently.
I update my MTs (including the APs) via a SSH-script, I dont need their built-in update-mechanism. But you have to enter a path.

I wonder why it is to hard for MT to write the fundamental things clear in their help-documentation...

I know not all possible situations and scenarios are described, but basic things like opening ports you can find here:
https://help.mikrotik.com/docs/spaces/R ... 6/Firewall

Why are such fundamental things not mentioned in their help-documentation: https://help.mikrotik.com/docs/spaces/R ... er+CAPsMAN

It is fundamentally incorrect to make services like CAPsMAN publicly available. Unless you actually know what you are doing and filter on source as well. Do you?

Can you explain a bit more about the environment? Perhaps a network diagram?

[Update]
Reading your opening post again...to answer your question: CAPsMAN is responding to CAP's and provisions them. To prevent abuse, you should add filters on the filter rules to make sure that only specific (public?) IP's can connect to the CAPsMAN.