just joined
Topic Author
Posts: 3
Joined: Thu Sep 23, 2021 8:04 pm

CAPsMAN, mac auth and dynamic vlans

Thu Sep 23, 2021 8:44 pm

Hello everyone,
I am trying to configure a hAP ac2 and have some problems with dynamic VLANs. The hAP is provisioned from a separate CAPsMAN device. I am using an external DHCP and FreeRADIUS server on a Raspberry Pi for testing. I want to deploy multiple hAP ac2 devices in a dormitory where every room has its own VLAN. WiFi devices should be able to roam between all APs in the building while staying in their own room's VLAN, as not every room will have an access point. The tenants supply their MAC addresses and the RADIUS server assigns VLANs for the WiFi devices. Using Enterprise WPA is not really a valid option, as we want to support smart home and media streaming devices which may not support it.

I am using the following vlans:
2 - For people who do not qualify for internet access (They are getting some internal resources and are blocked by the firewall)
8 - for management
50-52 - As "room" vlans. For testing only 3 but there are going to be more once everything is working correctly.

My network setting looks like this for now:
CAPsMAN eth5 <-> eth1 hAP ac2 eth5 <-> RasPi (Radius, DHCP)

Config for the CAPsMAN:
# sep/23/2021 19:05:22 by RouterOS 6.48.3
# software id = 2SWT-QDFS
# model = RB960PGS
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath1 vlan-mode=no-tag
/interface bridge
add admin-mac=2C:C8:1B:60:C6:25 auto-mac=no comment=defconf name=bridge pvid=8 vlan-filtering=yes
/caps-man security
add authentication-types=wpa2-psk eap-methods=passthrough encryption=aes-ccm \
/caps-man configuration
add country=germany datapath=datapath1 distance=indoors \
    installation=indoor multicast-helper=full name=cfg1 security=security1 \
add channel.skip-dfs-channels=yes country=germany \
    datapath=datapath1 distance=indoors installation=indoor name=cfg2 \
    security=security1 ssid=ssid_5.0GHz
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/caps-man aaa
set mac-format=xx-xx-xx-xx-xx-xx mac-mode=as-username-and-password
/caps-man access-list
add action=query-radius allow-signal-out-of-range=10s \
    client-to-client-forwarding=yes disabled=no signal-range=-120..120 \
    ssid-regexp="" time=0s-1d,sun,mon,tue,wed,thu,fri,sat vlan-mode=no-tag
/caps-man manager
set enabled=yes
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,gn \
    master-configuration=cfg1 name-format=prefix-identity name-prefix=2.4
add action=create-dynamic-enabled hw-supported-modes=ac,an \
    master-configuration=cfg2 name-format=prefix-identity name-prefix=5.0
/interface bridge port
add bridge=bridge edge=yes interface=ether2 pvid=51
add bridge=bridge edge=yes interface=ether3 pvid=51
add bridge=bridge edge=yes interface=ether4 pvid=51
add bridge=bridge edge=yes interface=ether5
add bridge=bridge interface=ether1 pvid=50
/interface bridge vlan
add bridge=bridge tagged=ether5 vlan-ids=2
add bridge=bridge tagged=ether5,ether1 untagged=bridge vlan-ids=8
add bridge=bridge tagged=ether5 vlan-ids=50
add bridge=bridge tagged=ether5 untagged=ether4,ether3,ether2 vlan-ids=51
add bridge=bridge tagged=ether5 vlan-ids=52
/interface dot1x server
add auth-types=mac-auth interface=ether2 mac-auth-mode=\
    mac-as-username-and-password radius-mac-format=xx-xx-xx-xx-xx-xx \

Config for the hAP ac2:
# sep/23/2021 12:30:28 by RouterOS 6.48.4
# software id = SJT5-5K9C
# model = RBD52G-5HacD2HnD
/interface bridge
add admin-mac=2C:C8:1B:7B:53:88 auto-mac=no comment=defconf name=bridge \
    protocol-mode=none pvid=8 vlan-filtering=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3 pvid=50
add bridge=bridge comment=defconf interface=ether4 pvid=50
add bridge=bridge comment=defconf interface=ether5 pvid=50
add bridge=bridge comment=defconf interface=wlan1 pvid=52
add bridge=bridge comment=defconf interface=wlan2 pvid=52
add bridge=bridge interface=ether1
/interface bridge vlan
add bridge=bridge tagged=ether1,ether4,ether5 untagged=bridge vlan-ids=8
add bridge=bridge tagged=ether1,ether5 untagged=ether4,ether3,ether2,wlan2 \
add bridge=bridge tagged=ether1,ether5 vlan-ids=2
add bridge=bridge tagged=ether1,ether5 vlan-ids=51
add bridge=bridge tagged=ether5,ether4 untagged=wlan1,wlan2 vlan-ids=52
/interface dot1x server
add accounting=no auth-types=mac-auth disabled=yes interface=ether5 \
    mac-auth-mode=mac-as-username-and-password radius-mac-format=\
    xx-xx-xx-xx-xx-xx reject-vlan-id=2
/interface wireless cap
set bridge=bridge caps-man-addresses= enabled=yes interfaces=\

It appears to be working at first, as the DHCP server gets DISCOVER messages on the correct VLAN, but the response seems to get lost somewhere on the way to the WiFi device. Even with Wireshark on my laptop I could not find any trace of the response, and therefore the devices do not get an IP address. I observed a similar, if not identical, behavior before when I assigned the VLAN directly in the datapath settings of the CAPsMAN and had the use-tag option set. Only after setting "no-tag" did it work with fixed VLANs.

Any ideas what I can do to make it work?
just joined
Topic Author
Posts: 3
Joined: Thu Sep 23, 2021 8:04 pm

Re: CAPsMAN, mac auth and dynamic vlans  [SOLVED]

Fri Oct 15, 2021 1:12 am

I found the problem:
On the hAP ac2 I had to add the WiFi interfaces to the VLANs as tagged interfaces in the Bridge->VLANs config, then it worked.
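What the fix looks like as config, added here as an illustration and not the author's own posted lines (the thread says only that the wireless interfaces were added as tagged members; the exact lines were not posted, so the VLAN set below is reconstructed from the configs in the first post and is an assumption). With local-forwarding, the CAP tags each client's frames with the VLAN that RADIUS returned for that MAC, and a VLAN-filtering bridge drops a tagged frame arriving on a port that is not a tagged member of that VLAN, so wlan1 and wlan2 have to be tagged members of every VLAN the RADIUS server can hand out. The same rule is the likely explanation for the lost DHCP replies the first post reports with vlan-mode=use-tag on the datapath.

```routeros
# hAP ac2 (CAP): bridge VLAN table with wlan1/wlan2 added as tagged members.
# Reconstructed example based on the posted config and the author's fix;
# the VLAN IDs follow the first post (2, 8, 50-52), everything else is assumed.
/interface bridge vlan
# management VLAN 8: the bridge itself is the untagged member (bridge pvid=8)
add bridge=bridge tagged=ether1,ether5 untagged=bridge vlan-ids=8
# VLAN 2: tenants without internet access, also usable as reject-vlan-id
add bridge=bridge tagged=ether1,ether5,wlan1,wlan2 vlan-ids=2
# room VLANs: every VLAN RADIUS may return must list wlan1 and wlan2 as tagged,
# otherwise the bridge silently drops the client's tagged frames on the wlan port
add bridge=bridge tagged=ether1,ether5,wlan1,wlan2 vlan-ids=50
add bridge=bridge tagged=ether1,ether5,wlan1,wlan2 vlan-ids=51
add bridge=bridge tagged=ether1,ether5,wlan1,wlan2 vlan-ids=52

# checks on the CAP after a client associates and sends a DHCP DISCOVER:
# 1) confirm wlan1/wlan2 appear under "tagged" for the room VLANs
/interface bridge vlan print
# 2) confirm the client MAC was learned on the wlan port in the expected VLAN
#    (the vid column is only populated with vlan-filtering=yes)
/interface bridge host print where vid=50
```

Add new room VLANs to this table on every CAP before handing them out from RADIUS; a VLAN ID returned for a MAC that no CAP lists for wlan1/wlan2 reproduces the original symptom (DISCOVER leaves, OFFER never reaches the client). Keep in mind that with mac-auth the client MAC is the only credential, which the first post accepts as a trade-off for device compatibility.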
