@mkx
Thank you for taking the time to respond and try to help. This is a problem that is related to data paths and RADIUS. I know that it is a pain when someone sends you somewhere to read a series of posts, but believe me that in this case reading the posts will give you a better idea. I am completely new to CAPsMAN and maybe that is why it is hard to explain what the problem is. Someone tried to explain it there this way.
The Capsman automatically creates the necessary VLAN membership in the bridge based on the configured VLAN ID in the Capsman data path. If a different VLAN ID is given via access list or radius, this does not work because the tagged VLAN membership is missing.
This can be tested by manually setting the appropriate memberships, then it works.
Since the caps interfaces are dynamic (changing IDs?), this configuration is lost after a reboot or reprovisioning.
If Capsman is not operated in forwarding mode but in local mode, you can supply the physical WLAN interfaces in the caps with the appropriate VLANs and this configuration remains in place.
I think Mikrotik Support should be able to confirm this and consider it a feature request.
The Capsman Datapath configuration should actually allow multiple VLANs, one as default and the rest to ensure dynamic VLAN assignment on the bridges.
At the moment, an SSID with several VLANs only works in local mode after the VLAN memberships have been set manually.
But here is my attempt to describe the problem.
Let's say that I have a bridge named "br-VLANs" with all of my VLANs and that it is working correctly in every other way. Now, this is my data path in CAPsMAN:
/caps-man datapath
add bridge=br-VLANs name="Dynamic VLANs" vlan-mode=use-tag
To set up the VLAN ingress of an interface, this is what we do when it is untagged:
/interface bridge port
# EXAMPLE VLAN50
add bridge=br-VLANs interface=ether1 pvid=50
# EXAMPLE VLAN40
add bridge=br-VLANs interface=ether2 pvid=40
And this is the way that we add the ingress on tagged interfaces:
add bridge=br-VLANs interface=sfp1
Finally, we need to finish by setting up the egress behavior:
/interface bridge vlan
add bridge=br-VLANs comment="Sample VLAN" tagged=sfp1 vlan-ids=40
add bridge=br-VLANs comment="Sample VLAN" tagged=sfp1 vlan-ids=50
We don't have to add the untagged interfaces above, because recent ROS6-7 does that automatically, inferring that info from the ingress setup.
Now, going back to CAPsMAN:
/caps-man datapath
add bridge=br-VLANs name="Dynamic VLANs" vlan-mode=use-tag
When setting up dynamic VLAN assignment using CAPsMAN, that configuration is not enough. Well, kind of, because the ingress behavior is "added automatically" by ROS6-7, but the egress setup is not automatically done WHEN TAGGED.
So, in order to set up dynamic VLANs on CAPsMAN, this needs to be done:
/interface bridge vlan
add bridge=br-VLANs comment="Sample VLAN" tagged=sfp1,cap-1,cap-2,etc... vlan-ids=40
add bridge=br-VLANs comment="Sample VLAN" tagged=sfp1,cap-1,cap-2,etc... vlan-ids=50
And that is where the problems start. Because if one of your CAP routers goes down, it is removed from the configuration above and you need to re-add it. Also, if you happen to have a lot of CAPs, this means that you need to add each CAP to every possible VLAN you would like to get a dynamic ID.
My question was: is there a way to aggregate the CAP interfaces so that one just has to keep those lists up to date, without having to check and see if your CAP is still in the right place, or do that a hundred times (supposing that you have 10 VLANs and 20 CAPs)?
Something that in my mind looks like:
/interface bridge vlan
add bridge=br-VLANs comment="Sample VLAN" tagged=sfp1,aggregate1 vlan-ids=40
add bridge=br-VLANs comment="Sample VLAN" tagged=sfp1,aggregate1,aggregate2 vlan-ids=50
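As an added example, not part of the post above and not MikroTik's own code, the following RouterOS script approximates the "aggregate" the post asks for by rebuilding the tagged member list of each provisioned VLAN from whatever cap interfaces exist at the moment it runs. It assumes the bridge br-VLANs, the uplink sfp1 and the VLAN IDs 40 and 50 from the post, and it assumes the dynamic CAP interfaces on the CAPsMAN router carry the prefix "cap" in their names (this matches both the default "cap1" style and the "cap-1" style used in the post); everything else in it is made up for illustration.

```routeros
# Added example, not from the original post. Rebuilds the tagged member list
# of each listed VLAN on the bridge so that it contains the uplink plus every
# cap interface that currently exists. Assumptions: bridge "br-VLANs", uplink
# "sfp1" and VLAN IDs 40/50 come from the post; cap interfaces are assumed to
# be named with the prefix "cap".
:local bridge "br-VLANs"
:local uplink "sfp1"
:local vlans {40;50}

# 1. collect the names of the dynamic cap interfaces present right now
:local caps ""
:foreach i in=[/interface find where name~"^cap"] do={
    :local n [/interface get $i name]
    :if ([:len $caps] = 0) do={
        :set caps $n
    } else={
        :set caps ($caps . "," . $n)
    }
}

# 2. for each VLAN that is deliberately provisioned, set tagged = uplink + caps.
#    VLANs not in the list are never touched, so a RADIUS-assigned VLAN that
#    was not provisioned here still gets no membership (it fails closed
#    instead of leaking onto another segment).
:foreach v in=$vlans do={
    :local tagged $uplink
    :if ([:len $caps] > 0) do={ :set tagged ($tagged . "," . $caps) }
    :local id [/interface bridge vlan find where bridge=$bridge vlan-ids=$v]
    :if ([:len $id] = 0) do={
        /interface bridge vlan add bridge=$bridge vlan-ids=$v tagged=$tagged comment="dynamic VLAN $v"
    } else={
        /interface bridge vlan set $id tagged=$tagged
    }
    :log info ("br-VLANs: VLAN " . $v . " tagged=" . $tagged)
}
```

Because the cap interfaces are dynamic and come and go with reprovisioning, the script has to be re-run whenever they change; the simplest way is to save it under /system script and trigger it from /system scheduler at a short interval. Keeping the VLAN list explicit is deliberate: the script only ever widens membership for VLANs you listed, so it cannot turn a stray VLAN ID handed back by RADIUS into a reachable segment, which is the property you want from a dynamic VLAN setup used for segmentation.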