Just a follow-up for anyone reading... or thinking RouterOS does not support dynamic VLANs (on WiFi)... (which old forum posts suggest) - this is not true.
Dynamic wifi VLANs do appear to be possible, just that you need to configure your Radius server to pass attributes set in the inner tunnel authentication down to the outer-tunnel. For me, on freeradius, this was altering some settings under the eap / peap module configuration.
The settings in question were "use_tunneled_reply = yes" (I also set "copy_request_to_tunnel = yes" - not certain that was needed, but it makes attributes passed by the CAP available in the inner tunnel authentication check).
I have the CAPs traffic forwarded back on the CAPsMAN manager unit. Also - I created a new bridge to push traffic onto, and setup the VLANs I was using on that bridge, not sure if that makes a difference. I might like to try and figure out if it is necessary to setup the VLAN interfaces on the unit if doing local forwarding (do tagged packets then just get bridged out to ethernet link of the cAP?)
Especially with the upcoming changes w.r.t. VLANs and bridges - I think it might be useful to document further how VLAN traffic is handled by the software bridges - both as they are in 6.40, and what will be the case when the new implementation lands.
I still don't know if Mikrotik supports VLAN assignment via Radius during 801.X auth on a wired port, or a non CAPsMAN Wifi, but these are not my use-cases).
For futher reading, see this MUM presentation.. (although you'll have to adapt for other Radius servers).
https://mum.mikrotik.com/presentations/ ... 137144.pdf