Wireless networking with CAPsMAN and the MikroTik cAP ac
This document assumes the router is configured and working normally and that all configuration is performed via WebFig.
Contents
- 1 CAPsMAN Configuration For 2.4 and 5GHz SSIDs
- 2 Guest Network Configuration
CAPsMAN Configuration For 2.4 and 5GHz SSIDs
Get the MAC Addresses for the cAP radios
- Log in to the Access Point
- Go to Wireless
- Click on the wlan1 interface
- Copy the MAC Address down and note if the band is 2 or 5GHz
- Click Cancel
- Click on the wlan2 interface
- Copy the MAC Address down and note if the band is 2 or 5GHz
- Click Cancel
Router Configuration
Log into the Router that will be the central CAPsMAN Manager
Initial CAPsMAN Configuration
- Click on CAPsMAN
- On the CAP Interface tab click on the Manager button
- Check the Enabled Box
- Set Certificate and CA Certificate to auto, or none
- (I encountered an issue with auto-generated certificates that I believe has to do with an existing CA I configured on the router)
- Set Upgrade Policy to "suggest same version"
- Click on Interfaces
- Click on Add New
- Change Interface from all to bridge
- Click on OK
- Click on the all interface
- Check the forbid box
- Click on Ok
Configure Datapaths
Datapaths are the forwarding mechanism from the radios to the network they belong to.
- Go to Datapaths (need a better description of what this does)
- Click on Add New
- Change the name to Default
- Set the Bridge from the drop-down
Configure Security Options
Here is where you configure Authentication and Encryption for the wireless networks.
- Click on the Security Tab (this sets your passwords)
- Click on Add new
- Enter a name for the security configuration
- Set Authentication type to WPA2 PSK
- Set Encryption to aes ccm and tkip
- Set the Passphrase to something secure
Configure Channels
Channels specify radio band and frequency options.
2.4 and 5GHz band configuration
- Click on the Channels tab
- Click on the Add new button
- Set the name to Default24
- Set the Band to 2ghz-b/g/n
- Click on OK
- Click on Add new
- Set the name to Default5g
- Set the band to 5ghz-a/n/ac
- Click on Ok
SSID Creation
- Click on Configurations Tab
- Click the Add New button
- Set the name to Default24G
- Set the SSID to Default24G
- Set the Country appropriately
- Set the Channel to Default24
- Set the Datapath to Default
- Set the Security to what was created earlier
- Click on OK
- Click on Add New
- Set the name to Default5G
- Set the SSID to Default5G
- Set the Country appropriately
- Set the Channel to Default5g
- Set the Datapath to Default
- Set the Security to what was created earlier
- Click on Ok
Provision the Configuration to the Radios
- Click on Provisioning Tab
- Click on Add New
- Paste the 5g radio MAC address in the Radio Mac field
- Set Hw. Supported Modes to ac
- Set Action to create dynamic enabled
- Set the Master Configuration to Default5G
- Click on Ok
- Click on Add New
- Paste the 2g radio MAC address in the Radio Mac field
- Set Action to create dynamic enabled
- Set the Master Configuration to Default24G
- Click on Ok
Change the Access Point Radios to be CAPsMAN Managed
- Log in to the access point
- Go to Wireless
- On the WiFi Interfaces tab click on the CAP button
- Add both wlan interfaces to the Interfaces section
- Set Certificate to request
- If there are certificate issues set this to none
- Set Discover Interfaces to bridge
- Set the CAPsMAN addresses to the address of the CAPsMAN router the above configuration was done on
- Click Ok
Guest Network Configuration
All configuration is performed on the router that is the central CAPsMAN controller.
Interface and DHCP Configuration
Create a VLAN and Assign it an IP Address
- Go to Interfaces -> VLAN
- Click on Add New
- Enter a Name
- Set the VLAN ID
- Set Interface to bridge
- Go to IP -> Addresses
- Click on Add New
- Enter the address that will be used as the gateway for the guest network
- Enter the network address
- Select the VLAN interface created earlier
DHCP Configuration
- Go to IP -> Pool
- Click on Add New
- Enter a Name
- Enter the address range for the guest network
- Go to IP -> DHCP Server
- On the DHCP tab click Add New
- Enter a Name
- Set Interface to the VLAN interface created earlier
- Set the Address Pool to the one created earlier
- Click on the Networks tab
- Click Add New
- Enter the network address
- Enter the gateway address (the one the VLAN interface is set to)
- Add some entries to the DNS Servers (I like to use 8.8.8.8 and 1.1.1.1)
Configure the Guest Network in CAPsMAN
Go to CAPsMAN
Create a Rate to Limit Bandwidth on the Guest Network
- Click on the Rates tab
- Click on Add New
- Set the Name to Guest
- Set Basic Rates (set it low so your guests don't use all your bandwidth)
- Set Supported Rates to the same value as above
Configure Authentication and Encryption
- Click on the Security Cfg. tab
- Click Add New
- Set the Name to Guest
- Set Authentication type to WPA2 PSK
- Set Encryption to aes ccm and tkip
- Set Passphrase to something easy for guests to enter
Configure a Datapath for Traffic to go on the VLAN
- Click on the Datapaths tab
- Click Add New
- Set the Name
- Set Bridge to bridge
- Set VLAN Mode to use tag
- Set VLAN ID to the ID configured earlier
Configure the SSID for the Guest Network
- Click on the Configurations Tab
- Click Add New
- Set the Name to Guest
- Set the SSID
- Set the Country
- Set the Channel to Default24 (I don't like tying up the 5g with guest access)
- Set the Rate to Guest
- Set the Datapath to the one created earlier
- Set the Security to Guest
Provision the Guest Network to the Radios
- Click on the Provisioning tab
- Click on the entry for the 2.4GHz radio
- Set the Slave Configuration to Guest
- Click OK
Restrict Access From the Guest Network
- Go to IP -> Firewall
- On the Filter Rules tab click Add New
- Set Chain to input
- Set Src. Address to the Guest network address
- Set Dst. Address to the Private network address
- Set In. Interface to the Guest VLAN
- Set Action to reject
- Click Ok
- Drag the rule up so it is above any Accept Input rules
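A way to check the result of the Security Cfg. and firewall steps above from the router's `/export` output, as an added example that is not part of the original page. In RouterOS the input chain only filters packets addressed to the router itself, while traffic routed from the guest VLAN to hosts on the private network passes through the forward chain; TKIP is a deprecated cipher that clients may still negotiate when it is listed next to aes ccm. The function names, the sample addresses and the interface name `vlan-guest` are assumptions made for the example.

```python
import ipaddress
import re
import shlex

# Constructed sample of RouterOS /export output; addresses and names are assumptions.
SAMPLE = """/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=Guest
/ip firewall filter
add chain=forward connection-state=established,related
add action=reject chain=input dst-address=192.168.88.0/24 in-interface=\\
    vlan-guest src-address=192.168.99.0/24
"""

def parse_export(text):
    """Map each menu path to the key=value dicts of its 'add' lines."""
    menus, menu = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # join wrapped lines
        if line.startswith("/"):
            menu = line.strip()
        elif line.startswith("add ") and menu:
            pairs = (t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            menus.setdefault(menu, []).append(dict(pairs))
    return menus

def covers(rule, key, net):
    """True if the rule's address matcher (IPv4 CIDR, optional '!') matches all of net."""
    val = rule.get(key, "0.0.0.0/0")
    other = ipaddress.ip_network(val.lstrip("!"), strict=False)
    return not net.overlaps(other) if val.startswith("!") else net.subnet_of(other)

def audit(text, guest_net, private_net, guest_if):
    """Findings for a new guest -> private connection; other matchers are not modelled."""
    cfg = parse_export(text)
    guest, private = ipaddress.ip_network(guest_net), ipaddress.ip_network(private_net)
    out = [f"security {s.get('name')}: tkip enabled" for s in cfg.get("/caps-man security", [])
           if "tkip" in s.get("encryption", "").split(",")]
    verdict = "accept"  # a packet that matches no filter rule is accepted
    for r in cfg.get("/ip firewall filter", []):
        action = r.get("action", "accept")  # export omits default values
        hit = (r.get("disabled") != "yes" and r.get("in-interface", guest_if) == guest_if
               and "new" in r.get("connection-state", "new").split(",")
               and covers(r, "src-address", guest) and covers(r, "dst-address", private))
        if hit and r.get("chain") == "input" and action in ("drop", "reject"):
            out.append("input-chain rule only filters traffic addressed to the router")
        if hit and r.get("chain") == "forward" and action in ("accept", "drop", "reject"):
            verdict = action
            break
    if verdict == "accept":
        out.append("forward chain accepts guest -> private traffic")
    return out
```

Calling `audit(SAMPLE, "192.168.99.0/24", "192.168.88.0/24", "vlan-guest")` returns three findings for the constructed sample; an export whose reject rule sits in the forward chain and whose security profile lists only aes-ccm returns an empty list.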