CAPsMAN (1)

  • 8/19/2019 CAPsMAN (1)

    Haydar Fadel, May 25, 2014

    MikroTik CAPsMAN

    •   Controlled Access Point system Manager (CAPsMcentralization of wireless network management and if necprocessing.

    •  When using the CAPsMAN feature, the network will consist of 'Controlled Access Points' (CAP) that provide wireless con

    •   and a 'system Manager' (CAPsMAN) that manages the cothe APs, it also takes care of client authentication and optforwarding.

    Overview

    •  When a CAP is controlled by CAPsMAN it only requires tconfiguration required to allow it to establish connection wit

    •   Functions that were conventionally executed by an AP control, client authentication) are now executed by CAPsMA

    •   The CAP device now only has to provide the   wireleencryption/decryption.

    •  Depending on configuration, data is either forwarded to C

    centralized processing (default) or forwarded locally at the C

    Overview

    •  MikroTik have just introduced their much awaited wireless msystem CAPsMAN as of RouterOS 6.11.

    •  This is the first BETA version of CAPsMAN and therefore shoused for testing purposes.

    •  That being said we will explain how to install CAPsMAN on RouterBOARD and learn how to get it up and running.

    Overview

    CAPsMAN features            | MISSING CAPsMAN features
    RADIUS MAC authentication   | Nstreme AP support
    WPA/WPA2 security           | Nv2 AP support
    TBA                         | TBA

    •   CAPsMAN works on any RouterOS device from v6.11, wireleare not required (since it manages the wireless interfaces of

    •  Ensure you have at least two MikroTik RouterBOARDs is runn6.11 or later (one will be the   CAPsMANController   and a CAPs Client for testing).

    •   For the purpose of this LAB we will be starting with a blank c(/system-reset no-defaults=yes)

    •   Notes:

    CAPsMAN = CAPsMAN Router (device holding configuratclients).

    CAPs = CAPs Client (device we will auto configure).

    Requirements

    •   For the CAPsMAN system to function and provide wireless coCAP must establish management connection with CAPsMAN

    • A management connection can be established using MAprotocols and is secured using 'DTLS'.

    •   A CAP can also pass the client data connection to the Mandata connection is not secured.

    •   If this is deemed necessary, then other means of data secu

    be used, e.g. IPSec or encrypted tunnels.

    CAP to CAPsMAN Connection

    •   CAP to CAPsMAN connection can be established usingprotocols (via Layer 2 and Layer3).

    •  MAC layer connection features:

    no IP configuration necessary on CAP

    CAP and CAPsMAN must be on the same Layer 2 segment - either  p(by means of L2 tunnels)

    •   IP layer (UDP) connection features:

    can traverse NAT if necessary

    CAP must be able to reach CAPsMAN using IP protocol

    if the CAP is not on the same L2 segment as CAPsMAN, it must be pthe CAPsMAN IP address, because IP multicast based discovery doeLayer3

    CAP to CAPsMAN Connection

    •   In order to establish connection with CAPsMAN, CAP executprocess.

    •  During discovery, CAP attempts to contact CAPsMAN aavailable CAPsMANs list.

    •   CAP attempts to contact an available CAPsMAN using:

    configured list of Manager IP addresses

    list of CAPsMAN IP addresses obtained from DHCP server 

    broadcasting on configured interfaces using both - IP and MAC laye

    CAP to CAPsMAN Connection

    •  When the list of available CAPsMANs is built, CAP selects based on the following rules:

    if   caps-man-names   parameter specifies allowed manager nidentity of CAPsMAN), CAP will prefer the CAPsMAN that is earlier iempty it will connect to any available Manager .

    suitable Manager with  MAC layer connectivity   is preferred to Mconnectivity.

    CAP to CAPsMAN Connection
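
The selection rules above, as an added example (not MikroTik's code and not part of the original slides): a Python model of how a CAP picks a manager from its discovery results, showing that an empty caps-man-names list accepts whichever manager answers while a populated list limits the CAP to the named identities. The `Manager` type, the `lab-spare` identity and the MAC addresses are constructed for illustration, and the relative priority of the two rules is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Manager:
    """One CAPsMAN seen during discovery (hypothetical type for this model)."""
    identity: str   # /system identity the manager reports
    transport: str  # "mac" (Layer 2) or "ip" (UDP)
    address: str    # where the discovery reply came from


def select_manager(discovered: List[Manager],
                   caps_man_names: List[str]) -> Optional[Manager]:
    """Return the manager a CAP would pick, or None if none is allowed."""
    rank = {}
    for position, name in enumerate(caps_man_names):
        rank.setdefault(name, position)  # first occurrence of a name wins
    if rank:
        # Names configured: only listed identities are candidates.
        candidates = [m for m in discovered if m.identity in rank]
    else:
        # Empty list: the manager name is not checked at all.
        candidates = list(discovered)
    if not candidates:
        return None
    # Assumption: list position is compared first, then MAC beats IP.
    return min(candidates,
               key=lambda m: (rank.get(m.identity, 0), m.transport != "mac"))


# Constructed discovery results. "Haydar" and 192.168.3.1 come from the
# slides; "lab-spare" and both MAC addresses are made up for the example.
DISCOVERED = [
    Manager("Haydar", "ip", "192.168.3.1"),
    Manager("lab-spare", "mac", "00:00:5E:00:53:99"),
    Manager("Haydar", "mac", "00:00:5E:00:53:01"),
]

if __name__ == "__main__":
    for names in ([], ["Haydar"], ["not-present"]):
        print(names, "->", select_manager(DISCOVERED, names))
```

With the empty list the model joins `lab-spare`, the first Layer 2 responder; listing the expected identity on each CAP narrows the choice to that manager.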

    •  Step 1: Download and install the CAPsMAN package from www.mikrotik.com/download

    Implementation

    http://www.mikrotik.com/download

    Implementation

    •   Suitable Manager with MAC layer connectivity is preferred to IP connectivity.

    •  Step 2:

    Implementation

    •  Step 3:

    •   First we will enable CAPs Management on the router:

    [admin@Haydar] /caps-man manager set enabled=yes

    Implementation

    •  Step 4:

    •   We will start by creating a basic CAPs channel profile:

    Profile Name: CAPsMAN

    Band: 2ghz-b/g/n

    Frequency / Channel: 2452MHz (Channel 1)

    Channel Width: 20MHz

    [admin@Haydar] /caps-man channel add band=2ghz-b/g/n f

    width=20 name=CAPsMAN

    Implementation

    •  Step 5:

    •   Now we will create a CAPs security profile:

    Profile Name: security1

    Authentication Type: wpa2-psk (WPA2-PSK Only)

    Encryption: aes-ccm (AES)

    Passphrase: mysecurek3y123

    [admin@Haydar] /caps-man security add name=security1

    types=wpa2-psk encryption=aes-ccm group-encrypassphrase=mysecurek3y123

    Implementation

    •  Step 6:

    •   We will now create a configuration file:

    Profile Name: Config-1

    Wireless Interface Mode: ap

    SSID: Haydar-CAPs

    Channel Profile: channel1 (Step 4)

    Security Profile: security1 (Step 5)

    [admin@Haydar] /caps-man configuration add name=Confissid="Haydar-CAPs" channel=CAPsMAN security=security1

    Implementation

    •  Step 7:

    •   Create a provision for our CAPs router which will be a

    provisioned with the configurations in steps 4-6:

    Radio MAC: D4:CA:6D:90:82:59 (wlan1 mac address we want to auto

    Action: create-dynamic-enabled (provision this interface dynamicall

     Master Configuration: Config-1

    [admin@Haydar] /caps-man provisioning add radio-mac= D4action=create-dynamic-enabled master-configuration=Config-1

    Implementation

    •  CAP behaviour of AP is configured in  /interface wireless ccontains the following settings:

    CAP Configuration

    Property: Description

    enabled (yes | no; Default: no): Disable or enable CAP feature

    interfaces (list of interfaces; Default: empty): List of wireless interfaces to be contro

    discovery-interfaces (list of interfaces; Default: empty): List of interfaces over which CAP sdiscover Manager

    caps-man-addresses (list of IP addresses; Default: empty): List of Manager IP addresses that Ccontact during discovery

    caps-man-names (list of allowed CAPs Manager names; Default: empty): List of Manager names that CAPconnect, if empty - CAP does noname

    bridge (bridge interface; Default: none): Bridge to which interfaces should local forwarding mode is used

    •  When an AP is configured to be controlled by CAPsMAN, cof selected wireless interfaces entered on the AP itself is igno

      Instead, AP accepts configuration for selected wireless intCAPsMAN.

    •   Notes:

    The CAP wireless interfaces that are managed by CAPsMAN and being forwarded to CAPsMAN (ie. they are not in   local forwardishown as disabled, with the note Managed by CAPsMAN.

    Those interfaces that are in local forwarding mode (traffic is locallCAP, and only management is done by CAPsMAN) are not shown dnote Managed by CAPsMAN is shown

    CAP Configuration

    •  Step 8:

    •   We now have to provide a basic configuration on the CAPs

    for it to locate the CAPsMAN Controller and receive configuration:

    Start Configuration

    /system identity set name=CAPs

    /interface wireless cap set enabled=yes interfaces=wlan

    addresses=192.168.3.1

    /ip dhcp-client add interface=ether3 use-peer-dns=yes add-de

    disabled=no

    End Configuration

    Implementation

    •  Step 8:

    Verify that your CAPs client router's wlan1 interface has been provisione

    Implementation

    •   This tutorial is designed to get you up and running with a baconfiguration.

      It covers one of many ways (some of which are more CAPsMAN can be used to provision MikroTik Wireless Interfac

    •   It should only be used in a testing environment until the of(non BETA).

    Conclusion

    MikroTik CAPsMAN

    The END