8/19/2019 CAPsMAN (1)
1/34
Haydar Fadel
May 25, 2014
MikroTik CAPsMAN
• Controlled Access Point system Manager (CAPsMAN) allows centralization of wireless network management and, if necessary, data processing.
• When using the CAPsMAN feature, the network will consist of 'Controlled Access Points' (CAP) that provide wireless connectivity and a 'system Manager' (CAPsMAN) that manages the configuration of the APs; it also takes care of client authentication and, optionally, data forwarding.
Overview
• When a CAP is controlled by CAPsMAN it only requires the minimum configuration required to allow it to establish connection with CAPsMAN.
• Functions that were conventionally executed by an AP (like access control, client authentication) are now executed by CAPsMAN.
• The CAP device now only has to provide the wireless link layer encryption/decryption.
• Depending on configuration, data is either forwarded to CAPsMAN for centralized processing (default) or forwarded locally at the CAP itself.
Overview
• MikroTik have just introduced their much awaited wireless management system CAPsMAN as of RouterOS 6.11.
• This is the first BETA version of CAPsMAN and therefore should only be used for testing purposes.
• That being said, we will explain how to install CAPsMAN on RouterBOARD and learn how to get it up and running.
Overview
CAPsMAN features             MISSING CAPsMAN features
RADIUS MAC authentication    Nstreme AP support
WPA/WPA2 security            Nv2 AP support
TBA                          TBA
• CAPsMAN works on any RouterOS device from v6.11; wireless interfaces are not required (since it manages the wireless interfaces of CAPs).
• Ensure you have at least two MikroTik RouterBOARDs running RouterOS 6.11 or later (one will be the CAPsMAN Controller and the other a CAPs Client for testing).
• For the purpose of this LAB we will be starting with a blank configuration (/system reset-configuration no-defaults=yes)
• Notes:
    CAPsMAN = CAPsMAN Router (device holding the configuration for the clients).
    CAPs = CAPs Client (device we will auto configure).
Requirements
• For the CAPsMAN system to function and provide wireless connectivity, a CAP must establish management connection with CAPsMAN.
• A management connection can be established using MAC or IP layer protocols and is secured using 'DTLS'.
• A CAP can also pass the client data connection to the Manager, but the data connection is not secured.
• If this is deemed necessary, then other means of data security need to be used, e.g. IPSec or encrypted tunnels.
CAP to CAPsMAN Connection
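An added example, not part of the original slides: because client data forwarded to CAPsMAN travels over the unsecured data connection, this Python check lists the configurations in a manager export that do not use local forwarding, so those paths can be covered with IPsec or an encrypted tunnel. The export text is constructed; `datapath.local-forwarding` and the `/caps-man datapath` menu are RouterOS settings that the slides do not show.

```python
import re
import shlex

# Constructed sample in RouterOS export format (not output from the lab in these slides).
SAMPLE_EXPORT = """\
/caps-man datapath
add local-forwarding=yes name=local-dp
/caps-man configuration
add channel=CAPsMAN name=Config-1 security=security1 ssid=Haydar-CAPs
add datapath=local-dp name=Config-2 ssid=Haydar-CAPs-2
add datapath.local-forwarding=yes name=Config-3 ssid=Haydar-CAPs-3
"""

def parse_export(text):
    """Return {menu: [{key: value}, ...]} for the 'add' lines of an export."""
    # Exports wrap long lines with a trailing backslash; join them first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add ") and menu:
            tokens = shlex.split(line[4:])          # handles quoted values
            items = dict(t.split("=", 1) for t in tokens if "=" in t)
            menus.setdefault(menu, []).append(items)
    return menus

def centrally_forwarded(text):
    """Names of configurations whose client data is sent to the manager.

    Central forwarding is the default, so a configuration is flagged unless
    local forwarding is enabled inline or through its datapath profile.
    """
    menus = parse_export(text)
    local_profiles = {d["name"] for d in menus.get("/caps-man datapath", [])
                      if d.get("local-forwarding") == "yes"}
    flagged = []
    for cfg in menus.get("/caps-man configuration", []):
        local = (cfg.get("datapath.local-forwarding") == "yes"
                 or cfg.get("datapath") in local_profiles)
        if not local:
            flagged.append(cfg["name"])
    return flagged
```

A configuration like the Config-1 built later in this tutorial sets no forwarding mode, so it is reported as centrally forwarded.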
• CAP to CAPsMAN connection can be established using 2 transport protocols (via Layer 2 and Layer 3).
• MAC layer connection features:
    no IP configuration necessary on CAP
    CAP and CAPsMAN must be on the same Layer 2 segment - either physical or virtual (by means of L2 tunnels)
• IP layer (UDP) connection features:
    can traverse NAT if necessary
    CAP must be able to reach CAPsMAN using IP protocol
    if the CAP is not on the same L2 segment as CAPsMAN, it must be provisioned with the CAPsMAN IP address, because IP multicast based discovery does not work over Layer 3
CAP to CAPsMAN Connection
• In order to establish connection with CAPsMAN, CAP executes a discovery process.
• During discovery, CAP attempts to contact CAPsMAN and builds an available CAPsMANs list.
• CAP attempts to contact an available CAPsMAN using:
    configured list of Manager IP addresses
    list of CAPsMAN IP addresses obtained from DHCP server
    broadcasting on configured interfaces using both - IP and MAC layer protocols
CAP to CAPsMAN Connection
• When the list of available CAPsMANs is built, CAP selects a CAPsMAN based on the following rules:
    if caps-man-names parameter specifies allowed manager names (/system identity of CAPsMAN), CAP will prefer the CAPsMAN that is earlier in the list; if the list is empty it will connect to any available Manager.
    suitable Manager with MAC layer connectivity is preferred to Manager with IP connectivity.
CAP to CAPsMAN Connection
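The selection rules above, sketched as an added Python example (not MikroTik's code and not from the original slides). The `Manager` record, the constructed discovery list, and the choice to apply name order before transport preference are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Manager:
    identity: str    # /system identity reported by the CAPsMAN
    transport: str   # "mac" (Layer 2) or "ip" (UDP)
    address: str     # address the discovery reply came from

# Constructed discovery result: three replies from two managers.
DISCOVERED = [
    Manager("Backup", "mac", "02:00:00:00:00:01"),
    Manager("Haydar", "ip", "192.168.3.1"),
    Manager("Haydar", "mac", "02:00:00:00:00:02"),
]

def select_manager(discovered, caps_man_names=()):
    """Pick one manager from the discovery list, or None if none is allowed."""
    names = list(caps_man_names)
    if names:
        # Only listed identities are candidates; earlier in the list wins.
        candidates = [m for m in discovered if m.identity in names]
        name_rank = lambda m: names.index(m.identity)
    else:
        # Empty list: the CAP does not check the manager name at all,
        # so every manager that answered discovery is a candidate.
        candidates = list(discovered)
        name_rank = lambda m: 0
    if not candidates:
        return None
    # MAC layer connectivity is preferred to IP connectivity.
    transport_rank = lambda m: 0 if m.transport == "mac" else 1
    return min(candidates, key=lambda m: (name_rank(m), transport_rank(m)))
```

With `caps-man-names` left empty the CAP accepts whichever manager answers first on its preferred transport, which is why listing the expected identity matters on shared Layer 2 segments.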
• Step 1: Download and install the CAPsMAN package from www.mikrotik.com/download
Implementation
Implementation
• Suitable Manager with MAC layer connectivity is preferred to Manager with IP connectivity.
• Step 2:
Implementation
• Step 3:
• First we will enable CAPs Management on the router:
[admin@Haydar] /caps-man manager set enabled=yes
Implementation
• Step 4:
• We will start by creating a basic CAPs channel profile:
Profile Name: CAPsMAN
Band: 2ghz-b/g/n
Frequency / Channel: 2452MHz (Channel 1)
Channel Width: 20MHz
[admin@Haydar] /caps-man channel add band=2ghz-b/g/n frequency=2452 width=20 name=CAPsMAN
Implementation
• Step 5:
• Now we will create a CAPs security profile:
Profile Name: security1
Authentication Type: wpa2-psk (WPA2-PSK Only)
Encryption: aes-ccm (AES)
Passphrase: mysecurek3y123
[admin@Haydar] /caps-man security add name=security1 authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=mysecurek3y123
Implementation
• Step 6:
• We will now create a configuration file:
Profile Name: Config-1
Wireless Interface Mode: ap
SSID: Haydar-CAPs
Channel Profile: channel1 (Step 4)
Security Profile: security1 (Step 5)
[admin@Haydar] /caps-man configuration add name=Config-1 mode=ap ssid="Haydar-CAPs" channel=CAPsMAN security=security1
Implementation
• Step 7:
• Create a provision for our CAPs router which will be automatically provisioned with the configurations in steps 4-6:
Radio MAC: D4:CA:6D:90:82:59 (wlan1 MAC address we want to auto-provision)
Action: create-dynamic-enabled (provision this interface dynamically)
Master Configuration: Config-1
[admin@Haydar] /caps-man provisioning add radio-mac=D4:CA:6D:90:82:59 action=create-dynamic-enabled master-configuration=Config-1
Implementation
• CAP behaviour of AP is configured in /interface wireless cap menu. It contains the following settings:
Property: Description
enabled (yes | no; Default: no): Disable or enable CAP feature
interfaces (list of interfaces; Default: empty): List of wireless interfaces to be controlled by Manager
discovery-interfaces (list of interfaces; Default: empty): List of interfaces over which CAP should attempt to discover Manager
caps-man-addresses (list of IP addresses; Default: empty): List of Manager IP addresses that CAP will attempt to contact during discovery
caps-man-names (list of allowed CAPs Manager names; Default: empty): List of Manager names that CAP will attempt to connect, if empty - CAP does not check Manager name
bridge (bridge interface; Default: none): Bridge to which interfaces should be added when local forwarding mode is used
CAP Configuration
• When an AP is configured to be controlled by CAPsMAN, configuration of selected wireless interfaces entered on the AP itself is ignored.
• Instead, AP accepts configuration for selected wireless interfaces from CAPsMAN.
• Notes:
    The CAP wireless interfaces that are managed by CAPsMAN and whose traffic is being forwarded to CAPsMAN (i.e. they are not in local forwarding mode) are shown as disabled, with the note Managed by CAPsMAN.
    Those interfaces that are in local forwarding mode (traffic is locally managed by CAP, and only management is done by CAPsMAN) are not shown disabled, but the note Managed by CAPsMAN is shown.
CAP Configuration
• Step 8:
• We now have to provide a basic configuration on the CAPs for it to locate the CAPsMAN Controller and receive configuration:
Start Configuration
/system identity set name=CAPs
/interface wireless cap set enabled=yes interfaces=wlan1 caps-man-addresses=192.168.3.1
/ip dhcp-client add interface=ether3 use-peer-dns=yes add-default-route=yes disabled=no
End Configuration
Implementation
• Step 8:
Verify that your CAPs client router's wlan1 interface has been provisioned
Implementation
• This tutorial is designed to get you up and running with a basic configuration.
•
It covers one of many ways (some of which are more CAPsMAN can be used to provision MikroTik Wireless Interfac
• It should only be used in a testing environment until the official release (non BETA).
Conclusion
MikroTik CAPsMAN
The END