Mikrotik CapsMan Tutorial

8/18/2019 Mikrotik CapsMan Tutorial

1/50

CAPsMAN Case Study

Uldis Cernevskis

MikroTik, Latvia

MUM Brazil

November 20!


2/50

CAPsMAN "eatures

● Centralized mana#ement o$ %outer&S APs

● 'ual Band AP su((ort

● Provisionin# o$ APs

● MAC and )P Layer *ommuni*ation +it APs

● Certi$i*ate su((ort $or AP *ommuni*ation

● "ull and Lo*al data $or+ardin# mode

● %A')US MAC autenti*ation● Custom *on$i#uration su((ort


3/50

%e-uirements●

CAPsMAN – ./ or %outerB&A%' based devi*e

– Ne+est %outer&S v version

– 1ireless$( (a*ka#e installed and enabled

● CAP

– 3/ or %outerB&A%' based devi*e

– Ne+est %outer&S v version

– Ateros *i(set 4a5b5#5n5a*6 +ireless *ard

– 1ireless$( (a*ka#e installed and enabled

– At least Level! %outer&S li*ense


4/50

CAPsMAN Sim(le Setu(


5/50


● 7nable CAPsMAN servi*e

● Create Brid#e inter$a*e

● Add )P *on$i#uration to Brid#e inter$a*e

● Create CAPsMAN Con$i#uration

● Create Provisionin# rule

●

7nable CAP mode on te APs


6/50


● 7nable te CAPsMAN servi*e


7/50


● Create Brid#e )nter$a*e


8/50


8 Add )Paddress

28 Add '9CPServer

:8 Add NATrule


9/50

CAPsMAN Sim(le Setu(●

Add Ne+ CAPsMAN Con$i#uration


10/50


● Add ne+ Provisionin# rule


11/50


– 7nable +ireless$((a*ka#e

– 7nable CAP mode

● By CAP modebutton on someboards

● By *on$i#uration in

1ireless CAPmenu

●

Con$i#ure te AP to use CAP mode


12/50

● Ce*k te Status o$ te CAPsMAN CAP inter$a*e


CAPCAPsMAN


13/50

CAPsMAN %e#istration table


14/50

Manual Provisionin#

● Can#in# Provisionin# rules doesn;t e$$e*t already*on$i#ured CAPs, manual Provisionin# re-uired<

– %emove CAP inter$a*e

– )nitiate Provision *ommand on te CAP


15/50

CAP to CAPsMAN Conne*tion

● MAC Layer2<

– No )P *on$i#uration re-uired

– CAP an CAPsMAN must bein te same Layer 2 net+ork

● )P 4U'P6 Layer:<

– CAP must rea* teCAPsMAN usin# )P (roto*ol

– Can traverse NAT i$

ne*essary

● Mana#ement *onne*tion bet+een CAP and CAPsMANis se*ured usin# 'TLS

● CAP *lient data tra$$i* is not se*ured = i$ ne*essaryadditional en*ry(tion by usin# )PSe* or en*ry(tedtunnels is needed


16/50

CAPsMAN Sele*tion on CAP●

CAP attem(ts to *onta*t CAPsMAN and buildavailable CAPsMAN list<

– List o$ CAPsMAN )Ps

– List o$ CAPsMAN )Ps obtained $rom '9CP

– Broad*astin# on *on$i#ured inter$a*es usin# )P and MACLayer

● CAP sele*ts te CAPsMAN based on su* rules<

– )$ CAPsMAN names settin# is mat*ed it +ill (re$er tat

CAPsMAN earlier in te list

– MAC layer *onne*tivity to CAPsMAN is (re$erred over )P*onne*tivity

– )$ list is em(ty it +ill *onne*t to any available CAPsMAN


17/50

CAPsMAN +it Layer:

●

&n te CAP s(e*i$y te )P address o$ te CAPsMAN


18/50

CAPsMAN sele*tion usin# Name●

&n te CAP s(e*i$y te CAPsMAN identityname


19/50

CAP )denti$i*ation

●

MAC5)P address● %outerBoard model

● Serial Number o$ te Board

● %outer&S version

●

System )dentity● Main +ireless MAC

● State o$ te CAP

● Provided radio *ount


20/50

CAPsMAN stati* CAP inter$a*e

● No inter$a*e name *an#e or settin# *an#e a$ter te reboot

● Additional manual settin# override

● Co(y dynami* inter$a*e to make stati* inter$a*e


21/50

CAPsMAN >irtualAP


22/50

CAPsMAN >irtualAP Con$i#uration

● Create ne+ Brid#e inter$a*e and )P*on$i#uration $or te >irtualAPs or use tesame brid#e inter$a*e as Master AP

●

Create a ne+ *on$i#uration $or te >irtualAP● S(e*i$y te ne+ *on$i#uration in Provisionin#

rule as Slave Con$i#uration

●

%emove all CAP inter$a*es● )nitiate Manual Provisionin# on all te CAPs


23/50

CAPsMAN >irtualAP Setu(


24/50

CAPsMAN >irtualAP Setu(


25/50

CAPsMAN stati* >irtualAP


26/50

CAPsMAN A**ess List "eatures

● MAC Autenti*ation

● %adius ?uery su((ort

● MAC Mask su((ort

● Si#nal %an#e

● Time

● Private Pass(rase

● >LAN )' assi#nment


27/50

CAPsMAN A**ess List● Allo+ A((le devi*es to *onne*t

● %est o$ te *onne*tions (ass to te %A')US


28/50

CAPsMAN Lo*al "or+ardin# Setu(


29/50

CAPsMAN Lo*al "or+ardin#● Create a Lo*al "or+ardin# *on$i#uration


30/50

CAPsMAN Lo*al "or+ardin#● Create Provisionin# rule

● Move above te de$ault Provisionin# rule


31/50

CAPsMAN Lo*al "or+ardin#

●

&n CAP s(e*i$y te Brid#e inter$a*e $or CAP oruse routin# $or a**ess to net+ork


32/50

CAPsMAN >LAN Assi#nment


33/50

CAPsMAN >LAN Assi#nment● 1en usin# Lo*al "or+ardin# CAPsMAN *an assi#n >LAN )'

to s(e*i$i* CAP inter$a*e or even s(e*i$i* +ireless *lient● Create Slave inter$a*e +it >lan ta#


34/50


● Create A**ess Listrule $or s(e*i$i**lient to #et ta##edto Mana#ement

>lan on te sameCAP inter$a*e

● Move te A**ess

List rule above te(revious ones


35/50


● Create >LAN inter$a*es on te CAPsMANrouter inter$a*e +ere te CAPs are *onne*ted


36/50


● Assi#n )Ps to >LAN inter$a*es on CAPsMAN


37/50

CAPsMAN 'ual Band CAP

● )$ te Cannel settin#s are not s(e*i$ied it +illautomati*ally use te su((orted band5*annel

● )$ s(e*i$i* Cannel settin#s are re-uired ten

s(e*i$i* Provisionin# rules are re-uired – Custom Cannel settin#s

– 'ual band +ireless inter$a*e su((ort


38/50

CAPsMAN 'ual Band CAP● Create : *on$i#urations<

– Con$i# $or bot bands radio

– Con$i# $or @#z only radio

– Con$i# $or 28!#z only radio


39/50

CAPsMAN 'ual Band CAP● Create : Provisionin# rules

– "or A5N,5N ard+are use Bot Bands *on$i#

– "or A5N ard+are use @#z *on$i#

– "or 5N ard+are use 28!#z *on$i#

l d


40/50

CAPsMAN 'ual Band CAP

CAP MAN C $i i id


41/50

CAPsMAN Con$i#uration override

● Con$i#urationoverrides Cannelsettin#

● )nter$a*e overridesCannel andCon$i#urationsettin#

CAP MAN A t C ti$i t


42/50

CAPsMAN Auto Certi$i*ate

● 7nable Certi$i*ate and CA Certi$i*ate onCAPsMAN



43/50


●

7nable re-uest Certi$i*ate on CAP



44/50


● Allo+ CAPsMAN to a**e(t *onne*tions only$rom CAPs +it valid *erti$i*ate

CAP L k T CAP MAN


45/50

CAP Lo*k To CAPsMAN

●

7nable Lo*k To CAPsMAN on CAP = *erti$i*ateis re-uired

CAPsMAN and CAP in one board


46/50

CAPsMAN and CAP in one board

● 7nable CAPsMANMana#er and *reatete *on$i#uration

●

Con$i#ure te CAP tolook $or )P 280808

CAPsMAN Antenna #ain


47/50

CAPsMAN Antenna#ain

● Antenna#ain value istaken $rom te CAPinter$a*e

● Must be *on$i#ured onAP be$ore enableradio in CAP mode

● 7.am(le +it db

antenna#ain and:0db 7)%P

CAPsMAN v2 $eatures


48/50

CAPsMAN v2 $eatures

● CAPsMAN automati* u(#rade o$ all CAP *lients4*on$i#urable6

● )m(roved CAPDCAPsMAN data *onne*tion(roto*ol

● Added EName "ormatE and EName Pre$i.E settin# $orProvision rules

● )m(roved lo##in# entries +en *lient roams bet+een

te CAPs● Added L2 Pat MTU dis*overy

CAPsMAN v2 *om(atibility


49/50

CAPsMAN v2 *om(atibility

● CAPsMAN v2 is N&T *om(atible +it *urrentCAPsMAN v 4CAPsMAN v CAP devi*es +illnot be able to *onne*t to CAPsMAN v2 andCAPsMAN v2 CAP devi*es +ill not be able to

*onne*t to CAPsMAN v68● Bot CAPsMAN and CAP devi*es sould ave +ireless*m2 (a*ka#e installed in order to

make CAPsMAN v2 system to +ork8

U(#rade to CAPsMAN v2


50/50

U(#rade to CAPsMAN v2

●

&(tion< )nstall a ne+ tem(orary CAPsMAN v2 router insame net+ork +ere te *urrent CAPsMAN router is andstart u(#radin# CAPs +it +ireless*m2 (a*ka#e8 AllCAPs +it te v2 +ill *onne*t to te ne+ tem(oraryCAPsMAN v2 router8 A$ter every CAP is u(#raded to v2,

u(#rade your *urrent CAPsMAN to v2 and ten turn o$$te tem(orary CAPsMAN v2 router8

● &(tion2< U(#rade your CAPs and ten CAPsMAN to v2 atte same time8 )n tis *ase you *ould ave little more

do+ntime unless you s*edule all te CAPs toreboot5install at te same time8

Documents

Mikrotik CapsMan Tutorial