MikroTik CAPsMAN. Haydar Fadel May -25-2014




Overview

Controlled Access Point system Manager (CAPsMAN) allows centralization of wireless network management and, if necessary, data processing. When using the CAPsMAN feature, the network consists of a number of 'Controlled Access Points' (CAP) that provide wireless connectivity and a 'system Manager' (CAPsMAN) that manages the configuration of the APs. The Manager also takes care of client authentication and, optionally, data forwarding.

When a CAP is controlled by CAPsMAN, it requires only the minimum configuration needed to establish a connection with CAPsMAN. Functions that were conventionally executed by an AP (such as access control and client authentication) are now executed by CAPsMAN. The CAP device now only has to provide the wireless link layer encryption/decryption. Depending on configuration, data is either forwarded to CAPsMAN for centralized processing (default) or forwarded locally at the CAP itself.

MikroTik has just introduced its much-awaited wireless management system, CAPsMAN, as of RouterOS 6.11. This is the first BETA version of CAPsMAN and should therefore be used only for testing purposes. That being said, we will explain how to install CAPsMAN on your MikroTik RouterBOARD and how to get it up and running.

CAPsMAN features:
- RADIUS MAC authentication
- WPA/WPA2 security
- TBA

MISSING CAPsMAN features:
- Nstreme AP support
- Nv2 AP support
- TBA


Requirements

CAPsMAN works on any RouterOS device from v6.11. Wireless interfaces are not required on the Manager, since it manages the wireless interfaces of the CAPs.

Ensure you have at least two MikroTik RouterBOARDs running RouterOS 6.11 or later (one will be the CAPsMAN Controller and one will be a CAPs Client for testing).

For the purpose of this LAB we will be starting with a blank configuration (/system reset-configuration no-defaults=yes).

Notes:
- CAPsMAN = CAPsMAN Router (device holding configurations for CAPs clients).
- CAPs = CAPs Client (device we will auto configure).

CAP to CAPsMAN Connection

For the CAPsMAN system to function and provide wireless connectivity, a CAP must establish a management connection with CAPsMAN. A management connection can be established using MAC or IP layer protocols and is secured using 'DTLS'. A CAP can also pass the client data connection to the Manager, but the data connection is not secured. If securing it is deemed necessary, then other means of data security need to be used, e.g. IPSec or encrypted tunnels.

A CAP to CAPsMAN connection can be established using 2 transport protocols (via Layer 2 and Layer 3).

MAC layer connection features:
- no IP configuration necessary on CAP
- CAP and CAPsMAN must be on the same Layer 2 segment, either physical or virtual (by means of L2 tunnels)

IP layer (UDP) connection features:
- can traverse NAT if necessary
- CAP must be able to reach CAPsMAN using IP protocol
- if the CAP is not on the same L2 segment as CAPsMAN, it must be provisioned with the CAPsMAN IP address, because IP multicast based discovery does not work over Layer 3

In order to establish a connection with CAPsMAN, the CAP executes a discovery process. During discovery, the CAP attempts to contact CAPsMAN and builds a list of available CAPsMANs. The CAP attempts to contact an available CAPsMAN using:
- configured list of Manager IP addresses
- list of CAPsMAN IP addresses obtained from DHCP server
- broadcasting on configured interfaces using both IP and MAC layer protocols

When the list of available CAPsMANs is built, the CAP selects a CAPsMAN based on the following rules:
- if the caps-man-names parameter specifies allowed manager names (/system identity of CAPsMAN), the CAP will prefer the CAPsMAN that is earlier in the list; if the list is empty, it will connect to any available Manager
- a suitable Manager with MAC layer connectivity is preferred to a Manager with IP connectivity
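The selection rules above can be modelled in a few lines. This is an added example, not MikroTik's code and not part of the original slides; the Manager class, the select_manager function, the manager names other than haydar, and the way the two rules are combined (position in caps-man-names first, MAC as tie-breaker) are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Manager:
    name: str       # /system identity reported by the CAPsMAN
    transport: str  # "mac" (same Layer 2 segment) or "ip" (UDP)

def select_manager(discovered, caps_man_names=()):
    """Pick the manager a CAP would connect to, or None if none is acceptable.

    Model of the rules in the text; how the two rules combine is an
    assumption: position in caps-man-names ranks first, MAC breaks ties.
    """
    allowed = list(caps_man_names)
    if allowed:
        # Non-empty list: the CAP checks the manager name.
        candidates = [m for m in discovered if m.name in allowed]
        rank = allowed.index
    else:
        # Empty list: the name is not checked, any manager is a candidate.
        candidates = list(discovered)
        rank = lambda name: 0
    if not candidates:
        return None
    return min(candidates, key=lambda m: (rank(m.name), m.transport != "mac"))

# Constructed discovery result: the intended manager is reachable over IP,
# and an unrelated manager answers on the local Layer 2 segment.
DISCOVERED = [Manager("haydar", "ip"), Manager("lab-test", "mac")]

def demo():
    return {
        "names unset": select_manager(DISCOVERED),
        "names=haydar": select_manager(DISCOVERED, ["haydar"]),
        "names=backup,haydar": select_manager(DISCOVERED, ["backup", "haydar"]),
        "names=backup": select_manager(DISCOVERED, ["backup"]),
    }

if __name__ == "__main__":
    for case, chosen in demo().items():
        print(f"{case:22} -> {chosen}")
```

With caps-man-names unset, the CAP in this model joins whichever manager answers at Layer 2; naming the intended manager makes the CAP skip the other one.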

Step 1: Download and Install the CAPsMAN package from www.mikrotik.com/download


Step 2:

Step 3: First we will enable CAPs Management on the router:

[admin@haydar] /caps-man manager set enabled=yes

Step 4: We will start by creating a basic CAPs channel profile:

Profile Name: CAPsMAN
Band: 2ghz-b/g/n
Frequency / Channel: 2412MHz (Channel 1)
Channel Width: 20MHz

[admin@haydar] /caps-man channel add band=2ghz-b/g/n frequency=2412 width=20 name=capsman

Step 5: Now we will create a CAPs security profile:

Profile Name: security1
Authentication Type: wpa2-psk (WPA2-PSK Only)
Encryption: aes-ccm (AES)
Passphrase: mysecurek3y123

[admin@haydar] /caps-man security add name=security1 authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=mysecurek3y123

Step 6: We will now create a configuration file:

Profile Name: Config-1
Wireless Interface Mode: ap
SSID: Haydar-CAPs
Channel Profile: channel1 (Step 4)
Security Profile: security1 (Step 5)

[admin@haydar] /caps-man configuration add name=config-1 mode=ap ssid="haydar-caps" channel=capsman security=security1

Step 7: Create a provision for our CAPs router, which will be automatically provisioned with the configurations in steps 4-6:

Radio MAC: D4:CA:6D:90:82:59 (wlan1 MAC address we want to auto-provision)
Action: create-dynamic-enabled (provision this interface dynamically)
Master Configuration: Config-1

[admin@haydar] /caps-man provisioning add radio-mac=D4:CA:6D:27:35:07 action=create-dynamic-enabled master-configuration=config-1

CAP Configuration

The CAP behaviour of an AP is configured in the /interface wireless cap menu. It contains the following settings (property: description):

- enabled (yes | no; Default: no): Disable or enable CAP feature
- interfaces (list of interfaces; Default: empty): List of wireless interfaces to be controlled by Manager
- discovery-interfaces (list of interfaces; Default: empty): List of interfaces over which CAP should attempt to discover Manager
- caps-man-addresses (list of IP addresses; Default: empty): List of Manager IP addresses that CAP will attempt to contact during discovery
- caps-man-names (list of allowed CAPs Manager names; Default: empty): List of Manager names that CAP will attempt to connect to; if empty, CAP does not check Manager name
- bridge (bridge interface; Default: none): Bridge to which interfaces should be added when local forwarding mode is used

When an AP is configured to be controlled by CAPsMAN, the configuration of the selected wireless interfaces entered on the AP itself is ignored. Instead, the AP accepts configuration for the selected wireless interfaces from CAPsMAN.

Notes:
- The CAP wireless interfaces that are managed by CAPsMAN and whose traffic is being forwarded to CAPsMAN (i.e. they are not in local forwarding mode) are shown as disabled, with the note "Managed by CAPsMAN".
- Those interfaces that are in local forwarding mode (traffic is locally managed by CAP, and only management is done by CAPsMAN) are not shown as disabled, but the note "Managed by CAPsMAN" is shown.

Step 8: We now have to provide a basic configuration on the CAPs client router for it to locate the CAPsMAN Controller and receive its wireless configuration:

Start Configuration
/system identity set name=caps
/interface wireless cap set enabled=yes interfaces=wlan1 caps-man-addresses=192.168.3.1
/ip dhcp-client add interface=ether3 use-peer-dns=yes add-default-route=yes disabled=no
End Configuration

Step 8: Verify that your CAPs client router's wlan1 interface has been provisioned successfully:
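A small audit of the commands from Steps 5 and 8, added here as an example; it is not part of the original slides or of RouterOS. The parse and audit functions and the choice of checks are assumptions for illustration, and both sample inputs are constructed from the tutorial's own commands.

```python
import shlex

TUTORIAL_PASSPHRASE = "mysecurek3y123"  # published in Step 5, so not a secret

def parse(line):
    """Split one RouterOS command into (menu path, {parameter: value})."""
    tokens = shlex.split(line)
    path = " ".join(t for t in tokens if "=" not in t)
    return path, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(config_text):
    """Return findings for CAPsMAN security profiles and CAP settings."""
    findings = []
    for line in config_text.strip().splitlines():
        path, p = parse(line)
        if path == "/caps-man security add":
            who = "security profile " + p.get("name", "?")
            auth = set(p.get("authentication-types", "").split(","))
            if auth - {"wpa2-psk", "wpa2-eap"}:
                findings.append(who + ": authentication-types is not WPA2-only")
            ciphers = p.get("encryption", "") + "," + p.get("group-encryption", "")
            if "tkip" in ciphers.split(","):
                findings.append(who + ": TKIP is enabled")
            if p.get("passphrase") == TUTORIAL_PASSPHRASE:
                findings.append(who + ": passphrase copied from the tutorial")
        elif path == "/interface wireless cap set":
            if p.get("enabled") == "yes" and not p.get("caps-man-names"):
                findings.append("cap: caps-man-names is empty, Manager name is not checked")
    return findings

# Constructed input: the tutorial's Step 5 and Step 8 commands as written.
AS_WRITTEN = """
/caps-man security add name=security1 authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=mysecurek3y123
/interface wireless cap set enabled=yes interfaces=wlan1 caps-man-addresses=192.168.3.1
"""
# Constructed input: same commands with a placeholder passphrase and the
# Manager's /system identity (haydar, from the prompt in Steps 3-7) pinned.
TIGHTENED = """
/caps-man security add name=security1 authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase="<unique-passphrase-placeholder>"
/interface wireless cap set enabled=yes interfaces=wlan1 caps-man-addresses=192.168.3.1 caps-man-names=haydar
"""

if __name__ == "__main__":
    for label, text in (("as written", AS_WRITTEN), ("tightened", TIGHTENED)):
        print(label, audit(text))
```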


Conclusion

This tutorial is designed to get you up and running with a basic CAPsMAN configuration. It covers one of many ways (some of which are more secure) that CAPsMAN can be used to provision MikroTik wireless interfaces. It should only be used in a testing environment until the official (non-BETA) release.

The END MikroTik CAPsMAN