MikroTik CAPsMAN Haydar Fadel May -25-2014
Overview. Controlled Access Point system Manager (CAPsMAN) centralizes the management of a wireless network and, if required, the processing of client data. A CAPsMAN deployment consists of a number of Controlled Access Points (CAPs) that provide the wireless connectivity, and a system Manager (CAPsMAN) that holds and pushes the configuration of the CAPs, handles client authentication and, optionally, forwards client data.
Overview. A CAP controlled by CAPsMAN needs only the minimum configuration required to establish a connection to CAPsMAN. Functions conventionally performed by an AP, such as access control and client authentication, are now performed by CAPsMAN; the CAP itself only provides wireless link-layer encryption and decryption. Depending on configuration, client data is either forwarded to CAPsMAN for centralized processing (the default) or forwarded locally at the CAP.
Overview. MikroTik has just introduced its much awaited wireless management system, CAPsMAN, as of RouterOS 6.11. This is the first BETA version of CAPsMAN and should therefore be used only for testing. With that said, this presentation explains how to install CAPsMAN on a MikroTik RouterBOARD and get it up and running.
CAPsMAN features:
- RADIUS MAC authentication
- WPA/WPA2 security
- TBA
Missing CAPsMAN features:
- Nstreme AP support
- Nv2 AP support
- TBA
Requirements. CAPsMAN works on any RouterOS device from v6.11; a wireless interface on the manager itself is not required, since it manages the wireless interfaces of the CAPs. Make sure you have at least two MikroTik RouterBOARDs running RouterOS 6.11 or later: one will be the CAPsMAN controller and one a CAP client for testing. For this LAB we start from a blank configuration (/system reset-configuration no-defaults=yes).
Notes: CAPsMAN = CAPsMAN router (the device holding the configurations for the CAP clients). CAPs = CAP client (the device we will auto-configure).
CAP to CAPsMAN Connection. For the CAPsMAN system to function and provide wireless connectivity, a CAP must establish a management connection with CAPsMAN. The management connection can be established over MAC-layer or IP-layer transport and is secured with DTLS. A CAP can also pass the client data connection to the manager, but that data connection is not secured: once the CAP has removed the WPA link-layer encryption, client traffic forwarded to CAPsMAN crosses the network in the clear. Where this matters, protect the CAP-to-manager path by other means, e.g. IPsec or an encrypted tunnel, or keep client data at the CAP by using local forwarding.
CAP to CAPsMAN Connection. The CAP to CAPsMAN connection can be established over two transports (Layer 2 or Layer 3).
MAC layer connection:
- no IP configuration is necessary on the CAP
- CAP and CAPsMAN must be on the same Layer 2 segment, either physical or virtual (by means of L2 tunnels)
IP layer (UDP) connection:
- can traverse NAT if necessary
- the CAP must be able to reach CAPsMAN over IP
- if the CAP is not on the same L2 segment as CAPsMAN, it must be provisioned with the CAPsMAN IP address, because IP multicast based discovery does not work across Layer 3
CAP to CAPsMAN Connection. To establish a connection with CAPsMAN, the CAP runs a discovery process: it attempts to contact CAPsMAN and builds a list of available managers. The CAP tries to reach a manager using:
- the configured list of manager IP addresses (caps-man-addresses)
- the list of CAPsMAN IP addresses obtained from the DHCP server
- broadcasting on the configured discovery interfaces, using both IP and MAC layer protocols
CAP to CAPsMAN Connection. Once the list of available managers is built, the CAP selects one using these rules:
- if the caps-man-names parameter lists allowed manager names (the /system identity of the CAPsMAN), the CAP prefers the manager that appears earlier in that list; if the list is empty it connects to any available manager
- a suitable manager reachable over the MAC layer is preferred to one reachable only over IP
Step 1: Download and install the CAPsMAN package from www.mikrotik.com/download
Step 2:
Step 3: First we enable the CAPsMAN manager on the router: [admin@haydar] /caps-man manager set enabled=yes
Step 4: We start by creating a basic CAPsMAN channel profile: Profile Name: capsman; Band: 2ghz-b/g/n; Frequency / Channel: 2412 MHz (channel 1); Channel Width: 20 MHz. [admin@haydar] /caps-man channel add band=2ghz-b/g/n frequency=2412 width=20 name=capsman
Step 5: Now we create a CAPsMAN security profile: Profile Name: security1; Authentication Type: wpa2-psk (WPA2-PSK only); Encryption: aes-ccm (AES); Passphrase: mysecurek3y123 (a lab value; use a long random passphrase outside the lab). [admin@haydar] /caps-man security add name=security1 authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=mysecurek3y123
Step 6: We now create a configuration profile that ties the previous profiles together: Profile Name: config-1; Wireless Interface Mode: ap; SSID: haydar-caps; Channel Profile: capsman (Step 4); Security Profile: security1 (Step 5). [admin@haydar] /caps-man configuration add name=config-1 mode=ap ssid="haydar-caps" channel=capsman security=security1
Step 7: Create a provisioning rule for our CAP router, so that its radio is automatically provisioned with the configuration from steps 4-6: Radio MAC: D4:CA:6D:27:35:07 (the MAC address of the wlan1 interface we want to auto-provision); Action: create-dynamic-enabled (create and enable the interface dynamically); Master Configuration: config-1. [admin@haydar] /caps-man provisioning add radio-mac=D4:CA:6D:27:35:07 action=create-dynamic-enabled master-configuration=config-1
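As an added example (not part of the original presentation or of MikroTik's documentation), here is the manager-side configuration of steps 3 to 7 as one pasteable script, followed by the tightening a practitioner would apply: the catch-all provisioning rule shown beside the rule pinned to our CAP's radio MAC, a datapath that keeps client data at the CAP instead of forwarding it unencrypted to the manager, and the DTLS peer-certificate options of /caps-man manager and /interface wireless cap. The certificate options are assumed to exist on your RouterOS release (they were added after the beta discussed here; check with /caps-man manager print). The radio MAC, SSID and passphrase are this lab's values.

```routeros
# --- Steps 3-7 as entered on the CAPsMAN router (haydar) ---
/caps-man manager set enabled=yes
/caps-man channel add name=capsman band=2ghz-b/g/n frequency=2412 width=20
/caps-man security add name=security1 authentication-types=wpa2-psk \
    encryption=aes-ccm group-encryption=aes-ccm passphrase=mysecurek3y123
/caps-man configuration add name=config-1 mode=ap ssid="haydar-caps" \
    channel=capsman security=security1

# WEAK: radio-mac=00:00:00:00:00:00 is the default and matches every radio
# that registers, so any device that can reach the manager is handed this
# SSID and its PSK.
# /caps-man provisioning add radio-mac=00:00:00:00:00:00 \
#     action=create-dynamic-enabled master-configuration=config-1

# BETTER: pin the rule to the radio we intend to manage. A MAC can be
# spoofed, so treat this as a filter, not as authentication of the CAP.
/caps-man provisioning add radio-mac=D4:CA:6D:27:35:07 \
    action=create-dynamic-enabled master-configuration=config-1

# Optional: local forwarding. Client frames are bridged at the CAP (into the
# bridge named by its /interface wireless cap bridge= setting) instead of
# travelling unencrypted over the CAP-to-manager data connection.
/caps-man datapath add name=dp-local local-forwarding=yes
/caps-man configuration set [ find name=config-1 ] datapath=dp-local

# Optional hardening (assumption: these options exist on your version).
# The manager generates a CA and its own certificate and issues certificates
# to CAPs that request one; afterwards it refuses CAPs without one.
/caps-man manager set certificate=auto ca-certificate=auto
# ... on the CAP, once it has discovered the manager:
#   /interface wireless cap set certificate=request lock-to-caps-man=yes
# ... then, back on the manager, after every CAP holds a certificate:
/caps-man manager set require-peer-certificate=yes
```

Order matters for the certificate step: a CAP can only request a certificate while the manager still accepts unauthenticated peers, so enable require-peer-certificate=yes last, after all CAPs have been issued one. With local forwarding the CAP side must name a bridge (the bridge parameter of /interface wireless cap), otherwise the provisioned interface has nowhere to forward client frames.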
CAP Configuration. CAP behaviour of an AP is configured in the /interface wireless cap menu, which contains the following settings:
- enabled (yes | no; Default: no): disable or enable the CAP feature
- interfaces (list of interfaces; Default: empty): list of wireless interfaces to be controlled by the Manager
- discovery-interfaces (list of interfaces; Default: empty): list of interfaces over which the CAP should attempt to discover the Manager
- caps-man-addresses (list of IP addresses; Default: empty): list of Manager IP addresses that the CAP will attempt to contact during discovery
- caps-man-names (list of allowed CAPsMAN names; Default: empty): list of Manager names that the CAP will attempt to connect to; if empty, the CAP does not check the Manager name
- bridge (bridge interface; Default: none): bridge to which interfaces are added when local forwarding mode is used
CAP Configuration. When an AP is configured to be controlled by CAPsMAN, the configuration entered on the AP itself for the selected wireless interfaces is ignored. Instead, the AP accepts configuration for those interfaces from CAPsMAN. Notes: CAP wireless interfaces that are managed by CAPsMAN and whose traffic is forwarded to CAPsMAN (i.e. not in local forwarding mode) are shown as disabled, with the note "Managed by CAPsMAN". Interfaces in local forwarding mode (traffic handled locally by the CAP, with only management done by CAPsMAN) are not shown as disabled, but the note "Managed by CAPsMAN" is still shown.
Step 8: We now give the CAP client router the basic configuration it needs to locate the CAPsMAN controller and receive its wireless configuration: Start Configuration /system identity set name=caps /interface wireless cap set enabled=yes interfaces=wlan1 caps-man-addresses=192.168.3.1 /ip dhcp-client add interface=ether3 use-peer-dns=yes add-default-route=yes disabled=no End Configuration
Step 9: Verify that the CAP client router's wlan1 interface has been provisioned successfully.
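The verification screenshots of the original slides are not reproduced here; as an added example, these are the commands to run on each side to confirm the result of steps 3-8 (the log topic filter is my assumption; the rest are standard RouterOS menus).

```routeros
# --- On the CAPsMAN router (haydar) ---
# The CAP should be listed here first; if it is missing, discovery has not
# reached the manager (check L2 adjacency or the caps-man-addresses entry).
/caps-man remote-cap print
# Its radio, and the interface created by the provisioning rule with
# master-configuration=config-1; a radio with no interface means no rule
# matched its MAC.
/caps-man radio print
/caps-man interface print detail
# Wireless clients that have associated, and the CAP serving each of them.
/caps-man registration-table print

# --- On the CAP (caps) ---
# Confirms enabled=yes, interfaces=wlan1 and the manager address.
/interface wireless cap print
# wlan1 should show "Managed by CAPsMAN" and carry ssid="haydar-caps";
# its locally configured values are ignored while it is managed.
/interface wireless print detail
# Discovery and provisioning messages (assumption: logged under topic "caps").
/log print where topics~"caps"
```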
Conclusion. This tutorial is designed to get you up and running with a basic CAPsMAN configuration. It covers one of many ways (some of them more secure) in which CAPsMAN can provision MikroTik wireless interfaces. Use it only in a testing environment until the official (non-BETA) release.
The END MikroTik CAPsMAN