Blog.gowifi

Go Wireless NZ

Friday, March 28, 2014

Introducing CAPsMAN from MikroTik


Introduction:
MikroTik has just introduced its much-awaited wireless management system, CAPsMAN, as of RouterOS 6.11. This is the first BETA version of CAPsMAN and should therefore only be used for testing purposes. With that said, this post explains how to install CAPsMAN on your MikroTik RouterBOARD and get it up and running.




For more information on CAPsMAN please visit the MikroTik Wiki section for CAPsMAN.

Prerequisites:
- Ensure you have at least two MikroTik RouterBOARDs running RouterOS 6.11 or later (one will be the CAPsMAN Controller and one will be a CAPs Client for testing).
- For the purpose of this LAB we will be starting with a blank configuration
(/system reset-configuration no-defaults=yes)

Notes:
CAPsMAN = CAPsMAN Router (device holding configurations for CAPs clients).
CAPs = CAPs Client (device we will auto configure).

Step 1:
Download and Install the CAPsMAN package from www.mikrotik.com/download
 
Step 2:
For the purpose of this tutorial we will start with the following initial configuration on the CAPsMAN (open a New Terminal window, paste the following configuration in and ensure there are no errors):
# Start of Configuration
# Rename ether1 to ether1-wan and ether2 to ether2-lan
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan
# Setup the lan ready for CAPs clients to be provisioned
/ip pool
add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2-lan name=dhcp1
/ip address
add address=192.168.1.1/24 interface=ether2-lan network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
# Allow DNS requests from the lan to the router
/ip dns
set allow-remote-requests=yes
# Masquerade lan traffic out to the internet
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade internal network" out-interface=ether1-wan src-address=192.168.1.0/24
# Configure a DHCP client for ether1-wan
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1-wan
# Configure clock and NTP settings to suit your region (helpful with troubleshooting)
/system clock
set time-zone-name=Pacific/Auckland
/system ntp client
set enabled=yes mode=unicast primary-ntp=203.99.129.34
# Set the identity for the router
/system identity
set name=CAPsMAN
# End of configuration

Step 3:
First we will enable CAPs Management on the router:
[admin@CAPsMAN] > /caps-man manager set enabled=yes

Step 4:
We will start by creating a basic CAPs channel profile:
Profile Name: channel1
Band: 2ghz-b/g/n
Frequency / Channel: 2412MHz (Channel 1)
Channel Width: 20MHz
[admin@CAPsMAN] > /caps-man channel add band=2ghz-b/g/n frequency=2412 width=20 name=channel1

Step 5:
Now we will create a CAPs security profile:
Profile Name: security1
Authentication Type: wpa2-psk (WPA2-PSK Only)
Encryption: aes-ccm (AES)
Passphrase: mysecurek3y123
[admin@CAPsMAN] > /caps-man security add name=security1 authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=mysecurek3y123

Step 6:
We will now create a configuration profile:
Profile Name: cfg1
Wireless Interface Mode: ap
SSID: Configured by CAPsMAN
Channel Profile: channel1 (Step 4)
Security Profile: security1 (Step 5)
[admin@CAPsMAN] > /caps-man configuration add name=cfg1 mode=ap ssid="Configured by CAPsMAN" channel=channel1 security=security1

Step 6:
Create a provisioning rule for our CAPs router, which will be automatically provisioned with the configurations from steps 4-6:
Radio MAC: D4:CA:6D:90:82:59 (the wlan1 MAC address we want to auto-provision)
Action: create-dynamic-enabled (provision this interface dynamically)
Master Configuration: cfg1
[admin@CAPsMAN] > /caps-man provisioning add radio-mac=D4:CA:6D:90:82:59 action=create-dynamic-enabled master-configuration=cfg1

Step 7: 
We now have to provide a basic configuration on the CAPs client router for it to locate the CAPsMAN Controller and receive its wireless configuration:
# Start Configuration
/system identity set name=CAPs
/interface wireless cap set enabled=yes interfaces=wlan1 caps-man-addresses=192.168.1.1
/ip dhcp-client add interface=ether1 use-peer-dns=yes add-default-route=yes disabled=no
# End Configuration

Step 8:
Verify that your CAPs client router's wlan1 interface has been provisioned successfully:

Conclusion:
This tutorial is designed to get you up and running with a basic CAPsMAN configuration. It covers one of many ways (some of which are more secure) that CAPsMAN can be used to provision MikroTik Wireless Interfaces. It should only be used in a testing environment until the official release (non BETA).
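
The conclusion notes that more secure setups exist. As an added example (not part of the original post and not MikroTik tooling), the Python sketch below parses `/export` output, including its backslash line continuations, and flags three settings this lab leaves open. The finding names and checks are this example's own, the sample export is constructed from the tutorial's values, and `require-peer-certificate` is assumed to be available in the RouterOS release in use.

```python
import re
import shlex
# Constructed sample: this tutorial's settings as they appear in /export output.
SAMPLE_EXPORT = r'''
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    name=security1 passphrase=mysecurek3y123
/caps-man configuration
add channel=channel1 mode=ap name=cfg1 security=security1 ssid=\
    "Configured by CAPsMAN"
/caps-man manager
set enabled=yes
/ip dns
set allow-remote-requests=yes
'''
PUBLISHED_PASSPHRASES = {"mysecurek3y123"}  # the value printed in this post

def parse_export(text):
    """Return [(menu, {key: value})] for every add/set line of an /export."""
    # A trailing backslash continues the line, sometimes in the middle of a value.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    menu, items = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            line = re.sub(r"\[[^\]]*\]", "", line)  # drop "[ find ... ]" selectors
            pairs = (tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)
            items.append((menu, dict(pairs)))
    return items

def audit(text):
    """Return sorted finding codes; the codes and checks are this example's own."""
    items = parse_export(text)
    def has(menu, want):  # some line under `menu` carries every wanted key=value
        return any(m == menu and want.items() <= p.items() for m, p in items)
    findings = set()
    # Heuristic: any input-chain drop rule counts as "router services are filtered".
    no_input_drop = not has("/ip firewall filter", {"chain": "input", "action": "drop"})
    if has("/ip dns", {"allow-remote-requests": "yes"}) and no_input_drop:
        findings.add("dns-answers-on-all-interfaces")
    if has("/caps-man manager", {"enabled": "yes"}) and not has(
            "/caps-man manager", {"require-peer-certificate": "yes"}):
        findings.add("capsman-no-peer-certificate")
    secrets = {p.get("passphrase") for m, p in items if m == "/caps-man security"}
    if secrets & PUBLISHED_PASSPHRASES:
        findings.add("published-example-passphrase")
    return sorted(findings)
```

Feed it `/export` output only: one-line commands that carry the menu path on the same line, as in the CAPs client configuration in Step 7, are not export format and are not parsed.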

4 comments:

  1. Hi, not working unfortunately, RB 750 CAPsMAN manager - RB 912UAG CAP remote. Maybe you could post an /export compact of both routers?

    Replies
    1. I have just retested this. Please see my exports below. Also make sure that you have the CAP Remote ether1 plugged into one of the DHCP ports on the CAPsMAN Manager to ensure it receives an address:

      #START OF EXPORT
      /caps-man channel
      add band=2ghz-b/g/n frequency=2412 name=channel1 width=20
      /interface wireless
      set [ find default-name=wlan1 ] l2mtu=1600 ssid=MikroTik
      /interface ethernet
      set [ find default-name=ether1 ] name=ether1-wan
      set [ find default-name=ether2 ] name=ether2-lan
      /caps-man security
      add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
      name=security1 passphrase=mysecurek3y123
      /caps-man configuration
      add channel=channel1 mode=ap name=cfg1 security=security1 ssid=\
      "Configured by CAPsMAN"
      /interface wireless security-profiles
      set [ find default=yes ] supplicant-identity=MikroTik
      /ip hotspot user profile
      set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
      mac-cookie-timeout=3d
      /ip pool
      add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
      /ip dhcp-server
      add address-pool=dhcp_pool1 disabled=no interface=ether2-lan name=dhcp1
      /caps-man manager
      set enabled=yes
      /caps-man provisioning
      add action=create-dynamic-enabled master-configuration=cfg1 radio-mac=\
      D4:CA:6D:90:82:59
      /ip address
      add address=192.168.1.1/24 interface=ether2-lan network=192.168.1.0
      /ip dhcp-client
      add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
      interface=ether1-wan
      /ip dhcp-server network
      add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
      /ip dns
      set allow-remote-requests=yes
      /ip firewall nat
      add action=masquerade chain=srcnat comment="masquerade internal network" \
      out-interface=ether1-wan src-address=192.168.1.0/24 to-addresses=0.0.0.0
      /ip upnp
      set allow-disable-external-interface=no
      /system clock
      set time-zone-name=Pacific/Auckland
      /system identity
      set name=CAPsMAN
      /system leds
      set 0 interface=wlan1
      /system ntp client
      set enabled=yes mode=unicast primary-ntp=203.99.129.34
      # END OF EXPORT

      #START OF EXPORT
      /interface wireless
      # managed by CAPsMAN
      # channel: 2412/20/gn, SSID: Configured by CAPsMAN, CAPsMAN forwarding
      set [ find default-name=wlan1 ] l2mtu=1600 ssid=MikroTik
      /interface wireless security-profiles
      set [ find default=yes ] supplicant-identity=MikroTik
      /ip hotspot user profile
      set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
      mac-cookie-timeout=3d
      /interface wireless cap
      set caps-man-addresses=192.168.1.1 enabled=yes interfaces=wlan1
      /ip dhcp-client
      add dhcp-options=hostname,clientid disabled=no interface=ether1
      /ip upnp
      set allow-disable-external-interface=no
      /system identity
      set name=CAPs
      /system leds
      set 0 interface=wlan1
      /system routerboard settings
      set cpu-frequency=400MHz
      #END OF EXPORT

  2. This comment has been removed by the author.

  3. Have been trying to get CAPsMAN to set bandwidth of 40MHz (dual chain). We can get the AP itself to set to 40MHz, but when set from CAPsMAN you receive the error "unsupported channel".... Any ideas???

    Version 6.32.3
