Controlled Access Point system Manager (CAPsMAN) allows centralization of wireless network management and if necessary, data processing. When using the CAPsMAN feature, the network will consist of a number of 'Controlled Access Points' (CAP) that provide wireless connectivity and a 'system Manager' (CAPsMAN) that manages the configuration of the APs, it also takes care of client authentication and optionally, data forwarding.
When a CAP is controlled by CAPsMAN it only requires the minimum configuration required to allow it to establish connection with CAPsMAN. Functions that were conventionally executed by an AP (like access control, client authentication) are now executed by CAPsMAN. The CAP device now only has to provide the wireless link layer encryption/decryption.
Depending on configuration, data is either forwarded to CAPsMAN for centralized processing (default) or forwarded locally at the CAP itself (#Local_Forwarding_Mode).
- RADIUS MAC authentication
- WPA/WPA2 security
MISSING CAPsMAN features
- Nstreme AP support
- Nv2 AP support
CAPsMAN works on any RouterOS device from v6.11, wireless interfaces are not required (since it manages the wireless interfaces of CAPs)
CAP to CAPsMAN Connection
For the CAPsMAN system to function and provide wireless connectivity, a CAP must establish management connection with CAPsMAN. A management connection can be established using MAC or IP layer protocols and is secured using 'DTLS'.
A CAP can also pass the client data connection to the Manager, but the data connection is not secured. If this is deemed necessary, then other means of data security needs to be used, e.g. IPSec or encrypted tunnels.
CAP to CAPsMAN connection can be established using 2 transport protocols (via Layer 2 and Layer3).
- MAC layer connection features:
- no IP configuration necessary on CAP
- CAP and CAPsMAN must be on the same Layer 2 segment - either physical or virtual (by means of L2 tunnels)
- IP layer (UDP) connection features:
- can traverse NAT if necessary
- CAP must be able to reach CAPsMAN using IP protocol
- if the CAP is not on the same L2 segment as CAPsMAN, it must be provisioned with the CAPsMAN IP address, because IP multicast based discovery does not work over Layer3
In order to establish connection with CAPsMAN, CAP executes a discovery process. During discovery, CAP attempts to contact CAPsMAN and builds an available CAPsMANs list. CAP attempts to contact to an available CAPsMAN using:
- configured list of Manager IP addresses
- list of CAPsMAN IP addresses obtained from DHCP server
- broadcasting on configured interfaces using both - IP and MAC layer protocols.
When the list of available CAPsMANs is built, CAP selects a CAPsMAN based on the following rules:
- if caps-man-names parameter specifies allowed manager names (/system identity of CAPsMAN), CAP will prefer the CAPsMAN that is earlier in the list, if list is empty it will connect to any available Manager
- suitable Manager with MAC layer connectivity is preferred to Manager with IP connectivity
After Manager is selected, CAP attempts to establish DTLS connection. There are the following authentication modes possible:
- no certificates on CAP and CAPsMAN - no authentication
- only Manager is configured with certificate - CAP checks CAPsMAN certificate, but does not fail if it does not have appropriate trusted CA certificate
- CAP and CAPsMAN are configured with certificates - mutual authentication
After DTLS connection is established, CAP can optionally check CommonName field of certificate provided by CAPsMAN. caps-man-certificate-common-names parameter contains list of allowed CommonName values. If this list is not empty, CAPsMAN must be configured with certificate. If this list is empty, CAP does not check CommonName field.
CAP Locking to CAPsMAN
CAP can be configured to automatically lock to particular CAPsMAN. Locking is implemented by recording certificate CommonName of CAPsMAN that CAP is locked to and checking this CommonName for all subsequent connections. As this feature is implemented using certificate CommonName, use of certificates is mandatory for locking to work.
Locking is enabled by the following command:
[admin@CAP] > /interface wireless cap set lock-to-caps-man=yes
Once CAP connects to suitable CAPsMAN and locks to it, it is reflected like this:
[admin@wtp] > /interface wireless cap print ... locked-caps-man-common-name: CAPsMAN-000C424C30F3
From now on CAP will only connect to CAPsMAN with this CommonName, until locking requirement is cleared, by setting lock-to-caps-man=no. This approach needs to be used if it is necessary to force CAP to lock to another CAPsMAN - by at first setting lock-to-caps-man=no followed by lock-to-caps-man=yes.
When an AP is configured to be controlled by CAPsMAN, configuration of selected wireless interfaces entered on the AP itself is ignored. Instead, AP accepts configuration for selected wireless interfaces from CAPsMAN.
CAP behaviour of AP is configured in /interface wireless cap menu. It contains the following settings:
|enabled (yes | no; Default: no)||Disable or enable CAP feature|
|interfaces (list of interfaces; Default: empty)||List of wireless interfaces to be controlled by Manager|
|certificate (certificate name | none; Default: none)||Certificate to use for authenticating|
|discovery-interfaces (list of interfaces; Default: empty)||List of interfaces over which CAP should attempt to discover Manager|
|caps-man-addresses (list of IP addresses; Default: empty)||List of Manager IP addresses that CAP will attempt to contact during discovery|
|caps-man-names (list of allowed CAPs Manager names; Default: empty)||List of Manager names that CAP will attempt to connect, if empty - CAP does not check Manager name|
|caps-man-certificate-common-names (list of allowed CAPs Manager CommonNames; Default: empty)||List of Manager certificate CommonNames that CAP will connect to, if empty - CAP does not check Manager certificate CommonName|
|bridge (bridge interface; Default: none)||Bridge to which interfaces should be added when local forwarding mode is used|
CAPsMAN Configuration Concepts
Each wireless interface on a CAP that is under CAPsMAN control appears as a virtual interface on the CAPsMAN. This provides maximum flexibility in data forwarding control using regular RouterOS features, such as routing, bridging, firewall, etc.
Many wireless interface settings are able to be grouped together into named groups ('profiles') that simplifies the reuse of configuration - for example, common configuration settings can be configured in a 'configuration profile' and multiple interfaces can then refer to that profile. At the same time any profile setting can be overridden directly in an interface configuration for maximum flexibility.
Currently there are the following setting groups:
- channel - channel related settings, such as frequency and width
- datapath - data forwarding related settings, such as bridge to which particular interface should be automatically added as port
- interworking - IEEE 802.11u, Hotspot 2.0 related settings
- security - security related settings, such as allowed authentication types or passphrase
- configuration - main wireless settings group, includes settings such as SSID, and additionally binds together other setting groups - that is, configuration profile can refer to channel, security, etc. named setting groups. Additionally any setting can be overridden directly in configuration profile.
Interface settings bind together all setting groups, but additionally any setting can be overridden directly in interface settings.
By means of setting groups, configuration is organized in hierarchical structure with interface (actual user of configuration) as the root. In order to figure out the effective value of some setting this structure is consulted in a fashion where a higher level setting value overrides a lower level value.
For example, when WPA2 passphrase to be used by a particular interface needs to be found, the following places are consulted and the first place with WPA2 passphrase configured specifies effective passphrase. "->" denotes referring to setting profile (if configured):
- interface passphrase
- interface->security passphrase
- interface->configuration passphrase
- interface->configuration->security passphrase
There are 2 types of interfaces on CAPsMAN - "master" and "slave". The master interface holds the configuration for an actual wireless interface (radio), while a slave interface links to the master interface and is intended to hold the configuration for a Virtual-AP (multiple SSID support). There are settings that are meaningful only for master interface, i.e. mainly hardware setup related settings such as radio channel settings. Note that in order for a radio to accept clients, it's master interface needs to be enabled. Slave interfaces will become operational only if enabled and the master interface is enabled.
Interfaces on CAPsMAN can be static or dynamic. Static interfaces are stored in RouterOS configuration and will persist across reboots. Dynamic interfaces exist only while a particular CAP is connected to CAPsMAN.
CAPsMAN Global Configuration
Settings to enable CAPsMAN functionality are found in /caps-manager manager menu:
|enabled (yes | no; Default: no)||Disable or enable CAPsMAN functionality|
|certificate (auto | certificate name | none; Default: none)||Device certificate|
|ca-certificate (auto | certificate name | none; Default: none)||Device CA certificate|
|require-peer-certificate (yes | no; Default: no)||Require all connecting CAPs to have a valid certificate|
CAPsMAN distinguishes between CAPs based on an identifier. The identifier is generated based on the following rules:
- if CAP provided a certificate, identifier is set to the Common Name field in the certificate
- otherwise identifier is based on Base-MAC provided by CAP in the form: '[XX:XX:XX:XX:XX:XX]'.
When the DTLS connection with CAP is successfully established (which means that CAP identifier is known and valid), CAPsMAN makes sure there is no stale connection with CAP using the same identifier. Currently connected CAPs are listed in /caps-manager remote-cap menu:
[admin@CM] /caps-manager> remote-cap print # ADDRESS IDENT STATE RADIOS 0 00:0C:42:00:C0:32/27044 MT-000C4200C032 Run 1
CAPsMAN distinguishes between actual wireless interfaces (radios) based on their builtin MAC address (radio-mac). This implies that it is impossible to manage two radios with the same MAC address on one CAPsMAN. Radios currently managed by CAPsMAN (provided by connected CAPs) are listed in /caps-manager radio menu:
[admin@CM] /caps-manager> radio print Flags: L - local, P - provisioned # RADIO-MAC INTERFACE REMOTE-AP-IDENT 0 P 00:03:7F:48:CC:07 cap1 MT-000C4200C032
When CAP connects, CAPsMAN at first tries to bind each CAP radio to CAPsMAN master interface based on radio-mac. If an appropriate interface is found, radio gets set up using master interface configuration and configuration of slave interfaces that refer to particular master interface. At this moment interfaces (both master and slaves) are considered bound to radio and radio is considered provisioned.
If no matching master interface for radio is found, CAPsMAN executes 'provisioning rules'. Provisioning rules is an ordered list of rules that contain settings that specify which radio to match and settings that specify what action to take if a radio matches.
Provisioning rules for matching radios are configured in /caps-manager provisioning menu:
|action (create-disabled | create-enabled | create-dynamic-enabled | none; Default: none)||Action to take if rule matches are specified by the following settings:
|master-configuration (; Default: )||If action specifies to create interfaces, then a new master interface with its configuration set to this configuration profile will be created|
|slave-configurations (; Default: )||If action specifies to create interfaces, then a new slave interface for each configuration profile in this list is created.|
|radio-mac (MAC address; Default: 00:00:00:00:00:00)||MAC address of radio to be matched, empty MAC (00:00:00:00:00:00) means match all MAC addresses|
|? (?; Default: ?)||(more matchers may be provided in a future release)|
To get the active provisioning matchers:
[admin@CM] /caps-manager provisioning> print Flags: X - disabled 0 radio-mac=00:00:00:00:00:00 action=create-enabled master-configuration=main-cfg slave-configurations=virtual-ap-cfg
For user's convenience there are commands that allow the re-execution of the provisioning process for some radio or all radios provided by some AP:
[admin@CM] > caps-manager radio provision 0
[admin@CM] > caps-manager remote-cap provision 0
CAPsMAN interfaces are managed in /caps-manager interface menu:
[admin@CM] > /caps-manager interface print Flags: M - master, D - dynamic, B - bound, X - disabled, I - inactive, R - running # NAME RADIO-MAC MASTER-INTERFACE 0 M BR cap2 00:0C:42:1B:4E:F5 none 1 B cap3 00:00:00:00:00:00 cap2
Datapath settings control data forwarding related aspects. On CAPsMAN datapath settings are configured in datapath profile menu /caps-manager datapath or directly in a configuration profile or interface menu as settings with datapath. prefix.
There are 2 major forwarding modes:
- local forwarding mode, where CAP is locally forwarding data to and from wireless interface
- manager forwarding mode, where CAP sends to CAPsMAN all data received over wireless and only sends out the wireless data received from CAPsMAN. In this mode even client-to-client forwarding is controlled and performed by CAPsMAN.
Forwarding mode is configured on a per-interface basis - so if one CAP provides 2 radio interfaces, one can be configured to operate in local forwarding mode and the other in manager forwarding mode. The same applies to Virtual-AP interfaces - each can have different forwarding mode from master interface or other Virtual-AP interfaces.
Most of the datapath settings are used only when in manager forwarding mode, because in local forwarding mode CAPsMAN does not have control over data forwarding.
There are the following datapath settings:
- bridge -- bridge interface to add interface to, as a bridge port, when enabled
- bridge-cost -- bridge port cost to use when adding as bridge port
- bridge-horizon -- bridge horizon to use when adding as bridge port
- client-to-client-forwarding -- controls if client-to-client forwarding between wireless clients connected to interface should be allowed, in local forwarding mode this function is performed by CAP, otherwise it is performed by CAPsMAN.
- local-forwarding -- controls forwarding mode
- openflow-switch -- OpenFlow switch to add interface to, as port when enabled
- vlan-id -- VLAN ID to assign to interface if vlan-mode enables use of VLAN tagging
- vlan-mode -- VLAN tagging mode specifies if VLAN tag should be assigned to interface (causes all received data to get tagged with VLAN tag and allows interface to only send out data tagged with given tag)
Local Forwarding Mode
In this mode wireless interface on CAP behaves as a normal interface and takes part in normal data forwarding. Wireless interface will accept/pass data to networking stack on CAP. CAPsMAN will not participate in data forwarding and will not process any of data frames, it will only control interface configuration and client association process.
Wireless interface on CAP will change its configuration to 'enabled' and its state and some relevant parameters (e.g. mac-address, arp, mtu) will reflect that of the interface on CAPsMAN. Note that wireless related configuration will not reflect actual interface configuration as applied by CAPsMAN:
[admin@CAP] /interface wireless> pr Flags: X - disabled, R - running 0 R ;;; managed by CAPsMAN ;;; channel: 5180/20-Ceee/ac, SSID: master, local forwarding name="wlan2" mtu=1500 mac-address=00:03:7F:48:CC:07 arp=enabled interface-type=Atheros AR9888 mode=ap-bridge ssid="merlin" frequency=5240 band=5ghz-a/n channel-width=20/40mhz-eC scan-list=default ...
Virtual-AP interfaces in local forwarding mode will appear as enabled and dynamic Virtual-AP interfaces:
[admin@CAP] /interface> pr Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE MTU L2MTU MAX-L2MTU ... 2 RS ;;; managed by CAPsMAN ;;; channel: 5180/20-Ceee/ac, SSID: master, local forwarding wlan2 wlan 1500 1600 3 DRS ;;; managed by CAPsMAN ;;; SSID: slave, local forwarding wlan6 wlan 1500 1600 ... [admin@CAP] /interface> wireless pr Flags: X - disabled, R - running ... 2 R ;;; managed by CAPsMAN ;;; SSID: slave, local forwarding name="wlan6" mtu=1500 mac-address=00:00:00:00:00:00 arp=enabled interface-type=virtual-AP master-interface=wlan2
The fact that Virtual-AP interfaces are added as dynamic, somewhat limits static configuration possibilities on CAP for data forwarding, such as assigning addresses to Virtual-AP interface. This does not apply to master wireless interface.
To facilitate data forwarding configuration, CAP can be configured with bridge to which interfaces are automatically added as ports when interfaces are enabled by CAPsMAN. This can be done in /interface wireless cap menu.
Manager Forwarding Mode
In this mode CAP sends all data received over wireless to CAPsMAN and only sends out over wireless, data received from CAPsMAN. CAPsMAN has full control over data forwarding including client-to-client forwarding. Wireless interface on CAP is disabled and does not participate in networking:
... 1 X ;;; managed by CAPsMAN ;;; channel: 5180/20-Ceee/ac, SSID: master, manager forwarding name="wlan2" mtu=1500 mac-address=00:03:7F:48:CC:07 arp=enabled interface-type=Atheros AR9888 mode=ap-bridge ssid="merlin" ...
Virtual-AP interfaces are also created as 'disabled' and do not take part in data forwarding on CAP.
Access list on CAPsMAN is an ordered list of rules that is used to allow/deny clients to connect to any CAP under CAPsMAN control. When client attempts to connect to a CAP that is controlled by CAPsMAN, CAP forwards that request to CAPsMAN. As a part of registration process, CAPsMAN consults access list to determine if client should be allowed to connect.
Access list rules are processed one by one until matching rule is found. Then the action in the matching rule is executed. If action specifies that client should be accepted, client is accepted, potentially overriding it's default connection parameters with ones specified in access list rule.
Access list is configured in /caps-manager access-list menu. There are the following parameters for access list rules:
- client matching parameters:
- address - MAC address of client
- mask - MAC address mask to apply when comparing client address
- interface - optional interface to compare with interface to which client actually connects to
- time - time of day and days when rule matches
- signal-range - range in which client signal must fit for rule to match
- action parameter - specifies action to take when client matches:
- accept - accept client
- reject - reject client
- query-radius - query RADIUS server if particular client is allowed to connect
- connection parameters:
- ap-tx-limit - tx speed limit in direction to client
- client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)
- client-to-client-forwarding - specifies whether to allow forwarding data received from this client to other clients connected to the same interface
- private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used
- radius-accounting - specifies if RADIUS traffic accounting should be used if RADIUS authentication gets done for this client
- vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).
- vlan-id - VLAN ID to use if doing VLAN tagging.
Registration table contains a list of clients that are connected to radios controlled by CAPsMAN and is available in /caps-manager registration-table menu:
[admin@CM] /caps-manager> registration-table print # INTERFACE MAC-ADDRESS UPTIME RX-SIGNAL 0 cap1 00:03:7F:48:CC:0B 1h38m9s210ms -36
Create security profile for WPA2 PSK, without specifying passphrase:
[admin@CM] /caps-manager security>add name="wpa2psk" authentication-types=wpa2-psk encryption=aes-ccm
Create configuration profile to be used by master interface
- specify WPA2 passphrase in configuration
- specify channel settings in configuration:
[admin@CM] /caps-manager configuration> add name=master-cfg ssid=master security=wpa2psk security.passphrase=12345678 channel.frequency=5180 channel.width=20 channel.band=5ghz-a
Create configuration profile to be used by virtual AP interface
- specify different WPA2 passphrase in configuration:
[admin@CM] /caps-manager configuration> add name=slave-cfg ssid=slave security=wpa2psk security.passphrase=87654321
Create provisioning rule that matches any radio and creates dynamic interfaces using master-cfg and slave-cfg:
[admin@CM] /caps-manager provisioning> add action=create-dynamic-enabled master-configuration=master-cfg slave-configurations=slave-cfg
Now when AP connects and is provisioned 2 dynamic interfaces (one master and one slave) will get created:
[admin@CM] /caps-manager interface> print detail Flags: M - master, D - dynamic, B - bound, X - disabled, I - inactive, R - running 0 MDB name="cap1" mtu=1500 l2mtu=2300 radio-mac=00:0C:42:1B:4E:F5 master-interface=none configuration=master-cfg 1 DB name="cap2" mtu=1500 l2mtu=2300 radio-mac=00:00:00:00:00:00 master-interface=cap1 configuration=slave-cfg
Consider an AP, that does not support configured frequency connects and can not become operational:
[admin@CM] /caps-manager interface> pr Flags: M - master, D - dynamic, B - bound, X - disabled, I - inactive, R - running # NAME RADIO-MAC MASTER-INTERFACE 0 MDB ;;; unsupported band or channel cap3 00:0C:42:1B:4E:FF none ...
We can override channel settings for this particular radio in interface settings, without affecting master-cfg profile:
[admin@CM] /caps-manager interface> set cap3 channel.frequency=2142 channel.band=2ghz-b/g