Setting up CAPsMAN (basic configuration)
18 Aug 23


CAPsMAN = Controlled Access Point system Manager

prepared under RouterOS v. 6.49.8 stable. 

CAPsMAN is software, part of RouterOS, for administering access point devices (APs). The access points can be specialised Mikrotik devices such as the cAP range, or any MT device that has a WLAN interface. Its clients are connected by ethernet: this is not for a 'mesh' setup where the access points communicate among themselves by  wireless channels. The 'server' device does not have to be on the same subnet as the client APs. 


On the CAPsMAN server device.

1. Choose a device to be the CAPsMAN manager. This could be any MT device; it doesn't have to have a wireless interface itself. But it needs to have the wireless package enabled (System>Packages>wireless); after enabling this, after reboot, 'CAPsMAN' will be present in the left side menu. 

2. Select 'CAPsMAN' and choose the 'Manager' menu, Add New and check 'Enabled'. 

2. In CAPsMAN>Configurations. This going to be a basic configuration which will apply to all the  Access Point client. Later one can make other configurations for different classes of AP client, and set many other detailed parameters. Add New. A default 'Name' will be provided which you can change. Set 'Mode' to 'ap', provide an SSID so your users can choose a radio signal on their devices, set your 'Country', make sure that 'Local Forewarding' is ticked and choose values for 'Authentification Type' (e.g. WPA PSK and WPA2 PSK), 'Encryption' (e.g. aes ccm) and a password ('Passphrase'). Apply. 

3. In CAPsMAN>Provisioning, Add New, check 'Enabled' and under 'Action' select 'create dynamic enabled'. 'Master Configuration' should show the name of the Configuration you have just set up. Apply. 


On each Access Point device. 

4. Devices with a wlan interface can be controlled by the CAPsMAN server. This includes wireless services on the the device running the CAPsMAN server itself; other devices need to be connected by ethernet to the CAPsMAN server device. On each device, go to the 'Wireless' menu item and click on 'CAP', make it 'Enabled' then select one or more WLAN 'Interfaces' and enter the IP address of the CAPsMAN server on your local network (in the case of WLANs on the same device as the CAPsMAN server, this will be 127. 0.0.1). Apply. The display of the Wireless>WiFi Interfaces window will change to indicate that this WLAN is now "managed by CAPsMAN" and show the channel details and the SSID.

Further information. On a device with a WLAN interface controlled by CAPsMAN on the same device, if CAPsMAN does not detect an established CAP wlan then check in the firewall that packets from the wireless interface(s) are not blocked. If necessary add a rule to accept on the input chain from 127.0.0.1. (can be limited to; Protocol udp, Destination Port 5246-5247).

Back on the CAPsMAN server

5. Now on the CAPsMAN server device, go to CAPsMAN>Radio, select the access point(s) you have set up and for each one press the button 'Provision'. CAPsMAN>CAP Interface will now show traffic on the access points details of which are given at CAPsMAN>Remote CAP. Futher, a remote signal scan is available at CAPsMAN>CAP Scanner. 

Wireless device users should now be able to see the SSID(s) on access points and connect to them. 



References
1. Normunds in the definitive CAPsMAN video: youtube.com/watch?v=taQ70m0DVYA
2. Mikrotik reference (old manual): https://wiki.mikrotik.com/wiki/Manual:CAPsMAN