
MikroTik CAPsMAN

Haydar Fadel
May -25 - 2014
Overview
Controlled Access Point system Manager (CAPsMAN) allows
centralization of wireless network management and, if necessary, data
processing.
When using the CAPsMAN feature, the network will consist of a number
of 'Controlled Access Points' (CAPs) that provide wireless connectivity,
and a 'system Manager' (CAPsMAN) that manages the configuration of
the APs. It also takes care of client authentication and, optionally, data
forwarding.
Overview
When a CAP is controlled by CAPsMAN it only needs the minimum
configuration required to establish a connection with CAPsMAN.
Functions that were conventionally executed by an AP (such as access
control and client authentication) are now executed by CAPsMAN.
The CAP device now only has to provide the wireless link layer
encryption/decryption.
Depending on configuration, data is either forwarded to CAPsMAN for
centralized processing (the default) or forwarded locally at the CAP itself.
Overview
MikroTik have just introduced their much awaited wireless management
system CAPsMAN as of RouterOS 6.11.
This is the first BETA version of CAPsMAN and therefore should only be
used for testing purposes.
That being said we will explain how to install CAPsMAN on your MikroTik
RouterBOARD and learn how to get it up and running.

CAPsMAN features             MISSING CAPsMAN features
RADIUS MAC authentication    Nstreme AP support
WPA/WPA2 security            Nv2 AP support
TBA                          TBA
Overview
Requirements
CAPsMAN works on any RouterOS device from v6.11; wireless interfaces
are not required on the Manager (since it manages the wireless interfaces of CAPs).
Ensure you have at least two MikroTik RouterBOARDs running RouterOS
6.11 or later (one will be the CAPsMAN Controller and one will be
a CAPs Client for testing).
For the purpose of this LAB we will be starting with a blank configuration
(/system reset-configuration no-defaults=yes)
Notes:
CAPsMAN = CAPsMAN Router (device holding configurations for CAPs
clients).
CAPs = CAPs Client (device we will auto configure).
CAP to CAPsMAN Connection
For the CAPsMAN system to function and provide wireless connectivity, a
CAP must establish a management connection with CAPsMAN.
A management connection can be established using MAC or IP layer
protocols and is secured using 'DTLS'. DTLS encrypts the management
channel; whether either end can verify the identity of the other depends
on certificate configuration, which this lab does not set up.
A CAP can also pass the client data connection to the Manager, but the
data connection is not secured: once the CAP has removed the wireless
encryption, client traffic travels between CAP and Manager in the clear.
If this is deemed necessary, then other means of data security need to
be used, e.g. IPsec or encrypted tunnels, or local forwarding so that
client traffic is bridged at the CAP instead of being tunnelled to the Manager.
CAP to CAPsMAN Connection
CAP to CAPsMAN connection can be established using 2 transport
protocols (via Layer 2 and Layer 3).
MAC layer connection features:
no IP configuration necessary on CAP
CAP and CAPsMAN must be on the same Layer 2 segment - either physical or virtual
(by means of L2 tunnels)

IP layer (UDP) connection features:
can traverse NAT if necessary
CAP must be able to reach CAPsMAN using the IP protocol
if the CAP is not on the same L2 segment as CAPsMAN, it must be provisioned with
the CAPsMAN IP address, because IP multicast based discovery does not work over
Layer 3
CAP to CAPsMAN Connection
In order to establish a connection with CAPsMAN, the CAP executes a discovery
process.
During discovery, the CAP attempts to contact CAPsMAN and builds a list of
available CAPsMANs.
The CAP attempts to contact available CAPsMANs using:
the configured list of Manager IP addresses (caps-man-addresses)
the list of CAPsMAN IP addresses obtained from the DHCP server
broadcasting on the configured discovery interfaces using both IP and MAC layer protocols.
CAP to CAPsMAN Connection
When the list of available CAPsMANs is built, the CAP selects a CAPsMAN
based on the following rules:
if the caps-man-names parameter specifies allowed Manager names (the /system
identity of the CAPsMAN), the CAP will prefer the CAPsMAN that is earlier in the list; if the list is
empty it will connect to any available Manager. Note that this is a plain comparison of
the Manager's identity string, not an authentication check: any device on the segment
that answers discovery can present that name.
a suitable Manager with MAC layer connectivity is preferred to a Manager with IP
connectivity.
Implementation
Step 1:
Download and install the CAPsMAN package from www.mikrotik.com/download.
The package must match the RouterOS version and the architecture of the board;
RouterOS installs uploaded packages on the next reboot, so reboot after the upload.
Implementation
Step 2:
Implementation
Step 3:
First we will enable CAPs Management on the router:
[admin@Haydar] /caps-man manager set enabled=yes
Implementation
Step 4:
We will start by creating a basic CAPs channel profile:
Profile Name: CAPsMAN
Band: 2ghz-b/g/n
Frequency / Channel: 2412MHz (Channel 1)
Channel Width: 20MHz
[admin@Haydar] /caps-man channel add band=2ghz-b/g/n frequency=2412 width=20 name=CAPsMAN
Implementation
Step 5:
Now we will create a CAPs security profile:
Profile Name: security1
Authentication Type: wpa2-psk (WPA2-PSK only; WPA1 is not offered)
Encryption: aes-ccm (AES; TKIP is not offered)
Passphrase: mysecurek3y123
[admin@Haydar] /caps-man security add name=security1 authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=mysecurek3y123
Implementation
Step 6:
We will now create a configuration profile that ties the pieces together:
Profile Name: Config-1
Wireless Interface Mode: ap
SSID: Haydar-CAPs
Channel Profile: CAPsMAN (Step 4)
Security Profile: security1 (Step 5)
[admin@Haydar] /caps-man configuration add name=Config-1 mode=ap ssid="Haydar-CAPs" channel=CAPsMAN security=security1
Implementation
Step 7:
Create a provisioning rule for our CAPs router so that it is automatically
provisioned with the configuration from steps 4-6:
Radio MAC: D4:CA:6D:27:35:07 (the wlan1 MAC address we want to auto-provision, as
shown by /interface wireless print on the CAP)
Action: create-dynamic-enabled (create a dynamic, enabled interface for this radio)
Master Configuration: Config-1
[admin@Haydar] /caps-man provisioning add radio-mac=D4:CA:6D:27:35:07 action=create-dynamic-enabled master-configuration=Config-1
A radio whose MAC matches no provisioning rule is not provisioned, so this rule
also limits which radios the Manager will configure.
CAP Configuration
CAP behaviour of an AP is configured in the /interface wireless cap menu. It
contains the following settings:
Property                                                         Description
enabled (yes | no; Default: no)                                  Disable or enable the CAP feature
interfaces (list of interfaces; Default: empty)                  List of wireless interfaces to be controlled by the Manager
discovery-interfaces (list of interfaces; Default: empty)        List of interfaces over which the CAP should attempt to discover the Manager
caps-man-addresses (list of IP addresses; Default: empty)        List of Manager IP addresses that the CAP will attempt to contact during discovery
caps-man-names (list of allowed CAPs Manager names; Default: empty)   List of Manager names that the CAP will attempt to connect to; if empty, the CAP does not check the Manager name
bridge (bridge interface; Default: none)                         Bridge to which interfaces should be added when local forwarding mode is used
CAP Configuration
When an AP is configured to be controlled by CAPsMAN, configuration
of selected wireless interfaces entered on the AP itself is ignored.
Instead, AP accepts configuration for selected wireless interfaces from
CAPsMAN.
Notes:
The CAP wireless interfaces that are managed by CAPsMAN and whose traffic is
being forwarded to CAPsMAN (i.e. they are not in local forwarding mode) are
shown as disabled, with the note "Managed by CAPsMAN".
Those interfaces that are in local forwarding mode (traffic is locally managed by the
CAP, and only management is done by CAPsMAN) are not shown as disabled, but the
note "Managed by CAPsMAN" is shown.
Implementation
Step 8:
We now have to provide a basic configuration on the CAPs client router
for it to locate the CAPsMAN Controller and receive its wireless
configuration:
Start Configuration
/system identity set name=CAPs
/interface wireless cap set enabled=yes interfaces=wlan1 caps-man-addresses=192.168.3.1
/ip dhcp-client add interface=ether3 use-peer-dns=yes add-default-route=yes disabled=no
End Configuration
This assumes 192.168.3.1 is an address of the CAPsMAN router on the segment that
ether3 is cabled to, and that a DHCP server answers on that segment; with a blank
configuration on the Manager, both have to be added there first. Because the two
boards share a Layer 2 segment in this lab, discovery-interfaces=ether3 would also
find the Manager without any IP configuration on the CAP.
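The whole lab from Steps 3 to 8 as one script, added here as an example and not taken from the original slides. It also supplies what the slides leave implicit for a blank-configuration Manager (an address of 192.168.3.1 and a DHCP server on the interface the CAP is cabled to; that this is ether2 on the Manager is an assumption), pins the CAP to the Manager's identity name, and ends with the print commands used to verify provisioning. The pool, DHCP server and datapath names (cap-pool, cap-dhcp, local) and the bridge name bridge1 are made up for this example, and the local-forwarding variant at the end is an assumption beyond the slides.

```routeros
# ---------- CAPsMAN router (after /system reset-configuration no-defaults=yes) ----------
/system identity set name=CAPsMAN

# Assumed: ether2 faces the CAP. Give it the address the CAP is told to look for,
# and serve DHCP on it so the CAP's dhcp-client (Step 8) gets a lease.
/ip address add address=192.168.3.1/24 interface=ether2
/ip pool add name=cap-pool ranges=192.168.3.10-192.168.3.50
/ip dhcp-server add name=cap-dhcp interface=ether2 address-pool=cap-pool disabled=no
/ip dhcp-server network add address=192.168.3.0/24 gateway=192.168.3.1

# Step 3: enable the manager
/caps-man manager set enabled=yes

# Step 4: channel profile, 2412 MHz = channel 1, 20 MHz wide
/caps-man channel add name=CAPsMAN band=2ghz-b/g/n frequency=2412 width=20

# Step 5: WPA2-PSK with AES-CCM only (no WPA1, no TKIP)
/caps-man security add name=security1 authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=mysecurek3y123

# Step 6: configuration profile tying SSID, channel and security together
/caps-man configuration add name=Config-1 mode=ap ssid="Haydar-CAPs" channel=CAPsMAN security=security1

# Step 7: provision only the one radio we expect; a radio with any other MAC is left unprovisioned
/caps-man provisioning add radio-mac=D4:CA:6D:27:35:07 action=create-dynamic-enabled master-configuration=Config-1

# ---------- CAP router ----------
/system identity set name=CAPs
/ip dhcp-client add interface=ether3 use-peer-dns=yes add-default-route=yes disabled=no
# Reach the Manager by IP (Layer 3 discovery) and accept only a Manager whose identity
# is "CAPsMAN". The name check is a string match, not authentication (see selection rules).
# On a shared L2 segment, discovery-interfaces=ether3 would work with no IP configuration.
/interface wireless cap set enabled=yes interfaces=wlan1 caps-man-addresses=192.168.3.1 caps-man-names=CAPsMAN

# ---------- Verification ----------
# On the CAP: wlan1 is listed as managed and carries the "Managed by CAPsMAN" note
/interface wireless cap print
/interface wireless print
# On the Manager: the CAP appears as a remote CAP, the dynamic interface for
# D4:CA:6D:27:35:07 exists, and associated wireless clients show in the registration table
/caps-man remote-cap print
/caps-man interface print
/caps-man registration-table print

# ---------- Optional: local forwarding (assumption, not on the slides) ----------
# Client traffic is bridged at the CAP instead of being tunnelled unencrypted to the
# Manager. The configuration profile gets a datapath with local forwarding, and the CAP
# needs a bridge to put wlan1 into.
# /caps-man datapath add name=local local-forwarding=yes
# /caps-man configuration set Config-1 datapath=local
# /interface bridge add name=bridge1
# /interface wireless cap set bridge=bridge1
```

Paste the first section on the Manager and the second on the CAP; the order matters only in that the Manager must be enabled and reachable before the CAP starts discovery, otherwise the CAP simply keeps retrying until it is.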
Implementation
Step 9:
Verify that your CAPs client router's wlan1 interface has been provisioned successfully
(on the CAP with /interface wireless cap print, and on the Manager with /caps-man remote-cap print
and /caps-man interface print):
Conclusion
This tutorial is designed to get you up and running with a basic CAPsMAN
configuration.
It covers one of many ways (some of which are more secure) that
CAPsMAN can be used to provision MikroTik Wireless Interfaces.
It should only be used in a testing environment until the official release
(non BETA).
The END