MikroTik CAP and CAPsMAN

CAPsMAN configuration

A simple CAPsMAN configuration consists of five parts:

  • security profile
  • datapath
  • channel(s)
  • configuration template
  • provisioning profile

Let's see what these parts look like.

Security configuration

In this part, you need to configure the WPA key and/or the authentification method.

In my setup I use:

/caps-man security
add authentication-types=wpa2-psk,wpa2-eap encryption=aes-ccm,tkip \
    group-encryption=aes-ccm name=sec_prorfile passphrase=ThisIsNotASafeKey


A datapath determines, how the traffic is forwarded. If you chose local-forwarding=yes, the traffic from the wlanX interface is bridged to a bridge configured on the access point itself. Otherwise, the traffic will be routed to the CAPsMAN device where you can route it further.

My setup:

/caps-man datapath
add bridge=br_loopback client-to-client-forwarding=yes local-forwarding=no \
add bridge=br_loopback client-to-client-forwarding=yes local-forwarding=yes \

As you can see, I configured two datapaths. One allows local forwarding, the other is routing the access points traffic to the CAPsMAN itself.


The channel configuration sets channel frequencies, bandwidths and band:

/caps-man channel
add band=2ghz-b/g/n frequency=2412 name=ch_01_2400_20_bgn width=20
add band=2ghz-b/g/n frequency=2417 name=ch_02_2400_20_bgn width=20
add band=2ghz-b/g/n frequency=2422 name=ch_03_2400_20_bgn width=20
add band=2ghz-b/g/n frequency=2427 name=ch_04_2400_20_bgn width=20
add band=2ghz-b/g/n frequency=2432 name=ch_05_2400_20_bgn width=20
add band=2ghz-b/g/n frequency=2437 name=ch_06_2400_20_bgn width=20
add band=2ghz-b/g/n frequency=2442 name=ch_07_2400_20_bgn width=20
add band=2ghz-b/g/n frequency=2447 name=ch_08_2400_20_bgn width=20
add band=2ghz-b/g/n frequency=2452 name=ch_09_2400_20_bgn width=20
add band=2ghz-b/g/n frequency=2457 name=ch_10_2400_20_bgn width=20
add band=2ghz-b/g/n frequency=2462 name=ch_11_2400_20_bgn width=20
add band=2ghz-b/g/n frequency=2467 name=ch_12_2400_20_bgn width=20
add band=2ghz-b/g/n frequency=2472 name=ch_13_2400_20_bgn width=20


The "configuration" combines all of the above parts to actually create a complete configuration profile for a wlanX interface.

/caps-man configuration
add channel=ch_07_2400_20_bgn datapath=dp_via_local mode=ap name=cfg_default \
    security=sec_prorfile ssid=WiFi


The provisioning profile maps the configurations to actual access points and/or radios:

/caps-man provisioning
add action=create-dynamic-enabled identity-regexp=AP-FR-Z8* \

In this case the provisioning maps the configuration based on the devices identity setting. If the devices identity begins with "AP-FR-Z8" the given configuration will get applied.

Enabling CAPsMAN

Last thing to do on the CAPsMAN is enabling it and letting it auto-create the required certificates:

/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes

Access Point configuration

On the "client" access point, you simple enable CAP, enter CAPsMANs IP address and there you go. If you want to route traffic locally on the access point, specify a bridge for that purpose:

/system identity
set name=AP-FR-Z8-01_RB2011UiAS-2HnD

/interface wireless cap
set bridge=br_loopback caps-man-addresses= enabled=yes interfaces=\

Go back