CAPsMAN (Controlled Access Point Manager)

CAPsMAN (Controlled Access Point Manager)

Version Info

RouterOS 7.16 | Min: v6.0+ | :clock1: 30 minutes | :large_orange_diamond: Intermediate

Tested on: 7.16 7.14

Version-specific notes

• v7.21+: Secure data forwarding (on-capsman-secure) for encrypted tunneling
• v7.13+: WiFi CAPsMAN for wifi-qcom devices with WPA3, OWE, 802.11r
• v6.x: Legacy CAPsMAN only; requires wireless-cm2 package

TL;DR (Quick Start)

For the impatient: basic CAPsMAN setup with one SSID.

On CAPsMAN Controller (Legacy):

/caps-man manager set enabled=yes certificate=auto ca-certificate=auto
/caps-man security add name=sec-main authentication-types=wpa2-psk passphrase="SecurePassword123"
/caps-man datapath add name=dp-main bridge=bridge
/caps-man configuration add name=cfg-main ssid=Corporate security=sec-main datapath=dp-main country="united states"
/caps-man provisioning add action=create-dynamic-enabled master-configuration=cfg-main

On CAP Device (Legacy):

/interface wireless cap set enabled=yes interfaces=wlan1,wlan2 caps-man-addresses=192.168.88.1 bridge=bridge

Verify:

/caps-man remote-cap print    # Connected CAPs
/caps-man registration-table print    # Connected clients

Overview

What this does: CAPsMAN provides centralized wireless management for MikroTik access points. A single controller (CAPsMAN server) pushes configurations to multiple CAP devices, handles client authentication, and optionally processes all wireless traffic centrally.

When to use this:

• Managing 3+ access points from one location
• Enterprise WiFi with consistent policies
• Multi-SSID deployments with VLAN segmentation
• Centralized RADIUS/WPA2-Enterprise authentication
• Simplified AP provisioning and firmware upgrades

Two CAPsMAN Systems Exist:

System	Menu Path	Hardware	Key Features
Legacy CAPsMAN	/caps-man	802.11n/ac (wireless package)	Stable, widely deployed
WiFi CAPsMAN	/interface/wifi	802.11ax/ac (wifi-qcom package)	WPA3, OWE, 802.11r, 802.11k/v

Legacy CAPsMAN and WiFi CAPsMAN are not compatible. Legacy CAPs cannot join WiFi CAPsMAN, and vice versa. Mixed hardware fleets require running both systems.

Prerequisites:

• CAPsMAN controller: Any RouterOS device (including CHR)
• CAP devices: Level 4+ license, compatible wireless hardware
• Network connectivity: L2 (same broadcast domain) or L3 (routed) with UDP 5246-5247 allowed
• Bridge configured on controller if using CAPsMAN forwarding

Architecture

Traffic Forwarding Modes

Mode	Data Flow	Performance	Use Case
Local Forwarding	Traffic stays at CAP	Higher (~150 Mbps)	Performance-critical, remote sites
CAPsMAN Forwarding	Traffic tunneled to controller	Lower (~80 Mbps)	Centralized control, monitoring
CAPsMAN Secure (7.21+)	Encrypted tunnel to controller	Lower	Security-sensitive deployments

Community Tips

• WiFiWave2 (wifi-qcom) only supports local forwarding - there is no CAPsMAN forwarding mode for these devices
• Local forwarding requires VLAN configuration on each CAP; CAPsMAN forwarding centralizes this
• Use CAPsMAN forwarding when you need all client ARP entries visible on one bridge

CAP Discovery Methods

Method	Configuration	Use Case
L2 (Broadcast)	discovery-interfaces=bridge	Same network segment
L3 (Unicast)	caps-man-addresses=IP	Routed networks
DHCP Option 138	caps-manager=IP on DHCP server	Zero-touch provisioning

Configuration Steps (Legacy CAPsMAN)

Use these steps for 802.11n/ac hardware using the wireless package.

Step 1: Enable CAPsMAN Manager

On the controller device, enable the CAPsMAN server with automatic certificate generation.

/caps-man manager set enabled=yes certificate=auto ca-certificate=auto

Why certificates? CAPsMAN uses DTLS encryption between controller and CAPs. Auto-generated certificates simplify initial setup.

Step 2: Create Security Profile

Define authentication settings for your wireless network.

/caps-man security add name=sec-corp \
    authentication-types=wpa2-psk \
    encryption=aes-ccm \
    passphrase="YourSecurePassword123"

For enterprise authentication (RADIUS):

/caps-man security add name=sec-enterprise \
    authentication-types=wpa2-eap \
    encryption=aes-ccm \
    eap-methods=passthrough

Step 3: Create Channel Profile (Optional)

Define radio settings. Skip for automatic channel selection.

# 5GHz profile
/caps-man channel add name=ch-5ghz band=5ghz-n/ac width=20/40mhz-Ce

# 2.4GHz profile - use only non-overlapping channels
/caps-man channel add name=ch-2ghz band=2ghz-g/n frequency=2412,2437,2462 width=20mhz

Common Mistakes

• Don’t use all 13 channels on 2.4GHz - use only 1, 6, and 11 (frequencies 2412, 2437, 2462)
• Don’t skip DFS channels unless you experience issues - they provide more spectrum on 5GHz
• Don’t set channel width higher than 40MHz on 2.4GHz

Step 4: Create Datapath Profile

Define how client traffic is handled.

/caps-man datapath add name=dp-main \
    bridge=bridge \
    local-forwarding=no \
    client-to-client-forwarding=yes

For local forwarding (higher performance):

/caps-man datapath add name=dp-local \
    local-forwarding=yes \
    client-to-client-forwarding=yes

Step 5: Create Configuration Profile

Combine security, channel, and datapath into a complete configuration.

/caps-man configuration add name=cfg-main \
    ssid=Corporate \
    security=sec-corp \
    channel=ch-5ghz \
    datapath=dp-main \
    country="united states"

Step 6: Create Provisioning Rule

Define how CAPs receive their configuration.

/caps-man provisioning add \
    action=create-dynamic-enabled \
    master-configuration=cfg-main

For dual-band with multiple SSIDs:

/caps-man provisioning add \
    hw-supported-modes=gn \
    action=create-dynamic-enabled \
    master-configuration=cfg-2ghz \
    slave-configurations=cfg-guest

/caps-man provisioning add \
    hw-supported-modes=an,ac \
    action=create-dynamic-enabled \
    master-configuration=cfg-5ghz \
    slave-configurations=cfg-guest

Step 7: Configure CAP Devices

On each access point, enable CAP mode.

/interface wireless cap set enabled=yes \
    interfaces=wlan1,wlan2 \
    caps-man-addresses=192.168.88.1 \
    discovery-interfaces=bridge \
    bridge=bridge

Configuration Steps (WiFi CAPsMAN)

Use these steps for Wi-Fi 6 or Wave2 hardware using the wifi-qcom or wifi-qcom-ac packages (RouterOS 7.13+).

Step 1: Enable WiFi CAPsMAN

/interface/wifi/capsman set enabled=yes

Step 2: Create Security Profile with WPA3

/interface/wifi/security add name=sec-wpa3 \
    authentication-types=wpa2-psk,wpa3-psk \
    passphrase="SecurePassword123" \
    ft=yes ft-over-ds=yes ft-mobility-domain=12345

Why WPA2+WPA3? Transition mode allows older devices to connect while offering WPA3 to capable clients.

Step 3: Create Channel Profile

/interface/wifi/channel add name=ch-5ghz \
    frequency=5180,5260,5500 \
    width=20/40/80mhz

Step 4: Create Datapath Profile

/interface/wifi/datapath add name=dp-main bridge=bridge

Step 5: Create Configuration

/interface/wifi/configuration add name=cfg-main \
    ssid=Enterprise \
    security=sec-wpa3 \
    channel=ch-5ghz \
    datapath=dp-main \
    country="United States"

Step 6: Create Provisioning Rule

/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    master-configuration=cfg-main

Step 7: Configure WiFi CAP Devices

On each WiFi CAP, specify the CAPsMAN controller address. The CAP will download its configuration from the controller.

# Using static controller address
/interface/wifi set wlan1 configuration.manager=192.168.88.1

# Or using DHCP option 138 for auto-discovery (configure on DHCP server)
# /ip dhcp-server network set [find] caps-manager=192.168.88.1

For dual-band devices, configure both radios:

/interface/wifi set wlan1,wlan2 configuration.manager=192.168.88.1

Multi-SSID with VLANs

Segment traffic for corporate, guest, and IoT networks.

Create Datapath Profiles

/caps-man datapath add name=dp-corp bridge=bridge vlan-mode=use-tag vlan-id=100
/caps-man datapath add name=dp-guest bridge=bridge vlan-mode=use-tag vlan-id=200
/caps-man datapath add name=dp-iot bridge=bridge vlan-mode=use-tag vlan-id=300

Create Security Profiles

/caps-man security add name=sec-corp authentication-types=wpa2-eap eap-methods=passthrough
/caps-man security add name=sec-guest authentication-types=wpa2-psk passphrase="GuestPass123"
/caps-man security add name=sec-iot authentication-types=wpa2-psk passphrase="IoTSecure456"

Create Configurations

/caps-man configuration add name=cfg-corp ssid=Corporate security=sec-corp datapath=dp-corp
/caps-man configuration add name=cfg-guest ssid=Guest security=sec-guest datapath=dp-guest
/caps-man configuration add name=cfg-iot ssid=IoT security=sec-iot datapath=dp-iot

Provision with Slave Configurations

/caps-man provisioning add \
    action=create-dynamic-enabled \
    master-configuration=cfg-corp \
    slave-configurations=cfg-guest,cfg-iot

Common Mistakes

• Configure wired VLANs first and verify functionality before adding wireless VLAN complexity
• Don’t manually add CAPsMAN-managed wireless interfaces to bridges - CAPsMAN does this automatically
• Running commands to admit-only-vlan-tagged packets may lock you out if connected via that interface

Enterprise RADIUS Integration

RADIUS (Remote Authentication Dial-In User Service) enables centralized authentication through external identity providers like Active Directory, LDAP, or dedicated RADIUS servers (FreeRADIUS, NPS).

Configure RADIUS Server

/radius add address=10.0.0.10 secret="RadiusSecret" \
    service=wireless authentication-port=1812 accounting-port=1813

/radius incoming set accept=yes

Configure CAPsMAN AAA

/caps-man aaa set interim-update=5m called-format=ssid

Per-SSID RADIUS Routing

Route different SSIDs to different RADIUS servers:

/caps-man aaa set called-format=ssid
/radius add address=10.0.0.10 secret="Secret1" service=wireless called-id=Corporate
/radius add address=10.0.0.20 secret="Secret2" service=wireless called-id=Guest

Community Tips

• RouterOS cannot authenticate directly to Active Directory via LDAP - you need an intermediate RADIUS server (FreeRADIUS, NPS)
• For User Manager v5 integration, register CAPsMAN as a RADIUS client with matching shared secret

Client Steering and Load Balancing

Load Balancing Groups

Distribute clients across APs:

/caps-man configuration add name=cfg-5ghz ssid=Enterprise load-balancing-group=main-lb
/caps-man configuration add name=cfg-2ghz ssid=Enterprise load-balancing-group=main-lb

Signal-Based Roaming (Access List)

Force clients to roam when signal degrades:

# Accept clients with good signal
/caps-man access-list add action=accept interface=all signal-range=-80..0

# Reject clients with poor signal (forces reassociation)
/caps-man access-list add action=reject interface=all signal-range=-120..-81

802.11r Fast Roaming (WiFi CAPsMAN)

/interface/wifi/security add name=sec-ft \
    authentication-types=wpa2-psk passphrase="Password123" \
    ft=yes ft-over-ds=yes ft-mobility-domain=12345

Requirement: All APs must be managed by the same RouterOS instance for 802.11r to work.

Verification

Check CAPsMAN Status

# Manager status
/caps-man manager print
# Expected: enabled=yes with certificates

# Connected CAPs
/caps-man remote-cap print
# Expected: List of CAPs with STATE=Run

# Available radios
/caps-man radio print
# Expected: Radios with P flag (provisioned)

# Managed interfaces
/caps-man interface print
# Expected: Master/slave interfaces per radio

# Connected clients
/caps-man registration-table print
# Expected: Client MACs with signal strength

Check CAP Device Status

On the CAP device:

/interface wireless cap print
# Expected: enabled=yes, caps-man-state=Connected

WiFi CAPsMAN Verification

/interface/wifi/capsman print
/interface/wifi print where configuration.manager
/interface/wifi/registration-table print

Expected result: CAPs show as connected, clients visible in registration table with signal levels around -60 to -70 dBm for good connections.

Common Scenarios

Scenario: 30+ AP Enterprise Deployment

For large deployments, hardware selection matters:

# Use CCR2004 or RB4011 as controller - NOT CRS switches
# CRS switches work for switching but lack CPU for heavy CAPsMAN processing

# Configure upgrade policy for automated CAP firmware updates
/caps-man manager set upgrade-policy=suggest-same-version package-path=/flash/packages

Scenario: Home with Multiple APs

# Simple dual-band setup
/caps-man configuration add name=cfg-home ssid=MyHome security=sec-home country="united states"
/caps-man provisioning add action=create-dynamic-enabled master-configuration=cfg-home

# Enable RSTP on hAP ax devices for proper roaming
/interface bridge set bridge protocol-mode=rstp

Scenario: RouterOS 6 to 7 Migration

1. Create binary backup AND text export before upgrading
2. Upgrade path: 6.x → 7.12.1 → latest 7.x
3. Legacy CAPsMAN config migrates automatically
4. wAP ac devices cannot run wifi-qcom drivers (not ARM-based)

Troubleshooting

Symptom	Cause	Solution
CAP shows “No Connection”	Firewall blocking UDP 5246-5247	Add accept rules for CAPsMAN ports
Discovery fails	Wrong discovery interface	Use bridge interface, not physical port
5GHz delayed start	DFS channel scanning (up to 10 min)	Wait, or use skip-dfs-channels=yes
”Managed Locally” on controller	Manager set on controller’s own interfaces	Set manager=local on controller WiFi interfaces
All APs on same channel	Simultaneous scan at startup	Use staggered rescanning or explicit frequencies
Duplicate MAC conflicts	Default bridge/WiFi MACs identical	Verify unique MACs on all interfaces
Max 50 Mbps throughput	Datapath misconfiguration	Remove CAP interfaces from manual bridge when using local forwarding
Clients won’t roam	Roaming is client-controlled	Lower TX power, enable 802.11k/r/v, use access-list signal thresholds
WPA3 not available	Using legacy CAPsMAN	Requires WiFi CAPsMAN (7.13+) with wifi-qcom package

Community Tips

• Start TX power at 14 dBm and tune down - target 12 dBm or lower in dense deployments
• Lower TX power actually improves roaming behavior
• For 2.4GHz, disable low data rates to encourage client roaming
• Don’t use the “Provisioning” button in the Radio tab - it destroys and recreates interfaces
• Set reselect-interval=10m with save-selected=yes for channel optimization

Common Mistakes

• Don’t increase TX power from 20dB to 30dB thinking it will improve coverage - it makes roaming worse
• Don’t mix legacy and WiFi CAPsMAN for the same APs - they’re incompatible
• Don’t manually add CAPsMAN-created interfaces to bridges
• Don’t use CAPsMAN forwarding when you need maximum throughput - use local forwarding
• Don’t forget to open UDP 5246-5247 in your firewall

Firewall Rules

Allow CAPsMAN traffic through the firewall:

/ip firewall filter add chain=input protocol=udp dst-port=5246-5247 \
    action=accept comment="CAPsMAN discovery/management" place-before=0

# If using RADIUS
/ip firewall filter add chain=input protocol=udp dst-port=1812-1813 \
    src-address=10.0.0.10 action=accept comment="RADIUS from server"

DHCP Auto-Discovery

Configure DHCP to advertise CAPsMAN server:

/ip dhcp-server network set [find] caps-manager=192.168.88.1

Related Topics

Prerequisites

• IP Address Configuration - controller must have an IP for CAP discovery
• Bridge Configuration - CAPsMAN typically bridges wireless traffic
• DHCP Server - can advertise CAPsMAN server via Option 138

WiFi Topics

• WiFi Basic Setup - single AP configuration without CAPsMAN

Infrastructure

• Bridge VLAN Filtering - VLAN infrastructure for multi-SSID deployments
• VLAN Configuration - segment wireless traffic by SSID
• Firewall Basics - allow CAPsMAN ports (UDP 5246-5247)

Enterprise Features

• RADIUS - enterprise authentication backend (WPA2-Enterprise)
• 802.1X - port-based network access control

Reference

• MikroTik AP Controller CAPsMAN
• MikroTik CAPsMAN Reference
• MikroTik WiFi Documentation
• Enterprise Wireless with User Manager v5