Skip to content
MikroTik RouterOS Docs

CAPsMAN v2: Centralized Wireless Management

CAPsMAN v2: Centralized Wireless Management

Section titled “CAPsMAN v2: Centralized Wireless Management”

CAPsMAN v2 (Controlled Access Point Manager) lets a single RouterOS 7 device manage the entire wireless configuration for a fleet of APs. Every radio’s SSID, security, channel, VLAN, and roaming policy is defined once on the controller and pushed to all APs automatically.

This guide walks through the complete workflow: controller setup, CAP onboarding, profile configuration, provisioning rules, roaming, and managing large deployments.

CAPsMAN v2 requires RouterOS 7 with the wifi package. For the legacy wireless package (RouterOS 6 or RouterOS 7 without wifi), see CAPsMAN Configuration Reference.

Overview

Section titled “Overview”
┌─────────────────────────────────────────────────────────┐
│                    CAPsMAN Controller                   │
│  Defines: channel, security, datapath, configuration,   │
│           provisioning rules                            │
└────────────────────────┬────────────────────────────────┘
          CAP protocol (UDP 5246/5247 or L2)
          ┌─────────────┴──────────────┐
     ┌────▼────┐                  ┌────▼────┐
     │  AP-1   │                  │  AP-2   │
     │  CAP    │    ...           │  CAP    │
     └─────────┘                  └─────────┘

Controller responsibilities:

  • Stores all profile definitions (channel, security, datapath, configuration)
  • Runs provisioning rules that assign profiles to specific radios
  • Manages access lists and client policy
  • Appears as virtual wifiN interfaces for each managed radio

CAP responsibilities:

  • Discovers and authenticates to the controller
  • Executes the provisioned configuration on its radios
  • With local forwarding: handles data plane locally
  • Without a controller: radios remain disabled

Prerequisites

Section titled “Prerequisites”
  • RouterOS 7.x with wifi package installed on all devices
  • CAPsMAN controller: any RouterOS 7 device (CHR, hAP ax, RB5009, etc.)
  • CAPs: MikroTik APs running RouterOS 7 with wifi package
  • Layer 2 adjacency or routed connectivity between CAPs and controller
  • Controller must have valid IP on at least one bridge interface

Configuration

Section titled “Configuration”

Step 1: Enable the CAPsMAN Controller

Section titled “Step 1: Enable the CAPsMAN Controller”

On the device that will act as controller:

# Enable CAPsMAN manager
/interface/wifi/capsman set enabled=yes


# Verify it is running
/interface/wifi/capsman print

For L3 deployments (CAPs on remote subnets), ensure the controller’s firewall accepts CAPsMAN traffic:

/ip/firewall/filter add \
    chain=input \
    protocol=udp \
    dst-port=5246,5247 \
    action=accept \
    comment="CAPsMAN control and data"

Step 2: Create Channel Profiles

Section titled “Step 2: Create Channel Profiles”

Channel profiles define RF parameters. Create one per band/width combination you need across your deployment.

# 5 GHz — 80 MHz wide (Wi-Fi 6 capable)
/interface/wifi/channel add \
    name=5GHz-80 \
    band=5ghz-ax \
    frequency=5180,5200,5220,5240,5745,5765,5785,5805 \
    width=20/40/80mhz \
    skip-dfs-channels=all


# 2.4 GHz — 20 MHz (avoids co-channel interference in dense deployments)
/interface/wifi/channel add \
    name=2.4GHz-20 \
    band=2ghz-ax \
    frequency=2412,2437,2462 \
    width=20mhz

Channel selection options:

ParameterValuesNotes
band5ghz-ax, 2ghz-ax, 5ghz-ac, 2ghz-nWiFi generation
frequencyComma-separated MHz valuesEmpty = auto-select
width20mhz, 20/40mhz, 20/40/80mhz, 20/40/80/160mhzMax channel width
skip-dfs-channelsall, indoor, noSkip DFS to avoid radar delays
reselect-intervale.g. 1hPeriodically re-evaluate channel

Step 3: Create Security Profiles

Section titled “Step 3: Create Security Profiles”
# WPA2/WPA3 mixed for maximum compatibility, with 802.11r fast roaming
/interface/wifi/security add \
    name=Corporate \
    authentication-types=wpa2-psk,wpa3-psk \
    passphrase=YourSecurePassphrase! \
    encryption=ccmp,gcmp \
    management-protection=allowed \
    ft=yes \
    ft-over-ds=yes


# WPA3-only for high-security segments
/interface/wifi/security add \
    name=Secure \
    authentication-types=wpa3-psk \
    passphrase=HighSecurityPassphrase! \
    encryption=gcmp \
    management-protection=required

Enterprise (RADIUS) example:

/interface/wifi/security add \
    name=Enterprise \
    authentication-types=wpa2-eap,wpa3-eap \
    radius-server=10.0.0.50 \
    radius-secret=RadiusSecret \
    radius-accounting=yes \
    tls-mode=verify-certificate \
    certificate=radius-ca

Step 4: Create Datapath Profiles

Section titled “Step 4: Create Datapath Profiles”

Datapath profiles control how client traffic is forwarded.

# Staff VLAN — traffic exits on the CAP's bridge with VLAN tag 10
/interface/wifi/datapath add \
    name=Local-Staff \
    bridge=bridge-staff \
    vlan-id=10


# Guest VLAN — traffic exits on the CAP's bridge with VLAN tag 20
/interface/wifi/datapath add \
    name=Local-Guest \
    bridge=bridge-guest \
    vlan-id=20


# No VLAN tagging — plain bridge forwarding
/interface/wifi/datapath add \
    name=Untagged-Fwd \
    bridge=bridge-central

Forwarding in CAPsMAN v2: The /interface/wifi (CAPsMAN v2) datapath object does not have a local-forwarding parameter. In RouterOS 7 with the wifi package, CAPs always forward traffic locally through the bridge specified in the datapath profile. The legacy local-forwarding parameter belongs to CAPsMAN v1 (/caps-man/datapath). VLAN tagging is controlled by vlan-id on the datapath and by the bridge VLAN table on each CAP.

Step 5: Create Configuration Profiles

Section titled “Step 5: Create Configuration Profiles”

Configuration profiles combine channel, security, and datapath into a complete radio profile. They also enable roaming standards.

# 5 GHz — staff SSID
/interface/wifi/configuration add \
    name=5GHz-Staff \
    channel=5GHz-80 \
    security=Corporate \
    datapath=Local-Staff \
    ssid=CorpWiFi \
    country=Latvia


# 2.4 GHz — staff SSID
/interface/wifi/configuration add \
    name=2.4GHz-Staff \
    channel=2.4GHz-20 \
    security=Corporate \
    datapath=Local-Staff \
    ssid=CorpWiFi \
    country=Latvia


# Guest SSID (slave — added to both bands via provisioning)
/interface/wifi/configuration add \
    name=Guest-Config \
    channel=5GHz-80 \
    security=GuestSec \
    datapath=Local-Guest \
    ssid=CorpGuest

Roaming (802.11r/k/v): Fast BSS Transition (ft=yes, ft-over-ds=yes) is configured in the security profile (/interface/wifi/security), not in the configuration profile. Set ft=yes and ft-over-ds=yes on the security profile that will be shared across all APs. CAPsMAN ensures all APs sharing the same security profile operate in the same Mobility Domain, enabling seamless handoffs.

Country code: Use the RouterOS country name string (e.g. Latvia, United States) or no-country-set to skip regulatory restriction. Multi-word country names must be quoted when typed interactively but work unquoted in scripts: country="United States".

Step 6: Create Provisioning Rules

Section titled “Step 6: Create Provisioning Rules”

Provisioning rules map incoming CAPs to configuration profiles. Rules are evaluated top-to-bottom; first match wins.

# Rule 1: 5 GHz radios → 5 GHz config with staff + guest SSIDs
/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    supported-bands=5ghz-ax \
    master-configuration=5GHz-Staff \
    slave-configurations=Guest-Config


# Rule 2: 2.4 GHz radios → 2.4 GHz config
/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    supported-bands=2ghz-ax \
    master-configuration=2.4GHz-Staff

Re-provisioning: In CAPsMAN v2 (wifi package), provisioning rules are re-evaluated automatically when rules change or when a CAP reconnects. There is no manual /interface/wifi/provisioning provision command (unlike CAPsMAN v1). To force re-provisioning, disconnect and reconnect the CAP by toggling its CAP mode: /interface/wifi/cap set enabled=no then enabled=yes.

Provisioning actions:

ActionBehavior
create-dynamic-enabledCreate enabled interface; remove when CAP disconnects
create-enabledCreate persistent enabled interface
create-dynamic-disabledCreate disabled interface; remove on disconnect
create-disabledCreate persistent disabled interface
noneAccept CAP but do not create interfaces

Step 7: Configure CAPs

Section titled “Step 7: Configure CAPs”

Run the following on each AP that will be managed by the controller:

# Ensure WiFi interfaces are in a bridge
/interface/bridge add name=bridge-wifi
/interface/bridge/port add bridge=bridge-wifi interface=wifi1
/interface/bridge/port add bridge=bridge-wifi interface=wifi2


# Enable CAP mode — L2 discovery (same subnet)
/interface/wifi/cap set \
    enabled=yes \
    discovery-interfaces=bridge-wifi


# OR: Enable CAP mode — L3 discovery (controller on different subnet)
/interface/wifi/cap set \
    enabled=yes \
    caps-man-addresses=10.0.0.1 \
    discovery-interfaces=bridge-wifi

CAP configuration options:

ParameterDescription
caps-man-addressesController IP(s); multiple for redundancy
discovery-interfacesBridge interface to use for discovery (must be a bridge)
caps-man-namesController identity name — restricts which controller to join
lock-to-caps-manyes — only join controller with matching certificate
lock-to-caps-man-common-namesList of valid controller certificate CNs

Critical: discovery-interfaces must be a bridge, not a physical port. Using ether1 directly will not work.

Roaming Configuration

Section titled “Roaming Configuration”

CAPsMAN v2 enables seamless roaming when all APs are managed by the same controller.

How It Works

Section titled “How It Works”

With 802.11r/k/v enabled in the configuration profile:

  1. 802.11k — APs include neighbor reports in beacons. Clients learn adjacent AP MAC addresses and signal conditions without scanning.
  2. 802.11v — The controller (via the AP) can proactively suggest a better AP to a roaming client based on signal strength thresholds.
  3. 802.11r — Fast BSS Transition pre-authenticates the client with the target AP before the roam, reducing handoff to ~1–50 ms (vs 200–500 ms without FT).

Enabling Roaming

Section titled “Enabling Roaming”

Fast BSS Transition is enabled in the security profile (Step 3 above). All APs that share the same security profile automatically participate in the same mobility domain.

# Verify FT is enabled on the security profile
/interface/wifi/security print where name=Corporate

You should see ft=yes and ft-over-ds=yes in the output.

Blocking Weak-Signal Clients (Band Steering)

Section titled “Blocking Weak-Signal Clients (Band Steering)”

Use the access list to reject clients below a signal threshold, pushing them toward a closer AP:

# Reject associations from clients with very weak signal
/interface/wifi/access-list add \
    action=reject \
    signal-range=-120..-80 \
    comment="Block weak-signal clients"

Access-list actions in the wifi package are accept and reject. The CAPsMAN v1 query-then-allow action does not exist in the wifi package.

Roaming Notes

Section titled “Roaming Notes”
  • WPA3 + FT: Some WPA3-only clients do not support FT. Use wpa2-psk,wpa3-psk mixed mode if roaming is more important than WPA3-only enforcement.
  • FT over-DS vs over-air: ft-over-ds=yes uses the wired distribution system for key exchange (usually more reliable in CAPsMAN deployments). Both can be enabled.
  • PMF and FT: If using management-protection=required, ensure all clients support both PMF and FT simultaneously.

Managing Multiple APs

Section titled “Managing Multiple APs”

Naming Strategy

Section titled “Naming Strategy”

Use name-format in provisioning to control how managed interfaces are named on the controller, making large deployments navigable:

# Name by CAP identity (e.g. "office-ap1")
/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    supported-bands=5ghz-ax \
    master-configuration=5GHz-Staff \
    name-format=identity

Set a descriptive identity on each CAP:

# On CAP device
/system/identity set name=office-ap1

The managed interface on the controller will appear as office-ap1.

name-prefix does not exist in /interface/wifi/provisioning. The name-format=identity option names managed interfaces directly from the CAP device identity. If you need band-prefixed names, set distinct identities on each AP radio or use name-format=prefix-identity (prepends the provisioning rule index).

Site-Based Provisioning

Section titled “Site-Based Provisioning”

For multi-site deployments, use identity-regexp to assign site-specific configurations:

# Building A gets its own configs
/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    supported-bands=5ghz-ax \
    identity-regexp="^building-a-.*" \
    master-configuration=BuildingA-5G \
    name-format=identity


# Building B gets different configs
/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    supported-bands=5ghz-ax \
    identity-regexp="^building-b-.*" \
    master-configuration=BuildingB-5G \
    name-format=identity


# Catch-all for everything else
/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    supported-bands=5ghz-ax \
    master-configuration=5GHz-Default \
    name-format=identity

Name your APs accordingly: building-a-floor1-ap1, building-b-lobby-ap1, etc.

MAC-Based Provisioning for Specific APs

Section titled “MAC-Based Provisioning for Specific APs”

Pin a specific AP to a specific configuration (e.g., a lobby AP needing a different SSID):

# This rule must appear ABOVE the band-based catch-all
/interface/wifi/provisioning add \
    action=create-dynamic-enabled \
    mac-address=AA:BB:CC:DD:EE:01 \
    master-configuration=Lobby-AP-5G \
    comment="Lobby AP - special config"

Re-Provisioning After Changes

Section titled “Re-Provisioning After Changes”

When you modify provisioning rules, CAPsMAN v2 re-evaluates rules automatically. To force immediate re-provisioning for a specific CAP, toggle its CAP mode:

# On the CAP device — reconnect to trigger re-provisioning
/interface/wifi/cap set enabled=no
/interface/wifi/cap set enabled=yes

CAP Redundancy (Multiple Controllers)

Section titled “CAP Redundancy (Multiple Controllers)”

A CAP can fail over to a backup controller:

# On CAP — list primary then backup controller
/interface/wifi/cap set \
    enabled=yes \
    caps-man-addresses=10.0.0.1,10.0.0.2 \
    discovery-interfaces=bridge-wifi

The CAP tries controllers in order. If the primary is unreachable after a timeout, it connects to the backup.

Verification

Section titled “Verification”

On the Controller

Section titled “On the Controller”
# List all connected CAPs
/interface/wifi/capsman/remote-cap print


# List all managed interfaces (one per radio per CAP)
/interface/wifi print where mac-address~":"


# View client associations
/interface/wifi/registration-table print


# Show active interfaces with signal/rate data
/interface/wifi/registration-table print detail

Expected output for a CAP with two radios:

# /interface/wifi/capsman/remote-cap print
 # NAME           STATE     RADIOS  ADDRESS
 0 office-ap1     running   2       10.0.1.100


# /interface/wifi print (excerpt)
 # NAME            TYPE  CHANNEL       SSID           STATE
 0 5g-office-ap1   wifi  5180/80       CorpWiFi       running
 1 2g-office-ap1   wifi  2437/20       CorpWiFi       running

On the CAP

Section titled “On the CAP”
# Check CAP connection status
/interface/wifi/cap print


# Should show: state=running, controller=<ip>

Verify Roaming

Section titled “Verify Roaming”
# Watch for FT associations (fast roam events appear with ft-auth in log)
/log/print follow where topics~"wireless"


# Check which APs a client has visited
/interface/wifi/registration-table print where mac-address=AA:BB:CC:DD:EE:FF

Troubleshooting

Section titled “Troubleshooting”

CAP Not Registering

Section titled “CAP Not Registering”
# On CAP: check state
/interface/wifi/cap print


# Common causes:
# - caps-man-addresses wrong or unreachable
# - discovery-interfaces set to physical port (must be bridge)
# - WiFi interfaces not added to discovery bridge
# - Firewall blocking UDP 5246/5247 on controller


# Test reachability from CAP
/ping 10.0.0.1 count=4

SSID Not Broadcasting

Section titled “SSID Not Broadcasting”
# On controller: check if interfaces are running
/interface/wifi print


# Check provisioning matched the radio
/interface/wifi/provisioning print


# If provisioning rules changed, reconnect the CAP to re-provision
# (run on the CAP device)
/interface/wifi/cap set enabled=no
/interface/wifi/cap set enabled=yes

Clients Not Roaming Smoothly

Section titled “Clients Not Roaming Smoothly”
  • Verify same SSID and same security profile across all APs
  • Confirm ft=yes and ft-over-ds=yes are set on the shared security profile
  • Check client device supports 802.11r (some enterprise clients disable FT)
  • Try ft-over-ds=yes if over-air FT is failing
  • For WPA3-only clients struggling with FT, switch to wpa2-psk,wpa3-psk mixed

VLANs Not Working with Local Forwarding

Section titled “VLANs Not Working with Local Forwarding”
# On CAP: verify VLAN is configured on local bridge
/interface/bridge/vlan print


# The CAP's bridge must have the VLAN configured as tagged/untagged
/interface/bridge/vlan add bridge=bridge-wifi \
    tagged=bridge-wifi,ether1 \
    vlan-ids=10

CAP Connects But No Interfaces Created

Section titled “CAP Connects But No Interfaces Created”
# On controller: check provisioning rules match the radio
/interface/wifi/capsman/remote-cap print detail


# The "supported-bands" must match what the radio reports
# Check what bands the CAP radio actually supports
/interface/wifi/capsman/remote-cap print detail where name=<cap-name>

See Also

Section titled “See Also”