Today I met a challenge: I needed to set up a good, working WiFi network across the whole building, using sixteen access points (APs). My previous setup was a plain deployment of standalone access points, each configured by hand, with channels and many other settings that had to be repeated on every AP.
So I created a centralized access point management setup for an office environment that scales to many access points. This is done by running the Controlled Access Point system Manager (CAPsMAN) on the router and connecting Controlled Access Points (CAPs) to it. I have two bands, 2.4GHz and 5GHz, with each network under the same SSID on both bands. I used this howto:
As CAPsMAN I used powerful hardware: the MikroTik CCR1009-7G-1C-1S+. As CAPs I use the hAP ac, a dual-band WiFi AP.
I assume you already have some experience with MikroTik configuration, so in this post I will use only terminal commands, with explanations.
So, let's begin.
Assume we have a default VLAN 600 with no DHCP and no internet connection; it is a dummy VLAN that leads nowhere. Then we have three more VLANs: one for management (3), one for guests (4) and one for employees (5). Routing between these VLANs is done by a Linux router, which is beyond the scope of this post. We use:
- 192.168.1.0/24 – management VLAN ID 3
- 192.168.2.0/24 – guest VLAN ID 4
- 192.168.3.0/24 – employee VLAN ID 5
Create a bond of four links for high bandwidth, with default VLAN 600:
/system identity set name=CAPSMAN
/interface bonding add name=bond1 slaves=ether1,ether2,ether3,ether4 mode=802.3ad lacp-rate=30secs link-monitoring=mii transmit-hash-policy=layer-2-and-3
/interface bridge add name=bridge1 vlan-filtering=no pvid=600
/interface bridge port add bridge=bridge1 interface=bond1 pvid=600
In the bridge configuration, create the VLAN entries (VLANs 3, 4 and 5 tagged, VLAN 600 untagged):
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,bond1 vlan-ids=3
add bridge=bridge1 untagged=bridge1,bond1 vlan-ids=600
add bridge=bridge1 tagged=bridge1,bond1 vlan-ids=4
add bridge=bridge1 tagged=bridge1,bond1 vlan-ids=5
Now we set up each VLAN (name and interface) and an IP address on the management VLAN. The address needs the /24 mask, otherwise the routes via 192.168.1.1 have no connected network to reach the gateway through:
/interface vlan add interface=bridge1 vlan-id=3 name=vlan-management
/ip address add address=192.168.1.2/24 interface=vlan-management
/ip route add dst-address=192.168.2.0/24 gateway=192.168.1.1
/ip route add dst-address=192.168.3.0/24 gateway=192.168.1.1
/interface vlan add interface=bridge1 vlan-id=4 name=vlan-guests
/interface vlan add interface=bridge1 vlan-id=5 name=vlan-users
And now we enable vlan-filtering so that this configuration starts working:
/interface bridge set bridge1 vlan-filtering=yes
Correspondingly, the switch side of the bond must be configured for 802.3ad. I use a Cisco switch:
interface port-channel 1
 description PCH:to-CAPSMAN
 switchport mode trunk
 no macro auto smartport
 no eee enable
 switchport trunk allowed vlan add 3
 switchport trunk allowed vlan add 4
 switchport trunk allowed vlan add 5
 switchport trunk native vlan 600
 flowcontrol off
exit
interface range giga 1-4
 no macro auto smartport
 no eee enable
 channel-group 1 mode auto
 description upport:CAPSMAN
 no shutdown
exit
write
Now set a few more things: timezone, clock, and disabling Winbox and other MAC-level access (the MAC server answers on layer 2 regardless of IP filtering, so it is switched off entirely):
/system clock set time-zone-name=Europe/Bratislava
/system ntp client set enabled=yes primary-ntp=192.168.1.1
/system clock print
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/password
# I use: test123
I create a CA (Certificate Authority), which ensures that only approved CAPs can connect and that the data between CAP and CAPsMAN is encrypted. So:
/certificate
add name=CA-CAPSMAN common-name=CA country=SK key-size=4096 organization=AAA state=Slovakia
add name=CAPSMAN common-name=CAPSMAN
/certificate sign CA-CAPSMAN ca-crl-host=192.168.1.2 name=CA
# wait a minute for the 4096-bit signing to complete; watch the CPU load with:
/system resource print
/certificate sign CAPSMAN ca=CA name=CAPSMAN
# creates cert_export_CA.crt; with export-passphrase set, the encrypted CA private key
# is written to the file store too (cert_export_CA.key), but the CAPs only need the .crt
/certificate export-certificate CA export-passphrase=test123
/certificate scep-server add ca-cert=CA path=/scep/CAPSMAN
/caps-man manager set ca-certificate=CA certificate=CAPSMAN
/caps-man manager set require-peer-certificate=yes
Now create some configurations for the CAPs: security profiles and so on. The employee network uses WPA2-EAP with RADIUS passthrough, so the CAPsMAN also needs a RADIUS server entry (/radius, service=wireless), which is not covered in this post.
/caps-man security
add name="home-employees" authentication-types=wpa2-eap eap-methods=passthrough eap-radius-accounting=yes
add name="home-guests" authentication-types=wpa2-psk passphrase="test12345"
# the configurations must reference the security profiles by the names given above
/caps-man configuration
add name="Config_AAA-guests_2-4" ssid="AAA-guests" country=slovakia installation=indoor security=home-guests datapath.bridge=bridge1 datapath.vlan-mode=use-tag datapath.vlan-id=4 channel.band=2ghz-g/n
add name="Config_AAA-employees_2-4" ssid="AAA-employees" country=slovakia installation=indoor security=home-employees security.eap-radius-accounting=no datapath.bridge=bridge1 datapath.vlan-mode=use-tag datapath.vlan-id=5 channel.band=2ghz-g/n
add name="Config_AAA-employees_5" ssid="AAA-employees" country=slovakia installation=indoor security=home-employees security.eap-radius-accounting=no datapath.bridge=bridge1 datapath.vlan-mode=use-tag datapath.vlan-id=5 channel.band=5ghz-n/ac
add name="Config_AAA-guests_5" ssid="AAA-guests" country=slovakia installation=indoor security=home-guests datapath.bridge=bridge1 datapath.vlan-mode=use-tag datapath.vlan-id=4 channel.band=5ghz-n/ac
Now we can configure our first CAP. This is done only once; any WiFi settings are configured through CAPsMAN afterwards. So I set the CAPs up to be managed, and to send their data, only via the management VLAN (VLAN ID 3). All wireless traffic will be forwarded to the CAPsMAN.
/system identity set name=CAP1
/interface bridge add name=bridge1 vlan-filtering=no pvid=600
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=600
add bridge=bridge1 interface=ether2 pvid=3
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=3
add bridge=bridge1 untagged=ether1,bridge1 vlan-ids=600
/interface bridge set bridge1 protocol-mode=none
/interface vlan add interface=bridge1 vlan-id=3 name=vlan-management
/ip address add address=192.168.1.3/24 interface=vlan-management
/system clock set time-zone-name=Europe/Bratislava
/system ntp client set enabled=yes primary-ntp=192.168.1.1
/system clock print
/interface bridge set bridge1 vlan-filtering=yes
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
# the numbers refer to the order in the print output (by default telnet, ftp, www, api, api-ssl); check it first
/ip service print
/ip service disable numbers=0,1,2,5,7
/password
# set password
Now we download the CA public certificate from our CAPsMAN and import it. Then we create a local certificate and send it as a request to the SCEP server running on CAPsMAN. There we must manually approve the request, and it gets signed by the CA we created earlier on CAPsMAN. This signed certificate is then used for the encrypted communication between the CAP and CAPsMAN. This step must be done manually for each CAP separately.
/tool fetch address=192.168.1.2 src-path=cert_export_CA.crt user=admin password="test123" mode=ftp
/certificate import file-name=cert_export_CA.crt passphrase=test123
/certificate add name=CAP1 common-name=CAP1 country=SK key-size=4096 organization=AAA state=Slovakia
/certificate add-scep template=CAP1 scep-url="http://192.168.1.2/scep/CAPSMAN"
Now, on CAPsMAN, we can see that there is a pending certificate request to grant:
/certificate scep-server requests print
 0 CA pending CAP1 feb/19/2020 12:21:11 5ceb9b622v8badde58316abtec0b7ecff6a
/certificate scep-server requests grant numbers=0
/certificate scep-server requests print
After we grant this certificate, we can continue on CAP1:
/interface wireless cap set certificate=CAP1
# hAP ac: wlan1 is the 2.4GHz radio and wlan2 the 5GHz radio; both are handed to CAPsMAN
/interface wireless cap set bridge=none discovery-interfaces=vlan-management enabled=yes interfaces=wlan1,wlan2 lock-to-caps-man=yes caps-man-addresses=192.168.1.2
And finally, we set this on CAPsMAN to provision the radio settings to CAP1, or the next CAP2… We could limit this to the MAC address of CAP1; my setting allows any CAP with a previously granted certificate to connect.
# one provisioning rule per band, selected by the radio's supported modes; the slave
# configuration of each rule becomes a virtual AP on the same radio and channel
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration="Config_AAA-guests_2-4" slave-configurations="Config_AAA-employees_2-4" name-format=prefix-identity
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration="Config_AAA-guests_5" slave-configurations="Config_AAA-employees_5" name-format=prefix-identity
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=vlan-management
/caps-man manager set enabled=yes
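The stricter variant mentioned above, as an added example that is not part of the original post: provisioning rules bound to the common names of the granted CAP certificates (CAP1, CAP2, …), one rule per band, followed by the print commands used to check what actually connected. The radio MAC in the disabled rule is a placeholder, not a value from the post.

```routeros
# Added example: only CAPs whose certificate common name looks like CAP<number>
# are provisioned; everything else stays unprovisioned even if it can connect.
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn \
    common-name-regexp="^CAP[0-9]+$" \
    master-configuration="Config_AAA-guests_2-4" \
    slave-configurations="Config_AAA-employees_2-4" \
    name-format=prefix-identity comment="2.4GHz radios of certificate-bound CAPs"
add action=create-dynamic-enabled hw-supported-modes=ac \
    common-name-regexp="^CAP[0-9]+$" \
    master-configuration="Config_AAA-guests_5" \
    slave-configurations="Config_AAA-employees_5" \
    name-format=prefix-identity comment="5GHz radios of certificate-bound CAPs"
# Optional: pin a rule to a single radio by its MAC address (placeholder value).
# Rules are matched top to bottom, so a MAC-pinned rule belongs above the generic ones.
add action=create-dynamic-enabled radio-mac=AA:BB:CC:DD:EE:FF \
    master-configuration="Config_AAA-guests_2-4" \
    name-format=prefix-identity disabled=yes comment="MAC-pinned example, disabled"

# Checks on CAPsMAN after a CAP has connected:
# which CAPs are connected, the dynamic interfaces created for their radios,
# the clients registered through them, and whether any SCEP requests still wait for a grant
/caps-man remote-cap print
/caps-man interface print
/caps-man registration-table print
/certificate scep-server requests print
```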
And now we can add the next CAP, like CAP2:
/system identity set name=CAP2
/interface bridge add name=bridge1 vlan-filtering=no pvid=600
/interface bridge port
add bridge=bridge1 interface=ether1 pvid=600
add bridge=bridge1 interface=ether2 pvid=3
/system logging add topics=caps
/system logging add topics=stp
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=3
add bridge=bridge1 untagged=ether1,bridge1 vlan-ids=600
/interface bridge set bridge1 protocol-mode=none
/interface vlan add interface=bridge1 vlan-id=3 name=vlan-management
/ip address add address=192.168.1.4/24 interface=vlan-management
/system clock set time-zone-name=Europe/Bratislava
/system ntp client set enabled=yes primary-ntp=192.168.1.1
/system clock print
/interface bridge set bridge1 vlan-filtering=yes
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/password
/ip service print
/ip service disable numbers=0,1,2,5,7
/tool fetch address=192.168.1.2 src-path=cert_export_CA.crt user=admin password="test123" mode=ftp
/certificate import file-name=cert_export_CA.crt passphrase=test123
/certificate add name=CAP2 common-name=CAP2 country=SK key-size=4096 organization=AAA state=Slovakia
/certificate add-scep template=CAP2 scep-url="http://192.168.1.2/scep/CAPSMAN"
#### now approve certificate on CAPSMAN via: certificate scep-server requests print....
#### after grant we can continue:
/interface wireless cap set certificate=CAP2
# both radios of the hAP ac (wlan1 = 2.4GHz, wlan2 = 5GHz) are handed to CAPsMAN
/interface wireless cap set bridge=none discovery-interfaces=vlan-management enabled=yes interfaces=wlan1,wlan2 lock-to-caps-man=yes caps-man-addresses=192.168.1.2