CAPsMAN
Recent changes, spectrum usage, security features
MUM 2017 Milan | Patrik Schaub | © FMS Internetservice GmbH
FMS Internetservice GmbH
Company Profile
FMS Internetservice GmbH
- Value Added Distributor
- Distribution
- Training
- Consulting
- Support
- Founded 1997
- 11 employees
- Southern Germany
Get in Touch
- Website: http://www.fmsweb.de
- MikroTik Mirror: http://www.mikrotik-software.de
- Shop: http://www.mikrotik-shop.de
- Wiki: http://wiki.fmsweb.de
- Twitter: https://twitter.com/fmsweb_de
- Facebook: https://www.facebook.com/fmsinternetservice
- Phone: +49 761 2926500
- Email: [email protected]
Training Center
- Official MikroTik trainings
- All certification levels
- First German speaking partner
- Two trainers
- Own training facility
- Inquiries: [email protected]
Sebastian Inacker: TR11
Patrik Schaub: TR23
Distributor Table
Distributor Table
Live Demonstrations:
- Nokia Vplus setup
- Nokia AMS demonstration
- CRS 10G on 10 meter copper (see tomorrow’s CRS presentation)
Distributor Table
- Learn about Vectoring, VDSL+ and G.FAST with Alcatel-Lucent
MikroTik Based Accesspoint
Do you need towers or masts? Contact [email protected]
CAPsMAN
What is it about and how to get it running
CAPsMAN Basic Features
- Provisioning (configuration) of access points
- Authentication and access control of clients
- Handling of client traffic
- Monitoring of client connections
Client Traffic: Local Forwarding
[Diagram: CAPsMAN, four APs, local network]
- Access point handles traffic
- Manual access point configuration
Manager Forwarding
[Diagram: CAPsMAN, four APs, local network]
- CAPsMAN handles traffic
- No access point configuration
- Automatic UDP tunnel
Getting Started
- Install CAPsMAN package (on old ROS versions)
- Configure CAPsMAN
- Create provisioning and config on CAPsMAN
- Configure APs (CAPs) to use manager
[Screenshots: CAPsMAN configuration, CAP configuration]
Minimum CAP Configuration (Layer 2)
- Enable
- Choose CAP interfaces
- Choose discovery interfaces
Minimum CAPsMAN Configuration
- Enable
- Create bridge
- Add port
Minimum CAPsMAN Configuration
- Provisioning (Condition/Action)
- Wireless Config: SSID
- Datapath Config: Bridge
Latest CAPsMAN Features
See what’s new
Changes wireless-rep Package
wireless-cm2 wireless (formerly wireless-rep)
- Optimize 2.4GHz performance
- Disable 802.11b legacy mode
Optimize performance w/o 802.11b
- 802.11b uses DSSS modulation
- 802.11g/n uses OFDM modulation
- OFDM nodes have to take DSSS nodes into account
- DSSS nodes use more air time
Latest Changes: Discovery Interface
- List of interfaces on which CAPsMAN will listen for CAPs
- For bridges: use bridge, not port
[Screenshots: Current Stable, Current RC]
Latest Changes: Static Virtual
- capsman - added support for static virtual interfaces on CAP;
Latest Changes: Static Virtual
- Virtual interface, e.g. individual: SSIDs, security setting, traffic forwarding (VLAN, bridging …)
- New virtual interface with each CAPsMAN connect
Latest Changes: Static Virtual
- Local forwarding: enabled interface
- Local interface configuration necessary
- E.g. local traffic handling:
  - Forwarding traffic to VLAN
  - By using virtual interface as bridge port
Latest Changes: Static Virtual
Latest Changes: Static Virtual
- wlan7 just disabled, not removed
Static Virtual vs. CAP Bridge Setting
- Dynamic bridge port
- Alternative to static virtual for
  - Only one bridge
  - No other settings (e.g. IP, routing …)
Latest Changes: Save Selected
- Save selected channel
- No frequency set = “auto”
- Speeds up frequency selection on CAPsMAN start
Save Selected: CAPsMAN Disabled
Save Selected: CAPsMAN Reconnect
[Screenshot: channel selection, with callouts 1 (Inactive), 2 (Running) and 3]
Latest Changes: Save Selected
- Auto channel selection sequentially
- The more CAPs the longer
- Save selected saves last used channel
- Speeds up CAPsMAN restart
- Especially with many CAPs
Channel Planning and Regulation
Missing CAPsMAN Feature
2,4GHz Channel Planning
- No channel 12/13 with FCC devices
- Public WiFi limited to channel 1 – 11
- Non overlapping channels: 1, 6, 11
Channel ETSI FCC
1 20dBm 30dBm
2 20dBm 30dBm
3 20dBm 30dBm
4 20dBm 30dBm
5 20dBm 30dBm
6 20dBm 30dBm
7 20dBm 30dBm
8 20dBm 30dBm
9 20dBm 30dBm
10 20dBm 30dBm
11 20dBm 30dBm
12 20dBm n/a
13 20dBm n/a
2,4GHz Channel Planning
- Auto channel selection sequentially
- The more CAPs the longer
- Save selected saves last used channel
- Speeds up CAPsMAN restart
- Especially with many CAPs
2,4GHz Channel Planning
- Without CAPsMAN: Use Scan List & Channels
2,4GHz Channel Planning
- Problem: No scan list option in CAPsMAN
- Configure CAPsMAN interfaces one by one?
- Controller advantage reduced
- Work around using CAPsMAN strengths
- Provisioning rules
- Modular hierarchical configuration
- RegEx and Overrides
Channel 1-6-11 Setup
Channel 1-6-11 Setup
[Screenshot with callouts]
- Catch-All Rule | Avoids static interface creation. Find unwanted and misconfigured CAP (802.11b or identity not set)
- Require 802.11g, no legacy support
- Check CAP identity by RegEx for wanted channel
- Use configuration according to RegEx
Channel 1-6-11 Setup
Common central setting blocks for maximum modularity
Just frequency override within every configuration
Channel 1-6-11 Setup
Interface uses channel 1 (2412MHz)
Identity contains "--2.4CH01"
Channel 1-6-11 Setup
Interface not provisioned
Catch all rule | Action = none
Reason: not supporting 802.11g
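The rule set described on the Channel 1-6-11 slides, modelled as an added example (not code from the presentation or from RouterOS), so an inventory can be checked against it before rollout. Only the "--2.4CH01" tag and 2412 MHz come from the slides; the CH06/CH11 tags, the configuration names and the inventory are assumptions made by analogy.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    comment: str
    action: str                               # "create-dynamic-enabled" or "none"
    required_modes: frozenset = frozenset()   # radio must support all of these
    identity_regexp: str = ""                 # empty = match any identity
    config: Optional[str] = None              # hypothetical configuration name
    frequency_mhz: Optional[int] = None       # the per-configuration frequency override


def channel_rule(tag, freq):
    # Require 802.11g and an identity carrying the channel tag (dot escaped).
    return Rule(f"channel tag {tag}", "create-dynamic-enabled", frozenset({"g"}),
                r"--2\.4" + tag, f"cfg-2ghz-{tag.lower()}", freq)


# Order matters: rules are tried top-down and the first match wins.
RULES = [
    channel_rule("CH01", 2412),
    channel_rule("CH06", 2437),   # assumed tag, by analogy with CH01
    channel_rule("CH11", 2462),   # assumed tag, by analogy with CH01
    Rule("catch-all", "none"),    # matches everything left over, creates nothing
]


def provision(identity, modes, rules=RULES):
    """Return the first rule matching this radio, or None if no rule matches."""
    for rule in rules:
        if not rule.required_modes <= set(modes):
            continue
        if rule.identity_regexp and not re.search(rule.identity_regexp, identity):
            continue
        return rule
    return None


def audit(inventory):
    """Predict the provisioning outcome for every (identity, modes) pair."""
    report = []
    for identity, modes in inventory:
        rule = provision(identity, modes)
        if rule is None or rule.action == "none":
            reason = ("no 802.11g support" if "g" not in modes
                      else "identity carries no known channel tag")
            report.append((identity, "not provisioned", reason))
        else:
            report.append((identity, rule.config, f"{rule.frequency_mhz} MHz"))
    return report


# Constructed inventory: CAP identity and the modes its radio supports.
INVENTORY = [
    ("lobby--2.4CH01", {"b", "g", "n"}),
    ("floor2--2.4CH06", {"b", "g", "n"}),
    ("floor3--2.4CH11", {"g", "n"}),
    ("MikroTik", {"b", "g", "n"}),     # identity never set
    ("old-ap--2.4CH01", {"b"}),        # 802.11b-only radio
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(*row, sep=" | ")
```
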
5GHz Regulation
- Radar detection / DFS
- Not yet possible with CAPsMAN
- Is currently being implemented
- Frequencies < 5470 MHz only indoor
- Outdoor setups without scan list?
5GHz Outdoor Channels
- Solution: etsi 5.5 – 5.7 outdoor
Forcing 30dBm EIRP
- Use etsi 5.5 – 5.7 even indoors?
- Force high EIRP
- Regulation in Germany: 30dBm instead of 23dBm
- Actually 27dBm due to ATPC missing
Antenna gain setting of CAP accounted!
Tx Power: The more the better?
- WiFi connection is bidirectional
- Mobile devices have small Tx power
High EIRP + low gain AP antenna = pointless
- Mobile device will hear AP but cannot reach it
- Unnecessary interference
- Hard to select best AP for client
- Smartphone shows full bars but can’t connect
- iPhone 5 ~ 12dBm Tx, -0,8dBi = 11,2dBm EIRP
CAPsMAN Security
Keeping CAPsMAN safe
Upgrade Policy
- Automatic CAP RouterOS update
  - none: do nothing
  - suggest: try update but accept different version
  - require: try update and reject if not possible
- CAP doesn’t need internet connection
Upgrade Policy
- CAP gets software package from CAPsMAN
- Same architecture: works automatically
- Different architecture: CAP needs extra .npk
- hAP lite (smips) CAP can’t use npk of RB750UP CAPsMAN (mipsbe)
Upgrade Policy
[Screenshot with numbered callouts 1–4; one step is labelled "Create folder by FTP"]
WIFI Security
Security types supported by CAPsMAN
Security Overview
- Common WPA2 PSK
- Conditional WPA2 PSK (Access List)
- MAC based WPA2 PSK
- WPA2 EAP using local certificates (EAP-TLS)
- WPA2 EAP using Radius (passthrough)
- Hotspot
CAPsMAN with Hotspot
- UDP tunnels directly to hotspot
Secure | Efficient | Scales well | Easy traffic handling
HSNM a MikroTik Hotspot Extension
Tight MikroTik integration
- Installation + update scripts
- PPPoE support
- Experienced support team
Excellent addon
- High level Captive Portal features
- Emphasis on graphical design
HS Network Manager
Advertising, surveys, quizzes
Responsive login
Payment options
GPS tracking (e.g. coaches)
Social login
Redundancy, load balancing
SMS authentication
Ticket printer
MAC based PSK with Usermanager
- Separate PSKs per MAC
- Stored in Usermanager
- Easy to setup
- No full Radius necessary
- Enhanced security
- Access restrictions by device
- Configuration not nicely embedded in CAPsMAN concept
MAC based PSK with Usermanager
- Device wants to connect
- CAPsMAN sends MAC to Radius
- Radius returns personal PSK
- CAPsMAN compares PSK
- Grant or decline access
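The exchange on this slide, as an added Python sketch (not code from the presentation or from RouterOS) that goes one step further than the slide and shows how the "compare PSK" step works in WPA2: the authenticator never sees the passphrase, it checks the MIC of the client's handshake message against keys derived from the PSK looked up for that MAC. The dictionary stands in for the Radius/Usermanager lookup, and the SSID, MAC addresses, passphrases and the simplified EAPOL frame are constructed.

```python
import hashlib
import hmac
import os

SSID = b"office-wlan"                       # constructed
AP_MAC = bytes.fromhex("02aabbccdd01")      # constructed BSSID

# Stand-in for the Radius/Usermanager store: one personal PSK per client MAC.
USER_DB = {
    "aa:bb:cc:00:00:01": "laptop-passphrase-1",
    "aa:bb:cc:00:00:02": "phone-passphrase-2",
}


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def lookup_psk(sta_mac):
    """'CAPsMAN sends MAC to Radius, Radius returns personal PSK'."""
    return USER_DB.get(sta_mac.lower())


def pmk(passphrase, ssid=SSID):
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key, label, data, nbytes):
    # IEEE 802.11 PRF built from HMAC-SHA1 with a one-byte counter.
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def kck(pmk_, ap_mac, sta_mac, anonce, snonce):
    # The first 16 bytes of the PTK are the key confirmation key used for the MIC.
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac) +
            min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk_, b"Pairwise key expansion", data, 48)[:16]


def mic(kck_, frame):
    return hmac.new(kck_, frame, hashlib.sha1).digest()[:16]


def client_msg2(passphrase, sta_mac, anonce):
    """What the client sends after receiving the ANonce (frame simplified)."""
    snonce = os.urandom(32)
    frame = b"EAPOL-Key msg 2 (simplified, MIC field zeroed)" + snonce
    k = kck(pmk(passphrase), AP_MAC, mac_bytes(sta_mac), anonce, snonce)
    return snonce, frame, mic(k, frame)


def authenticate(sta_mac, anonce, snonce, frame, received_mic):
    """Authenticator side: look up the PSK for this MAC and verify the MIC."""
    passphrase = lookup_psk(sta_mac)
    if passphrase is None:
        return "decline: MAC unknown"
    k = kck(pmk(passphrase), AP_MAC, mac_bytes(sta_mac), anonce, snonce)
    if hmac.compare_digest(mic(k, frame), received_mic):
        return "grant"
    return "decline: MIC mismatch"


def connect(sta_mac, passphrase_on_device):
    anonce = os.urandom(32)
    snonce, frame, m = client_msg2(passphrase_on_device, sta_mac, anonce)
    return authenticate(sta_mac, anonce, snonce, frame, m)


if __name__ == "__main__":
    print(connect("AA:BB:CC:00:00:01", "laptop-passphrase-1"))
    print(connect("AA:BB:CC:00:00:01", "phone-passphrase-2"))
    print(connect("AA:BB:CC:00:00:99", "laptop-passphrase-1"))
```

A device presenting one client's MAC with another client's passphrase is declined, which is the per-device restriction the previous slide lists.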
MAC based PSK: Radius
- Setup Radius connection
  - Service
  - IP Address
  - Optional secret
MAC based PSK: CAPsMAN
MAC based PSK: Usermanager
WPA-Enterprise
Internally Supported
- EAP-TLS
Externally Supported
- all EAP methods
- passthrough
WPA-Enterprise related Terms
- 802.1X = 802 AA Standard
- EAP = Extensible Authentication Protocol
- EAP-TLS
- EAP-TTLS
- PEAP (EAP-PEAP): Protected Extensible Authentication Protocol
- PEAPv0 with MSCHAPv2 often called PEAP
PEAP with MSCHAP
- Authenticate server by server side certificate
- Create TLS tunnel
- Create EAP session through encrypted tunnel
- Use EAP-MSCHAP for client authentication
- WARNING: not secure if server certificate isn’t validated at client. MSCHAP isn’t secure if fake AP can collect handshakes
Prepare CAPsManager for PEAP
RADIUS Server Selection
- No support in Usermanager
- Freeradius common choice
- Microsoft offers Radius
Zeroshell
- Ready to run appliance
- Linux based
- Includes Freeradius
- Includes certificate handling
www.zeroshell.org
Zeroshell Setup
- Download the image
- Install VM from CD image
- Change IP / set DHCP
- Change admin password
Default IP: 192.168.0.75
User: admin
Pass: zeroshell
Zeroshell Configuration
- Enable the Radius Server
Zeroshell Configuration
- Add an authorised client
Zeroshell Configuration
- Add a user account
Connect an iPhone with PEAP
Connect an iPhone with PEAP
THANK YOU
… and enjoy the Usermeeting
FMS Internetservice GmbH
Phone: +49 761 2926500
Web: www.fmsweb.de
Shop: www.mikrotik-shop.de
Email: [email protected]
Twitter: https://twitter.com/fmsweb_de