I have a similar setup with one CRS326 and two cAP-ax. I struggled quite a bit, but in hindsight it is very simple. One remark: On the CRS326, do not use the "Wireless" menu if you have it, that's the old capsman, only needed for non-qcom devices. Everything you need for the cAP AX is in w...

Did you ever resolve this? I have the same problem with my capsman setting and query-radius action. I opened a support ticket just now. If you haven't solved it, you could join in on the ticket (give me your support username and I can "invite" you to the ticket). Nevermind. The solution i...

Did you ever resolve this? I have the same problem with my capsman setting and query-radius action. I opened a support ticket just now. If you haven't solved it, you could join in on the ticket (give me your support username and I can "invite" you to the ticket).

Solved, see viewtopic.php?p=1103096#p1103096

This is correct. PSK == PreSharedKey == you enter the wifi password EAP == Extensible Authentication Protocol == radius authentication Right... now that you put it that way, it makes sense. So with PSK, we want MAC address authentication. This has to be done though an Access List entry with query-r...

there are 3 attributes which come to play here maybe this guide helps or clearifies some stuff -> https://administrator.de/forum/mikrotik-dyn-vlan-und-mac-auth-in-ros-7-2-2466135253.html EDIT: the article shows the mikrotik user-manger radius implementation but the 3 attributes are standardized no ...

I have dynamic vlan assignment working with cAP ax and freeradius (works both with and without capsman), but only when I use WPA-EAP. Weirdly enough, when using WPA-PSK, the radius server is not even contacted. I am planning to write to support about this soonish. As a workaround, the new PPSK funct...

If a port of bridge has pvid set, then it's automatically added as untagged port to appropriate VLAN in the section you mentioned. But this doesn't work if the same port is explicitly configured already (either tagged or untagged). This automagic works reliably, so it's advisable to skip explicit a...

Are you sure that ether port on cAP is properly access port? The big difference between windows (most ether drivers) and linux is that linux properly works wiith VLAN tags while windows (often) simply ignores them ... That was it. In /interface bridge vlan, I didn't have my ethernet port set as unt...

I have this very weird problem and I am at a loss where to even start looking for the cause. I have a pfsense acting as router and doing VLANS and dhcp and so on, a CRS326 and two CAP AX. The CAP AX are chained, meaning CAP 1 is connected to the switch, CAP 2 is connected to CAP1. After CAP 2, I hav...

We have multiple AP's at work with same SSID. device mac-auth is controlled by daloradius server which is working fine. Could you share the relevant capsman and caps configs that make this work? I am trying to achieve the same , but so far I only got auth and vlan assignment working with EAP, but n...

query-radius is new action (compared to WLAN driver). So no experience. But is this a 2 phase authentication? First access-list, then additional PSK or EAP authentication, or not? Yes, I guess that is how it works? I am not sure about the order though, but both the PSK and a positive reply from the...

Yo. I will try to help. There is more in two heads and stuff. Radius server - you have set it for wireless service as well, correct? https://help.mikrotik.com/docs/display/ROS/RADIUS Capsman aaa - you have a definition? https://help.mikrotik.com/docs/display/ROS/CAPsMAN Thanks! Yes, I have defined ...

Anyone?

There are 2 different wifi drivers for ac and ax devices. The ax devices work with dynamic vlan tagging as you mentioned. The ac ones not yet.

Oh right, that makes sense. Thanks!

I just noticed that my WPA2-PSK client shows up with an 'A' in the registration table, I assume that means it is authenticated. So I deduce that the access-list rule with 'query-radius' that I entered is not triggered because the client gets authenticated elsewhere, before the rule is applied. Is th...

Your setup isn't possible when running wave2/wifi drivers. The new driver doesn't handle VLAN tags natively (neither per user set by radius or ACLs nor static set as datapath property). We're quite a large group of users hoping and waiting for this support to get added. Could you elaborate please? ...

Hi I have just switched to Mikrotik APs (having owned a switch for some time) and got almost everything working. I have a CRS326 and two cAP AX, and a pfsense router. What works is Wifi with WPA-EAP and auth and dynamic VLAN assignment through a radius server on the pfsense. What not yet works is WP...