
The Objective

The request from the client was to have a WiFi network for the company employees
and a separate WiFi network for company guests.

The Network
I have a network similar to the one in the diagram below.

The MikroTik CCR acts as a router for Internet connectivity and VPN for
interconnecting with the main office.

The Hardware
The company's central router was already a MikroTik CCR, so I decided to use it to
manage the access points via the Controlled Access Point system Manager (CAPsMAN). I
chose 6 MikroTik cAP 2n units as access points, to be distributed across 3 floors,
because they can be installed on the ceiling. Cisco SG 300-52 switches were also
already installed at the location.

Configuring the CCR router and CAPsMAN


We need two VLAN interfaces on the router for routing and NAT purposes.
I already use Ethernet port 12 on the CCR for VLANs, so I will base the example
on it.

/interface vlan
add interface=ether12 name=WLAN vlan-id=600
add interface=ether12 name=WiFiGuest vlan-id=700

Now let's add IP addresses to the interfaces. They will serve as the gateways for
the clients.

/ip address
add address=10.0.0.1/24 interface=WLAN network=10.0.0.0
add address=172.30.90.1/24 interface=WiFiGuest network=172.30.90.0
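
Putting the two networks in separate VLANs does not by itself keep guests away from the intranet: the CCR routes between its directly connected subnets unless a firewall rule stops it. The rules below are an added example, not part of the original post, using the interface names and subnets defined above; the WAN interface name ether1, the router acting as DNS resolver for guests, and the rule placement are assumptions.

```routeros
# Added example, not from the original post.
# Assumption: ether1 is the Internet-facing (WAN) interface; use the real name.
# Assumption: these rules are placed above any broader accept rules.

/ip firewall filter
# Let replies for connections that were already permitted pass.
add chain=forward action=accept connection-state=established,related \
    comment="forward: established/related"
# Guests may only be forwarded out of the WAN interface. This blocks the
# intranet VLAN (10.0.0.0/24), the VPN to the main office and any other LAN.
add chain=forward action=drop in-interface=WiFiGuest out-interface=!ether1 \
    comment="guests: Internet only"

# Traffic addressed to the router itself (input chain).
# Guests need DHCP and, if the router is their resolver, DNS. Nothing else.
add chain=input action=accept in-interface=WiFiGuest protocol=udp \
    dst-port=53,67 comment="guests: DNS/DHCP to router"
add chain=input action=accept in-interface=WiFiGuest protocol=tcp \
    dst-port=53 comment="guests: DNS over TCP"
# Everything else from guests to the router (WinBox, SSH, web UI) is dropped,
# including attempts to reach the router on its intranet address 10.0.0.1.
add chain=input action=drop in-interface=WiFiGuest \
    comment="guests: no router services"
```

After applying, the packet counters shown by /ip firewall filter print stats should increase on the drop rules when a client on the guest SSID tries to reach 10.0.0.0/24 or the router's management ports.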

Now let's create the CAPsMAN datapaths for the 2 VLANs

/caps-man datapath
add local-forwarding=yes name=inet_vlan_600 vlan-id=600 \
    vlan-mode=use-tag
add local-forwarding=yes name=guest_vlan_700 vlan-id=700 \
    vlan-mode=use-tag

As you can see, we use local-forwarding=yes. In this mode the wireless interface on
the CAP behaves as a normal interface and takes part in normal data forwarding: it
accepts data from and passes data to the networking stack on the CAP. CAPsMAN does
not participate in data forwarding and does not process any data frames; it only
controls the interface configuration and the client association process.

Now let's create the wireless security profiles for the networks

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=Intranet \
    passphrase="somecoolintranet password"
add authentication-types=wpa2-psk encryption=aes-ccm name=Guests \
    passphrase=guestpassword

Now we will configure the WiFi channel and frequencies for the networks

/caps-man channel
add band=2ghz-onlyn extension-channel=Ce frequency=2412 name=Intranet \
    width=20
add band=2ghz-onlyn extension-channel=Ce frequency=2462 name=Guests \
    width=20

Now let's set up the configurations we will provide to the remote access points and
enable CAPsMAN

/caps-man configuration
add channel=Intranet country=russia datapath=inet_vlan_600 mode=ap \
    name=intranet security=Intranet ssid=WiFi-Intranet
add channel=Guests country=russia datapath=guest_vlan_700 mode=ap \
    name=guests security=Guests ssid=WiFi-Guests

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=intranet \
slave-configurations=guests

/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes

Configuring the Cisco SG 300-52 switches

Because we have separate VLANs for the 2 networks, the switch ports going to the
MikroTik CCR router and to the cAP 2n access points have to be trunk ports.

Assuming we have port Gi52 going to the CCR and ports Gi43-49 going to the cAP 2n
access points, let's do the configuration

SW2#conf t
SW2(config)#interface gigabitethernet52
SW2(config-if)#switchport mode trunk
SW2(config-if)#switchport trunk allowed vlan add 600,700

SW2(config)#interface range gi43-49
SW2(config-if-range)#switchport mode trunk
SW2(config-if-range)#switchport trunk allowed vlan add 600,700

Enabling Controlled Access Point (CAP) on the Wireless Access points


Enabling CAP on the access point requires only one command

[admin@AP1-1] > /interface wireless cap set enabled=yes

We do that for all our access points.

That's all. Now all our access points are managed by the central CAPsMAN.

Any suggestions and comments are accepted.
