Workbench WiFi

Per-device PSK with CAPsMAN



For larger or more critical WLANs, I primarily use Cisco APs and WLCs. I’ve had many successes with Cisco and am comfortable installing their equipment in challenging environments. But for smaller networks, or when cost is a major concern, I often turn to MikroTik for a CAPsMAN-managed solution.

There is no shortage of CAPsMAN tutorials online, but many skip past some of the more handy features, especially those involving access lists. I hope to post many more examples in the future, but for now, here is one I use fairly often with IoT devices in a home or small office environment: a per-device Private Passphrase.

To configure via the WinBox GUI, add a new item in the Access List tab of the CAPsMAN window. Use the MAC address of the wireless client. This can also be done by using the “Copy to Access List” button in the details window of an already-associated client from the Registration Table tab.

Once the client has been identified, additional parameters can be added. In this example, I specified the 5 GHz Lobby interface, as this device is 5 GHz capable and happens to be located near that specific AP. The device-specific PSK can be entered in the field below. Changes are applied immediately upon clicking Apply or OK.

To prevent the device from associating to another AP on the system, and to keep it from using 2.4 GHz on the lobby AP, I have added an explicit reject rule below the PSK rule.

The configuration looks like this from the CLI:

/caps-man access-list
add disabled=no interface=Lobby_5GHz mac-address=xx:xx:xx:xx:xx:xx private-passphrase=supersecretpsk ssid-regexp=""
add action=reject disabled=no interface=all mac-address=xx:xx:xx:xx:xx:xx ssid-regexp=""

Many other configuration options can be specified in these access list rules. You may want to assign these IoT devices to a specific VLAN. A minimum RSSI can also be defined here.
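As an added example (not from the original post, and not MikroTik's own documentation), here is a RouterOS script that builds on the two CLI rules above: the accept rule additionally tags the device into a VLAN and applies a minimum signal level, and the reject rule below it catches the same MAC everywhere else. The MAC address, the Lobby_5GHz interface name, VLAN ID 30 and the -75 dBm threshold are assumptions for illustration.

```routeros
# Added example: per-device CAPsMAN access-list entry with VLAN and minimum
# signal, followed by a catch-all reject for the same client.
# Assumed values: MAC xx:xx:xx:xx:xx:xx, interface Lobby_5GHz, VLAN 30, -75 dBm.

/caps-man access-list
# 1. Per-device accept rule: matches the client MAC only on the 5 GHz Lobby
#    CAP interface, hands out its own PSK, tags its traffic with VLAN 30, and
#    requires at least -75 dBm; a weaker signal is tolerated for 10 s before
#    the client is dropped so it can roam/reassociate.
add action=accept interface=Lobby_5GHz mac-address=xx:xx:xx:xx:xx:xx \
    private-passphrase=supersecretpsk ssid-regexp="" \
    vlan-mode=use-tag vlan-id=30 \
    signal-range=-75..120 allow-signal-out-of-range=10s \
    comment="IoT sensor: lobby 5 GHz only, VLAN 30"
# 2. Catch-all for the same MAC on any other interface or band. Access-list
#    rules are evaluated top-down and the first match wins, so this rule must
#    sit below the accept rule or the device will never connect.
add action=reject interface=all mac-address=xx:xx:xx:xx:xx:xx \
    ssid-regexp="" comment="IoT sensor: deny everywhere else"

# Check rule order, then confirm which rule the client actually matched.
/caps-man access-list print
/caps-man registration-table print where mac-address=xx:xx:xx:xx:xx:xx
```

Because the device's traffic is tagged with VLAN 30, the CAP's datapath must be bridged to an uplink that carries that VLAN, otherwise the client associates but gets no connectivity. The per-device passphrase also means a PSK recovered from one IoT device does not expose the passphrase used by any other client on the same SSID.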

