Workbench WiFi

Per-device PSK with CAPsMAN



For larger or more critical WLANs, I primarily use Cisco APs and WLCs. I’ve had many successes with Cisco and am comfortable installing their equipment in challenging environments. But for smaller networks, or when cost is a major concern, I often turn to MikroTik for a CAPsMAN-managed solution.

There is no shortage of CAPsMAN tutorials online, but many skip past some of the more handy features, especially those involving access lists. I hope to post many more examples in the future, but for now, here is one I use fairly often with IoT devices in a home or small office environment: a per-device Private Passphrase.

To configure via the WinBox GUI, add a new item in the Access List tab of the CAPsMAN window. Use the MAC address of the wireless client. This can also be done by using the “Copy to Access List” button in the details window of an already-associated client from the Registration Table tab.

Once the client has been identified, additional parameters can be added. In this example, I specified the 5 GHz Lobby interface, as this device is 5 GHz capable and happens to be located near that specific AP. The device-specific PSK can be entered in the field below. Changes are applied immediately upon clicking Apply or OK.

To prevent the device from associating to another AP on the system, and to keep it from using 2.4 GHz on the lobby AP, I have added an explicit reject rule below the PSK rule.

The configuration looks like this from the CLI:

/caps-man access-list
add disabled=no interface=Lobby_5GHz mac-address=xx:xx:xx:xx:xx:xx private-passphrase=supersecretpsk ssid-regexp=""
add action=reject disabled=no interface=all mac-address=xx:xx:xx:xx:xx:xx ssid-regexp=""

Many other configuration options can be specified in these access list rules. You may want to assign these IoT devices to a specific VLAN. A minimum RSSI can also be defined here.
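When there are more than a handful of IoT devices, I generate the allow/reject rule pairs from an inventory rather than typing them in. The script below is an added example and not part of the original post or of RouterOS; the MAC addresses and interface names in it are constructed placeholders, and the VLAN parameters (vlan-mode, vlan-id) are assumed to match the access-list options described above.

```python
import re
import secrets

# Constructed inventory: placeholder MACs and interface names, not real devices.
DEVICES = [
    {"mac": "02-00-5e-00-00-01", "interface": "Lobby_5GHz", "vlan": 30},
    {"mac": "02:00:5E:00:00:02", "interface": "Office_5GHz", "vlan": None},
]


def normalize_mac(mac):
    """Return the MAC the way RouterOS shows it: upper case, colon separated."""
    digits = re.sub(r"[:\-.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def new_psk(length=20):
    """Random WPA2 passphrase; WPA2 accepts 8-63 printable characters."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 PSK must be 8-63 characters")
    return secrets.token_urlsafe(length)[:length]


def access_list_rules(devices):
    """Emit, per device, the allow rule on its one interface followed by the
    reject rule on interface=all. The access list is evaluated first-match,
    so the reject rule must sit below the allow rule for the same MAC."""
    seen = set()
    lines = ["/caps-man access-list"]
    for dev in devices:
        mac = normalize_mac(dev["mac"])
        if mac in seen:
            # A second entry for the same MAC would never be reached.
            raise ValueError(f"duplicate access-list entry for {mac}")
        seen.add(mac)
        psk = dev.get("psk") or new_psk()
        allow = (f'add disabled=no interface={dev["interface"]} mac-address={mac} '
                 f'private-passphrase="{psk}" ssid-regexp=""')
        if dev.get("vlan"):
            allow += f' vlan-mode=use-tag vlan-id={dev["vlan"]}'
        lines.append(allow)
        lines.append('add action=reject disabled=no interface=all '
                     f'mac-address={mac} ssid-regexp=""')
    return lines


if __name__ == "__main__":
    print("\n".join(access_list_rules(DEVICES)))
```

The generated PSK is printed once; record it in the device's own configuration rather than reusing one passphrase across devices.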

MikroTik RouterOS hints and tips

It’s no secret that I am a fan of MikroTik products for low- to mid-range layer 3 router tasks. MikroTik’s RouterOS is based on Linux, not unlike many other router appliances, and has a similarly wide feature set. The low cost of most MikroTik devices means I can easily build a full switch and router test lab for less than the cost of a single Cisco AP, freeing time and money for layer 1 and 2 challenges.

The only way to learn RouterOS is to purchase a RouterBoard and get your hands dirty. Download winbox, browse the release notes, explore the forums, search the wiki, and challenge yourself to build many different configs. Please, please, please use Winbox. The RouterOS web interface is helpful in a pinch, but is nowhere near as nice to use as the Winbox client. And as much as I love the CLI, the Winbox GUI is much more conducive to exploring than stumbling around in an alien text environment (the RouterOS CLI is nothing like Cisco IOS). I have successfully used Winbox in Windows versions XP through 10, and in Linux and Mac OS X via wine. You may have to tinker with wine font settings, but it will work fairly well on most versions of Linux and OS X.

The MikroTik User Meetings, or MUMs, are regional conferences full of presentations and vendor exhibits. The MUM Archive is a great place to browse slides and videos from past MUM presentations, some of which are linked below.

Manito Networks has published a very useful MikroTik Router Hardening guide along with many other handy RouterOS-related posts.

Rick Frey, a consultant and certified MikroTik instructor, has a great MikroTik firewall presentation from about two years ago.

Andis Arins, another MikroTik consultant and instructor, presented his Top 10 Configuration Mistakes at the USA MUM last year. This is available as both a PDF of his slides, and as a YouTube video.

These should be enough resources to get started. It took me a few weeks of casually playing with my first RouterBoard before I got the hang of it. It’s not Cisco, but that’s sort of the point!

Wireless tools on a MikroTik RouterBoard

As a thrifty person, I enjoy finding flexible and low-cost tools to use and share with others. The MikroTik RouterBoard family has a lot to offer in the $50 – $100 range and is often found in my toolkit. While I am a fan of products from NetScout, Ekahau, and MetaGeek, I do use MikroTik equipment for the occasional test, especially in situations where I have to leave equipment in place in my absence.

/interface/wireless/spectral-scan and spectral-history provide a quick overview of RF conditions:

Spectral-scan is a live view, while spectral-history is a low resolution waterfall graph. Both can be utilized remotely via telnet, ssh, winbox, and The Dude.

The occasional wireless packet capture can be performed using the Wireless Sniffer feature. Captures can be saved to internal flash or external USB storage, or streamed via TZSP to a remote protocol analyzer such as Wireshark.

Selecting the desired frequency range is less than obvious. One easy method is to partially configure the wireless interface as a station. SSID doesn’t matter, but be sure to specify the band, width, and frequency.

MikroTik DHCP Server Option 43

I often use MikroTik routers for DHCP, NAT, management VPN, and other tasks for the WLANs I manage. Utilizing DHCP Option 43 to provide Cisco APs with the IP address of the WLC(s) helps simplify the AP provisioning process. The MikroTik RouterOS configuration segment below is a glimpse of how I accomplish this.

The only potential gotcha is the format of the hex string value. Per the Cisco WLC documentation, the string always starts with 0xf1, followed by the length of the IP address list expressed in octets. In this example, I have just one IP address for one WLC, so that number is 04 (one IPv4 address is made up of 4 octets). The remainder of the string, ac14640c, is the IP address of the WLC. A simple decimal to hex calculator can help with this conversion. Decimal 172 is hex ac, decimal 20 is hex 14, and so on. Note that single-digit values must be padded with a leading zero: decimal 12 is hex c, padded with a leading zero to become 0c.

/ip pool
add name="AP Management Pool" ranges=

/ip dhcp-server option
add code=43 name=apmgmtopt43 value=0xf104ac100105

/ip dhcp-server network
add address= dhcp-option=apmgmtopt43 gateway=
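To avoid hand-converting octets (and mistyping the length byte when more than one WLC is listed), the encoder below builds the Option 43 value from a list of WLC addresses and decodes one back for checking. It is an added example, not code from the original post or from MikroTik or Cisco; it generalizes the single-WLC case above to any number of controllers, and the WLC addresses passed to it are the ones quoted in this post plus a constructed second controller.

```python
import ipaddress


def cisco_option43(wlc_addresses):
    """Encode WLC IPv4 addresses as the Cisco vendor-specific Option 43
    value RouterOS expects: 0xf1, one length byte (4 * address count),
    then each address as four hex octets."""
    if not wlc_addresses:
        raise ValueError("at least one WLC address is required")
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in wlc_addresses)
    if len(packed) > 255:
        raise ValueError("too many WLC addresses for a one-byte length field")
    # f"{n:02x}" gives the zero-padded two-digit length the format requires.
    return "0xf1" + f"{len(packed):02x}" + packed.hex()


def decode_option43(value):
    """Inverse of cisco_option43: parse a hex value back into dotted
    addresses, checking the 0xf1 tag and the length byte so that a
    mistyped value is caught before it reaches the DHCP server."""
    hexstr = value[2:] if value.lower().startswith("0x") else value
    raw = bytes.fromhex(hexstr)
    if len(raw) < 2 or raw[0] != 0xF1:
        raise ValueError("value does not start with Cisco sub-option 0xf1")
    body = raw[2:]
    if raw[1] != len(body) or len(body) % 4:
        raise ValueError("length byte does not match the address list")
    return [str(ipaddress.IPv4Address(body[i:i + 4]))
            for i in range(0, len(body), 4)]


def routeros_option_lines(name, wlc_addresses):
    """RouterOS commands that define the option, ready to paste into the CLI."""
    return ["/ip dhcp-server option",
            f"add code=43 name={name} value={cisco_option43(wlc_addresses)}"]


if __name__ == "__main__":
    # 172.20.100.12 is the address worked through in the text above;
    # 172.16.1.6 is a constructed second controller for the two-WLC case.
    for addrs in (["172.20.100.12"], ["172.16.1.5", "172.16.1.6"]):
        value = cisco_option43(addrs)
        print(value, "->", decode_option43(value))
    print("\n".join(routeros_option_lines("apmgmtopt43", ["172.16.1.5"])))
```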