OP self answering after discovering the solution: CAPsMAN.
On LHG R device (or any other Router Board device for that matter) configure CAPsMAN to control all access points. Access points then configured as CAPs. To restrict access point association to specific devices, set up Access List in CAPsMAN to accept specific MAC addresses and then (final rule) reject all others.
Some specific notes:
1. on access points using CAP mode the interface that will talk to the CAPsMAN needs to be set to be a discovery interface (for example at CLI type /interface wireless cap set discovery-interfaces=bridge1 if you're bridging all the interfaces)
2. connected devices need to told to not use a private MAC (or at least, the private MAC needs to be the one added to the Access List)
3. couldn't always get the reset-button trick (press hold for about 10s until flashing user LED) to work so "easier" to reset wAP and remove all config and configure manually
The complete config (at CLI type "export") for a wAP ac needs to only be:
/interface bridge
add admin-mac=D4:01:C3:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 2432/20-Ce/gn(17dBm), SSID: X, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(17dBm), SSID: X, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
/interface wireless cap
#
set bridge=bridge discovery-interfaces=bridge enabled=yes interfaces=\
wlan1,wlan2
/ip dhcp-client
add comment=defconf disabled=no interface=bridge
/system clock
set time-zone-name=X
/system identity
set name=X
On LHG R device (or any other Router Board device for that matter) configure CAPsMAN to control all access points. Access points then configured as CAPs. To restrict access point association to specific devices, set up Access List in CAPsMAN to accept specific MAC addresses and then (final rule) reject all others.
Some specific notes:
1. on access points using CAP mode the interface that will talk to the CAPsMAN needs to be set to be a discovery interface (for example at CLI type /interface wireless cap set discovery-interfaces=bridge1 if you're bridging all the interfaces)
2. connected devices need to told to not use a private MAC (or at least, the private MAC needs to be the one added to the Access List)
3. couldn't always get the reset-button trick (press hold for about 10s until flashing user LED) to work so "easier" to reset wAP and remove all config and configure manually
The complete config (at CLI type "export") for a wAP ac needs to only be:
/interface bridge
add admin-mac=D4:01:C3:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
# managed by CAPsMAN
# channel: 2432/20-Ce/gn(17dBm), SSID: X, CAPsMAN forwarding
set [ find default-name=wlan1 ] ssid=MikroTik
# managed by CAPsMAN
# channel: 5180/20-Ceee/ac/P(17dBm), SSID: X, CAPsMAN forwarding
set [ find default-name=wlan2 ] ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
/interface wireless cap
#
set bridge=bridge discovery-interfaces=bridge enabled=yes interfaces=\
wlan1,wlan2
/ip dhcp-client
add comment=defconf disabled=no interface=bridge
/system clock
set time-zone-name=X
/system identity
set name=X
Statistics: Posted by aeronell — Tue Jan 07, 2025 10:49 pm