Tuesday, May 20, 2014

CAPsMAN контроллер для управления точками доступа Mikrotik

MikroTik RouterOS 6.11 introduced an additional package, wireless-fp (Wireless CAPsMAN for mipsbe, and Wireless CAPsMAN for tile / CCR series), which includes the CAPsMAN functionality: a controller for managing any MikroTik wireless access points.

Configuring CAPsMAN

/system reset-configuration no-defaults=yes
completely wipe the router configuration, including the default configuration
(the router configuration used here is taken from the beta, for advanced users)
/caps-man manager set enabled=yes
enable the controller functionality
/caps-man channel add band=2ghz-b/g/n frequency=2412 width=20 name=channel1 extension-channel=Ce
define the wireless interface (channel) parameters of the controller configuration
/caps-man security add name=security1 authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm passphrase=1234567890
define the security parameters of the controller configuration
/caps-man datapath add name="datapath1" client-to-client-forwarding=yes local-forwarding=yes
define the data-path (forwarding) parameters of the controller configuration; the datapath settings are:
  • bridge -- bridge interface to add the interface to, as a bridge port, when enabled
  • bridge-cost -- bridge port cost to use when adding as a bridge port
  • bridge-horizon -- bridge horizon to use when adding as a bridge port
  • client-to-client-forwarding -- controls whether client-to-client forwarding between wireless clients connected to the interface should be allowed; in local forwarding mode this function is performed by the CAP, otherwise it is performed by CAPsMAN
  • local-forwarding -- controls the forwarding mode
  • openflow-switch -- OpenFlow switch to add the interface to, as a port, when enabled
  • vlan-id -- VLAN ID to assign to the interface if vlan-mode enables the use of VLAN tagging
  • vlan-mode -- VLAN tagging mode; specifies whether a VLAN tag should be assigned to the interface (causes all received data to get tagged with the VLAN tag and allows the interface to only send out data tagged with the given tag)

In local forwarding mode (local-forwarding=yes) the wireless interface on the CAP behaves as a normal interface and takes part in normal data forwarding: it accepts and passes data to the networking stack on the CAP. CAPsMAN does not participate in data forwarding and does not process any data frames; it only controls the interface configuration and the client association process.
/caps-man configuration add name=cfg1 mode=ap ssid=unisi tx-chains=0,1 rx-chains=0,1 channel=channel1 security=security1 datapath=datapath1
create the controller configuration that ties together the setting groups defined above
  • channel - channel related settings, such as frequency and width
  • datapath - data forwarding related settings, such as bridge to which particular interface should be automatically added as port
  • interworking - IEEE 802.11u, Hotspot 2.0 related settings
  • security - security related settings, such as allowed authentication types or passphrase
  • configuration - main wireless settings group, includes settings such as SSID, and additionally binds together other setting groups - that is, configuration profile can refer to channel, security, etc. named setting groups. Additionally any setting can be overridden directly in configuration profile.
[admin@MikroTik] /caps-man configuration> print
 0 name="cfg1" mode=ap ssid="unisi" tx-chains=0,1 rx-chains=0,1 security=security1 datapath=datapath1 channel=channel1


/caps-man provisioning add radio-mac=00:00:00:00:00:00 action=create-dynamic-enabled master-configuration=cfg1
enable the controller's discovery and provisioning of access points (CAPs)
[admin@MikroTik] /caps-man> radio print
 # RADIO-MAC INTERFACE REMOTE-AP-IDENT
 0 P 4C:5E:0C:22:FC:E1 cap20 [4C:5E:0C:22:FC:E1]
 1 P D4:CA:6D:DD:3D:F3 cap21 [D4:CA:6D:DD:3D:F3]
Configuring the access list, /caps-man access-list
Rules are processed in order, first match wins; the last rule rejects everything that is not in the access list.
/caps-man access-list add mac-address=00:00:00:00:00:01 comment="ipad1" signal-range=-83..120 interface=all action=accept
/caps-man access-list add mac-address=00:00:00:00:00:02 comment="ipad2" signal-range=-83..120 interface=all action=accept
/caps-man access-list add mac-address=00:00:00:00:00:03 comment="ipad3" signal-range=-83..120 interface=all action=accept
/caps-man access-list add mac-address=00:00:00:00:00:00 mac-address-mask=00:00:00:00:00:00 comment="all reject" interface=all action=reject
  • client matching parameters:
    • address - MAC address of client
    • mask - MAC address mask to apply when comparing client address
    • interface - optional interface to compare with interface to which client actually connects to
    • time - time of day and days when rule matches
    • signal-range - range in which client signal must fit for rule to match
  • action parameter - specifies action to take when client matches:
    • accept - accept client
    • reject - reject client
    • query-radius - query RADIUS server if particular client is allowed to connect
  • connection parameters:
    • ap-tx-limit - tx speed limit in direction to client
    • client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)
    • client-to-client-forwarding - specifies whether to allow forwarding data received from this client to other clients connected to the same interface
    • private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used
    • radius-accounting - specifies if RADIUS traffic accounting should be used if RADIUS authentication gets done for this client
    • vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).
    • vlan-id - VLAN ID to use if doing VLAN tagging.
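The following Python is an added illustration, not code from the original post or from MikroTik: it reproduces the first-match evaluation described above using the four rules the post adds, so the effect of rule order, of the all-zero mac-address-mask on the final rule, and of signal-range can be checked before the list goes into production. The bitwise-AND mask semantics, the exact-match default mask, the default signal range and the "accept when nothing matches" fall-through are assumptions about RouterOS behaviour made for this simulation.

```python
"""Simulate first-match evaluation of a CAPsMAN-style access list.

Constructed illustration: the matching semantics (bitwise MAC mask,
exact-match default mask, accept fall-through when no rule matches)
are assumptions about RouterOS, not its code.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def mac_to_int(mac: str) -> int:
    """'4C:5E:0C:22:FC:E1' -> integer (case-insensitive)."""
    return int(mac.replace(":", ""), 16)


def parse_signal_range(text: str) -> Tuple[int, int]:
    """RouterOS notation '-83..120' -> (-83, 120)."""
    lo, hi = text.split("..")
    return int(lo), int(hi)


@dataclass(frozen=True)
class AccessRule:
    mac_address: str
    action: str                                   # "accept" or "reject"
    mac_address_mask: str = "FF:FF:FF:FF:FF:FF"   # assumed default: exact match
    signal_range: Tuple[int, int] = (-120, 120)   # assumed default: any signal
    interface: str = "all"
    comment: str = ""

    def matches(self, client_mac: str, signal: int, interface: str) -> bool:
        mask = mac_to_int(self.mac_address_mask)
        # A mask of 00:00:00:00:00:00 clears every bit, so it matches any client.
        if (mac_to_int(client_mac) & mask) != (mac_to_int(self.mac_address) & mask):
            return False
        lo, hi = self.signal_range
        if not lo <= signal <= hi:
            return False
        return self.interface == "all" or self.interface == interface


def decide(rules: List[AccessRule], client_mac: str, signal: int,
           interface: str = "cap20") -> Tuple[str, Optional[AccessRule]]:
    """Return (action, matching rule). Rules are evaluated top to bottom and
    the first match wins. If nothing matches we assume the client is accepted,
    which is exactly why the post ends the list with a catch-all reject."""
    for rule in rules:
        if rule.matches(client_mac, signal, interface):
            return rule.action, rule
    return "accept", None


def page_rules() -> List[AccessRule]:
    """The four rules from the post, in the order the post adds them."""
    allowed = parse_signal_range("-83..120")
    return [
        AccessRule("00:00:00:00:00:01", "accept", signal_range=allowed, comment="ipad1"),
        AccessRule("00:00:00:00:00:02", "accept", signal_range=allowed, comment="ipad2"),
        AccessRule("00:00:00:00:00:03", "accept", signal_range=allowed, comment="ipad3"),
        AccessRule("00:00:00:00:00:00", "reject",
                   mac_address_mask="00:00:00:00:00:00", comment="all reject"),
    ]


if __name__ == "__main__":
    rules = page_rules()
    # Constructed sample clients: listed with good signal, listed but weak, unknown.
    for mac, sig in [("00:00:00:00:00:01", -60),
                     ("00:00:00:00:00:01", -90),
                     ("AA:BB:CC:DD:EE:FF", -50)]:
        action, rule = decide(rules, mac, sig)
        print(f"{mac} at {sig} dBm -> {action} ({rule.comment if rule else 'no rule'})")
```

Two points the simulation makes visible: a listed client whose signal is below -83 dBm does not match its accept rule and falls through to the catch-all reject, and placing the catch-all rule first would reject every client. Keep in mind that this list filters on client MAC addresses, which are not authenticated, so it is a convenience control; the WPA2-PSK passphrase in the security profile remains the actual credential.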

Access point (CAP) settings

/system reset-configuration no-defaults=yes
completely wipe the router configuration, including the default configuration
/system identity set name=AP
/interface bridge add name="bridge1" protocol-mode=rstp
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=wlan1
any router model will do
/interface wireless cap set enabled=yes interfaces=wlan1 caps-man-addresses=192.168.1.1
variant where the access point and the controller are the same device
/interface wireless cap set enabled=yes interfaces=wlan1 discovery-interfaces=bridge1
variant where the access point and the controller are different devices
/ip dhcp-client add interface=bridge1 use-peer-dns=yes add-default-route=yes disabled=no


[admin@MikroTik] /interface wireless cap> pr
enabled: yes
interfaces: wlan1
certificate: none
lock-to-caps-man: no
discovery-interfaces:
caps-man-addresses: 192.168.1.1
caps-man-names:
caps-man-certificate-common-names:
bridge: none
