Whitelisting on CAPsMAN

I love Mikrotik's CAPsMAN. A beautiful way to control and automatically provision wireless interfaces over multiple Mikrotik routers.

It is not perfect. Two of the more annoying omissions are a default channel list (although you can create your own channels) and whitelisting of AP clients. Unlike with the standard MikroTik wireless interface, you cannot simply create a configuration in which registrations are disabled by default.

However, there is one nice trick you can do. Under CAPsMAN > Configurations, set VLAN Mode to "use tag" and set VLAN ID to some unused number (my favorite is 4094). This causes all wireless traffic using that configuration to be tagged with a VLAN ID that is configured nowhere else. In effect, we are blackholing all traffic carrying that VLAN ID.

Now under CAPsMAN > Access List you can add each allowed client with VLAN Mode set to "no tag" (or, if you are using VLANs, to a configured VLAN ID). This overrides the setting from the configuration, so only devices explicitly listed will have their packets processed.
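The same setup expressed as RouterOS CLI commands (an added example, not from the original post). It assumes the CAP interfaces are bridged on a bridge named bridge1, that VLAN 4094 is configured nowhere else, and that the MAC addresses and passphrase are placeholders:

```routeros
# Added example, not the original post's configuration.
# Assumptions: bridge "bridge1" carries the wireless clients, VLAN 4094 has no VLAN
# interface and no bridge VLAN table entry, and the MACs/passphrase below are placeholders.

# 1. Datapath: every client of this configuration gets its frames tagged with VLAN 4094.
#    Nothing terminates that VLAN, so unlisted clients can associate but their traffic
#    goes nowhere. If bridge1 runs vlan-filtering=yes, keep 4094 out of
#    /interface bridge vlan so the bridge drops those frames as well.
/caps-man datapath
add name=dp-blackhole bridge=bridge1 vlan-mode=use-tag vlan-id=4094

/caps-man configuration
add name=cfg-home ssid="home-wifi" datapath=dp-blackhole \
    security.authentication-types=wpa2-psk security.passphrase="CHANGE-ME-PLACEHOLDER"

# 2. Access list: explicitly allowed clients override the datapath VLAN setting.
#    vlan-mode=no-tag puts a client on the untagged bridge; vlan-mode=use-tag vlan-id=N
#    places it on a real, configured VLAN N instead.
/caps-man access-list
add mac-address=AA:BB:CC:00:00:01 action=accept vlan-mode=no-tag \
    comment="laptop (placeholder MAC)"
add mac-address=AA:BB:CC:00:00:02 action=accept vlan-mode=use-tag vlan-id=20 \
    comment="IoT device on VLAN 20 (placeholder MAC)"

# 3. Verify: which clients are currently registered, and which rules apply to them.
/caps-man registration-table print
/caps-man access-list print
```

A client missing from the access list still shows up in the registration table; the difference is that its frames leave the AP tagged with 4094 and are never forwarded.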

I admit it is not as flexible as rejecting the registration, but the absence of any communication is usually a good enough signal that one needs to move to another network.

PS: Whitelisting AP clients doesn't necessarily improve your security. Do not rely on it as a security feature.
