Posted  by  admin

Download CAPS Wizard For Mac 2.2


Overview

Controlled Access Point system Manager (CAPsMAN) allows centralization of wireless network management and, if necessary, data processing. When using the CAPsMAN feature, the network will consist of a number of 'Controlled Access Points' (CAP) that provide wireless connectivity and a 'system Manager' (CAPsMAN) that manages the configuration of the APs. CAPsMAN also takes care of client authentication and, optionally, data forwarding.

When a CAP is controlled by CAPsMAN it only requires the minimum configuration required to allow it to establish connection with CAPsMAN. Functions that were conventionally executed by an AP (like access control, client authentication) are now executed by CAPsMAN. The CAP device now only has to provide the wireless link layer encryption/decryption.

Depending on configuration, data is either forwarded to CAPsMAN for centralized processing (default) or forwarded locally at the CAP itself (local forwarding mode).

CAPsMAN features

  • RADIUS MAC authentication
  • WPA/WPA2 security
  • TBA

MISSING CAPsMAN features

  • Nstreme AP support
  • Nv2 AP support
  • TBA

CAPsMAN v2

NOTE: CAPsMAN v2 is NOT compatible with current CAPsMAN v1 (CAPsMAN v1 CAP devices will not be able to connect to CAPsMAN v2 and CAPsMAN v2 CAP devices will not be able to connect to CAPsMAN v1). This means that both CAPsMAN and CAP devices should have the wireless-cm2 package enabled/installed for a CAPsMAN v2 system to work.

If you want to try out CAPsMAN v2, upgrade all the CAPs and the CAPsMAN to the latest RouterOS version and enable/install the wireless-cm2 package.

CAPsMAN v2 features:

  • CAPsMAN automatic upgrade of all CAP clients (configurable)
  • improved CAP<->CAPsMAN data connection protocol
  • added 'Name Format' and 'Name Prefix' setting for Provision rules
  • improved logging entries when client roams between the CAPs
  • added L2 Path MTU discovery

Upgrade options from v1 to v2:

Option 1: Install a new temporary CAPsMAN v2 router in the same network as the current CAPsMAN router and start enabling/upgrading the wireless-cm2 package on the CAPs. All CAPs with v2 will connect to the new temporary CAPsMAN v2 router. After every CAP is upgraded to v2, upgrade your current CAPsMAN to v2 and then turn off the temporary CAPsMAN v2 router.

Option 2: Upgrade your CAPs and then CAPsMAN to v2 at the same time. In this case you could have a little more downtime unless you schedule all the CAPs to reboot/install at the same time.

Requirements

CAPsMAN works on any RouterOS device from v6.11. Wireless interfaces are not required, since it manages the wireless interfaces of CAPs.

CAPsMAN v2 works starting from RouterOS v6.22rc7.

CAPsMAN v1 is discontinued starting from 6.37.

A CAP device should have at least a Level4 RouterOS license.

Limitations

unlimited CAPs (access points) supported by CAPsMAN

32 Radios per CAP

32 Virtual interfaces per master radio interface

CAP to CAPsMAN Connection

For the CAPsMAN system to function and provide wireless connectivity, a CAP must establish management connection with CAPsMAN. A management connection can be established using MAC or IP layer protocols and is secured using 'DTLS'.

A CAP can also pass the client data connection to the Manager, but the data connection is not secured. If this is deemed necessary, then other means of data security need to be used, e.g. IPSec or encrypted tunnels.

CAP to CAPsMAN connection can be established using 2 transport protocols (via Layer 2 and Layer 3).

  • MAC layer connection features:
    • no IP configuration necessary on CAP
    • CAP and CAPsMAN must be on the same Layer 2 segment - either physical or virtual (by means of L2 tunnels)
  • IP layer (UDP) connection features:
    • can traverse NAT if necessary
    • CAP must be able to reach CAPsMAN using IP protocol
    • if the CAP is not on the same L2 segment as CAPsMAN, it must be provisioned with the CAPsMAN IP address, because IP multicast based discovery does not work over Layer 3

In order to establish connection with CAPsMAN, CAP executes a discovery process. During discovery, CAP attempts to contact CAPsMAN and builds an available CAPsMANs list. CAP attempts to contact an available CAPsMAN using:

  • configured list of Manager IP addresses
  • list of CAPsMAN IP addresses obtained from DHCP server
  • broadcasting on configured interfaces using both - IP and MAC layer protocols.

When the list of available CAPsMANs is built, CAP selects a CAPsMAN based on the following rules:

  • if caps-man-names parameter specifies allowed manager names (/system identity of CAPsMAN), CAP will prefer the CAPsMAN that is earlier in the list, if list is empty it will connect to any available Manager
  • suitable Manager with MAC layer connectivity is preferred to Manager with IP connectivity

After Manager is selected, CAP attempts to establish DTLS connection. There are the following authentication modes possible:

  • no certificates on CAP and CAPsMAN - no authentication
  • only Manager is configured with certificate - CAP checks CAPsMAN certificate, but does not fail if it does not have appropriate trusted CA certificate. CAPsMAN must be configured with require-peer-certificate=no in order to establish connection with a CAP that does not possess a certificate
  • CAP and CAPsMAN are configured with certificates - mutual authentication

After DTLS connection is established, CAP can optionally check CommonName field of certificate provided by CAPsMAN. caps-man-certificate-common-names parameter contains list of allowed CommonName values. If this list is not empty, CAPsMAN must be configured with certificate. If this list is empty, CAP does not check CommonName field.

If the CAPsMAN or CAP gets disconnected from the network, the loss of connection between CAP and CAPsMAN will be detected in approximately 10-20 seconds.

CAP Auto Locking to CAPsMAN

CAP can be configured to automatically lock to particular CAPsMAN. Locking is implemented by recording certificate CommonName of CAPsMAN that CAP is locked to and checking this CommonName for all subsequent connections. As this feature is implemented using certificate CommonName, use of certificates is mandatory for locking to work.

Locking is enabled by the following command:

Once CAP connects to suitable CAPsMAN and locks to it, it is reflected like this:

From now on CAP will only connect to CAPsMAN with this CommonName, until locking requirement is cleared, by setting lock-to-caps-man=no. This approach needs to be used if it is necessary to force CAP to lock to another CAPsMAN - by at first setting lock-to-caps-man=no followed by lock-to-caps-man=yes.

Note that CAP can be manually 'locked' to CAPsMAN by setting caps-man-certificate-common-names.

Auto Certificates

To simplify CAPsMAN and CAP configuration when certificates are required (e.g. for automatic locking feature), CAPsMAN can be configured to generate necessary certificates automatically and CAP can be configured to request certificate from CAPsMAN.

Automatic certificates do not provide full public key infrastructure and are provided for simple setups. If more complicated PKI is necessary - supporting proper certificate validity periods, multiple-level CA certificates, certificate renewal - other means must be used, such as manual certificate distribution or SCEP.

CAPsMAN has the following certificate settings:

  • certificate - this is the CAPsMAN certificate; the private key must be available for this certificate. If set to none, CAPsMAN will operate in no-certificate mode and none of the certificate-requiring features will work. If set to auto, CAPsMAN will attempt to issue a certificate to itself using the CA certificate (see ca-certificate description). Note that the CommonName of the automatically issued certificate will be 'CAPsMAN-<mac address>' and its validity period will be the same as for the CA certificate.
  • ca-certificate - this is CA certificate that CAPsMAN will use when issuing certificate for itself if necessary (see certificate description) and when signing certificate requests from CAPs. If set to none, CAPsMAN will not be able to issue certificate to itself or sign certificate requests from CAPs. If set to auto, CAPsMAN will generate self-signed CA certificate to use as CA certificate. CommonName for this certificate will take form 'CAPsMAN-CA-<mac address>' and validity period will be from jan/01/1970 until jan/18/2038.

When CAPsMAN will auto-generate certificates, this will be reflected like this:

And certificates:

CAP can be configured to request certificate from CAPsMAN. In order for this to work, CAP must be configured with setting certificate=request and CAPsMAN must have CA certificate available (either specified in ca-certificate setting or auto-generated).

CAP will initially generate a private key and a certificate request with CommonName of the form 'CAP-<mac address>'. When CAP establishes a connection with CAPsMAN, CAP will request CAPsMAN to sign its certificate request. If this succeeds, CAPsMAN will send the CA certificate and the newly issued certificate to CAP. CAP will import these certificates in its certificate store:

On subsequent connections to CAPsMAN, CAP will use generated certificate.

Note: CAPsMAN uses UDP port 5246 for manager traffic and UDP port 5247 for data traffic
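The following check applies the three DTLS authentication modes and the CommonName and locking rules described above to exported manager and CAP settings. It is an added example, not part of the original documentation or of RouterOS; the export fragments and finding names are constructed, and treating an absent lock-to-caps-man as no is an assumption.

```python
import re
import shlex

# Constructed export fragments for illustration (not taken from the page).
WEAK_MANAGER = "/caps-man manager\nset enabled=yes\n"
WEAK_CAP = (
    "/interface wireless cap\n"
    "set enabled=yes interfaces=wlan1 discovery-interfaces=ether1\n"
)
HARDENED_MANAGER = (
    "/caps-man manager\n"
    "set enabled=yes certificate=auto ca-certificate=auto \\\n"
    "    require-peer-certificate=yes\n"
)
HARDENED_CAP = (
    "/interface wireless cap\n"
    "set enabled=yes interfaces=wlan1 discovery-interfaces=ether1 \\\n"
    "    certificate=request lock-to-caps-man=yes\n"
)


def parse_menu(export_text, menu):
    """Collect key=value pairs from 'set' lines under one menu path."""
    text = re.sub(r"\\\n\s*", "", export_text)  # join continuation lines
    settings, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
        elif current == menu and line.startswith("set "):
            for token in shlex.split(line[4:]):
                key, sep, value = token.partition("=")
                if sep:
                    settings[key] = value
    return settings


def audit(manager_export, cap_export):
    """Return (dtls_mode, findings) for one manager/CAP pair."""
    mgr = parse_menu(manager_export, "/caps-man manager")
    cap = parse_menu(cap_export, "/interface wireless cap")
    # Defaults from the property tables: certificate=none,
    # require-peer-certificate=no, empty CommonName list.
    mgr_cert = mgr.get("certificate", "none") != "none"
    cap_cert = cap.get("certificate", "none") != "none"
    if mgr_cert and cap_cert:
        mode = "mutual authentication"
    elif mgr_cert:
        mode = "manager certificate only"
    elif cap_cert:
        mode = "not described (CAP certificate without manager certificate)"
    else:
        mode = "no authentication"

    findings = []
    if not mgr_cert:
        # Locking and CommonName checks need a manager certificate.
        findings.append("manager-no-certificate")
    if mgr.get("require-peer-certificate", "no") != "yes":
        findings.append("manager-accepts-caps-without-certificate")
    if not cap_cert:
        findings.append("cap-no-certificate")
    pinned = bool(cap.get("caps-man-certificate-common-names", ""))
    # Assumption: lock-to-caps-man is treated as 'no' when absent.
    locked = cap.get("lock-to-caps-man", "no") == "yes"
    if not (pinned or locked):
        findings.append("cap-does-not-check-manager-common-name")
    return mode, findings


if __name__ == "__main__":
    print(audit(WEAK_MANAGER, WEAK_CAP))
    print(audit(HARDENED_MANAGER, HARDENED_CAP))
```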


CAP Configuration

Sub-menu: /interface wireless cap


When an AP is configured to be controlled by CAPsMAN, configuration of the managed wireless interfaces on the AP is ignored (exceptions: antenna-gain, antenna-mode). Instead, AP accepts configuration for the managed interfaces from CAPsMAN.

Note: The CAP wireless interfaces that are managed by CAPsMAN and whose traffic is being forwarded to CAPsMAN (i.e. they are not in local forwarding mode) are shown as disabled, with the note Managed by CAPsMAN. Those interfaces that are in local forwarding mode (traffic is locally managed by CAP, and only management is done by CAPsMAN) are not shown disabled, but the note Managed by CAPsMAN is shown.


CAP behaviour of AP is configured in /interface wireless cap menu. It contains the following settings:

Property - Description
enabled (yes | no; Default: no) - Disable or enable CAP feature
interfaces (list of interfaces; Default: empty) - List of wireless interfaces to be controlled by Manager
certificate (certificate name | none; Default: none) - Certificate to use for authenticating
discovery-interfaces (list of interfaces; Default: empty) - List of interfaces over which CAP should attempt to discover Manager
caps-man-addresses (list of IP addresses; Default: empty) - List of Manager IP addresses that CAP will attempt to contact during discovery
caps-man-names (list of allowed CAPs Manager names; Default: empty) - An ordered list of CAPs Manager names that the CAP will connect to, if empty - CAP does not check Manager name
caps-man-certificate-common-names (list of allowed CAPs Manager CommonNames; Default: empty) - List of Manager certificate CommonNames that CAP will connect to, if empty - CAP does not check Manager certificate CommonName
bridge (bridge interface; Default: none) - Bridge to which interfaces should be added when local forwarding mode is used
static-virtual (Static Virtual Interface; Default: no) - CAP will create Static Virtual Interfaces instead of Dynamic and will try to reuse the same interface on reconnect to CAPsMAN if the MAC address will be the same. Note if two or more interfaces will have the same MAC address the assignment from the CAPsMAN could be random between those interfaces.

CAPsMAN Configuration Concepts

Each wireless interface on a CAP that is under CAPsMAN control appears as a virtual interface on the CAPsMAN. This provides maximum flexibility in data forwarding control using regular RouterOS features, such as routing, bridging, firewall, etc.

Many wireless interface settings can be grouped together into named groups ('profiles'), which simplifies the reuse of configuration - for example, common configuration settings can be configured in a 'configuration profile' and multiple interfaces can then refer to that profile. At the same time any profile setting can be overridden directly in an interface configuration for maximum flexibility.

Currently there are the following setting groups:

  • channel - channel related settings, such as frequency and width
  • datapath - data forwarding related settings, such as bridge to which particular interface should be automatically added as port
  • security - security related settings, such as allowed authentication types or passphrase
  • configuration - main wireless settings group, includes settings such as SSID, and additionally binds together other setting groups - that is, configuration profile can refer to channel, security, etc. named setting groups. Additionally any setting can be overridden directly in configuration profile.

Interface settings bind together all setting groups, but additionally any setting can be overridden directly in interface settings.

By means of setting groups, configuration is organized in hierarchical structure with interface (actual user of configuration) as the root. In order to figure out the effective value of some setting this structure is consulted in a fashion where a higher level setting value overrides a lower level value.

For example, when WPA2 passphrase to be used by a particular interface needs to be found, the following places are consulted and the first place with WPA2 passphrase configured specifies effective passphrase. '->' denotes referring to setting profile (if configured):

  • interface passphrase
  • interface->security passphrase
  • interface->configuration passphrase
  • interface->configuration->security passphrase
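The lookup order above, worked through for security settings so that a weak value set higher in the hierarchy is visible even when a stronger profile is referenced lower down. This is an added example, not code from the original documentation; the profile names, values and the dictionary model (inline overrides stored under a `security.` prefix) are constructed assumptions.

```python
# Constructed profiles for illustration; names and values are not from the page.
SECURITY = {
    "sec-strong": {"encryption": "aes-ccm", "passphrase": "strong-example"},
    "sec-legacy": {"encryption": "aes-ccm,tkip", "passphrase": "legacy-example"},
}
CONFIGURATION = {
    "cfg-office": {"security": "sec-strong"},
    # Inline override inside the configuration profile.
    "cfg-guest": {"security": "sec-strong", "security.encryption": "tkip"},
}
INTERFACES = {
    "cap1": {"configuration": "cfg-office"},
    "cap2": {"configuration": "cfg-office", "security": "sec-legacy"},
    "cap3": {"configuration": "cfg-guest"},
    "cap4": {"configuration": "cfg-office",
             "security.passphrase": "inline-example"},
}


def candidates(iface_name, setting):
    """Yield (place, value) for the four places, highest priority first."""
    iface = INTERFACES[iface_name]
    cfg = CONFIGURATION.get(iface.get("configuration"), {})
    yield "interface", iface.get("security." + setting)
    yield ("interface->security",
           SECURITY.get(iface.get("security"), {}).get(setting))
    yield "interface->configuration", cfg.get("security." + setting)
    yield ("interface->configuration->security",
           SECURITY.get(cfg.get("security"), {}).get(setting))


def effective(iface_name, setting):
    """Return (value, place) from the first place where the setting is set."""
    for place, value in candidates(iface_name, setting):
        if value is not None:
            return value, place
    return None, None


def shadowed(iface_name, setting):
    """List lower-priority places whose configured value never takes effect."""
    found = [(p, v) for p, v in candidates(iface_name, setting) if v is not None]
    return found[1:]


def interfaces_using(setting, token):
    """Interfaces whose effective comma-separated value contains token."""
    return sorted(
        name for name in INTERFACES
        if token in (effective(name, setting)[0] or "").split(",")
    )


if __name__ == "__main__":
    for name in sorted(INTERFACES):
        print(name, effective(name, "encryption"), shadowed(name, "encryption"))
    print("tkip effective on:", interfaces_using("encryption", "tkip"))
```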

There are 2 types of interfaces on CAPsMAN - 'master' and 'slave'. The master interface holds the configuration for an actual wireless interface (radio), while a slave interface links to the master interface and is intended to hold the configuration for a Virtual-AP (multiple SSID support). There are settings that are meaningful only for the master interface, i.e. mainly hardware setup related settings such as radio channel settings. Note that in order for a radio to accept clients, its master interface needs to be enabled. Slave interfaces will become operational only if enabled and the master interface is enabled.

Interfaces on CAPsMAN can be static or dynamic. Static interfaces are stored in RouterOS configuration and will persist across reboots. Dynamic interfaces exist only while a particular CAP is connected to CAPsMAN.

CAPsMAN Global Configuration

Sub-menu: /caps-man manager


Settings to control CAPsMAN functionality are found in /caps-man manager menu:

Property - Description
enabled (yes | no; Default: no) - Disable or enable CAPsMAN functionality
certificate (auto | certificate name | none; Default: none) - Device certificate
ca-certificate (auto | certificate name | none; Default: none) - Device CA certificate
require-peer-certificate (yes | no; Default: no) - Require all connecting CAPs to have a valid certificate
package-path (string; Default: ) - Folder location for the RouterOS packages. For example, use '/upgrade' to specify the upgrade folder from the files section. If an empty string is set, CAPsMAN can use built-in RouterOS packages; note that in this case only CAPs with the same architecture as CAPsMAN will be upgraded.
upgrade-policy (none | require-same-version | suggest-same-version; Default: none) - Upgrade policy options
  • none - do not perform upgrade
  • require-same-version - CAPsMAN suggests to upgrade the CAP RouterOS version and if it fails it will not provision the CAP. (Manual provision is still possible)
  • suggest-same-version - CAPsMAN suggests to upgrade the CAP RouterOS version and if it fails it will still be provisioned

CAPsMAN AAA Configuration

Sub-menu: /caps-man aaa


Settings to configure CAPsMAN AAA functionality are found in /caps-man aaa menu:

Property - Description
mac-format (string; Default: XX:XX:XX:XX:XX:XX) - Controls how MAC address of the client is encoded by Access Point in the User-Name attribute of the MAC authentication and MAC accounting RADIUS requests.
mac-mode (as-username | as-username-and-password; Default: as-username) - By default Access Point uses an empty password when sending Access-Request during MAC authentication. When this property is set to as-username-and-password, Access Point will use the same value for User-Password attribute as for the User-Name attribute.
mac-caching (disabled | time-interval; Default: disabled) - If this value is set to time interval, the Access Point will cache RADIUS MAC authentication responses for specified time, and will not contact RADIUS server if matching cache entry already exists. Value disabled will disable cache, Access Point will always contact RADIUS server.
interim-update (disabled | time-interval; Default: disabled) - When RADIUS accounting is used, Access Point periodically sends accounting information updates to the RADIUS server. This property specifies default update interval that can be overridden by the RADIUS server using the Acct-Interim-Interval attribute.
called-format (mac | mac:ssid | ssid; Default: mac:ssid) - Format of how the 'called-id' identifier will be passed to RADIUS. When configuring radius server clients, you can specify 'called-id' in order to separate multiple entries.

Example

This example assumes that the rest of the settings are already configured and only the 'Security' part is left.

Radius authentication with one server

1. Create CAPsMAN security configuration

2. Configure Radius server client

3. Assign the configuration to your master profile (or directly to CAP itself)


Radius authentication with different radius servers for each SSID

1. Create CAPsMAN security configuration

2. Configure AAA settings

3. Configure Radius server clients

4. Assign the configuration to your master profile (or directly to CAP itself)

Now everyone connecting to CAPs with ssid=SSID1 will have their RADIUS authentication requests sent to x.x.x.x, and everyone connecting to CAPs with ssid=SSID2 will have their RADIUS authentication requests sent to y.y.y.y.

Radio Provisioning

Sub-menu: /caps-man provisioning


CAPsMAN distinguishes between CAPs based on a common-name identifier. The identifier is generated based on the following rules:

  • if CAP provided a certificate, the identifier is set to the Common Name field in the certificate
  • otherwise identifier is based on Base-MAC provided by CAP in the form: '[XX:XX:XX:XX:XX:XX]'.

When the DTLS connection with CAP is successfully established (which means that CAP identifier is known and valid), CAPsMAN makes sure there is no stale connection with CAP using the same identifier. Currently connected CAPs are listed in /caps-man remote-cap menu:

CAPsMAN distinguishes between actual wireless interfaces (radios) based on their builtin MAC address (radio-mac). This implies that it is impossible to manage two radios with the same MAC address on one CAPsMAN. Radios currently managed by CAPsMAN (provided by connected CAPs) are listed in /caps-man radio menu:

When CAP connects, CAPsMAN at first tries to bind each CAP radio to CAPsMAN master interface based on radio-mac. If an appropriate interface is found, radio gets set up using master interface configuration and configuration of slave interfaces that refer to particular master interface. At this moment interfaces (both master and slaves) are considered bound to radio and radio is considered provisioned.

If no matching master interface for radio is found, CAPsMAN executes 'provisioning rules'. Provisioning rules are an ordered list of rules that contain settings that specify which radio to match and settings that specify what action to take if a radio matches.


Provisioning rules for matching radios are configured in /caps-man provisioning menu:

Property - Description
action (create-disabled | create-enabled | create-dynamic-enabled | none; Default: none) - Action to take if the rule matches, specified by one of the following settings:
  • create-disabled - create disabled static interfaces for radio. I.e., the interfaces will be bound to the radio, but the radio will not be operational until the interface is manually enabled;
  • create-enabled - create enabled static interfaces. I.e., the interfaces will be bound to the radio and the radio will be operational;
  • create-dynamic-enabled - create enabled dynamic interfaces. I.e., the interfaces will be bound to the radio, and the radio will be operational;
  • none - do nothing, leaves radio in non-provisioned state;
comment (string; Default: ) - Short description of the Provisioning rule
common-name-regexp (string; Default: ) - Regular expression to match radios by common name. Each CAP's common name identifier can be found under '/caps-man radio' as value 'REMOTE-CAP-NAME'
hw-supported-modes (a | a-turbo | ac | an | b | g | g-turbo | gn; Default: ) - Match radios by supported wireless modes
identity-regexp (string; Default: ) - Regular expression to match radios by router identity
ip-address-ranges (IpAddressRange[,IpAddressRanges] max 100x; Default: ) - Match CAPs with IPs within configured address range.
master-configuration (string; Default: ) - If action specifies to create interfaces, then a new master interface with its configuration set to this configuration profile will be created
name-format (cap | identity | prefix | prefix-identity; Default: cap) - Specifies the syntax used to create the CAP interface name
  • cap - default name
  • identity - CAP boards system identity name
  • prefix - name from the name-prefix value
  • prefix-identity - name from the name-prefix value and the CAP boards system identity name
name-prefix (string; Default: ) - Name prefix which can be used in the name-format for creating the CAP interface names
radio-mac (MAC address; Default: 00:00:00:00:00:00) - MAC address of radio to be matched, empty MAC (00:00:00:00:00:00) means match all MAC addresses
slave-configurations (string; Default: ) - If action specifies to create interfaces, then a new slave interface for each configuration profile in this list is created.

Note: If no rule matches radio, then implicit default rule with action create-enabled and no configurations set is executed.
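A model of the identifier and rule evaluation described above, showing what happens to a radio from a CAP that presents no certificate when no rule matches, and how an explicit final rule with action none changes that. This is an added example, not CAPsMAN's own code; the sample radios and rules are constructed, and it assumes that the first matching rule wins, that an unset property matches everything, and that Python's re.search stands in for RouterOS regular expression matching.

```python
import re

ZERO_MAC = "00:00:00:00:00:00"
# Implicit default rule from the note above: create-enabled, no configurations.
IMPLICIT_DEFAULT = {"action": "create-enabled", "master-configuration": ""}


def cap_identifier(cert_common_name, base_mac):
    """Certificate CommonName if the CAP provided one, else '[Base-MAC]'."""
    return cert_common_name if cert_common_name else "[%s]" % base_mac.upper()


def rule_matches(rule, radio):
    """True if every matcher that is set on the rule accepts the radio."""
    mac = rule.get("radio-mac", ZERO_MAC)
    if mac != ZERO_MAC and mac.upper() != radio["radio-mac"].upper():
        return False
    cn_re = rule.get("common-name-regexp", "")
    if cn_re and not re.search(cn_re, radio["common-name"]):
        return False
    id_re = rule.get("identity-regexp", "")
    if id_re and not re.search(id_re, radio["identity"]):
        return False
    return True


def provision(rules, radio):
    """Return the rule that decides this radio (assumed: first match wins)."""
    for rule in rules:
        if rule_matches(rule, radio):
            return rule
    return IMPLICIT_DEFAULT


# Constructed sample data (not from the page).
RULES = [
    {"common-name-regexp": "^CAP-", "action": "create-dynamic-enabled",
     "master-configuration": "cfg-office"},
]
# Same rules plus an explicit catch-all that leaves other radios unprovisioned.
RULES_WITH_CATCH_ALL = RULES + [{"radio-mac": ZERO_MAC, "action": "none"}]

KNOWN_RADIO = {
    "radio-mac": "AA:BB:CC:00:00:01",
    "identity": "cap-floor1",
    "common-name": cap_identifier("CAP-AABBCC000001", "AA:BB:CC:00:00:01"),
}
UNKNOWN_RADIO = {
    "radio-mac": "AA:BB:CC:00:00:99",
    "identity": "MikroTik",
    "common-name": cap_identifier(None, "aa:bb:cc:00:00:99"),
}

if __name__ == "__main__":
    for radio in (KNOWN_RADIO, UNKNOWN_RADIO):
        print(radio["common-name"],
              provision(RULES, radio)["action"],
              provision(RULES_WITH_CATCH_ALL, radio)["action"])
```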


To get the active provisioning matchers:

For user's convenience there are commands that allow the re-execution of the provisioning process for some radio or all radios provided by some AP:

and

Interface Configuration

Sub-menu: /caps-man interface


CAPsMAN interfaces are managed in /caps-man interface menu:

Master Configuration Profiles

Sub-menu: /caps-man configuration


Configuration profiles permit pre-defined 'top level' master settings to be applied to CAP radios being provisioned.


Configuration Profiles are configured in /caps-man configuration menu:

PropertyDescription
channel (list; Default: )User defined list taken from Channel names (/caps-man channels)
channel.band (2ghz-b 2ghz-b/g 2ghz-b/g/n 2ghz-onlyg 2ghz-onlyn 5ghz-a 5ghz-a/n 5ghz-onlyn 5ghz-a/n/ac 5ghz-only-ac; Default: )Defines set of used channels.
channel.control-channel-width (40mhz-turbo 20mhz 10mhz 5mhz; Default: )Defines set of used channel widths.
channel.extension-channel (Ce Ceee eC eCee eeCe eeeC xx xxxx disabled; Default: )Extension channel configuration. (E.g. Ce = extension channel is above Control channel, eC = extension channel is below Control channel)
channel.frequency (integer [0..4294967295]; Default: )Channel frequency value in MHz on which AP will operate. If left blank, CAPsMAN will automatically determine the best frequency that is least occupied.
channel.reselect-interval (time [00:00:00]; Default: )Interval after which least occupied frequency is chosen. Works only if channel.frequency is left blank.
channel.save-selected (yes no; Default: no)If channel frequency is chosen automatically and channel.reselect-interval is used, then saves the last picked frequency.
channel.secondary-frequency (integer [0..4294967295]; Default: auto)Specifies the second frequency that will be used for 80+80MHz configuration. Set it to Disabled in order to disable 80+80MHz capability.
channel.skip-dfs-channels (yes no; Default: no)If channel.frequency is left blank, the selection will skip DFS channels
channel.tx-power (integer [-30..40]; Default: )TX Power for CAP interface (for the whole interface not for individual chains) in dBm. It is not possible to set higher than allowed by country regulations or interface. By default max allowed by country or interface is used.
channel.width (; Default: )Sets Channel Width in MHz.
comment (string; Default: )Short description of the Configuration profile
country (name of the country no_country_set; Default: no_country_set)Limits available bands, frequencies and maximum transmit power for each frequency. Also specifies default value of scan-list. Value no_country_set is an FCC compliant set of channels.
datapath (list; Default: )User defined list taken from Datapath names (/caps-man datapath)
datapath.bridge (list; Default: )Bridge to which particular interface should be automatically added as port. Required only when local-forwarding is not used.
datapath.bridge-cost (integer [0..4294967295]; Default: )bridge port cost to use when adding as bridge port
datapath.bridge-horizon (integer [0..4294967295]; Default: )bridge horizon to use when adding as bridge port
datapath.client-to-client-forwarding (yes no; Default: no)controls if client-to-client forwarding between wireless clients connected to interface should be allowed, in local forwarding mode this function is performed by CAP, otherwise it is performed by CAPsMAN
datapath.interface-list (; Default: )
datapath.l2mtu (; Default: )set Layer2 MTU size
datapath.local-forwarding (yes no; Default: no)Controls forwarding mode. If disabled, all L2 and L3 data will be forwarded to CAPsMAN, and further forwarding decisions will be made only then.
Note, if disabled, make sure that each CAP interface MAC Address that participates in the same broadcast domain is unique (including local MAC's, like Bridge-MAC).
datapath.mtu (; Default: )set MTU size
datapath.openflow-switch (; Default: )OpenFlow switch port (when enabled) to add interface to
datapath.vlan-id (integer [1..4095]; Default: )VLAN ID to assign to interface if vlan-mode enables use of VLAN tagging
datapath.vlan-mode (use-service-tag use-tag; Default: )Enables and specifies the type of VLAN tag to be assigned to the interface (causes all received data to get tagged with VLAN tag and allows the interface to only send out data tagged with given tag)
disconnect-timeout (; Default: )
distance (; Default: )
frame-lifetime (; Default: )
guard-interval (any long; Default: any)Whether to allow the use of short guard interval (refer to 802.11n MCS specification to see how this may affect throughput). 'any' will use either short or long, depending on data rate, 'long' will use long only.
hide-ssid (yes no; Default: )
  • yes - AP does not include SSID in the beacon frames and does not reply to probe requests that have broadcast SSID.
  • no - AP includes SSID in the beacon frames and replies to probe requests that have broadcast SSID.
This property has effect only in AP mode. Setting it to yes can remove this network from the list of wireless networks that are shown by some client software. Changing this setting does not improve the security of the wireless network, because SSID is included in other frames sent by the AP.
hw-protection-mode (; Default: )
hw-retries (; Default: )
installation (any indoor outdoor; Default: any)
keepalive-frames (enabled disabled; Default: enabled)
load-balancing-group (string; Default: )Tags the interface to the load balancing group. For a client to connect to interface in this group, the interface should have the same number of already connected clients as all other interfaces in the group or smaller. Useful in setups where ranges of CAPs mostly overlap.
max-sta-count (integer [1..2007]; Default: )Maximum number of associated clients.
mode (; Default: ap)Set operational mode. Only ap currently supported.
multicast-helper (default disabled full; Default: default)When set to full multicast packets will be sent with unicast destination MAC address, resolvingmulticast problem on a wireless link. This option should be enabled only on the access point, clients should be configured in station-bridge mode. Available starting from v5.15.
  • disabled - disables the helper and sends multicast packets with multicast destination MAC addresses
  • full - all multicast packet mac address are changed to unicast mac addresses prior sending them out
  • default - default choice that currently is set to disabled. Value can be changed in future releases.
name (string; Default: )Descriptive name for the Configuration Profile
rates (; Default: )User defined list taken from Rates names (/caps-man rates)
rates.basic (1Mbps 2Mbps 5.5Mbps 6Mbps 11Mbps 11Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps; Default: )
rates.supported (1Mbps 2Mbps 5.5Mbps 6Mbps 11Mbps 11Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps; Default: )
rates.ht-basic-mcs (list of (mcs-0 mcs-1 mcs-2 mcs-3 mcs-4 mcs-5 mcs-6 mcs-7 mcs-8 mcs-9 mcs-10 mcs-11 mcs-12 mcs-13 mcs-14 mcs-15 mcs-16 mcs-17 mcs-18 mcs-19 mcs-20 mcs-21 mcs-22 mcs-23); Default: mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7)Modulation and Coding Schemes that every connecting client must support. Refer to 802.11n for MCS specification.
rates.ht-supported-mcs (list of (mcs-0 mcs-1 mcs-2 mcs-3 mcs-4 mcs-5 mcs-6 mcs-7 mcs-8 mcs-9 mcs-10 mcs-11 mcs-12 mcs-13 mcs-14 mcs-15 mcs-16 mcs-17 mcs-18 mcs-19 mcs-20 mcs-21 mcs-22 mcs-23); Default: mcs-0; mcs-1; mcs-2; mcs-3; mcs-4; mcs-5; mcs-6; mcs-7; mcs-8; mcs-9; mcs-10; mcs-11; mcs-12; mcs-13; mcs-14; mcs-15; mcs-16; mcs-17; mcs-18; mcs-19; mcs-20; mcs-21; mcs-22; mcs-23)Modulation and Coding Schemes that this device advertises as supported. Refer to 802.11n for MCS specification.
rates.vht-basic-mcs (none MCS 0-7 MCS 0-8 MCS 0-9; Default: none)Modulation and Coding Schemes that every connecting client must support. Refer to 802.11ac for MCS specification.

You can set MCS interval for each of Spatial Stream

  • none - will not use selected Spatial Stream
  • MCS 0-7 - client must support MCS-0 to MCS-7
  • MCS 0-8 - client must support MCS-0 to MCS-8
  • MCS 0-9 - client must support MCS-0 to MCS-9
rates.vht-supported-mcs (none MCS 0-7 MCS 0-8 MCS 0-9; Default: none)Modulation and Coding Schemes that this device advertises as supported. Refer to 802.11ac for MCS specification.

You can set MCS interval for each of Spatial Stream

  • none - will not use selected Spatial Stream
  • MCS 0-7 - devices will advertise as supported MCS-0 to MCS-7
  • MCS 0-8 - devices will advertise as supported MCS-0 to MCS-8
  • MCS 0-9 - devices will advertise as supported MCS-0 to MCS-9
rx-chains (list of integer [0..3]; Default: 0) - Which antennas to use for receive.
security (string; Default: none) - Name of security configuration from /caps-man security
security.authentication-types (list of string; Default: none) - Specify the type of Authentication from wpa-psk, wpa2-psk, wpa-eap or wpa2-eap
security.disable-pmkid (; Default: )
security.eap-methods (eap-tls | passthrough; Default: none)
  • eap-tls - Use built-in EAP TLS authentication.
  • passthrough - Access point will relay authentication process to the RADIUS server.
security.eap-radius-accounting (; Default: ) - Specifies if RADIUS traffic accounting should be used if RADIUS authentication gets done for this client
security.encryption (aes-ccm | tkip; Default: ) - Set type of unicast encryption algorithm used
security.group-encryption (aes-ccm | tkip; Default: aes-ccm) - Access Point advertises one of these ciphers, multiple values can be selected. Access Point uses it to encrypt all broadcast and multicast frames. Client attempts connection only to Access Points that use one of the specified group ciphers.
  • tkip - Temporal Key Integrity Protocol - encryption protocol, compatible with legacy WEP equipment, but enhanced to correct some of the WEP flaws.
  • aes-ccm - more secure WPA encryption protocol, based on the reliable AES (Advanced Encryption Standard). Networks free of WEP legacy should use only this cipher.
security.group-key-update (time: 30s..1h; Default: 5m) - Controls how often Access Point updates the group key. This key is used to encrypt all broadcast and multicast frames. This property only has effect for Access Points.
security.passphrase (string; Default: ) - WPA or WPA2 pre-shared key
security.tls-certificate (none | name; Default: ) - Access Point always needs a certificate when security.tls-mode is set to value other than no-certificates.
security.tls-mode (verify-certificate | dont-verify-certificate | no-certificates | verify-certificate-with-crl; Default: ) - This property has effect only when security.eap-methods contains eap-tls.
  • verify-certificate - Require remote device to have valid certificate. Check that it is signed by known certificate authority. No additional identity verification is done. Certificate may include information about time period during which it is valid. If router has incorrect time and date, it may reject valid certificate because router's clock is outside that period. See also the Certificates configuration.
  • dont-verify-certificate - Do not check certificate of the remote device. Access Point will not require client to provide certificate.
  • no-certificates - Do not use certificates. TLS session is established using 2048 bit anonymous Diffie-Hellman key exchange.
  • verify-certificate-with-crl - Same as verify-certificate but also checks if the certificate is valid by checking the Certificate Revocation List.
ssid (string (0..32 chars); Default: ) - SSID (service set identifier) is a name broadcast in the beacons that identifies wireless network.
tx-chains (list of integer [0..3]; Default: 0) - Which antennas to use for transmit.
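
The security.* properties above can be checked mechanically. The following is an added example, not part of the original manual: it reads a RouterOS-style export and flags tkip ciphers, tls-mode values that skip certificate verification (only when eap-methods contains eap-tls, as the table states) and security profiles with no authentication type. The export text is constructed, and treating the WPA1 types as legacy is this example's own rule rather than something the table says.

```python
import shlex

LEGACY_AUTH = {"wpa-psk", "wpa-eap"}  # WPA1 variants (assumption of this example)
WEAK_TLS_MODES = {"dont-verify-certificate", "no-certificates"}

# Constructed sample shaped like a RouterOS export; not taken from a real device.
SAMPLE_EXPORT = r"""
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=wpa2psk
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm,tkip name=legacy
add authentication-types=wpa2-eap eap-methods=eap-tls encryption=aes-ccm name=eap \
    tls-mode=dont-verify-certificate
add name=guest
/caps-man configuration
add name=master-cfg security=wpa2psk security.group-encryption=tkip ssid=master
"""


def parse_export(text):
    """Yield (menu, properties) for each 'add' line, joining wrapped lines."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # long export lines continue after a backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)


def as_set(value):
    """Split a comma-separated RouterOS list value into a set."""
    return {item for item in value.split(",") if item}


def audit_security(text):
    """Return (profile name, property, finding) tuples for weak settings."""
    findings = []
    for menu, props in parse_export(text):
        if menu == "/caps-man security":
            sec, inline = props, False
        elif menu == "/caps-man configuration":
            # Inline overrides carry the "security." prefix in this menu.
            prefix = "security."
            sec = {k[len(prefix):]: v for k, v in props.items() if k.startswith(prefix)}
            inline = True
        else:
            continue
        name = props.get("name", "?")
        auth = as_set(sec.get("authentication-types", ""))
        # An inline override may inherit its types from the referenced profile,
        # so only a standalone security profile is reported as open.
        if not inline and not auth:
            findings.append((name, "authentication-types", "none set: open network"))
        for legacy in sorted(auth & LEGACY_AUTH):
            findings.append((name, "authentication-types", "legacy " + legacy))
        for prop in ("encryption", "group-encryption"):
            if "tkip" in as_set(sec.get(prop, "")):
                findings.append((name, prop, "tkip enabled"))
        # tls-mode only has effect when eap-methods contains eap-tls.
        if "eap-tls" in as_set(sec.get("eap-methods", "")):
            mode = sec.get("tls-mode", "")
            if mode in WEAK_TLS_MODES:
                findings.append((name, "tls-mode", mode + ": peer certificate not verified"))
    return findings
```
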

Channel Groups

Sub-menu: /caps-man channels


Channel group settings allow for the configuration of lists of radio channel related settings, such as radio band, frequency, Tx power, extension channel and width.

Channel group settings are configured in the Channels profile menu /caps-man channels

Property - Description
band (2ghz-b | 2ghz-b/g | 2ghz-b/g/n | 2ghz-onlyg | 2ghz-onlyn | 5ghz-a | 5ghz-a/n | 5ghz-onlyn; Default: ) - Define operational radio frequency band and mode taken from hardware capability of wireless card
comment (string; Default: ) - Short description of the Channel Group profile
extension-channel (Ce | Ceee | eC | eCee | eeCe | eeeC | disabled; Default: ) - Extension channel configuration. (E.g. Ce = extension channel is above Control channel, eC = extension channel is below Control channel)
frequency (integer [0..4294967295]; Default: ) - Channel frequency value in MHz on which AP will operate.
name (string; Default: ) - Descriptive name for the Channel Group Profile
tx-power (integer [-30..40]; Default: ) - TX Power for CAP interface (for the whole interface not for individual chains) in dBm. It is not possible to set higher than allowed by country regulations or interface. By default max allowed by country or interface is used.
width (; Default: ) - Sets Channel Width in MHz. (E.g. 20, 40)
save-selected (; Default: yes) - Saves selected channel for the CAP Radio - will select this channel after the CAP reconnects to CAPsMAN and use it till the channel Re-optimize is done for this CAP.

Datapath Configuration

Sub-menu: /caps-man datapath


Datapath settings control data forwarding related aspects. On CAPsMAN datapath settings are configured in datapath profile menu /caps-man datapath or directly in a configuration profile or interface menu as settings with datapath. prefix.

There are 2 major forwarding modes:

  • local forwarding mode, where CAP is locally forwarding data to and from wireless interface
  • manager forwarding mode, where CAP sends to CAPsMAN all data received over wireless and only sends out the wireless data received from CAPsMAN. In this mode even client-to-client forwarding is controlled and performed by CAPsMAN.

Forwarding mode is configured on a per-interface basis - so if one CAP provides 2 radio interfaces, one can be configured to operate in local forwarding mode and the other in manager forwarding mode. The same applies to Virtual-AP interfaces - each can have different forwarding mode from master interface or other Virtual-AP interfaces.

Most of the datapath settings are used only when in manager forwarding mode, because in local forwarding mode CAPsMAN does not have control over data forwarding.

There are the following datapath settings:

  • bridge -- bridge interface to add interface to, as a bridge port, when enabled
  • bridge-cost -- bridge port cost to use when adding as bridge port
  • bridge-horizon -- bridge horizon to use when adding as bridge port
  • client-to-client-forwarding -- controls if client-to-client forwarding between wireless clients connected to interface should be allowed, in local forwarding mode this function is performed by CAP, otherwise it is performed by CAPsMAN.
  • local-forwarding -- controls forwarding mode
  • openflow-switch -- OpenFlow switch to add interface to, as port when enabled
  • vlan-id -- VLAN ID to assign to interface if vlan-mode enables use of VLAN tagging
  • vlan-mode -- VLAN tagging mode specifies if VLAN tag should be assigned to interface (causes all received data to get tagged with VLAN tag and allows interface to only send out data tagged with given tag)

Local Forwarding Mode

In this mode wireless interface on CAP behaves as a normal interface and takes part in normal data forwarding. Wireless interface will accept/pass data to networking stack on CAP. CAPsMAN will not participate in data forwarding and will not process any of data frames, it will only control interface configuration and client association process.

Wireless interface on CAP will change its configuration to 'enabled' and its state and some relevant parameters (e.g. mac-address, arp, mtu) will reflect that of the interface on CAPsMAN. Note that wireless related configuration will not reflect actual interface configuration as applied by CAPsMAN:

Virtual-AP interfaces in local forwarding mode will appear as enabled and dynamic Virtual-AP interfaces:

The fact that Virtual-AP interfaces are added as dynamic, somewhat limits static configuration possibilities on CAP for data forwarding, such as assigning addresses to Virtual-AP interface. This does not apply to master wireless interface.

To overcome this it is possible to use the static-virtual setting on the CAP which will create Static Virtual Interfaces instead of Dynamic and allows the possibility to assign IP configuration to those interfaces. MAC address is used to remember each static-interface when applying the configuration from the CAPsMAN. If two or more static interfaces will have the same MAC address the configuration could be applied in random order.

To facilitate data forwarding configuration, CAP can be configured with bridge to which interfaces are automatically added as ports when interfaces are enabled by CAPsMAN. This can be done in /interface wireless cap menu.

Manager Forwarding Mode

In this mode CAP sends all data received over wireless to CAPsMAN and only sends out over wireless, data received from CAPsMAN. CAPsMAN has full control over data forwarding including client-to-client forwarding. Wireless interface on CAP is disabled and does not participate in networking:

Virtual-AP interfaces are also created as 'disabled' and do not take part in data forwarding on CAP.

Access List

Sub-menu: /caps-man access-list


Access list on CAPsMAN is an ordered list of rules that is used to allow/deny clients to connect to any CAP under CAPsMAN control. When client attempts to connect to a CAP that is controlled by CAPsMAN, CAP forwards that request to CAPsMAN. As a part of registration process, CAPsMAN consults access list to determine if client should be allowed to connect. The default behaviour of the access list is to allow connection.

Access list rules are processed one by one until a matching rule is found. Then the action in the matching rule is executed. If the action specifies that the client should be accepted, the client is accepted, potentially overriding its default connection parameters with the ones specified in the access list rule.

Access list is configured in /caps-man access-list menu. There are the following parameters for access list rules:

  • client matching parameters:
    • address - MAC address of client
    • mask - MAC address mask to apply when comparing client address
    • interface - optional interface to compare with interface to which client actually connects to
    • time - time of day and days when rule matches
    • signal-range - range in which client signal must fit for rule to match
    • allow-signal-out-of-range - option which permits client's signal to be out of the range always or for some time interval
  • action parameter - specifies action to take when client matches:
    • accept - accept client
    • reject - reject client
    • query-radius - query RADIUS server if particular client is allowed to connect
  • connection parameters:
    • ap-tx-limit - tx speed limit in direction to client
    • client-tx-limit - tx speed limit in direction to AP (applies to RouterOS clients only)
    • client-to-client-forwarding - specifies whether to allow forwarding data received from this client to other clients connected to the same interface
    • private-passphrase - PSK passphrase to use for this client if some PSK authentication algorithm is used
    • radius-accounting - specifies if RADIUS traffic accounting should be used if RADIUS authentication gets done for this client
    • vlan-mode - VLAN tagging mode specifies if traffic coming from client should get tagged (and untagged when going to client).
    • vlan-id - VLAN ID to use if doing VLAN tagging.
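
The rule processing described above, as an added example that is not part of the original manual: first matching rule wins, and a client that matches no rule is accepted. The MAC addresses and rules are constructed; the "low..high" form of signal-range and the all-ones mask used when a rule has no mask are assumptions, and the time and allow-signal-out-of-range parameters are not modelled.

```python
def mac_to_int(mac):
    """Convert 'AA:BB:CC:DD:EE:FF' to a 48-bit integer."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def rule_matches(rule, mac, interface, signal):
    """True when every client matching parameter present in the rule fits."""
    if "address" in rule:
        # Assumption: a rule without a mask compares the full address.
        mask = mac_to_int(rule.get("mask", "FF:FF:FF:FF:FF:FF"))
        if (mac_to_int(mac) & mask) != (mac_to_int(rule["address"]) & mask):
            return False
    if "interface" in rule and rule["interface"] != interface:
        return False
    if "signal-range" in rule:
        # Assumption: the range is written as "low..high" in dBm.
        low, high = (int(v) for v in rule["signal-range"].split(".."))
        if not low <= signal <= high:
            return False
    return True


def evaluate(rules, mac, interface, signal):
    """Return (action, index of the matching rule) for a connecting client.

    Rules are checked in order and the first match decides. When nothing
    matches the result is ("accept", None): the default is to allow.
    """
    for index, rule in enumerate(rules):
        if rule_matches(rule, mac, interface, signal):
            return rule["action"], index
    return "accept", None


# Constructed rule set: allow one address prefix, reject weak-signal clients,
# then reject everything else so the default accept is never reached.
RULES = [
    {"address": "AA:BB:CC:00:00:00", "mask": "FF:FF:FF:00:00:00", "action": "accept"},
    {"signal-range": "-120..-81", "action": "reject"},
    {"action": "reject"},
]

if __name__ == "__main__":
    for mac, signal in [("AA:BB:CC:12:34:56", -60), ("11:22:33:44:55:66", -50)]:
        print(mac, signal, evaluate(RULES, mac, "cap1", signal))
    # Without the final catch-all rule the unknown client is accepted.
    print(evaluate(RULES[:2], "11:22:33:44:55:66", "cap1", -50))
```

An access list made only of accept rules restricts nothing, because unmatched clients fall through to the default accept; the final catch-all reject is what turns it into an allow-list.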

Registration Table

Sub-menu: /caps-man registration-table


Registration table contains a list of clients that are connected to radios controlled by CAPsMAN and is available in /caps-man registration-table menu:

Examples

Basic configuration with master and slave interface

Create security profile for WPA2 PSK, without specifying passphrase:

Create configuration profile to be used by master interface

  • specify WPA2 passphrase in configuration
  • specify channel settings in configuration:

Create configuration profile to be used by virtual AP interface

  • specify different WPA2 passphrase in configuration:

Create provisioning rule that matches any radio and creates dynamic interfaces using master-cfg and slave-cfg:

Now when AP connects and is provisioned 2 dynamic interfaces (one master and one slave) will get created:

Consider an AP that does not support the configured frequency: it connects but cannot become operational:

We can override channel settings for this particular radio in interface settings, without affecting master-cfg profile:

Allow Specific MAC address range to match the Access-list, for example, match all the Apple devices:

Configuring DHCP Server Option 138 for setting the CAPsMAN address on the CAP boards

The DHCP client will see this CAPsMAN IP in '/ip dhcp-client print detail'

Configuration with certificates

You would want to configure certificates in your CAPsMAN to use options such as Require Peer Certificate and Lock To Caps Man. These options increase security and in some cases stability of your CAPsMAN network. CAPs won't connect to CAPsMAN without a specific certificate and vice versa.

Fast and easy configuration

This is a basic configuration for using certificates in your CAPsMAN setup. This example assumes that you already have basic configuration on your CAPsMAN and CAP. It is best to use this configuration in CAPsMAN networks which are not constantly growing. For more details read about CAP to CAPsMAN Connection.

CAPsMAN device:

In CAPsMAN Manager menu set Certificate and CA Certificate to auto:

Print output:

CAPsMAN device first will generate CA-Certificate and then it will generate Certificate which depends on CA-Certificate.

CAP device:

Set in CAP configuration to request certificate:

CAP will connect to CAPsMAN and request a certificate. CAP will receive the CA-Certificate from CAPsMAN and another certificate will be created for use on CAP.

In Result

On CAP device in CAP menu Requested Certificate is set:

Also, two certificates are gained and are seen in Certificate menu:

On CAPsMAN device in Certificate menu three certificates are created. CAPsMAN and CAPsMAN-CA certificates, as well as a certificate which is issued to CAP:

Additionally

If you want to allow only CAPs with a valid certificate to connect to this CAPsMAN you can set Require Peer Certificate to yes on CAPsMAN device:

However, when you want to add new CAP devices to your CAPsMAN network you will have to set this option to no and then back to yes after the CAP has gained certificates. Every time you change this option CAPsMAN will drop all dynamic interfaces and CAPs will try to connect again.

If you want to lock CAP to specific CAPsMAN and be sure it won't connect to other CAPsMANs you should set option Lock To CAPsMAN to yes. Additionally, you can specify CAPsMAN to lock to by setting CAPsMAN Certificate Common Names on CAP device:

Manual certificates and issuing with SCEP

With this example, you can create your own certificates for CAPsMAN and take control over issuing certificates to CAPs. This configuration can be useful in big, growing CAPsMAN networks. Many segments of this example can be done differently depending on your situation and needs. At this point, some knowledge about Certificates and their application can be useful.

CAPsMAN device:

In Certificate menu add certificate templates for CA certificate and CAPsMAN server certificate:

Now sign the certificate templates. First sign the CA certificate and use CAPsMAN device IP as CA CRL Host:

Alternatively, previous two steps can be done with auto setting in Certificate and CA-Certificate option in CAPsMAN Manager menu, see the Fast and easy configuration.

Export CA certificate. You will have to Import it on CAP device. You can use Download -> Drag&Drop to CAP device, in this example fetch command is used later from CAP device. Using long passphrase is advisable - longer passphrase will take longer to crack if it gets into the wrong hands:

Create SCEP server which will be used to issue and grant certificates to CAP devices:

Set certificates in CAPsMAN Manager menu and set Require Peer Certificate to yes:

At this point, only CAPs with a valid certificate will be able to connect.

CAP device

Download export of CA certificate from CAPsMAN device to CAP device. In this example fetch is used, however, there are multiple other ways:

Import CA certificate from CAPsMAN device in Certificate menu:

Add certificate template for CAP:

Ask CAPsMAN device to grant this certificate with a key using SCEP:

You will have to return to CAPsMAN device to grant key to this certificate.

In CAP menu set just created certificate:

CAPsMAN device:

Return to CAPsMAN device to grant a key to CAP certificate in Certificate Request menu:

In Result

Now CAP should be able to connect to CAPsMAN, see in CAPsMAN interfaces if it connects. In CAPsMAN device Certificate menu three certificates can be seen: CA, CAPsMAN, and the one which is issued to CAP:

In CAP devices Certificate menu two acquired certificates can be seen:

Retrieved from 'https://wiki.mikrotik.com/index.php?title=Manual:CAPsMAN&oldid=34191'

Community Edition 21.3.0

Released on November 29, 2021 (Milestones).
It is free and open source (license).
Also you can get it from the GitHub mirror.

Enterprise Edition 21.2

Released on September 6, 2021
EE version web site: dbeaver.com
Trial version is available.

Windows

  • Chocolatey (choco install dbeaver)

Mac OS X

  • Brew Cask (brew install --cask dbeaver-community)
  • MacPorts (sudo port install dbeaver-community)

Linux

  • Snap (sudo snap install dbeaver-ce)
  • Flatpak (flatpak install flathub io.dbeaver.DBeaverCommunity)

Eclipse Plugin

  • Update site URL: https://dbeaver.io/update/latest/ (Multiplatform)
  • Eclipse Marketplace direct install: https://marketplace.eclipse.org/content/dbeaver
Note: plugin is compatible with Eclipse platform (from Neon to 2020-09). Required plugins: gef and draw2d.

Checksums

Previous versions

Enterprise Edition features:
  • Support of NoSQL databases:
  • Advanced extensions for:
    • Informix
    • Netezza
    • Oracle
    • Redshift
    • Snowflake
    • SQL Server
  • AWS IAM, Kerberos and Active Directory authentication support
  • Advanced security (secure storage for user credentials, configuration encryption, master password, etc)
  • Additional drivers configuration for BigData/Cloud databases (Hadoop).
  • Most popular JDBC drivers are included in distribution and can be used in offline/limited internet access environment.
  • Additional EE plugins:
    • Visual SQL query builder
    • Task scheduler
    • Analytical charts generation
    • Mock data generator
    • Advanced schema compare/migration tools
    • Data compare tool
    • Office formats support (XLS) for data export
    • Advanced SQL execution plan viewer
    • Integrated Git (version control for scripts and configuration)
    • Persistent Query Manager database (allows to track SQL history)
    • Time series charts renderer
    • Eclipse Marketplace (allows to easily install 3rd party plugins)
    • All CE features of course
    • Online customer support
Usually we release a new Minor Community Edition version once per two weeks. Major version is released quarterly (every 3 months). Information about previous releases you can find here.

Tested and verified for MS Windows, Linux and Mac OS X.

Install:

Windows installer – run installer executable. It will automatically upgrade version (if needed).
MacOS DMG – just run it and drag-n-drop DBeaver into Applications.
Debian package – run sudo dpkg -i dbeaver-<version>.deb. Then execute “dbeaver &”.
RPM package – run sudo rpm -ivh dbeaver-<version>.rpm. Then execute “dbeaver &”. Note: to upgrade use “-Uvh” parameter.
ZIP archive – extract archive and run “dbeaver” executable. Do not extract archive over previous version (remove previous version before install).

Upgrade – don’t be afraid to remove previous DBeaver version – your settings won’t be lost. All settings are kept in the separate folder (DBeaverData in user home)

Java notes:
DBeaver requires Java 11 or higher. Since version 7.3.1 all distributions include OpenJDK 11 bundle.
If you want to use your own locally installed Java you may delete folder “jre” in the DBeaver installation folder.


Debian repository:


Ubuntu PPA:
You can use PPA repository to easily install/upgrade DBeaver on Debian Linuxes. Mostly it is the same as regular Debian repo but it is hosted on Launchpad.

Early Access:

You may get latest build (EA version) of DBeaver. Usually it contains all major bug fixes found in current stable version. Just choose the archive corresponding to your OS and hardware from the following folder: EA version downloads.

Source code:

We are on GitHub.
Community Edition sources, issue tracker, older releases, etc: https://github.com/dbeaver/dbeaver

Archive:

All recent DBeaver versions are available in the archive.

CloudBeaver

DBeaver is a desktop application.
If you are looking for a web-based database management system – please check another of our products: CloudBeaver.

It is also open-source and free.