
Last reviewed on February 19th, 2020

Certified Enterprise Wireless Engineer (MTCEWE)


Full Training Syllabus

Duration: 3 days
Objectives: By the end of this training session, the student will be able to understand the major RouterOS enterprise WiFi
features and how WiFi works, and implement CAPsMAN in real-life WiFi setups.
Target Audience: Network engineers and technicians wanting to deploy and support:
• Corporate WiFi networks based on CAPsMAN v2
• Simple Layer 2 wireless bridges using MikroTik 60GHz Wireless Wire Technology

Course prerequisites: MTCNA certificate

THIS DOCUMENT IS FOR TRAINERS ONLY - NOT TO BE PUBLISHED!


BEFORE EDITING ENSURE YOU HAVE 'TRACK CHANGES' and COMMENTS ENABLED!

Trainer Notes:

To enable CAPsMAN labs to work more effectively, it is suggested that each student is supplied with two routers. One can be any model with or
without wireless which they will configure to enable them to obtain internet access through your trainer's network and also act as a CAPsMAN
controller. Then supply an additional second router with at least a dual band 802.11ac capable wireless chipset. One low cost example could be to
supply each student with two hAP ac lite.

Title Objective Details


Module 1: Wireless Introduction
• Wireless routers
• RouterBOARD hardware
• Wireless cards
Show examples of standalone RouterBOARDs with embedded wireless (e.g. the various
cAP and wAP models) versus building an AP using RouterBOARDs and add on PCI type
cards. Explain the benefits of each of those two methods, especially with Regulatory
Certification (CE, FCC, etc.). Cover that some RouterBOARDs have single band radios
and some have two radios and some have dual band radios.

Module 2: RF Wireless Characteristics
• The RF Radio Spectrum and Electromagnetic Energy
Describe the electromagnetic spectrum and where the 2.4GHz, 5GHz and 60GHz bands
are located relative to the visible light spectrum. Show how wavelength and frequency are
inversely proportional. Explain very briefly how an RF electromagnetic field is created from
a changing electrical current in a wire.

• Decibels Explain Decibels and their logarithmic to linear relationship for dBm's and dBi's and the
rules of 3's and 10's.

• Decibels Lab Create a simple Lab / or group game / discussion to convert between various dBm and
mW values to reinforce the learning of the rules of 3's and 10's.
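
A worked version of the conversion exercise, as an added example that is not part of the original syllabus: it breaks a whole-number dBm value into the fewest +/-10 dB and +/-3 dB steps and compares the rule-of-thumb milliwatt figure with the exact one. The function names are illustrative.

```python
"""Rules of 3's and 10's for dBm <-> mW (added example; names are illustrative)."""
import math


def exact_mw(dbm: float) -> float:
    """Exact conversion: P(mW) = 10 ** (dBm / 10)."""
    return 10 ** (dbm / 10)


def exact_dbm(mw: float) -> float:
    """Exact conversion: dBm = 10 * log10(P / 1 mW)."""
    if mw <= 0:
        raise ValueError("power must be positive")
    return 10 * math.log10(mw)


def steps_of_3_and_10(db: int) -> tuple:
    """Return (tens, threes) with 10*tens + 3*threes == db, using the fewest steps.

    A positive count means that many multiplications (x10 or x2), a negative
    count that many divisions. Every whole number of dB can be written this way.
    """
    if db != int(db):
        raise ValueError("the rule of 3's and 10's works on whole dB values")
    db = int(db)
    best = None
    centre = db // 10
    # Valid 'tens' values are 3 apart, so the cheapest one lies within +/-3 of db/10.
    for tens in range(centre - 3, centre + 4):
        rest = db - 10 * tens
        if rest % 3:
            continue
        threes = rest // 3
        cost = abs(tens) + abs(threes)
        if best is None or cost < best[0]:
            best = (cost, tens, threes)
    return best[1], best[2]


def rule_of_thumb_mw(dbm: int) -> float:
    """Milliwatts from 0 dBm = 1 mW, applying x10 per 10 dB and x2 per 3 dB."""
    tens, threes = steps_of_3_and_10(dbm)
    return 10.0 ** tens * 2.0 ** threes


def relative_error(dbm: int) -> float:
    """How far the rule-of-thumb result is from the exact value (0.01 = 1%)."""
    return abs(rule_of_thumb_mw(dbm) - exact_mw(dbm)) / exact_mw(dbm)


def describe(dbm: int) -> str:
    """One line of lab answer sheet: the steps taken and both results."""
    tens, threes = steps_of_3_and_10(dbm)
    steps = ["x10" if tens > 0 else "/10"] * abs(tens)
    steps += ["x2" if threes > 0 else "/2"] * abs(threes)
    chain = " ".join(steps) if steps else "no steps"
    return (f"{dbm:>4} dBm: 1 mW {chain} = {rule_of_thumb_mw(dbm):g} mW "
            f"(exact {exact_mw(dbm):.4g} mW)")


if __name__ == "__main__":
    # Constructed sample values covering typical WiFi transmit powers.
    for value in (-3, 0, 1, 10, 17, 20, 23, 30):
        print(describe(value))
```

Each 3 dB step carries a small rounding error (a factor of 2 is really 3.01 dB), so results that need several 3 dB steps drift by about one percent from the exact figure.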

• Antenna Theory and examples of use
  • Isotropic
  • Directional
  • Omnidirectional
  • Antenna Polarization
Explain very basic theory of antenna radiation propagation, how an EMF field is generated
from an AC current along a simple wire antenna and how the energy expands outward as
an ever expanding sphere to infinity, how EMF consists of an electric and magnetic field at
90 degrees to each other, how polarization is referred to the electric field and the definition
of and purpose of an Isotropic source with regard to Regulatory EIRP calculations (Show
that EIRP is Tx power + Antenna Gain).

Discuss directional properties of the most common types of simple WiFi antennas, such as
the quarter wave omnidirectional internal antenna with the doughnut-like radiation shape,
patch panels for enhanced directivity and dishes for longer distance bridges.

• Initial class setup lab Allow students to connect to a trainer router using CAT5 or wireless through to the internet
via their own router and the trainer's. Ensure students back up this configuration in case
they wish to use this for taking the exam at the end of the course. You may use DHCP to simplify the
initial configuration or get the students to use static IPs.

• Attenuation/absorption and reflective properties of building materials and how they affect radio signals
Explain how the denser the material, the greater the losses through that material which
results in a reduction in coverage distance. Explain how reflections occur on flat surfaces.
Explain how reflections and edge refraction can therefore provide a 'Non Line of Sight'
effect, thus providing coverage into areas not directly covered by an AP. Also cover that
humans absorb RF energy and therefore in very dense deployments (stadium, theater,
concerts) people will absorb the signal and lower the expected coverage compared
to any survey when the location is empty of people.

• 2.4/5GHz Indoor/outdoor cell sizes and transmitter powers
Explain the benefits of small 5GHz cell sizes indoors and how it helps to limit interference
and increase total system throughput, versus using large outdoor cells on 2.4GHz.

Compare the different characteristics between cell sizes of WiFi installation indoors and
outdoor and 2.4GHz versus 5GHz. Explain how 2.4GHz propagates further than 5GHz
which alters cell size. Explain how to use a building's construction to help with limiting cell
size and how a reduced cell size provides less interference and stronger signals due to
lower distances between AP and client.

Explain why 2.4GHz suffers less loss over distance than 5GHz and therefore always
appears stronger to clients unless steps are taken to reduce Tx power on 2.4GHz radios
compared to 5GHz to bring them back to parity on dual band APs.

• Client Roaming Explain that it is the station/client device that chooses when to roam and which other AP to
roam to. Explain a typical roaming decision algorithm and that each vendor does it
differently and many of these methods are not even published by vendors. Study those
published by Apple as example algorithms to discuss. (See
https://support.apple.com/en-us/HT206207 and https://support.apple.com/en-us/HT203068)

Mention 'sticky clients' and how access list rules set to a minimum required signal level
could be an answer.

• RouterOS station roaming
Explain about the 'station roaming' feature, that it is only available in '802.11' mode which
could be used when a RouterOS client is used to connect to a CAPsMAN system. Explain
that when a RouterOS wireless client in station mode is already connected to an AP, it will
periodically perform a background scan with specific time intervals. When the background
scan finds an AP with a better signal this setting will ensure the station device will try to
roam to that new AP. The time intervals between the background scans will become
progressively shorter when the wireless signal becomes worse and become longer when
the currently connected wireless client signal gets better.

• Co-Channel and Adjacent-Channel Interference
Explain how Co-channel and Adjacent Channel interference occurs and explain how 'noise'
from ACI and 802.11 signals from CCI are detected differently especially with CSMA/CA
and also that even a 20MHz channel is actually wider than 20MHz. Provide advice about
using non-overlapping channels.

• Choosing correct Access Point placement
Having already described the problems with CCI between APs and the doughnut like
radiation diagrams of Access Points, explain how it is best to locate APs on ceilings, in the
center of a room, rather than on a wall, how they are best mounted up in the open air
above the users than lower down where they will likely be obstructed by furniture and
people and the beneficial use of directional patch panel type sector antennas for large
outdoor public events.

Explain that we will discuss in more detail later in the course about site surveys and how to
more accurately measure losses through walls and doors etc, which will be important to
knowing the best place to locate an AP in the building so as to provide the required
coverage and performance as it will take the characteristics of the building into account.

• Physical Network Infrastructure
Explain that wireless data rates are constantly increasing and why installations should have
sufficient network cabling and switch infrastructure bandwidth to support those ever
increasing throughput speeds.

• Understanding 'Airtime' and Practical Lab
Explain how airtime is a finite resource and is easily consumed by multiple beacons (one
per SSID per AP), which are always transmitted at the MBR (Minimum Basic Rate); therefore
students should consider removing support for the lower data rates and removing support
for old legacy standards such as 802.11b/g.

• Airtime Lab Create two labs that show the difference in measured throughput when students work in
pairs on empty unoccupied radio channels compared to the whole class using one single
frequency. (Use the new CLI speed-test tool).

Module 3: Wireless Standards
• 802.11a/b/g/n/ac Wireless Protocol
Provide a basic history of the different WiFi standards in use today. Explain how each
standard supports all previous standards (appropriate to the radio band, e.g. 802.11g
supports 802.11b and 802.11n supports 802.11b/g on 2.4GHz and 802.11a on 5GHz).

• 802.11 Standards Features Overview
Explain in simple terms how each standard has developed and evolved with each
incremental change to increase throughput. E.g. that 802.11g introduced OFDM, 802.11n
increased the number of sub-carriers, introduced multiple antennas/chains/streams,
channel bonding and frame aggregation techniques and that 802.11ac brought us even
greater bandwidths up to 160MHz and MU-MIMO. Do not go into too much detail at this
stage as these topics will be expanded on later in the course. (It is just an overview at this
stage).

• Bands, Channels (Frequencies) and Channel Widths
Inform students of the two main radio bands used for WiFi (2.4/5GHz) and how the
channels vary between various countries, highlighting USA/FCC, EU and Japan channels
for 2.4GHz (11/13/14 channels) and for 5GHz where each country can be different, even in
a single region, especially in UNII-3.

Explain about the channel widths of 802.11b/g transmissions and the 802.11n/ac channel
widths of 20, 40, 80 and 160MHz plus which standards introduced which channel widths.
Show the Spectral masks from your region (e.g. ETSI/FCC) that explain that there is no
such thing as a truly 'non overlapping' channel when you also take into account the
permitted spectral shape which is not a vertical edge on each side but a gradual slope.

• Scan List Explain how the default scan list has some frequencies in a bold font which denote them
as being 'standard' frequencies and how that affects the ability of a client to connect if
choosing such a 'non-standard' frequency.

Explain that with DFS, a radar detection will force a new channel selection from the scan
list and not from the frequency field and therefore with DFS one cannot rely on an AP
remaining on the frequency set in the frequency field. Suggest that the scan-list may
require editing to restrict the channels to be chosen from by the DFS scan algorithm.

Explain the CLI and Winbox methods for creating such a new scan-list.

Explain about the new Installation 'any/indoor/outdoor' setting, its purpose and how it
affects the scan-list.

Explain the meaning of the 'auto' frequency setting.

• Modulation schemes and MCS data rates
Starting with 802.11b Prime and working up to 802.11ac, discuss each type of modulation
scheme used by each standard. I.e. BPSK, QPSK and 16-256 QAM.

Show for each modulation scheme the number of bits carried by one symbol (i.e. BPSK =
1 bit per symbol change, 256QAM = 8 bits per symbol) and that this translates into
ever-increasing efficiency but at the expense of reliability.

Show examples of both theoretical IQ constellation diagrams and those with noise and/or
interference to illustrate how difficult it becomes to reliably decode higher orders of QAM
unless the signal to noise ratio is higher than for BPSK.

Explain that BPSK is used for beacons and initial connection to a device due to it being the
most reliable modulation scheme.

Explain in simple terms how OFDM is made from a number of equally spaced sub-carriers
transmitted at a constant symbol rate. That each 802.11 standard (g/a/n/ac) and the
different channel widths modifies the total number of sub-carriers actually used. That there
are also pilot sub-carriers which are only used to calibrate the signal's reception to
compensate for any amplitude and phase changes caused by the transmission
environment (e.g. reflections and the resultant time delays introduced from them) and that
there are some sub-carrier positions that are not used at all (especially at the center).
Therefore not all sub-carriers are used for forwarding data between devices but are for
management.

Provide an overview of how FEC allows the receiver to correct some errors but also has an
impact on throughput. I.e. 1/2 is highly robust, but not as efficient as 5/6 which has a higher
throughput, but a lower robustness against noise and interference.

Discuss that there are two guard intervals, long and short, and that they protect against
inter-symbol interference.

Show how all the different parameters of modulation scheme, number of chains, long and
short guard interval, bandwidths and FEC rate all combine into a large table of MCS data
rates. (Use the website mcsindex.com as an example)

• Channel Bonding
Describe how 802.11n introduced the concept of adjacent channel bonding. Explain the
MikroTik meaning of Ce, eC and XX.

Describe how 80MHz was introduced by 802.11ac and later still 160MHz with Wave2.
Explain the MikroTik meaning of Ceee, eCee, eeCe, eeeC and XXXX. Explain the meaning
of and usage of the 'Secondary Frequency' setting.

Warn that as you double the number of channels bonded together, the transmit power on
each channel decreases by 3dB (to ensure the total power remains the same). This means
that increasing the total channel width from 20MHz to 160MHz decreases the power of the
original 20MHz control channel by 9dB! This in turn also increases the number of other
signals and noise that are received and worsens the signal's SNR. That in turn may
actually lower the data rates thus negating the purpose of increasing the bandwidth in the
first place. It is therefore recommended not to use the much higher bandwidths such as
80MHz and 160MHz on 5GHz unless there are no other signals present.

• Frame Aggregation Provide a high level and simple overview of the two different methods (AMPDU and
AMSDU) of frame aggregation of multiple MSDU data frames into a single MPDU
transmission and explain that 802.11ac now sends all data frames as A-MPDU even if it
only contains a single MSDU. Also explain that all MSDUs included into a single AMPDU
transmission must all be of the same 802.11e QoS priority. Explain the impact on latency
of sending such large AMPDU wireless data frames and thus the reason for MikroTik
providing the "AMPDU Priorities" setting to allow one to select/deselect priorities to be
aggregated (note that the default value is only '0' selected (i.e. "Best Effort")).

Show that the AMSDU limit and AMSDU Threshold values are not normally required to be
changed.

• Chains (SISO, MIMO and MU-MIMO)
Explain in simple terms how legacy systems such as 802.11b only had one antenna and
even with 802.11a/g adding a second antenna only added diversity, therefore were still a
SISO system. SISO systems suffer from multipath and destructive Inter-Symbol
Interference. MIMO systems allow for the signals to be additively combined thus improving
the SNR, and thus in turn, the throughput.

Explain that with 802.11n MIMO allowed up to 4 antennas (chains) and with 802.11ac
Wave 2 it was increased to a max of 8 antennas.

Explain in simple terms that 802.11ac introduced TxBF (Transmit Beam Forming) and that
in Wave2 that allowed for MU-MIMO. Explain about MU-MIMO and why MU-MIMO has not
delivered the promised speed increases.

Explain in simple terms how MIMO MRC (Maximal-ratio combining) allows for a stronger
SNR to be received and how STBC (Space-time Block Code) benefits SISO clients
connected to a MIMO AP.

Explain the system of "Tx:Rx:Streams", e.g. 2x2:2 or 4x4:3 and what each part means.

• CSMA/CA Briefly explain that accessing the wireless medium involves a protocol called CSMA/CA
(not CSMA/CD) and that there are two mechanisms to determine if the channel is
unoccupied, Clear Channel Assessment and Carrier Detect and that after determining the
channel is empty, the radio then waits for a fixed period of time called DIFS and then a
further 'random' period of time calculated from the CCA process and if the channel is still
not busy, is allowed to access the channel.

• HW protection (RTS/CTS)
Describe the RTS/CTS system, discuss how it helps to solve the 'hidden node effect' and
the purpose of setting the 'Hardware Protection Threshold' value.

• Priorities / WMM® Explain that WMM® has 4 priority categories and modifies the DIFS wait time with a system
called AIFS instead. That each AIFS time period is determined from the assigned priority of
the data frame. Mention that the priority cannot be assumed by RouterOS, it must be set
by a mangle rule first.

• Future Standards (802.11ax)
Provide a quick and simple insight into future standards (currently 802.11ax) highlighting
the new features - no depth required, just an overview of what is to come.

Module 4: Country / Regulatory Domain Settings in CAPsMAN
• Antenna Gain and control of maximum EIRP
Explain that MikroTik RouterOS calculates the maximum EIRP from the regulatory
information stored in RouterOS and ensures that the antenna gain set on the CAP is then
added to the transmitter power set so that it cannot exceed the power permitted for the
country code selected.

• Setting Antenna Gain on CAP
Explain the importance of setting the antenna gain onto the CAP before provisioning and
explain that CAPsMAN obtains the antenna gain figure from the CAP when setting Tx
power to ensure compliance with local regulations.

• Antenna Gain on CAP Lab
Create a lab with a very high antenna gain figure (e.g. 10dBi) on the CAP, allow students
to observe the effect on the resultant Tx Power selected by CAPsMAN.

• Selecting the Country Code
Describe the reasons for setting the regulatory domain settings in CAPsMAN Configuration
settings via the 'country' variable and that not configuring them results in the radio
complying with USA FCC rules.

• 'Installation' Setting Explain about the new 'Installation' setting and the differences between 'any', 'indoors' and
'outdoors'. Explain that it is available on both normal wireless and CAPsMAN.

• Country Code and Installation Setting Lab
Create a lab where the students compare the effect on the available channels when
selecting 'US 2.4 5.8' and then another country. Ensure that by the end of the Lab all
students are using the correct country for the location of their training and Installation
Setting (most likely 'indoors').

• Dynamic frequency selection (radar detect)
Discuss that DFS is mandatory on 5GHz in most countries and cannot be disabled and the
very basics of how it operates with two types of Radar monitoring, namely CAC and ISM.
Explain the effect of what occurs when the radio hears a radar and where RouterOS
obtains a selection of frequencies to scan to, to find an alternative frequency, namely
'scan-list' for normal wireless and creating a 'Channel' name with multiple channels as a list
for CAPsMAN.

• DFS Lab Create a lab where the students select different operational frequencies across the 5GHz
band and note the amount of time taken to complete the initial CAC monitoring period
which varies according to local regulatory requirements. (Suggest students enable
'cap,debug' system logging).

Module 5: Non CAPsMAN Wireless Modes
• Extending coverage with repeaters and extenders
Explain the difference between a repeater and an extender. That a repeater replicates all
the SSID and encryption settings of another nearby AP and retransmits every data frame,
whereas an extender connects to another AP similar to a repeater but broadcasts a totally
different SSID and/or encryption type, possibly even on a different radio band.

Explain the wireless repeater 'setup wizard' that enables this. Show that it creates a
bridged AP and a virtual Station Pseudobridge interface on the same physical wlan
interface, thus creating a layer 2 bridged connection between the AP and the station. Show
how the AP must share the same Layer 1 physical properties of the remote AP (same
channel, bandwidth, SSID and encryption if any). Explain that station-bridge will only
reliably connect to other MikroTik based Wireless APs running in 802.11 mode and that to
enable connection to other vendor's wireless systems the station mode should be changed
to 'station-pseudobridge'. Mention that when connecting to a CAPsMAN CAP, Station-
pseudobridge should also be used as CAPsMAN is operating in true '802.11 mode' and
therefore does not support the proprietary MikroTik bridging protocols included in 'AP-
Bridge' and 'Station-Bridge' modes.

Explain how to configure an extender by altering the AP settings to be different to the
remote AP and show that an additional wlan interface on a different band on a dual band
RouterBOARD could also be configured and joined into the bridge to provide better
performance.

Warn about the use of repeaters and wireless extenders instead of cabling a new AP. That
they can significantly increase cell size and increase Co-Channel Interference between the
repeater and the remote AP being repeated (by also instantly halving the airtime due to
data frame re-transmissions).

• Bridging with MikroTik's 60GHz Wireless Wire products
Do not discuss the more complex forms of bridging - this course is 'enterprise wireless' and
should not include more complex setups such as using AP-Bridge<>Station-Bridge or
VPLS, EoIP, WDS, Mesh, StationPseudo Bridge modes etc (leave that for the MTCWE!)

Describe the simplicity and convenience of the 'Wireless Wire' product range and how it
replaces a CAT5 or fiber cable at 1Gbps Full Duplex speeds up to approx 1.5km. Thus not
requiring complex setups on 2.4GHz or 5GHz using other MikroTik Radios. Warn about
the loss of signal due to Oxygen and rain but do not go into depth and do not explain
any configuration.

Explain that alignment is best carried out using just the LEDs on the radios.

Suggest that for longer distance Wireless Wire Dish links, using the solidMOUNT is
preferred.

Module 6: Wireless Security
• Authentication (Open / Shared)
Explain how using Open authentication currently only has a valid purpose for guest
access to hotspots, hotels and Cafe internet connections. Briefly mention the forthcoming
arrival of WPA3™ to ensure such guest connections will be more secure in the future.

• Basic Access list (ACL) management
Discuss the Access List function within RouterOS. Explain how it is processed in order,
from top to bottom and that as soon as a match is found, no further Access Lists are
processed.

Highlight the way in which the default settings on the main wireless interface interact with
the Access Lists rules. That Access Lists are processed first, then the default settings but
only if no match is found.

Connect List rules do not need covering in depth as they are not supported on CAPsMAN
anyway, although a brief mention may be useful for how they can be used to aid the
securing of a Point to Point link.
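
The evaluation order described above, as an added example that is neither RouterOS code nor part of the original syllabus: a simplified Python model of first-match access-list processing with fallback to the interface default, plus an audit helper that flags rules which an earlier, broader rule will answer first. The field names, MAC addresses and signal thresholds are constructed for illustration, including a minimum-signal rule of the kind suggested earlier for 'sticky clients'.

```python
"""First-match access-list model (added example; field names are illustrative,
not RouterOS syntax)."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Rule:
    comment: str
    mac: Optional[str]             # None matches any client MAC
    signal_range: Tuple[int, int]  # inclusive window in dBm
    allow: bool                    # True = client may associate


def _matches(rule: Rule, mac: str, signal_dbm: int) -> bool:
    low, high = rule.signal_range
    mac_ok = rule.mac is None or rule.mac.lower() == mac.lower()
    return mac_ok and low <= signal_dbm <= high


def evaluate(rules: Sequence[Rule], default_allow: bool,
             mac: str, signal_dbm: int) -> Tuple[bool, str]:
    """Walk the list top to bottom; the first matching rule decides.

    Only when no rule matches does the interface default apply.
    """
    for index, rule in enumerate(rules):
        if _matches(rule, mac, signal_dbm):
            return rule.allow, f"rule {index}: {rule.comment}"
    return default_allow, "interface default"


def preempted_rules(rules: Sequence[Rule]) -> List[Tuple[int, int]]:
    """Audit helper: (earlier, later) index pairs where an earlier rule with the
    same or a broader MAC match overlaps the later rule's signal window but
    gives the opposite answer, so the later rule is bypassed for those clients.
    """
    findings = []
    for later_idx, later in enumerate(rules):
        for earlier_idx in range(later_idx):
            earlier = rules[earlier_idx]
            same_or_broader_mac = earlier.mac is None or (
                later.mac is not None
                and earlier.mac.lower() == later.mac.lower())
            ranges_overlap = (earlier.signal_range[0] <= later.signal_range[1]
                              and later.signal_range[0] <= earlier.signal_range[1])
            if same_or_broader_mac and ranges_overlap and earlier.allow != later.allow:
                findings.append((earlier_idx, later_idx))
    return findings


# Constructed sample rules (MAC addresses and thresholds are made up).
ACCEPT_STRONG = Rule("accept clients at -80 dBm or better", None, (-80, 120), True)
REJECT_WEAK = Rule("reject clients weaker than -80 dBm", None, (-120, -81), False)
BLOCK_LAPTOP = Rule("block lost laptop", "aa:bb:cc:00:00:01", (-120, 120), False)

# Weak ordering: the broad accept rule sits above the specific block rule.
WEAK_ORDER = [ACCEPT_STRONG, BLOCK_LAPTOP, REJECT_WEAK]
# Corrected ordering: specific exceptions first, general rules after.
FIXED_ORDER = [BLOCK_LAPTOP, ACCEPT_STRONG, REJECT_WEAK]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_ORDER), ("fixed", FIXED_ORDER)):
        verdict = evaluate(rules, True, "AA:BB:CC:00:00:01", -60)
        print(f"{name:5} order: lost laptop at -60 dBm -> {verdict}")
        print(f"{name:5} order: pre-empted pairs -> {preempted_rules(rules)}")
    # Without a reject rule, a weak client falls through to the default.
    print(evaluate(FIXED_ORDER[:2], True, "aa:bb:cc:00:00:02", -85))
```

With the weak ordering the blocked laptop is admitted whenever its signal is good enough to hit the accept rule first; the last call shows a weak client being admitted by the interface default when no rule rejects it.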

• Encryption (WEP, WPA™ TKIP, WPA2™ AES)
Explain each of the different types of encryption and authentication, how their methods
differ and where to configure their settings in RouterOS.

• Weaknesses of older encryption (WEP / WPA™ TKIP)
Highlight the problems of WEP and the link between WEP and TKIP that use the same
weak RC4 cipher.

Recommend disablement of WPA™ (TKIP) and usage of WPA2™ (AES) only.

• Overview of 802.1X (RADIUS and EAP)
Mention that RouterOS wireless interfaces support 802.1X passthrough to a RADIUS
server for authentication.

Explain the wireless security profile and Radius Server settings required to be configured
on RouterOS to enable a remote RADIUS server to authenticate a wireless client using
802.1X.

Explain that the MAC address can be sent to the RADIUS server in different formats and
must be configured to match the format required by the RADIUS server to ensure success.

There is no requirement to perform a lab to demonstrate this unless the trainer has a
preconfigured RADIUS server they wish to use, therefore do not require the student to
install a RADIUS server for themselves! (Note: v7 User Manager appears to have the
ability to offer 802.1X RADIUS EAP Authentication, therefore at time of launch in Spring
2020 it may be possible to provide a locally installed copy of v7 UM to provide this demo)

• Performance difference of TKIP vs. AES
Explain the speed differences between a wireless connection operating with TKIP and AES
and the reasons why TKIP is slower than AES.

• Mitigating against most common known vulnerabilities of 802.11
Discuss various vulnerabilities of 802.11 such as CVE-2004-0459, PiP attack, the KRACK
Attack, the De-Auth DOS attack, PMKID Attack, Beck-Tews, passphrase dictionary / brute
force attacks, faked 802.11h CSA Frames, fake NAV attack, and WPS PIN vulnerabilities
and their solutions (if there are any). Plus of course simple basic RF Jamming.

(This is not intended to be a MikroTik specific topic or to compare one vendor against
another. Only refer to general problems affecting all 802.11 based wireless systems
including MikroTik due to the inherent design of 802.11.) Solutions can however be
MikroTik specific, for example disabling PMKID, disabling WPS etc.

Module 7: Wireless Troubleshooting
• Troubleshooting wireless clients
Go through the various tools available to troubleshoot wireless problems (listed below)

• Registration table analysis
• TX/RX signal strength
• Signal to Noise Ratio
• CCQ, Frames and HW frames, Hardware retries
• Data rates
• Analyzing the System Log for wireless problems
• Scan, background scan
• Frequency usage
• Snooper
• Sniffer
Examine the most common features available in the registration table and how to add
additional columns. Explain the meaning of the client's Tx and Rx signal strength values (in
all chains if present), SNR and how CCQ is related to Frames, Hardware Frames and
Retries. Also explain the Data Rates status screen and how it can be ordered in 'last seen'
order too.

Explain that enabling wireless and debug system logging can also provide a much larger
quantity of useful information regarding the wireless connection of a client.

Show how scanning for other wireless systems can be performed by the scan and snooper
tools.

The sniffer tool to be only covered in a very basic way! No labs, just a quick overview that
it exists, that you can capture packets on one radio channel constantly or multiple channels
with a dwell time on each, which may result in lost data on one channel while monitoring
another and that the output is Wireshark compatible.

• Wireless Troubleshooting labs
Allow the students time to try out each of the following tools in turn and identify what
information it provides them, ensure students make notes of the results obtained and that
they compare results. E.g. do all students see the same SSIDs and do they see them with
all of the same signal strength. Ask them to question why they get different results. Ask
them if the channel with the least amount of SSIDs, is also the least busy and to question
themselves as to why scanning for the quantity of SSIDs seen on a channel does not
equate to what may be the best channel to operate an AP on. Get the students to note the
signal strengths too and to compare that against frequency usage data.

Get the students to use Background Scanner, Frequency Usage and Wireless Snooper. If
any students have WireShark, allow them to also test out Wireless Sniffer and analyze the
results obtained.

Leave a description of the spectrum analyzer built into RouterOS until the next chapter on
Site surveys

Module 8: Wireless Surveys
• Pre-install site surveys
Explain that a pre-install site survey especially with a spectrum analyzer will reveal future
problems such as potential sources of interference which will cause any installation to fail
to function well. While surveying, one can also locate existing cabling data points and data
cabinet locations and identify if they are working, if they will require upgrading or they will
need additional cabling to support new AP positions.

Demonstrate to the students how to measure the absorption of walls and doors etc by
taking a measurement of an AP on either side of the object and comparing received signal
levels and why by knowing the losses of these objects, we can better plan the placement
of APs later on using predictive software.

Provide a very basic overview of the different software tools available for passive wireless
survey. E.g. Ekahau Site Survey, iBwave, Netspot, Tamograph Site Survey and VisiWave
Site Survey. The purpose of this topic is not to sell the virtues of one vendor's product over
another, but to just highlight some of the reasons why these tools are so very useful. I.e.
that they can passively measure all the 802.11 signals in the two radio bands and plot their
signals as a colored heat map of the rooms / area being surveyed. If you have one or more
of these tools already installed, provide a quick demonstration of previous surveys you
may have conducted.

Discuss APOAS (AP On A Stick) surveys and their usefulness in measuring real coverage
in a building with a Test AP as opposed to using prediction software, especially before any
deployment or installation. Explain how this saves time and expense by ensuring APs are
positioned optimally to provide the coverage required due to the measurements taken
rather than finding out after an install is completed that the coverage is not as good as
hoped, when moving APs or adding new ones can add significantly to the delay in handing
over the installation and it being 'signed off'.

• Spectrum Analysis overview
Provide an overview of the importance of performing a spectral analysis of the site to be
installed. State that Spectrum analyzers are able to identify sources of non-802.11
interference that can have very severe effects on WiFi performance.

Mention that spectral analysis is available on RouterOS when using older 802.11n chipsets
and when utilizing the Dude, the spectrum analyzer tool can be a very effective
diagnostic weapon against sources of interference.

• Spectrum Analysis Lab If using the recommended hAP ac Lite, the 2.4GHz band uses an older 802.11n chipset
and therefore supports Spectrum Analysis. Therefore provide a lab for the students where
they can use this tool. Optionally ask the students to attempt to locate any interference
they may be able to observe.

• Prediction software overview
Provide an overview that predictive software is available and can be very expensive (many
thousands of $). It is never going to be 100% accurate, unless accurate absorption data is
available from a live survey of the walls and doors of the building etc.

• Post-Install Validation Surveys
Explain how any post install validation measurements of coverage and performance should
be conducted on the "least capable, most important" client device and not your own
portable laptop or mobile phone equipment which may have totally different characteristics
to those the customer will use. In environments where the customer has no control over
the device (BYOD environment) then it is recommended to survey with a few different
types of devices to confirm the install is working correctly for the customer's users.

Module 9: CAPsMAN v2

• MikroTik CAPsMAN v2 features
Explain that many vendors provide APs with a simple HTTP web interface and no
centralized controller for an entire wireless network, which is time consuming to configure,
especially with dozens or even hundreds of APs, and which carries a risk of configuration
variations occurring between different APs.

Explain that CAPsMAN solves this problem by providing a centralized solution for
managing multiple APs with one or more easy to create configurations. These
configurations can use minimal settings for simple networks, right up to highly complex
setups.

State that MikroTik initially supported the original CAPWAP protocol (RFC5415) with
CAPsMAN v1, but it lacked support for a number of enhancements and thus MikroTik
introduced CAPsMAN v2 which is incompatible with v1.

Provide a brief overview that CAPsMAN can provide the full auto-provisioning and control
of raw / blank unconfigured CAPs over both Layer 2 and Layer 3. Mention that, optionally,
certificates can also be applied to provide authentication of CAPs and the CAPsMAN
controller(s).

Also briefly explain that data from the CAPs can either be configured to be forwarded
locally onto the LAN where the CAP is located or forwarded via a tunnel back to
CAPsMAN.

Also explain very briefly the RADIUS support for wireless client authentication.

Explain that the number of CAPs is unlimited but that any one single CAP can only have a
maximum of 32 radios and a maximum of 32 interfaces per radio.

• CAP Hardware/Software Requirements
Explain that any RouterOS device (x86, CHR or RouterBOARD) with the wireless package
installed can be a CAPsMAN controller and does not have to have a wireless card installed.

CAPs can be a DIY x86 PC with a Qualcomm Atheros Chipset wireless card(s) or more
preferably a MikroTik RouterBOARD AP.

State that all CAPs must have a L4 license.

• L2 (Broadcast/multicast) vs L3 (via UDP) CAPs communication methods
Describe how a CAP can communicate with CAPsMAN either via Layer 2 or Layer 3. If via
Layer 2 it uses multicast, and if via Layer 3 it uses unicast UDP packets to a pre-configured
IP address.

Explain that when the CAP needs to forward user IPv6 to IPv6 traffic to the CAPsMAN, it
can switch to using UDP-Lite instead of UDP which is used for IPv4.

Explain that user data is unencrypted, unlike the management traffic for the CAP which is
encrypted with DTLS.

Explain that on connecting, before the provisioning process starts, it can optionally check
software versions and upgrade/downgrade the CAP software to be the same as the
CAPsMAN software version. Explain the difference between 'requires same version' and
'suggest same version'.

• Using DHCP Option 138
Describe that when the CAP powers up, and if a DHCP Client is configured, it attempts to
obtain DHCP-Option 138 from the DHCP Server to discover the IP address of the
CAPsMAN.

• Configuration of CAP
  • CAPsMAN Discovery and selection by CAP
Explain that if DHCP Option 138 fails, the CAP attempts to send a broadcast 'Discovery
Request' packet to find a CAPsMAN on Layer 2. If CAPsMAN responds with a suitable
'Discovery Response' packet, the CAP will connect to CAPsMAN and start a DTLS connection.

Explain that if the CAP is configured to connect with a remote CAPsMAN IP Address, then
it uses Layer 3 communications to the unicast address instead but still sends a 'Discovery
Request' and 'Discovery Response' interchange before moving to DTLS.

Explain the mechanism that RouterOS uses to control the situation where more than one
CAPsMAN responds to a CAP's 'Discovery Request' packet.

Describe that once connected, the communications between a CAP and CAPsMAN are kept
alive with 'keep alive' packets and if the CAP loses connection with the CAPsMAN, after
10-20 seconds, all settings are removed from the CAP and any connected clients will be
dropped.

Explain that the security and reliability of the CAPsMAN controller discovery process on a
CAP can be improved by specifying the discovery interface(s).

Describe how a CAP can be provided with an ordered list of CAPsMAN controllers to
connect to either by System ID or Certificate CommonName.

• Authentication and locking by SSL Certificates
Describe the three levels of authentication between a CAP and CAPsMAN: 'none', 'one
way authentication' and 'mutual authentication'.

Describe how CAP and CAPsMAN can check for valid SSL Certificates before permitting
communications to take place between them.

Describe the method by which CAPsMAN and CAPs can initially auto-generate SSL
certificates between them.

Describe how 'Lock To CAPsMAN' functions and the mandatory requirement to use SSL
Certificates to use this feature.

• SSL Authentication and Locking Labs
Create a lab for the students that demonstrates using the auto creation of SSL Certificates
for Authentication and a further lab to demonstrate CAPsMAN locking.

• Auto-Upgrade Feature
Explain how the CAPsMAN can control the automatic upgrade of CAPs by downloading
RouterOS packages directly from CAPsMAN.

• Auto-Upgrade Lab
Provide the students with a lab where they can auto-upgrade their secondary router
via CAPsMAN via the provisioning rule, then get them to re-provision the CAP and test
that it has been upgraded.

• Securing the CAP configuration
Explain that the CAP is open to attack if left unsecured on an open network. Provide basic
advice on securing the CAP in the same way one would secure a router. Give an example
of how CAPs deployed in a hotel are at risk of attack, and of ensuring they are regularly
updated to current RouterOS versions to remove the risk of hotel guests discovering
commonly used user accounts and passwords. Suggest use of RADIUS for authentication.
Disable any unused ports to stop unauthorized physical access. Disable all unused
services such as api, www and telnet, and disable neighbor discovery, MAC-Telnet and
BTest services on any guest accessible interfaces. Disable the reset button!

• CAPsMAN Configuration settings
  • Channels
  • DataPaths
  • Security Configurations
  • Data Rates
Explain the layered approach to configuring CAPsMAN: Channels, Datapaths, Security
Config and Rates settings can be overruled / changed on 'Configurations', and settings on
Configurations can again be overruled / changed on static CAP Interfaces.

Explain that at each level of settings, each one can overrule / change the previous. E.g.
after creating a channel with a frequency, that channel definition can be changed in the
configuration, and the configuration can be changed by what is on the static CAP interface.

Explain that the same hierarchical principle applies to 'Channels', 'Rates' and 'Security
Configuration'.

Explain that the purpose behind this very powerful feature is that one can have general
settings for an entire installation, but still be able to overrule the settings in a granular
way for individual APs on a site.

• CAPsMAN Configuration Labs
Provide a Lab where a channel (frequency) is defined and applied to a configuration. Then
on that configuration the frequency can be altered to something else, then on a static CAP
interface with that configuration applied to it, the frequency can be modified again but this
time on the interface. Show how the CAP Interface 'status' reflects each change as it is
performed at each layer of the configuration.

Provide a second Lab for students to program in some example channels so that they can
use channel names instead of frequencies, for example by mapping a channel called
"Channel1" to 2412 MHz with 20MHz channel width (no extension channel), "Channel 6" to
2437MHz with 20MHz width and no extension channel, etc.

• Provisioning CAP Interfaces (Single and Dual band APs)
Explain how CAPsMAN matches the connecting CAP to pre-existing CAP Interfaces based
on a unique ID, namely a Certificate CommonName or the CAP's Base-MAC address.
Explain that if matching against MAC address only, you cannot therefore have two CAP
interfaces with the same MAC Address!

Explain that if a pre-existing CAP Interface is not found, CAPsMAN then matches the CAP
to the provisioning rules and if a match is found, the appropriate configuration is then
applied and a new CAP Interface is created with the required settings.

Explain that provisioning rules are processed from top to bottom, in order and the first rule
that matches is actioned and no further rules are processed.

Explain the different settings that can be matched against, such as MAC address, type of
radio chipset (a/b/g/n/ac), CommonName, Router System ID, IP Addresses, and the
various actions available (e.g. create dynamic enabled, create enabled, create disabled
and none).

Explain the difference between a master interface which contains the radio band / channel
/ frequency / bandwidth and rates settings and a slave interface for adding additional
SSIDs and how these are created using slave configurations.

• Provisioning Lab
Create a Lab to enable students to create provisioning rules matching on radio chipset
hardware, so that different configurations can be automatically applied to all 2.4GHz and
5GHz radios.

Create a second lab where students utilize the "prefix" naming option. Get them to delete
the original static interfaces created and then to re-provision them.

• Datapath / Local Forwarding
Explain that by default all client traffic is tunneled back to CAPsMAN. However by using
'Local Forwarding' the wireless connections on a CAP can instead be forwarded to a local
bridge interface on the CAP.

Mention the advantage of Remote Forwarding where each different SSID / CAP Interface
can be assigned to a different bridge on CAPsMAN whereas with Local Forwarding there is
the possible increased complexity of VLAN aware switches and a more complex CAP
configuration.

• Dynamic vs Static CAP Interfaces on CAPsMAN
Explain the difference between static CAP interfaces and Dynamic interfaces and the
advantage that choosing static interfaces allows much finer control of the channel
frequency used by each AP.

• Virtual AP (Additional SSIDs)
Explain how to use slave configurations attached to an existing master configuration to
provide additional SSIDs.

Provide practical examples of why additional SSIDs may be required.

• Virtual AP Lab
Create a lab where students set up a new additional SSID and assign it to the master
configuration already attached to a radio. Have them assign the CAP interface into a new
"Guest" bridge, with a new IP range and a new DHCP Server. Get them to check with a
mobile device that when they connect to the new secondary SSID, they obtain the new IP
from the new bridge interface.

• Static Interfaces on CAPs (Slave Virtual Interfaces with VLANs)
Explain why "static Virtual" CAP interfaces on CAPs are very important when using Local
Forwarding with multiple SSIDs / VLANs, as they allow the static CAP interfaces to be
manually assigned to different Bridges on the CAP.

• Static Virtual Lab
Create a lab in which students create a second SSID for "Guests". They need to create
a new bridge interface on the CAP and enable static virtual. The students could then edit
their existing datapath config so that 'VLAN Mode' is set to 'use tag' and set the VLAN ID
to an unused number (e.g. 100+X where X is their student number). Then they create a
secondary "Guest" datapath config with local-forwarding enabled and 'VLAN Mode' set to
'use tag' and choose a unique VLAN ID number, different to the first, e.g. 200+X. Students
can then add two matching VLAN interfaces to the main router's interface (e.g. ether5)
which connects to their secondary router and add them to the two bridges on the
CAPsMAN router, one VLAN to the original bridge, one VLAN to the "Guest" bridge.

Get the students to test that when they connect to the guest SSID, they obtain a different
IP.

• Access List features
Explain each match variable on an Access Rule. Specifically discuss the MAC Mask match
capability and suggest a possible scenario of matching against the first three octets and
therefore matching against a specific manufacturer such as Samsung, Apple, etc.

Explain that unlike in normal MikroTik Wireless there is no 'default authenticate' option on
the main wireless interface. Explain that the list is processed from top to bottom and each
Access Rule is checked for a match. If no rule matches, it authenticates the client (as long
as their security configuration is correct).

• Access List Lab
Create a lab where the students test for a manufacturer OUI of their own mobile device
and see the effect of applying a rule that only allows that one make of device to connect.
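
The access list behaviour described above (top-to-bottom processing, a MAC mask match on the first three octets, and authentication when no rule matches), modelled as an added Python example; it is not MikroTik code and not part of the original syllabus. The rule fields, the 02:AA:BB prefix and the client MAC addresses are constructed for illustration.

```python
# Added illustration: simplified model of top-to-bottom, first-match access-list
# evaluation with a MAC mask. Field names and sample MACs are constructed.

def mac_to_int(mac):
    """Parse 'AA:BB:CC:DD:EE:FF' (or '-' separated) into a 48-bit integer."""
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int("".join(parts), 16)

OUI_MASK = "FF:FF:FF:00:00:00"  # compare only the first three octets

def rule_matches(rule, client_mac):
    """A rule with no 'mac' matches every client; otherwise compare under the mask."""
    if "mac" not in rule:
        return True
    mask = mac_to_int(rule.get("mask", "FF:FF:FF:FF:FF:FF"))
    return (mac_to_int(client_mac) & mask) == (mac_to_int(rule["mac"]) & mask)

def evaluate(rules, client_mac):
    """Return (action, index of the matching rule); index is None for the default."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, client_mac):
            return rule["action"], i  # first match wins, later rules are skipped
    return "accept", None  # no rule matched: the client is authenticated

# Constructed sample data: 02:AA:BB stands in for the manufacturer OUI to allow.
ALLOW_VENDOR = {"mac": "02:AA:BB:00:00:00", "mask": OUI_MASK, "action": "accept"}
REJECT_ALL = {"action": "reject"}

VENDOR_PHONE = "02:AA:BB:12:34:56"
OTHER_LAPTOP = "02:CC:DD:65:43:21"

incomplete = [ALLOW_VENDOR]               # looks restrictive, but is not
restrictive = [ALLOW_VENDOR, REJECT_ALL]  # catch-all reject closes the gap
misordered = [REJECT_ALL, ALLOW_VENDOR]   # reject matches first: nobody connects

if __name__ == "__main__":
    for name, rules in [("incomplete", incomplete), ("restrictive", restrictive),
                        ("misordered", misordered)]:
        for mac in (VENDOR_PHONE, OTHER_LAPTOP):
            print(name, mac, evaluate(rules, mac))
```

Because a client chooses the MAC address it presents, an OUI rule filters device types rather than authenticating them; the security configuration still has to carry the authentication.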
