In environments with multiple access points—such as office buildings, warehouses, or campuses—managing each device individually can quickly become inefficient and error-prone. MikroTik offers a centralized wireless management solution called CAPsMAN (Controlled Access Point System Manager) that simplifies the deployment, configuration, and monitoring of all access points (CAPs) from a single controller.
This guide walks you through the initial setup of CAPsMAN using MikroTik’s tools and shows how to connect access points, configure wireless settings, and manage them centrally.
What Is CAPsMAN ?
CAPsMAN is MikroTik’s centralized management system for wireless access points. It allows one MikroTik Router to act as the controller, managing multiple CAPs (Controlled Access Points) across the network. Instead of logging into each AP individually, administrators can control SSID, wireless frequency, security settings, and firmware updates from one place.
When Should You Use CAPsMAN?
You should consider using CAPsMAN in the following scenarios:
- You manage more than two MikroTik access points in your network.
- You want unified wireless SSIDs and roaming across your building.
- You want to apply wireless security and configuration policies from a central point.
- You want real-time monitoring and simplified troubleshooting of all APs.
For small home setups with a single AP, CAPsMAN might not be necessary. But for business or enterprise networks, it’s a powerful tool.
Difference Between CAP and CAPsMAN
| Term | Description |
|---|---|
| CAP | A MikroTik device (usually a wireless router or AP) that acts as a Controlled Access Point, managed by CAPsMAN. |
| CAPsMAN | The controller running on a MikroTik router that sends configurations and controls CAPs. |
CAPs don’t manage their own wireless settings—those come from the CAPsMAN.
How to Enable CAPsMAN on a MikroTik Router
Enabling CAPsMAN (Controlled Access Point System Manager) is the first step toward centralized wireless management with MikroTik. Follow these steps to activate and prepare your MikroTik router to serve as a CAPsMAN controller.
Step 1: Make Sure Your Router Supports CAPsMAN
- CAPsMAN is available in RouterOS v6.11 or later, and fully supported in RouterOS v7.
- It’s recommended to use RouterBOARD devices with sufficient CPU and RAM, such as hEX, RB4011, or CCR series.
Step 2: Install and Enable CAPsMAN Package
This step applies only to RouterOS v6. In RouterOS v7, CAPsMAN is built-in.
For RouterOS v6:
Go to System > Packages in Winbox.
Look for the capsman package.
If not present:
Download the extra packages from MikroTik’s website for your RouterOS version.
Upload the
capsman.npkfile via Winbox or FTP.Reboot the router.
After reboot, verify that
capsmanis now in the list and enabled.
For RouterOS v7:
No installation needed. CAPsMAN is included and ready to be configured.
Step 3: Enable the CAPsMAN Manager
- Open Winbox or WebFig.
- Go to Wireless > CAPsMAN.
- Under the Manager tab:
- Check the “Enabled” box.
Leave default settings for now or configure as needed later (such as interfaces and certificate settings).
Click Apply and OK.
Now the router is officially acting as a CAPsMAN controller.
Step 4: Set Up Datapath (Optional but Recommended)
A datapath defines how wireless traffic from the CAPs is bridged or routed.
Go to CAPsMAN > Datapaths.
Click Add New.
Name it (e.g.,
bridge-datapath).Select the local bridge interface (e.g.,
bridge1) to which wireless clients will be added.Save the configuration.
Step 5: Create a Wireless Configuration Profile
Go to CAPsMAN > Configurations.
Add a new profile:
Set SSID (e.g.,
ITMan-WiFi)Choose security (WPA2 or WPA3, and password)
Set band/frequency/channel width
Link the datapath created earlier
Save the configuration.
You will apply this configuration to CAPs in the provisioning step.
Step 6: Prepare for Access Point Provisioning
Go to CAPsMAN > Provisioning.
Add a new provisioning rule:
Match by MAC address, interface name, or leave to
any.Choose the wireless configuration.
Select the action (
create dynamic enabled).
Click Apply.
Once your controller is active and provisioning is configured, the next step is to connect the CAP devices (access points) to the controller, which will automatically push settings to them.
Adding Access Points to CAPsMAN
Now that CAPsMAN is active, you need to prepare your access points to join the controller.
On the CAP device (AP):
Reset the device to default config (if needed).
Connect the CAP device to the same network as the CAPsMAN controller.
Open Winbox, log in to the AP, and go to Wireless > CAP.
Enable CAP mode and choose:
CAPsMAN Discovery Interface (e.g., ether1)
Interfaces to manage (e.g., wlan1, wlan2)
Apply settings. The AP should now appear under CAPsMAN > Remote CAP on the controller.
Setting SSID, Security, and Frequency via CAPsMAN
To apply a consistent wireless configuration:
Go to CAPsMAN > Configurations.
Create a new configuration:
Set SSID (e.g., ITMan-WiFi)
Choose Security (WPA2, WPA3)
Select Channel and Band (e.g., 2.4GHz or 5GHz)
Assign this configuration under Provisioning rules:
Match by interface or MAC address
Assign the configuration
Apply and restart CAPs if necessary.
All CAPs will now broadcast the same SSID with unified wireless settings.
Centralized Monitoring and Management
CAPsMAN makes it easy to:
- Monitor signal strength, clients, and traffic per AP.
- Apply firmware updates to all CAPs from the controller.
- View logs and perform diagnostics without accessing individual APs.
Use Tools > Wireless Sniffer or Scanner for deeper analysis.
Common Issues When Setting Up CAPsMAN (and Fixes)
| Issue | Possible Fix |
|---|---|
| CAP not appearing under Remote CAPs | Ensure discovery interface is correctly set. Disable firewall temporarily to test. |
| No SSID broadcasted | Double-check provisioning and configuration mappings. |
| Devices cannot connect to Wi-Fi | Check WPA settings and encryption compatibility. |
| High latency or instability | Consider separating 2.4GHz and 5GHz SSIDs, or adjust channel widths. |
| APs disconnecting | Upgrade firmware or ensure sufficient power via PoE. |
Summary: Streamlined Wireless Control for Growing Networks
CAPsMAN is a must-have tool when managing multiple MikroTik access points in any scalable network environment. Whether you’re setting up Wi-Fi for an office, co-working space, or school, CAPsMAN brings consistency, control, and ease of deployment.
Troubleshooting
1. Why is my CAP device not showing up in CAPsMAN?
Make sure CAP mode is enabled on the AP, and it’s on the same subnet as the CAPsMAN controller. Also, verify that discovery interface is set properly and firewall isn’t blocking UDP port 5246.
2. Why is no SSID being broadcasted after provisioning?
Check if a wireless configuration has been assigned in the provisioning rules. Also ensure the CAP has successfully received the config.
3. My clients can’t connect to the Wi-Fi after enabling CAPsMAN. Why?
Double-check your security settings (WPA2/WPA3 passphrase and encryption type). Also, ensure the correct Datapath and bridge interface are assigned.
4. How can I fix high latency or weak signal in CAPsMAN-controlled APs?
Use 5GHz band where possible. Adjust channel width and avoid frequency overlap. Upgrade firmware if signal issues persist.
5. CAPs disconnect randomly from the CAPsMAN controller. What should I check?
Inspect power supply (especially PoE), switch stability, and RouterOS version compatibility between CAP and CAPsMAN. Avoid frequent reboots on CAPs.
6. CAP is connected, but no clients can get IP addresses. Why?
Make sure the bridge interface linked in Datapath is properly connected to a DHCP server or relay. Check if the CAPs are added to the correct VLAN/bridge.
7. How do I manually force a CAP to reconnect to CAPsMAN?
Go to the CAP device > Wireless > CAP > Disable and Re-enable CAP mode. Or reboot the AP.
8. Can I use CAPsMAN over different subnets or VLANs?
Yes, but you’ll need to configure Layer 3 discovery, set the CAPsMAN IP address manually on the CAP, and ensure UDP ports are open.
9. What ports must be open for CAPsMAN to work?
Ensure UDP ports 5246 and 5247 are not blocked between the CAP and CAPsMAN.
10. My wireless settings are not updating across all CAPs. Why?
Make sure you’re provisioning the correct configuration and that changes are saved. Try reapplying the provisioning rule or restarting the CAP.
11. How can I debug CAPsMAN issues in RouterOS?
Use the /log section and also enable debug logging for “caps” and “wireless.” This helps trace connection, provisioning, and sync problems.
12. Does CAPsMAN support dual-band APs like wAP ac or Audience?
Yes. You can provision separate configurations for wlan1 (2.4GHz) and wlan2 (5GHz), or use unified settings depending on the model.
13. Can I provision different SSIDs for different CAPs in the same network?
Yes, you can match provisioning rules by MAC address or interface name and assign unique configurations per AP.
14. After reboot, CAP doesn’t reconnect automatically. Why?
Ensure that CAP is set to start in CAP mode and discovery settings are persistent. Also verify boot default configuration hasn’t been altered.
15. CAPsMAN interface disappears after firmware upgrade. What now?
Sometimes packages are disabled after upgrade. Re-enable CAPsMAN in Packages, reboot, and restore config if needed.
