This assumes that you already have a working network, configured with proper services dhcpd etc. As well as a integrated Mikrotik devices be that switch/router/vm/etc. This device will act as the CAPsMAN controller, and a new wifi capable Mikrotik device you want to control in CAPs Mode.
# bridgename: bridge1
# mgt vlan: 140
#
# Add a layer2 device with the correct vlan on the bridge.
# This is needed for L2 communication (I don't know if they are required for the actual client vlans, but most guides add them).
/interface vlan
add name=vlan140-mgmt vlan-id=140 interface=bridge1
#add name=vlan110-personal vlan-id=110 interface=bridge1
#add name=vlan115-guest vlan-id=115 interface=bridge1
/ip address
add address=10.10.10.1/24 interface=vlan140-mgmt
#add address=10.10.20.1/24 interface=vlan110-personal
#add address=10.10.30.1/24 interface=vlan115-guest
# Configure the actual wifi configuration for CAPsMAN to provision with
# Datapath where the traffic gets vlan tags
/interface wifi datapath
add name=datapath-personal vlan-id=110 vlan-mode=use-tag
add name=datapath-guest vlan-id=115 vlan-mode=use-tag
# Security profiles for authentication
/interface wifi security
add name=sec-personal authentication-types=wpa2-psk passphrase=strongpassword
add name=sec-guest authentication-types=wpa2-psk passphrase=helloworld123
add name=sec-printer authentication-types=wpa2-psk passphrase=specialcase
# Optimal frequency for 2 and 5 Ghz
/interface wifi channel
add band=5ghz-ax frequency=5180,5200,5220,5240,5745,5765,5785,5805,5825 name=5GHZ::NON-DFS width=20mhz
add band=2ghz-ax frequency=2412,2437,2462 name=2GHZ::AUTO width=20mhz
# Configuration of the actual APs SSIDs etc, putting it all together.
# I opted to split 2 and 5 ghz for my own network which is the first two lines.
# the next two create an SSID on both 2 and 5 leaving it up to the device.
/interface wifi configuration
add name=cfg-5GHZ mode=ap security=sec-personal datapath=datapath-personal channel=5GHZ::NON-DFS country=Denmark ssid="\E2\98\A0\EF\B8\8FSmex\E2\98\A0\EF\B8\8F"
add name=cfg-2GHZ mode=ap security=sec-personal datapath=datapath-personal channel=2GHZ::AUTO country=Denmark ssid=Smex_2G
add name=cfg-guest mode=ap security=sec-guest datapath=datapath-guest ssid="\F0\9F\92\A9BrunStue\F0\9F\92\A9"
add name=cfg-printer mode=ap security=sec-guest datapath=datapath-guest ssid=SmexLAME
# Setting up the actual provisioning my two smex SSIDS are the primary, and all other virtual APs are slave configurations
/interface wifi provisioning
add action=create-enabled master-configuration=cfg-5GHZ slave-configurations=cfg-guest,cfg-printer supported-bands=5ghz-ax
add action=create-enabled master-configuration=cfg-2GHZ slave-configurations=cfg-guest,cfg-printer supported-bands=2ghz-ax
# Enable the CAPsMAN service
/interface wifi capsman
set ca-certificate=auto certificate=auto interfaces=vlan140-mgmt package-path="" require-peer-certificate=no upgrade-policy=none/system clock set time-zone-name=Europe/Copenhagen
/system identity set name=Chateau
/system leds settings set all-leds-off=after-1min
/interface bridge add name=bridge1
/interface vlan add interface=bridge1 name=vlan140-mgmt vlan-id=140
/interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=ether1
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=140
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=110
add bridge=bridge1 tagged=bridge1,ether1 vlan-ids=115
/ip address add address=10.193.140.8/24 interface=vlan140-mgmt network=10.193.140.0
/ip dns set servers=10.193.120.5
/ip route add gateway=10.193.140.1
/ip service
set ftp disabled=yes
set telnet disabled=yes
# after it's properly configured, enabled CAPs MODE
/interface wifi cap set certificate=request discovery-interfaces=vlan140-mgmt enabled=yes/export file=cap-config/system reset-configuration no-defaults run-after-reset=cap-config.rscLast modified: Tue Nov 4 21:30:20 2025