diff --git a/docs/07-WIFI-CAPSMAN-CONFIG.md b/docs/07-WIFI-CAPSMAN-CONFIG.md
index 5096e30..cebb48d 100644
--- a/docs/07-WIFI-CAPSMAN-CONFIG.md
+++ b/docs/07-WIFI-CAPSMAN-CONFIG.md
@@ -1,6 +1,6 @@
 # WiFi and CAPsMAN Configuration
 
-**Last Updated:** 2026-03-12
+**Last Updated:** 2026-04-07
 **Purpose:** Document WiFi network settings, CAPsMAN configuration, and device compatibility requirements
 
 ---
@@ -108,8 +108,9 @@ If devices still can't connect, use WPA-only with TKIP-only:
 | caps-man-addresses | 192.168.10.1 |
 | discovery-interfaces | bridgeLocal |
 | slaves-datapath | capdp (bridge=bridgeLocal, vlan-id=40) |
+| Traffic processing | **On CAP only** (wifi-qcom-ac driver limitation) |
 | certificate | request |
-| RouterOS | 7.21.1 |
+| RouterOS | 7.21.3 |
 | SSH Port | 2222 |
 | SSH (via proxy) | See ProxyJump command below |
 
@@ -152,7 +153,7 @@ The CAP runs bridge VLAN filtering to properly tag/untag WiFi client traffic bef
 
 ## WiFi Access List
 
-**Status:** VLAN assignment via access list is **active**. Each entry has a `vlan-id` that assigns the device to the correct VLAN upon WiFi association. This works on both HAP (local) and CAP (remote, via bridge VLAN filtering).
+**Status:** VLAN assignment via access list is **active on HAP only**. Each entry has a `vlan-id` that assigns the device to the correct VLAN upon WiFi association. **CAP clients always get VLAN 40** — per-client VLAN does NOT work with "traffic processing on CAP" mode, and the cAP XL ac (wifi-qcom-ac/Qualcomm driver) cannot support manager/CAPsMAN forwarding. A CAP catch-all rule (no vlan-id) at position 0 prevents "could not assign vlan" errors.
 
 **30+ entries** configured (MAC-based accept rules with VLAN IDs + 1 default catch-all):
 
@@ -192,6 +193,10 @@ The CAP runs bridge VLAN filtering to properly tag/untag WiFi client traffic bef
 2. Check VLAN assignment - CAP clients need special rule
 3. Check channel width - use 20MHz for stability
 
+### CAP clients get "could not assign vlan"
+
+Per-client VLAN does not work on CAP — the cAP XL ac uses wifi-qcom-ac drivers (Qualcomm) which only support local forwarding. `datapath.traffic-processing=on-capsman` requires non-Qualcomm (MediaTek) drivers. The only fix is replacing the cAP XL ac with a MediaTek-based AP. Workaround: ensure a CAP catch-all rule exists in access-list with no vlan-id set.
+
 ### CAP not connecting to CAPsMAN
 
 1. Check certificate - remove old cert and re-request