Unable to use Hotspot feature

legotux · November 6, 2025, 5:59pm

Dear Teltonika community,

We’ve been evaluating the RUTX50 for integration with our mobile infrastructure and custom Hotspot service. The hardware and general capabilities are impressive (even if some mount points are a bit unusual), but we’ve run into a serious problem integrating it with our existing CoovaChilli-based captive portal.

Our platform relies on a remote captive portal and a remote RADIUS server. The same setup works flawlessly on OpenWRT and standard Linux environments running CoovaChilli.

On the RUTX50, CoovaChilli starts correctly and communicates with the RADIUS server. The captive portal receives the redirect from Chilli, and the RADIUS server even responds with an Access-Accept.
However, the guest device never gets authorized, and the process stops with the following behavior:

The callback from the captive portal to http://<uamip>:<uamport>/logon?... reaches the router, but fails with a connection reset by peer.
Chilli logs show:
```
Message-Authenticator is invalid!
RADIUS id XX was not found in queue!
radius_ind() failed
```
Even though the RADIUS server returns Access-Accept, CoovaChilli rejects it internally and does not authorize the session.

We’ve noticed that the RUTX50 firmware launches CoovaChilli in a custom network mode:

The configured Hotspot network (e.g. 192.168.10.0/24) is assigned to the bridge,
CoovaChilli creates a tun0 interface with a different internal subnet (e.g. 192.168.11.1/24),
And the UAM listener binds only to 192.168.11.1:3990.

By default, clients cannot communicate with this internal listener because of firewall isolation. After adding firewall rules to allow guest traffic to 192.168.11.1:3990, the captive portal redirect and RADIUS requests work — but the final authorization step still fails with the log messages above.

It appears that either the internal packet flow or session tracking between the guest interface and the CoovaChilli tunnel is not consistent, causing the RADIUS message authenticator and queue IDs to desynchronize.

Could Teltonika please confirm whether this is expected behavior of their customized CoovaChilli implementation, and whether there is a recommended configuration or workaround to:

expose a consistent uamip (or equivalent) that matches the guest network,
or ensure that RADIUS message authenticators are correctly validated during the /logon callback stage?

Any example of a working configuration using a remote captive portal and RADIUS server on the RUTX-series would be very helpful.

Thank you for your assistance.

Matas · November 11, 2025, 7:57am

Greetings,

For troubleshooting purposes, we will require more sensitive information from your end, such as the troubleshoot file, which may contain passwords, public IP addresses, serial numbers, and such. To avoid leaking this information, we have sent you a form to fill out, which you will receive in your e-mail inbox that you have registered your account with in the forums. In the Ticket ID field of the form, please enter the ID of this thread, which is 16282.

Thank you,
M.

legotux · November 17, 2025, 2:58pm

Sorry for the late response. I was waiting to hear from the seller’s support team. I’ve already started the support process on my side.
Thanks.

system · January 5, 2026, 5:59pm

This topic was automatically closed after 60 days. New replies are no longer allowed.