Question

Posted

Hello,

I'm trying to implement a captive portal on a Keenetic router in the guest network. My UAM and RADIUS servers are ready. I've entered the necessary parameters into the captive portal's "my profile" section as follows:
UAM_Server:
http://192.168.1.40:3990/login
UAM_Secret:
secret_2024
Radius Server:
192.168.1.40
Radius Secret:
radius_secret
RADIUS NAS ID:
keenetic

I'm trying to access it from an Android phone. When I connect to the Guest page, I'm redirected to the login page. There, I only authenticate by clicking the "accept" button. And I see "success" in the logs.
10.1.30.6 - - [21/Feb/2026 23:59:47] "GET /login?res=notyet&uamip=10.1.30.1&uamport=3990&challenge=e2fa752793a8de730eb4daebd27f5992&called=52-FF-20-F8-5D-78&mac=B2-D0-DC-7D-9C-B4&ip=10.1.30.6&nasid=keenetic&sessionid=177171836000000005&userurl=http://play.googleapis.com/generate_204&md=23DA19D9D824E0D449FBFA23DD88F63F HTTP/1.1" 200 -
10.1.30.6 - - [21/Feb/2026 23:59:47] "GET /favicon.ico HTTP/1.1" 404 -
10.1.30.6 - - [21/Feb/2026 23:59:48] "POST /accept HTTP/1.1" 302 -
10.1.30.6 - - [21/Feb/2026 23:59:48] "GET /login?res=success&uamip=10.1.30.1&uamport=3990&called=52-FF-20-F8-5D-78&uid=B2-D0-DC-7D-9C-B4&timeleft=300&mac=B2-D0-DC-7D-9C-B4&ip=10.1.30.6&reply=Welcome&nasid=keenetic&sessionid=177171836000000005&userurl=http://play.googleapis.com/generate_204&md=E50C1463B84B2838B5FF3801A094F6C3 HTTP/1.1" 200 -

Then, when I check the router's CLI, I see that the client is connected and packets are being passed through:

(config)> show interface Chilli0 chilli

             host: 
           session-id: 177174301100000003
                 user: CC-F8-26-D5-00-96
                   ip: 10.1.30.20
                  mac: cc:f8:26:d5:00:96
           start-time: 178
             end-time: 300
            idle-time: 0
      idle-time-limit: 0
             tx-bytes: 37575
       tx-bytes-limit: 0
             rx-bytes: 19874
       rx-bytes-limit: 0
             tx-speed: 0
       tx-speed-limit: 0
             rx-speed: 0
       rx-speed-limit: 0

It's receiving the IP address 10.1.30.20.
However, the Android client still doesn't see itself as connected and can't access web pages. The "Sign in to the network" warning persists. When I ping 10.1.30.20 from the router:

PING 10.1.30.20 (10.1.30.20): 56 data bytes
64 bytes from 10.1.30.20: seq=0 ttl=64 time=79.626 ms
64 bytes from 10.1.30.20: seq=0 ttl=64 time=79.683 ms (DUP!)
64 bytes from 10.1.30.20: seq=1 ttl=64 time=29.208 ms
64 bytes from 10.1.30.20: seq=1 ttl=64 time=29.251 ms (DUP!)
64 bytes from 10.1.30.20: seq=2 ttl=64 time=51.577 ms
64 bytes from 10.1.30.20: seq=2 ttl=64 time=51.641 ms (DUP!)
If I close the captive portal and access the site normally as a guest, I get the same IP address (10.1.30.20) and the ping result is correct:

PING 10.1.30.20 (10.1.30.20): 56 data bytes
64 bytes from 10.1.30.20: seq=6 ttl=64 time=1135.330 ms
64 bytes from 10.1.30.20: seq=7 ttl=64 time=135.173 ms
64 bytes from 10.1.30.20: seq=8 ttl=64 time=10.261 ms
64 bytes from 10.1.30.20: seq=9 ttl=64 time=5.695 ms
64 bytes from 10.1.30.20: seq=10 ttl=64 time=3.116 ms

When I look at the interfaces for the captive portal and the normal guest via the router, I see a difference:
When there is no captive portal, the interface name appears as Guest and "link: up". When there is a captive portal, the interface name appears as Chilli0 and "link: down".

(config)> show interface Chilli0 

               id: Chilli0
            index: 0
   interface-name: Chilli0
             type: Chilli
      description: Guest network

           traits: Ip

           traits: Chilli

             link: down
        connected: yes
            state: up
              mtu: 1500
  tx-queue-length: 1000
       admin-only: no
          address: 10.1.30.1
             mask: 255.255.255.0
           uptime: 35
           global: no
   security-level: protected

           bridge: 
            interface, link = yes: GigabitEthernet0/Vlan3

            interface, link = yes: WifiMaster0/AccessPoint1

            interface, link = yes: WifiMaster1/AccessPoint1

         uam-auth: 192.168.1.40:3990
         max-auth: 1

          summary: 
                layer: 
                     conf: running
                     ipv4: running
                     ctrl: running

(config)> show interface Guest

               id: Bridge1
            index: 1
   interface-name: Guest
             type: Bridge
      description: Guest network

           traits: Mac

           traits: Ethernet

           traits: Ip

           traits: Ip6

           traits: Supplicant

           traits: EthernetIp

           traits: Bridge

             link: up
        connected: yes
            state: up
              mtu: 1500
  tx-queue-length: 0
       admin-only: no
          address: 10.1.30.1
             mask: 255.255.255.0
           uptime: 421
           global: no
   security-level: protected

             ipv6: 
            addresses: 
                  address: fe80::50ff:20ff:fef8:5d78
            prefix-length: 64
                    proto: KERNEL
           valid-lifetime: infinite

              mac: 52:ff:20:f8:5d:78
        auth-type: none

           bridge: 
            interface, link = yes: GigabitEthernet0/Vlan3

            interface, link = yes: WifiMaster0/AccessPoint1

            interface, link = yes: WifiMaster1/AccessPoint1

          summary: 
                layer: 
                     conf: running
                     link: running
                     ipv4: disabled
                     ipv6: disabled
                     ctrl: running

(config)>

Because of this difference, the client connecting through the captive portal cannot access the site. Where is the problem? How can I fix it?

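As an added example (not from the original post, Keenetic or CoovaChilli), this is how a Python UAM server can verify the md parameter that CoovaChilli appends to the login redirect before trusting the challenge, mac and ip values in it: the check mirrors CoovaChilli's redir.c, which takes the uppercase hex MD5 of the redirect URL up to "&md=" followed by the UAM secret. The secret and the signed URL are constructed here (the page's log lines omit the scheme and host part, so the page's own md values cannot be recomputed from them).

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed secret for this example; on the router it is the UAM_Secret value.
UAM_SECRET = "example_uam_secret"


def chilli_md(url_without_md: str, secret: str) -> str:
    """Recompute CoovaChilli's md parameter: uppercase hex MD5 of the redirect
    URL (everything before '&md=') immediately followed by the UAM secret."""
    return hashlib.md5((url_without_md + secret).encode("utf-8")).hexdigest().upper()


def verify_redirect(full_url: str, secret: str) -> Optional[dict]:
    """Return the redirect's query parameters only if its md value matches;
    an unsigned or tampered redirect yields None and must not be acted on."""
    marker = "&md="
    pos = full_url.rfind(marker)
    if pos < 0:
        return None  # no integrity parameter at all: do not trust the request
    presented = full_url[pos + len(marker):].upper().encode("utf-8")
    expected = chilli_md(full_url[:pos], secret).encode("utf-8")
    if not hmac.compare_digest(presented, expected):
        return None  # wrong secret, or some parameter was altered in transit
    return {k: v[0] for k, v in parse_qs(urlsplit(full_url).query).items()}


def sign_redirect(url_without_md: str, secret: str) -> str:
    """Build a redirect the way the router would; used here to construct test input."""
    return url_without_md + "&md=" + chilli_md(url_without_md, secret)


# Constructed redirect modelled on the page's res=notyet request (host part assumed).
BASE = ("http://192.168.1.40:3990/login?res=notyet&uamip=10.1.30.1&uamport=3990"
        "&challenge=e2fa752793a8de730eb4daebd27f5992&mac=B2-D0-DC-7D-9C-B4"
        "&ip=10.1.30.6&nasid=keenetic&userurl=http://play.googleapis.com/generate_204")
SIGNED = sign_redirect(BASE, UAM_SECRET)

if __name__ == "__main__":
    params = verify_redirect(SIGNED, UAM_SECRET)
    print("accepted" if params else "rejected", params and params["res"])
```

A portal that skips this check will happily build a session for any client that fabricates the query string, so the check belongs in the handler before the accept/login logic runs.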
4 answers to this question

  • 0
Posted

I added "ip nat Chilli0" to my config on the Keenetic router. Then the issue was resolved.

I don't understand. Why is this needed?

Shouldn't it be enabled by default?

Also, if I don't add the firewall rule "tcp allow any" to the Guest interface, the user cannot get to the UAM server login page.

Why?

  • 0
Posted

Good morning Ilker,

We apologize for the delay in responding. That said, this is a forum, not a support platform.

Thanks for reporting the issue and the configurations to resolve it. In my previous tests, it was not necessary to explicitly send the “ip nat Chilli0” command, but we have not yet performed tests in an environment similar to yours, with the UAM server in another LAN segment. 

As for the firewall rule, the behavior is expected. Traffic between different segments is denied by default, so if you need to reach a resource in another segment, you must add a rule that accepts the traffic.
