Zum Hauptinhalt springen
Deutsch

RADIUS-Konfigurationsassistent und 802.1X-Leitfaden

Konfigurieren Sie sichere, in Cloud-Identitätsanbieter integrierte WPA2- und WPA3-Enterprise-Drahtlosnetzwerke.

Konfigurieren Sie Ihr RADIUS-Setup

1. Select your technology stack

PEAP-MSCHAPv2 requires users to input their active email and directory password. Easy to set up, but susceptible to credential harvesting.

RADIUS Server Specifications

Configure these cloud authentication servers on your wireless access point controllers.

Primary Server185.101.99.1Host: radius1.purple.ai
Secondary Server185.101.99.2Host: radius2.purple.ai
PortsAuth: 1812 | Acct: 1813Standard UDP ports
Shared Secret KeypUrpLeReSeArCh8021x

Access point controller settings

  1. Log in to the Meraki Dashboard and navigate to Wireless > SSIDs.
  2. Rename SSID to your secure network name and set Association to WPA2-Enterprise with 802.1X or WPA3-Enterprise.
  3. Set IP assignment to Bridge mode to handle dynamic client VLANs.
  4. Under RADIUS servers, click "Add a server" and enter the Primary IP (185.101.99.1) and Secondary IP (185.101.99.2), Port 1812, and your Shared Secret.
  5. Enable RADIUS Accounting, pointing to the same server IPs with Port 1813.
  6. Set RADIUS CoA (Change of Authorization) to Enabled. This is required for session termination and security policies.

Identity directory mapping

  1. Open the Microsoft Entra admin center (Azure Portal).
  2. Navigate to App registrations and register a new enterprise app for Purple WiFi.
  3. Configure API permissions to allow User.Read.All and GroupMember.Read.All.
  4. Set up SCIM provisioning pointing to https://api.purple.ai/scim/v2 using your tenant token to sync user status.
  5. Create security groups (e.g. "WiFi-Users") and assign users to control who can authenticate to the network.

Client device onboarding profiles

Client devices need configuration parameters to trust the RADIUS server certificate silently without displaying security warnings.

Apple macOS & iOS Configuration Profile (.mobileconfig)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>Enterprise WiFi Profile</string>
      <key>PayloadIdentifier</key>
      <string>com.purple.wifi.profile</string>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key>
      <string>A5E81A22-38D4-4903-BB1A-A6C18644A152</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>SSID_STR</key>
      <string>Enterprise-Secure</string>
      <key>HIDDEN</key>
      <false/>
      <key>EncryptionType</key>
      <string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>
        <array>
          <integer>25</integer> <!-- 25 = PEAP, 13 = TLS -->
        </array>
        <key>TLSTrustedServerNames</key>
        <array>
          <string>radius.purple.ai</string>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Enterprise WiFi Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.purple.wifi</string>
  <key>PayloadUUID</key>
  <string>F2B8D432-84E3-40B1-B590-F28B020B0421</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
Windows clients (Group Policy)Create a Group Policy Object (GPO) under Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (802.11) Policies. Configure SSID properties to connect automatically to Enterprise-Secure using WPA2-Enterprise or WPA3-Enterprise, EAP-PEAP, specify trust for Root CA certificate, and lock down trusted server domains to radius.purple.ai.
Android 11+ clients (CA trust)Android 11 and later versions enforce CA certificate validation. When connecting manually to Enterprise-Secure, users cannot select "Do not validate". They must: Select Use system certificates, set Domain validation to radius.purple.ai, and configure EAP method to PEAP or TLS.

Konfigurationsassistent für Enterprise-Sicherheit

Die Bereitstellung der 802.1X-Enterprise-Authentifizierung erfordert die Abstimmung von Identitätsanbietern, RADIUS-Servern und Wireless Access Points. Dieser Assistent liefert die für eine sichere Einrichtung erforderlichen IP-Adressen, Ports und Client-OS-Profileinstellungen.

Unterstützte Konfigurationsparameter

  • Integrationen von Cloud-Identitätsanbietern mit Microsoft Entra ID und Okta.
  • RADIUS-Server-Konfigurationsdetails für Authentifizierung und Accounting.
  • Client-Profilparameter für sichere Zertifikate und Silent Onboarding.

Need a Cloud RADIUS?

Deploying 802.1X enterprise authentication doesn't require complex on-premises hardware. Purple's integrated Cloud RADIUS syncs directly with Entra ID, Okta, and Google Workspace.

Talk to a WiFi expert