PODCAST SCRIPT: Alta Labs Integration with Purple WiFi: Setup and Captive Portal Configuration
Purple WiFi Intelligence Platform - Technical Briefing Series
Duration: Approximately 10 minutes
Voice: UK English, senior consultant tone - confident, conversational, authoritative
---
[INTRO - 1 MINUTE]
Welcome to the Purple Technical Briefing Series. I'm your host, and today we are breaking down the integration between Alta Labs access points and the Purple WiFi intelligence platform.
If you are an IT manager, network architect, or venue operations director looking to deploy a robust, scalable guest WiFi solution, this briefing is for you. We are going to cover the specific setup for the Alta Labs AP6 and AP6 Pro, how to configure the external captive portal redirection, and the critical walled garden settings required to make social logins actually work in the real world. We will also dive into AltaPass - Alta Labs' implementation of Private Pre-Shared Keys, or PPSK - and how you can use it to segment multi-tenant environments without destroying your RF performance with SSID bloat.
Let's get into it.
---
[TECHNICAL DEEP-DIVE - 5 MINUTES]
The integration between Alta Labs and Purple relies on two fundamental networking concepts: HTTP redirection for the captive portal, and RADIUS for authentication and accounting.
When a guest walks into your venue - say, a retail store or a hotel lobby - and connects to your open or WPA3-OWE guest network, the Alta Labs AP acts as the gatekeeper. It intercepts the client's initial HTTP requests and redirects them to your branded Purple splash page.
To configure this in the Alta Labs Cloud Management platform, you navigate to your WiFi settings, select your guest SSID, and under the Advanced Settings, set the network type to Guest. This is crucial because it automatically applies client isolation, preventing devices from communicating laterally across the network. Next, under the Hotspot section, you select External and drop in the Purple redirect URL provided in your venue settings, along with your Authorisation Secret.
But here is where most deployments hit a snag: the walled garden.
The walled garden is the list of domains and IP addresses that a device is allowed to access before it has authenticated. If you want guests to log in using Google, Facebook, or Apple, their devices need to reach those OAuth servers while they are still in the pre-authenticated state.
You must explicitly whitelist the Purple infrastructure domains - like region1.purpleportal.net and cloudfront.net. Then, you need to add the OS captive portal probes: captive.apple.com for iOS, and connectivitycheck.gstatic.com for Android. If you block these, the phone doesn't know it's behind a captive portal, and the splash page never pops up.
Finally, you add the social login domains. For Google, that's accounts.google.com, oauth2.googleapis.com, and gstatic.com. For Facebook, it's facebook.com, graph.facebook.com, and the fbcdn.net domains. A static IP whitelist will not work here because these providers use dynamic content delivery networks. You must use domain names and ensure your controller performs dynamic DNS resolution.
Once the user completes the login on the Purple splash page, Purple's RADIUS server sends an Access-Accept message back to the Alta Labs AP. The AP then removes the walled garden restriction and grants the device full internet access. It's a clean, secure flow that captures first-party data while maintaining network integrity.
Now, let's talk about multi-tenant segmentation.
In environments like smart offices, student accommodation, or multi-dwelling units, you often need to provide secure, isolated networks for different groups. Historically, IT teams would broadcast a separate SSID for every tenant. That is a terrible practice. It causes massive management overhead and destroys your wireless performance due to beacon frame overhead.
Alta Labs solves this with AltaPass, their version of Private Pre-Shared Keys. With AltaPass, you broadcast one single SSID - let's call it BuildingWiFi. But you generate unique passwords for different users or devices.
When Tenant A enters their specific password, the AP dynamically assigns them to VLAN 101 with a 100 Megabit bandwidth limit. When the management team enters their password on the same SSID, they are dropped onto VLAN 200 with unlimited bandwidth. You can even create a password for IoT devices, like smart thermostats, that assigns them to an isolated VLAN and bypasses the captive portal entirely.
One SSID. Unlimited passwords. Complete isolation. This is Identity-Based Networking at the edge, and it is a genuinely elegant solution to a problem that has plagued multi-tenant deployments for years.
Let me give you a concrete example of how this works in practice. Consider a 72-unit apartment complex - a real-world deployment type that Alta Labs has been used for extensively. Instead of broadcasting 72 separate SSIDs, the network administrator creates a single SSID and generates a unique password for each unit. Each password maps to a dedicated VLAN and subnet. Residents on the basic tier get 100 Megabits. Residents who have paid for the premium tier get 300 Megabits. The building management team gets unrestricted access. The building automation system - door locks, HVAC, lifts - gets its own isolated VLAN with deep packet inspection enabled. All from one SSID. The RF environment is cleaner, performance is higher, and management is dramatically simpler.
Now, let's move on to the 802.1X configuration for secure staff WiFi.
For your staff network, you should not be using a pre-shared key at all. You should be using WPA2 or WPA3 Enterprise with 802.1X authentication. In the Alta Labs platform, you configure this by selecting your staff SSID, setting the security mode to WPA2-Enterprise or WPA3-Enterprise, and pointing the AP to your RADIUS server.
If you are integrating with Purple's SecurePass product, Purple acts as the RADIUS intermediary, connecting to your identity provider - whether that is Microsoft Entra ID, Okta, or Google Workspace - and returning the appropriate VLAN assignment in the Access-Accept message. The Alta Labs AP reads the Tunnel-Private-Group-Id attribute from the RADIUS response and places the device on the correct VLAN automatically.
One important note on dynamic VLAN assignment with Alta Labs: when configuring RADIUS-assigned VLANs, set the default VLAN on the SSID to VLAN 1 or leave it untagged. There is a known behaviour where if the default VLAN is set to a specific value, the AP may override the RADIUS-assigned VLAN with the configured default. Setting the default to VLAN 1 ensures the RADIUS assignment takes precedence.
---
[IMPLEMENTATION RECOMMENDATIONS AND PITFALLS - 2 MINUTES]
When you are rolling this out, there are a few key recommendations I want to highlight.
First, always test your captive portal flow with a fresh device. Do not use your own phone if you have already connected to the network during testing. Your device remembers the MAC address authorisation or has cached DNS entries, which will mask walled garden failures. Grab a tablet that has never seen the network, connect it, and verify that the OS captive portal assistant launches automatically.
Second, watch out for over-whitelisting. I see engineers get frustrated with social login errors and just whitelist entire wildcard domains or massive IP blocks. This creates a security vulnerability where savvy users can bypass your captive portal entirely. Stick to the specific domains required for the OAuth flow.
Third, when deploying AltaPass PPSK with dynamic VLANs, ensure your entire switching infrastructure is configured correctly. The switch ports connecting to your Alta Labs APs must be configured as trunks, allowing all the tagged VLANs to pass through to the gateway. If the AP tags the traffic for VLAN 101, but the switch port is set to access mode on VLAN 1, the traffic drops, and the client gets no IP address.
Fourth, implement a quarterly review of your walled garden configuration. OAuth providers and content delivery networks change their domain structures. Apple updated its Sign In domains twice in 2023. A walled garden that was correct at deployment will drift out of alignment without active maintenance.
---
[RAPID-FIRE Q&A - 1 MINUTE]
Let's run through a couple of quick questions we hear from the field.
Question one: Can I use WPA3 with the Purple captive portal on Alta Labs hardware?
Yes. You should use WPA3-OWE, which stands for Opportunistic Wireless Encryption. This encrypts the data over the air, protecting guest privacy, while still functioning as an open network that triggers the captive portal redirect. It is the right choice for any new guest WiFi deployment in 2026.
Question two: What ports do I need to open on my firewall for the RADIUS traffic?
Purple's RADIUS servers communicate over UDP port 1812 for authentication and UDP port 1813 for accounting. Ensure your edge firewall allows outbound traffic on these ports from the Alta Labs APs to the Purple infrastructure.
Question three: Can I use AltaPass PPSK alongside the Purple captive portal on the same SSID?
Yes, and this is actually a very useful configuration. You can create an AltaPass password that bypasses the captive portal for known devices - like your point-of-sale terminals or digital signage - while standard connections to the same SSID still go through the Purple splash page. This gives you a single, clean SSID that handles both authenticated devices and guest users.
---
[SUMMARY AND NEXT STEPS - 1 MINUTE]
To wrap up: Integrating Alta Labs with Purple WiFi gives you a secure, scalable platform for capturing first-party data and delivering a branded guest experience.
Remember the three pillars of a successful deployment. First, configure the external hotspot redirect and RADIUS settings accurately in the Alta Labs Cloud Management platform. Second, meticulously define your walled garden domains to ensure OS probes and social logins function correctly. And third, leverage AltaPass PPSK to implement Identity-Based Networking, segmenting your traffic without polluting your airspace with unnecessary SSIDs.
Purple operates across 80,000 live venues and has processed 440 million logins in 2024. The platform is ISO 27001 certified, GDPR compliant, and built to scale from a single boutique hotel to a national retail estate. When you pair that with the performance and flexibility of Alta Labs hardware, you have a compelling enterprise WiFi stack.
If you follow this playbook, you will deliver a seamless, compliant WiFi experience that your marketing team and your security team will both be happy with.
Thank you for listening to the Purple Technical Briefing Series. Until next time, keep your networks secure and your data actionable.
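---
Added example, not part of the original briefing and not Purple or Alta Labs code: a small audit of a walled garden list that reports which of the domains named in the briefing are missing and which entries are over-broad (wildcards or IP blocks), in line with the over-whitelisting pitfall and the quarterly review. The entry format, the matching rules and the sample list are assumptions made for illustration.

```python
import ipaddress

# Domains the briefing names as required before authentication, by purpose.
# The "fbcdn.net domains" are left out because the briefing does not list them.
REQUIRED = {
    "purple": ["region1.purpleportal.net", "cloudfront.net"],
    "os_probes": ["captive.apple.com", "connectivitycheck.gstatic.com"],
    "google": ["accounts.google.com", "oauth2.googleapis.com", "gstatic.com"],
    "facebook": ["facebook.com", "graph.facebook.com"],
}

def is_ip_or_cidr(entry):
    """True for a literal IP address or CIDR block (static IP whitelisting)."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False

def covers(entry, domain):
    """Assumed matching: exact name, or '*.suffix' matching any subdomain."""
    if entry.startswith("*."):
        return domain.endswith(entry[1:])
    return entry == domain

def audit_walled_garden(entries):
    """Return required domains that are not covered and entries that are too broad."""
    entries = [e.strip().lower().rstrip(".") for e in entries if e.strip()]
    too_broad = [e for e in entries if "*" in e or is_ip_or_cidr(e)]
    missing = {}
    for group, domains in REQUIRED.items():
        absent = [d for d in domains if not any(covers(e, d) for e in entries)]
        if absent:
            missing[group] = absent
    return {"missing": missing, "too_broad": too_broad}

# Constructed sample list, not exported from any real controller.
SAMPLE = [
    "region1.purpleportal.net", "cloudfront.net", "captive.apple.com",
    "accounts.google.com", "oauth2.googleapis.com", "gstatic.com",
    "*.facebook.com", "203.0.113.0/24",
]

if __name__ == "__main__":
    print(audit_walled_garden(SAMPLE))
```

Whether a bare entry such as gstatic.com also covers its subdomains depends on the controller; this sketch assumes it does not, so adjust `covers` to match the behaviour you observe.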