Arista Networks AP and guest WiFi: captive portal setup with Purple

How Purple's cloud guest WiFi sits on top of Arista Networks access points using external web authentication and RADIUS, and where to find the exact setup steps.

Podcast transcript
Welcome to the briefing. Today, we are dissecting the integration of Arista Cognitive Wi-Fi with the Purple platform. This is a senior consultant briefing, aimed squarely at enterprise network architects and cloud systems administrators who need to get this deployed correctly, the first time.

Let us set the scene. Arista Cognitive Wi-Fi, managed through the CloudVision Cognitive Unified Edge platform, is a cloud-managed wireless infrastructure that supports enterprise-grade guest and staff network deployments. Purple is a hardware-agnostic cloud overlay that provides the guest portal, identity capture, RADIUS authentication, and analytics layer. When you combine the two, you get a complete, compliant, and commercially valuable guest WiFi architecture. Let us get into the mechanics.

The first thing to understand is the Captive Portal onboarding flow. When a guest device associates with the open guest SSID on an Arista access point, the AP immediately places that device into a pre-authentication VLAN. In this state, the device has a DHCP-assigned IP address, but its DNS and HTTP traffic is heavily restricted. The device operating system, whether iOS, Android, or Windows, performs a Captive Portal detection probe. iOS sends an HTTP request to captive.apple.com. Android probes connectivitycheck.gstatic.com. The Arista AP intercepts this request and returns a 302 redirect, pointing the device to the Purple splash page URL.

Now, this is where most deployments go wrong. For that redirect to work, and for the splash page to actually render, you need to configure the Walled Garden correctly in Arista CV-CUE. The Walled Garden is an explicit allow-list. In the pre-authentication state, all traffic is dropped by default. You must whitelist every domain required to load the portal. At minimum, that means the core Purple domains: region1.purpleportal.net, venuewifi.com, and cloudfront.net. If you are offering social login via Google Workspace, you must add accounts.google.com and its associated CDN ranges. For Facebook, you need facebook.com, fbcdn.net, and akamaihd.net. Miss any one of these, and the guest sees a blank screen or a spinning login button. They walk away, and you lose the data capture opportunity.

Let me walk you through the RADIUS configuration in CV-CUE. Navigate to Configure, then Network Profiles, then RADIUS. Click Add RADIUS Server. Enter the Purple primary RADIUS server IP address, set the Authentication Port to 1812, the Accounting Port to 1813, and enter the shared secret provided by Purple. Repeat this for the secondary server. This redundancy is critical. If the primary server is unreachable, the secondary takes over without interrupting guest access.

Once the RADIUS profiles are saved, go to Configure, then WiFi, then SSID, and click Add New SSID. Name your SSID, set the type to Guest, and under the Security tab, set the security level to Open. This is correct for a captive portal deployment. Under the Captive Portal tab, enable the Captive Portal checkbox, select Third-Party Hosted from the Cloud Hosted drop-down, and check the With RADIUS Authentication box. Paste the Purple Splash Page URL into the Splash Page URL field. This is typically in the format https://region1.purpleportal.net/access/. Enter the shared secret. Then, in the Websites that users can access before login section, add your Walled Garden domains. Set the Called Station ID format to percent-m, which sends the MAC address in the format Purple expects. Set the Accounting Interval to 2 minutes. Clear the HTTPS Redirection checkbox. Save the SSID. It will propagate to your Arista APs within minutes.

Now let us talk about what happens after the guest submits their details on the Purple portal. Purple acts as the RADIUS server. It validates the identity, captures the consent, and sends a RADIUS Access-Accept message back to the Arista AP. But here is the critical piece: that Access-Accept message contains Change of Authorisation attributes, defined in RFC 3576. These attributes instruct the Arista AP to dynamically transition that specific client from the restricted pre-authentication state to the post-authentication VLAN with full internet access. Simultaneously, the AP sends a RADIUS Accounting-Start message to Purple on port 1813. This starts the session timer and feeds session duration data into the Purple analytics dashboard.

Let us move to the more advanced use case: Multi-Tenant WiFi using Arista Private Pre-Shared Keys, or PPSK. This is the architecture you want for coworking spaces, retail malls, residential buildings, or any environment where you have multiple distinct user groups that need strict network isolation. The problem with traditional approaches is that broadcasting a separate SSID for each tenant creates massive RF overhead. Every SSID requires beacon frames. In a dense environment with 20 tenants, that is 20 SSIDs consuming airtime. PPSK solves this elegantly. You broadcast a single SSID. But in the Purple portal, each tenant is assigned a unique passphrase. When a user connects, the Arista AP authenticates that passphrase against the Purple RADIUS server. Purple looks up the passphrase, identifies the associated tenant, and returns an Access-Accept message. But critically, it appends three RADIUS attributes: Tunnel-Type, set to VLAN; Tunnel-Medium-Type, set to 802; and Tunnel-Private-Group-ID, set to the tenant's specific VLAN ID. The Arista AP reads these attributes and dynamically steers the client to the correct VLAN. Tenant A, using their passphrase, lands on VLAN 100. Tenant B lands on VLAN 200. They are completely isolated at Layer 2. They cannot see each other's devices, printers, or servers. This is Identity-Based Networking in practice. The identity of the passphrase determines the network segment. It is centrally managed through Purple, so when a tenant leaves, you revoke their passphrase in the Purple portal, and access is immediately terminated. No changes required on the Arista infrastructure.

Now, let us cover Secure Staff WiFi using IEEE 802.1X. For your staff SSID, you should not be using a shared passphrase. You should be using 802.1X with EAP, Extensible Authentication Protocol. In CV-CUE, create a new Corporate SSID. Under the Security tab, select WPA2-Enterprise or WPA3-Enterprise. Select your RADIUS profile, which should point to your corporate identity provider, such as Microsoft Entra ID or Okta. When a staff member connects, their device presents credentials to the Arista AP, which forwards them to the RADIUS server via EAP. The identity provider validates the credentials and returns an Access-Accept. For certificate-based authentication using EAP-TLS, the device presents a client certificate rather than a username and password, eliminating credential theft as an attack vector entirely.

Let me address the Arista Cloud WIPS integration. Arista's Wireless Intrusion Prevention System operates in the background, scanning for rogue access points and unauthorised clients. In CV-CUE, navigate to Configure, then WIPS, then Automatic Intrusion Prevention. You can configure the prevention level from Degrade through to Block. For enterprise deployments, we recommend the Disrupt level as a starting point, which disrupts unauthorised communication without completely blocking it, reducing false positive risk. You should also configure VLAN monitoring under Configure, then Device, then Access Point, selecting the Security tab. Enable SSID VLAN Monitoring so that APs actively monitor their assigned VLANs for rogue activity.

Now, a few implementation pitfalls to avoid. First, DHCP pool exhaustion. In high-footfall environments like retail stores or stadiums, devices connect briefly and walk away. If your idle timeout is set too high, those sessions remain active, holding IP addresses. Set the idle timeout in CV-CUE to 10 minutes for retail, and as low as 5 minutes for event venues. This aggressively reclaims IPs and prevents the pool from exhausting.

Second, MAC address randomisation. Since iOS 14 and Android 10, devices randomise their MAC address per SSID by default. This breaks any architecture that relies on MAC addresses to identify returning guests. The correct response is to shift your identity model to authenticated credentials, the email address or social login captured through the Purple portal. For seamless reconnection without a portal, the long-term migration path is to Passpoint, also known as Hotspot 2.0, which uses certificate-based authentication and eliminates the Captive Portal entirely.

Third, HTTPS redirection. When configuring the captive portal in CV-CUE, ensure the HTTPS Redirection checkbox is cleared. Purple handles the HTTPS session independently. Enabling HTTPS redirection on the Arista side can cause certificate mismatch errors that prevent the portal from loading.

Let us do a rapid-fire question and answer on common scenarios.

Question: A guest's portal page shows a blank screen. Where do you look first? Answer: The Walled Garden. A missing domain is almost always the cause. Check that all Purple domains and the relevant Identity Provider CDN domains are whitelisted in CV-CUE.

Question: PPSK users are all landing on the default VLAN. What is wrong? Answer: The Purple RADIUS server is not returning the Tunnel-Private-Group-ID attribute. Check the RADIUS response in the CV-CUE troubleshooting logs and verify the VLAN mapping in the Purple portal.

Question: The RADIUS accounting data in Purple is showing sessions of zero seconds. What is the issue? Answer: The Accounting Port is likely misconfigured or blocked. Verify that port 1813 is open on the firewall between the Arista APs and the Purple RADIUS servers, and that the accounting interval is set to 2 minutes in the SSID settings.

To summarise the key takeaways from this briefing. One: the Walled Garden is an explicit allow-list. Maintain it as a recurring operational task, not a one-time setup. Two: RADIUS Change of Authorization is the mechanism that grants access. Without it, the portal completes but the guest remains blocked. Three: Arista PPSK with Purple RADIUS enables dynamic VLAN steering for multi-tenant isolation on a single SSID, eliminating beacon overhead. Four: always enable Client Isolation on Guest SSIDs to prevent lateral movement. Five: MAC address randomisation requires a shift to identity-based authentication for accurate analytics. Six: proper integration satisfies GDPR consent requirements and captures first-party data that directly drives marketing ROI.

Your next steps: retrieve the Purple RADIUS server IP addresses and shared secrets from the Purple portal hardware configuration page. Configure the RADIUS profiles in CV-CUE. Build your Walled Garden domain list. Deploy your Guest SSID. Test the full authentication flow from a mobile device before rolling out to production. And if you are deploying multi-tenant environments, map your tenant VLAN IDs in Purple before configuring the PPSK passphrases.

That concludes this technical briefing. Thank you for listening.
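
The PPSK troubleshooting step in the transcript above (checking whether the RADIUS reply actually carries Tunnel-Private-Group-ID) can be run offline against a captured Access-Accept. This is an added example, not Purple's or Arista's code: the function names are illustrative, `build_accept` only produces a constructed sample packet, and the attribute numbers and the Response Authenticator formula are taken from RFC 2865 and RFC 2868.

```python
import hashlib
import hmac

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT, TT_VLAN, TMT_IEEE_802 = 2, 13, 6  # RFC 2865 / RFC 2868 values


def parse_attributes(body):
    """Split the attribute area into {type: value}, rejecting bad lengths."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute")
        attrs[body[i]] = body[i + 2:i + body[i + 1]]  # last occurrence wins
        i += body[i + 1]
    return attrs


def response_auth(header, request_auth, attrs, secret):
    """MD5(Code+ID+Length+RequestAuth+Attributes+Secret), RFC 2865 section 3."""
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def vlan_from_accept(packet, request_auth, secret):
    """Return the VLAN ID an Access-Accept assigns, or None if it assigns none."""
    length = int.from_bytes(packet[2:4], "big")
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    packet, code = packet[:length], packet[0]
    expected = response_auth(packet[:4], request_auth, packet[20:], secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("response authenticator mismatch")
    if code != ACCESS_ACCEPT:
        return None
    attrs = parse_attributes(packet[20:])
    ttype = int.from_bytes(attrs.get(TUNNEL_TYPE, b"")[1:], "big")  # skip tag
    medium = int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:], "big")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:  # optional leading tag byte
        group = group[1:]
    if ttype != TT_VLAN or medium != TMT_IEEE_802 or not group.isdigit():
        return None
    return int(group)


def build_accept(ident, request_auth, secret, attrs):
    """Constructed sample reply, used only to exercise the checker offline."""
    header = bytes([ACCESS_ACCEPT, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + response_auth(header, request_auth, attrs, secret) + attrs
```

A `None` result on a reply that passes the authenticator check matches the "all users land on the default VLAN" symptom; a mismatch error points at the shared secret instead.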

Arista Networks access points, managed through Arista's cloud dashboard, run the radio side of your network. Purple adds the guest layer on top: the captive portal your visitors see, the sign-in journey, and the first-party data you collect. It does not replace any of your Arista kit.

How Arista Networks works with Purple guest WiFi

Purple is a cloud overlay. Your Arista access points keep running the WiFi; Purple runs the guest experience through two standard mechanisms Arista already supports.

  • External web authentication. In your Arista SSID profile, the captive portal is set to use an external splash page with RADIUS authentication. A new device is redirected to your Purple splash page instead of getting access straight away. The visitor signs in, and the page hands control back to the access point.
  • RADIUS. Arista checks each sign-in against Purple's RADIUS service on the standard ports, 1812 for authentication and 1813 for accounting. You add these as RADIUS profiles in the Arista dashboard, one primary and one secondary. The accounting data is what powers your visitor analytics.

A walled garden, a short allow-list of addresses a device can reach before it signs in, lets the splash page load and any payment or social-login steps complete.

That is the whole model: Arista moves the packets, Purple owns the sign-in and the data. Because it runs on standard web authentication and RADIUS, it works the same way across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme and Fortinet. Purple is hardware-agnostic by design.

What you need

  • Arista access points managed in the Arista Networks cloud dashboard, with admin access.
  • A Purple venue with your splash page and sign-in journey set up.
  • Your Purple RADIUS details and walled garden addresses, from your Purple dashboard.

Set it up with Purple

The exact settings (the RADIUS profiles, the SSID profile with external captive portal and RADIUS authentication, the walled garden domains and the device template) are documented step by step in Purple's support guide, with the precise values to enter.

Arista Networks AP setup guide

Follow that guide for the configuration. This page explains how the pieces fit together, so you know what each step is doing.

What you get

Once guests sign in through Purple, every visit becomes verified, conscious-choice opt-in first-party data: who visited, how often, and how to reach them with permission. That is the difference between WiFi that connects people and WiFi that builds a marketing audience you own. Purple is GDPR-aligned and ISO 27001 certified, with 99.999% uptime across more than 80,000 live venues.

Key Definitions

External web authentication

A standard where the access point redirects a new device to an external splash page to sign in, instead of granting access itself. Purple hosts that splash page.

RADIUS

The protocol the hardware uses to check each sign-in and log session data with Purple, on the standard ports 1812 for authentication and 1813 for accounting.

Walled garden

A short allow-list of addresses a device can reach before it signs in, so the splash page and any payment or social-login steps can load.

SSID profile

The Arista setting that defines a wireless network, including its captive portal mode. Purple uses the external splash page with RADIUS authentication option here.

Cloud overlay

Purple sits on top of your existing hardware. The kit keeps running the WiFi; Purple runs the guest sign-in and the data, without replacing anything.