Arista Cognitive Wi-Fi Integration with Purple WiFi

Executive summary

Deploying an Arista captive portal for guest access is not merely a connectivity task. It is a critical intersection of network security, regulatory compliance, and data strategy. For IT leaders managing distributed venues, the integration of Arista CloudVision Cognitive Unified Edge (CV-CUE) with Purple transforms unmanaged guest traffic into a secure, segmented, and measurable asset.

This reference provides a definitive blueprint for configuring Arista Cognitive Wi-Fi with Purple. We detail the exact mechanisms required to deploy third-party hosted splash pages, construct precise Walled Garden access control lists, and implement RADIUS authentication. We also cover advanced Multi-Tenant WiFi isolation using Arista Private Pre-Shared Keys (PPSK) and dynamic VLAN steering - the architecture that eliminates SSID sprawl in coworking spaces, retail malls, and residential buildings.

Purple operates across 80,000+ live venues and has processed 440 million logins in 2024 (Purple internal data). The platform is ISO 27001 certified, GDPR and CCPA compliant, and carries Cyber Essentials and B Corp certification. This guide reflects production-tested configurations validated across hospitality, retail, and public-sector deployments.

Technical deep-dive

The Arista captive portal onboarding architecture

The guest onboarding flow dictates how devices interact with the Arista access point (AP) before and after authentication. When a device associates with the open guest SSID, the Arista AP assigns it to a pre-authentication VLAN. In this state, the AP restricts DNS and HTTP traffic to a defined allow-list. The device operating system detects the captive portal and attempts to reach a known endpoint - iOS sends an HTTP request to captive.apple.com, Android to connectivitycheck.gstatic.com, and Windows to www.msftconnecttest.com. The Arista AP intercepts this request and issues an HTTP 302 redirect to the Purple splash page URL.

{{asset:captive_portal_flow.png}}

To ensure this flow executes without error, the Arista CV-CUE controller must be configured to point to Purple as a third-party hosted portal. This requires defining the Purple RADIUS servers (Authentication Port 1812, Accounting Port 1813) within the CV-CUE Network Profiles. Once the guest submits their credentials or accepts the terms on the Purple portal, Purple acts as the RADIUS server and sends an Access-Accept message back to the Arista AP. This message includes RADIUS Change of Authorization (CoA) attributes defined in RFC 3576, instructing the AP to transition the client MAC address from the restricted pre-authentication state to full internet access on the post-authentication VLAN.

Walled Garden ACL design in CV-CUE

The Walled Garden is a whitelist of domains and IP addresses that unauthenticated devices must reach to load the splash page and complete authentication. In Arista CV-CUE, you configure this under the Captive Portal settings as "Websites that users can access before login".

The Walled Garden is an explicit allow-list. You must include the core Purple domains to render the portal. If you offer social login, you must also whitelist the Identity Provider (IdP) domains. Failure to maintain this list results in guests being unable to load the authentication provider's login screen, leading to immediate abandonment.

Minimum required Walled Garden entries for Purple:

• region1.purpleportal.net
• venuewifi.com
• cloudfront.net
• openweathermap.org
• stripe.com (if payment-gated access is enabled)

Additional entries for social login:

• Facebook: facebook.com, fbcdn.net, akamaihd.net, connect.facebook.net
• Google Workspace: accounts.google.com, googleapis.com
• Twitter/X: twitter.com, twimg.com
• LinkedIn: linkedin.com, licdn.net

Arista PPSK configuration for multi-tenant isolation

For environments such as coworking spaces, residential buildings, or retail malls, standard 802.1X is often too complex for unmanaged devices, yet open networks lack necessary security. Arista Private Pre-Shared Keys (PPSK) solves this by allowing multiple unique passphrases on a single SSID, each mapped to a distinct network policy.

When integrated with Purple RADIUS, Arista PPSK enables dynamic VLAN steering. A resident or retail tenant connects to the unified SSID using their specific PPSK. The Arista AP authenticates the key against the Purple RADIUS server. Purple returns the standard Access-Accept, but appends three RADIUS attributes that drive VLAN assignment:

The Arista AP dynamically assigns the device to that VLAN. This provides strict Layer 2 isolation between tenants without broadcasting dozens of separate SSIDs, optimising RF utilisation while maintaining absolute security boundaries.

Secure Staff WiFi with IEEE 802.1X

For staff networks, shared passphrases are a security liability. IEEE 802.1X (defined in IEEE Std 802.1X-2020) provides port-based network access control using per-user credentials. In CV-CUE, you configure a Corporate SSID with WPA2-Enterprise or WPA3-Enterprise security. The AP acts as the authenticator, forwarding credentials to the RADIUS server via EAP (Extensible Authentication Protocol). Purple supports EAP-PEAP for username/password authentication and EAP-TLS for certificate-based authentication.

For EAP-TLS deployments, you integrate with Microsoft Entra ID, Okta, or Google Workspace as the certificate authority. When a staff member's device presents a valid client certificate, the RADIUS server validates it against the directory and returns an Access-Accept. This eliminates credential theft as an attack vector entirely.

Arista Cloud WIPS integration

Arista's Wireless Intrusion Prevention System (WIPS) operates continuously in the background, scanning for rogue access points, misconfigured APs, and unauthorized clients. In CV-CUE, navigate to Configure > WIPS > Automatic Intrusion Prevention to configure the prevention level. Arista offers four levels: Degrade, Interrupt, Disrupt, and Block. For enterprise deployments, start at Disrupt, which disrupts unauthorized communication without completely blocking it, reducing false positive risk during initial deployment.

Enable SSID VLAN Monitoring under Configure > Device > Access Point > Security tab to ensure APs actively monitor their assigned VLANs for rogue activity. Arista AP-3xx series models support monitoring up to 42 VLANs simultaneously (Arista WIPS documentation, 2025).

Implementation guide

Phase 1: Network segmentation and RADIUS setup

1. Log in to Arista CV-CUE and navigate to Configure > Network Profiles > RADIUS.
2. Click Add RADIUS Server.
3. Enter the Primary Purple RADIUS server details: IP Address, Authentication Port (1812), Accounting Port (1813), and the Shared Secret from the Purple portal hardware configuration page.
4. Repeat for the Secondary Purple RADIUS server to ensure high availability.
5. Verify that UDP ports 1812 and 1813 are open between the Arista APs and the Purple RADIUS servers on your firewall.

Phase 2: Guest SSID and captive portal configuration

1. Navigate to Configure > WiFi > SSID and click Add New SSID.
2. Define the SSID Name (e.g., Guest_WiFi) and set the SSID Type to Guest.
3. Under the Security tab, set the security level to Open.
4. Under the Network tab, configure the pre-authentication VLAN (e.g., VLAN 10) with a dedicated DHCP scope.
5. Under the Captive Portal tab, enable the Captive Portal checkbox.
6. Select Third-Party Hosted from the Cloud Hosted drop-down.
7. Check With RADIUS Authentication and select the Purple RADIUS profile.
8. Enter the Purple Splash Page URL (e.g., https://region1.purpleportal.net/access/) and the Redirect URL (e.g., https://region1.purpleportal.net/access/?res=success).
9. Set the Called Station ID format to %m (MAC address format required by Purple).
10. Set the Accounting Interval to 2 minutes.
11. Clear the HTTPS Redirection checkbox.

Phase 3: Walled Garden deployment

1. Within the Captive Portal tab, locate the Websites that users can access before login section.
2. Add all required Purple domains and Identity Provider domains as listed above.
3. Save the SSID configuration and apply it to the target Arista AP groups.

Phase 4: PPSK multi-tenant setup

1. In the Purple portal, navigate to the venue hardware configuration and retrieve the PPSK RADIUS settings.
2. In CV-CUE, create a new SSID with WPA2-Personal security and enable PPSK mode.
3. Configure the SSID to authenticate against the Purple RADIUS profile.
4. In the Purple portal, create a PPSK passphrase for each tenant and map it to the corresponding VLAN ID.
5. Verify that the switch ports connecting to Arista APs are configured to trunk the required tenant VLANs.

Phase 5: Secure Staff WiFi (802.1X)

1. Create a new Corporate SSID in CV-CUE.
2. Under the Security tab, select WPA2-Enterprise or WPA3-Enterprise.
3. Select the RADIUS profile pointing to your corporate identity provider (Microsoft Entra ID, Okta, or Google Workspace).
4. Configure EAP type: PEAP for username/password, EAP-TLS for certificate-based authentication.
5. Assign the Staff SSID to a dedicated VLAN (e.g., VLAN 20) isolated from the Guest VLAN.

Best practices

Automate Walled Garden updates. Identity providers frequently change their CDN domains. Schedule a quarterly review of your Arista CV-CUE Walled Garden configuration against Purple's updated domain lists. A single missing CDN entry will break social login for all guests.

Optimise session timers by venue type. Configure idle timeouts in Arista CV-CUE to match your venue's traffic profile. Retail environments benefit from a 10-minute idle timeout to reclaim IP addresses from devices that have left the store. Hotel deployments should use longer timeouts (4-8 hours) to avoid re-triggering the portal during a guest's stay.

Enforce Client Isolation. Always enable Client Isolation on the Guest SSID within Arista CV-CUE. This prevents guest devices from communicating with each other, mitigating lateral movement risks and satisfying PCI DSS network segmentation requirements.

Enable RADIUS Accounting. Ensure RADIUS Accounting is enabled with a 2-minute interval. This provides Purple with accurate session duration and data transfer metrics, feeding into the WiFi Analytics dashboard and enabling accurate visitor dwell time analysis.

Segment by SSID type, not by AP. Apply Guest, Staff, and Multi-Tenant SSIDs to the same AP groups. Arista CV-CUE handles VLAN tagging per SSID, so you do not need separate APs for each user type. This simplifies your hardware deployment while maintaining strict logical separation.

For a broader view of enterprise WiFi security architecture, see our Enterprise WiFi Security: A Complete Guide for 2026 .

Case studies

Case study 1: 350-room hotel chain

A mid-scale hotel chain with 12 properties deployed Arista Wi-Fi 6E APs across all sites, managed through a single CV-CUE instance. The requirement was to provide branded Guest WiFi with email capture for marketing, isolated from the property management system (PMS) network, while also supporting 802.1X for staff devices.

The team configured three SSIDs per property: a Guest SSID (VLAN 10) pointing to Purple, a Staff SSID (VLAN 20) using 802.1X against Microsoft Entra ID, and an IoT SSID (VLAN 30) for building management devices. The Purple portal captured guest email addresses and consent at check-in. Within 90 days, the chain had collected verified first-party data from 68% of guests (Purple internal data), enabling targeted re-engagement campaigns. The PMS network remained completely isolated, satisfying PCI DSS requirements for cardholder data environment segmentation.

Case study 2: Multi-tenant coworking space

A coworking operator managing eight locations needed to provide isolated WiFi to 35 member companies per site without broadcasting 35 SSIDs. The RF environment was already congested, and SSID sprawl was degrading performance for all members.

The solution was a single SSID per site using Arista PPSK with Purple RADIUS. Each member company received a unique PPSK passphrase. Purple mapped each passphrase to a dedicated VLAN (VLAN 100 through VLAN 3500). When a member connected, the Arista AP dynamically steered them to their VLAN based on the Tunnel-Private-Group-ID returned by Purple RADIUS. The result was a reduction from 35 SSIDs to one per site, a measurable improvement in airtime efficiency, and complete Layer 2 isolation between member companies. When a member's contract ended, the operator revoked their passphrase in the Purple portal, terminating access within seconds.

Troubleshooting and risk mitigation

Issue: Splash page fails to load on Apple devices. iOS uses a specific mechanism to detect captive portals. If the splash page fails to load automatically, verify that the Arista Walled Garden includes all Purple CDN domains. If the Walled Garden is overly restrictive, the iOS device cannot load the portal assets and aborts the connection.

Issue: MAC address randomization breaks returning guest recognition. iOS 14+ and Android 10+ devices randomize their MAC address per SSID. This prevents Purple from recognizing a returning guest based solely on their MAC address. Rely on authenticated identity (email or social login) for long-term tracking. For seamless, secure reconnection without a captive portal, migrate to Passpoint/Hotspot 2.0 architectures.

Issue: Dynamic VLAN steering fails with PPSK. If tenants are assigned the default VLAN instead of their specific VLAN, verify the RADIUS response using the Arista CV-CUE troubleshooting tools. Ensure Purple is returning the correct Tunnel-Private-Group-ID, Tunnel-Type, and Tunnel-Medium-Type attributes, and that the specified VLAN exists on the switch port connected to the Arista AP.

Issue: DHCP pool exhaustion on the Guest VLAN. Reduce the idle timeout to 5-10 minutes in high-footfall environments. Increase the DHCP scope size if the venue regularly exceeds 80% pool utilisation. Consider using a /22 or larger subnet for high-density venues such as stadiums or conference centres.

Issue: RADIUS accounting data shows zero-second sessions. Verify that UDP port 1813 is open on the firewall between the Arista APs and the Purple RADIUS servers. Confirm the Accounting Interval is set to 2 minutes in the CV-CUE SSID settings.

For related guidance on wireless display and protocol best practices in enterprise environments, see What Is Wireless Display: Protocols and Best Practices 2026 .

ROI and business impact

Deploying Arista Cognitive Wi-Fi with Purple transforms a network cost center into a measurable business asset. By enforcing a compliant captive portal, you mitigate the risk of GDPR fines, which can reach 4% of global annual turnover. More importantly, the Guest WiFi portal captures verified, first-party data. Purple has collected 29 billion data points across its network (Purple internal data), demonstrating the scale of what a properly deployed guest WiFi architecture can generate.

For Retail venues, this data feeds directly into CRM systems, enabling targeted marketing campaigns based on visit frequency and dwell time. For Hospitality operators, it enables personalised re-engagement with returning guests. For Transport hubs, it provides accurate passenger flow data that informs operational decisions. For Healthcare facilities, it ensures patients and visitors receive appropriate network access while clinical systems remain completely isolated.

The Purple platform operates at 99.999% uptime (Purple internal data), ensuring that guest access is never interrupted by platform availability issues. Combined with Arista's cloud-managed infrastructure, you get an end-to-end architecture that scales from a single venue to 80,000+ locations without architectural changes.

For additional integration context, see our guide on NETGEAR Insight and Enterprise Access Points Integration with Purple WiFi . For venue operators evaluating survey tools to complement their WiFi analytics, see Design of a Survey: A Practical Guide for Venues .