Aruba ClearPass vs. Purple WiFi: Comparing Features and Co-deployment

Speak in British English with a confident, authoritative, and conversational tone. You are a senior network consultant briefing a client. Measured pace, clear diction, professional but not stiff. Occasional natural pauses for emphasis: Welcome to this Purple technical briefing. I'm your host, and today we're covering a question that comes up in almost every enterprise wireless project we work on: when you already have Aruba ClearPass deployed, where does Purple WiFi fit in, and how do the two systems work together? [medium pause] This is not a theoretical discussion. If you're an IT manager, a network architect, or a security engineer at a hotel group, a retail chain, or a stadium operator, this is a decision you may need to make this quarter. So let's get into it. [medium pause] Introduction and context. [short pause] First, let's be clear about what each platform is actually designed to do. Aruba ClearPass Policy Manager is a Network Access Control platform. Its job is to authenticate devices and users, assess endpoint posture, and enforce access policy across your entire network. It handles 802.1X, which is the IEEE standard for port-based network access control, using EAP methods like EAP-TLS with certificates and PEAP with username and password. It integrates with Microsoft Entra ID, Okta, and other identity providers. It profiles devices, checks whether they're compliant with your security policy, and assigns them to the right network role. For corporate devices, ClearPass is excellent. It was built for exactly this use case. [medium pause] Purple WiFi is a different animal entirely. Purple is a cloud-based guest WiFi intelligence platform. Its job is to authenticate visitors through a branded captive portal, capture first-party data with GDPR-compliant consent flows, and feed that data into your marketing and analytics stack. Purple operates across 80,000 venues worldwide and has processed 440 million logins in 2024 alone. It integrates with over 400 connectors including CRMs and marketing automation platforms. For guest networks, Purple is the specialist. [medium pause] The problem most organisations face is that they try to use one platform to do both jobs. They either ask ClearPass to run their guest portal, which it can do but not elegantly, or they deploy Purple without thinking about how it sits alongside their existing NAC investment. The right answer is a co-deployment architecture where each platform does what it does best. [medium pause] Technical deep-dive. [short pause] Let me walk you through the architecture. In a co-deployment, your Aruba Mobility Controller or Aruba Instant access points broadcast multiple SSIDs. Typically three: one for corporate devices, one for guests, and one for IoT. For more on this SSID design pattern, Purple has published a detailed guide called Three SSIDs to rule them all, which I'd recommend reading alongside this briefing. [medium pause] The corporate SSID uses 802.1X with EAP-TLS. Devices authenticate using certificates provisioned through ClearPass Onboard, which is ClearPass's built-in certificate enrolment and device provisioning module. ClearPass checks device posture, verifies the certificate, queries Active Directory or Microsoft Entra ID, and assigns the device to the appropriate VLAN. VLAN 10 for corporate, typically. This entire flow stays within ClearPass. Purple is not involved. [medium pause] The guest SSID is where the integration happens. When a visitor connects to the guest SSID, the Aruba controller intercepts their HTTP traffic and redirects their browser to Purple's captive portal. The visitor authenticates through Purple, perhaps using social login via Google, a custom email form, or OpenRoaming, where Purple acts as a free identity provider under the Connect licence. Once Purple validates the visitor, it sends a RADIUS Access-Accept message back to the controller, which grants internet access. [medium pause] Now, the key architectural decision is whether you insert ClearPass as a RADIUS proxy between the controller and Purple, or whether the controller talks to Purple's RADIUS servers directly. For most enterprise deployments, the proxy model is the right choice. Here's why. [medium pause] With ClearPass as a RADIUS proxy, every authentication event on your network, both corporate and guest, flows through ClearPass. You get a single audit trail. Your security operations team sees everything in one place. ClearPass can append its own policy attributes before returning the response to the controller, enabling dynamic VLAN assignment based on role. And you retain the ability to enforce additional policies on guest sessions, such as bandwidth limits or time-based access restrictions. Speak in British English with a confident, authoritative, and conversational tone. You are a senior network consultant briefing a client. Measured pace, clear diction, professional but not stiff: The proxy configuration in ClearPass is straightforward. You create a RADIUS Routing Policy that matches the guest SSID by NAS identifier or called station ID. Requests matching that policy are forwarded to Purple's cloud RADIUS servers. Purple responds, ClearPass appends the Aruba-User-Role vendor-specific attribute, and the controller places the guest in VLAN 20 with internet-only access. [medium pause] For IoT devices, the third SSID uses MAC authentication bypass. ClearPass profiles the device using its OUI, the first six characters of the MAC address that identify the manufacturer, and assigns it to ROLE_IOT, which maps to VLAN 30. This VLAN has no internet access, only local connectivity. Your smart TVs, thermostats, and door locks are completely isolated from both corporate and guest traffic. [medium pause] Let's talk about compliance, because this is where the architecture earns its keep. Under PCI DSS, any network segment that touches cardholder data must be isolated from guest networks. The VLAN segmentation in this architecture satisfies that requirement. Under GDPR, Purple's captive portal handles consent collection with conscious-choice opt-ins, meaning visitors actively choose to share their data rather than having it collected by default. Purple is ISO 27001 certified, GDPR compliant, and holds Cyber Essentials certification. ClearPass provides the audit trail that your security team needs for compliance reporting. [medium pause] Implementation recommendations and pitfalls. [short pause] Let me give you the five things that most commonly go wrong in this deployment, and how to avoid them. [medium pause] Number one: the walled garden. Before a visitor authenticates, the Aruba controller only allows traffic to a pre-defined list of destinations. If Purple's portal domains, its CDN endpoints, and the social login provider domains are not in that list, the portal will not load. You need to include star dot purple dot ai, star dot cloudfront dot net, and the OAuth domains for whichever social login providers you're enabling. Google, Facebook, Apple, and Microsoft Entra ID all have their own sets of domains. Treat the walled garden as a living configuration, because social login providers change their CDN domains periodically. [medium pause] Number two: RADIUS timeouts. The default RADIUS timeout on most Aruba controllers is three seconds. In a proxy architecture, the request travels from the access point to the controller, to ClearPass, across the internet to Purple's cloud RADIUS, and back. On a congested network, that round trip can exceed three seconds. Set your timeout to at least ten seconds and configure retry logic with at least two retries. [medium pause] Number three: shared secret mismatches. The shared secret between the Aruba controller and ClearPass must match exactly. The shared secret between ClearPass and Purple's RADIUS servers must also match exactly. A single character difference causes silent authentication failures with no meaningful error message to the visitor. Always verify these character by character. [medium pause] Number four: role name case sensitivity. The Aruba-User-Role attribute returned by ClearPass must exactly match the role name defined on the Aruba controller, including capitalisation. If ClearPass returns guest-authenticated but the controller has Guest-Authenticated defined, the visitor falls back to the default logon role with no internet access. [medium pause] Number five: RADIUS accounting. Many deployments configure authentication proxying correctly but forget to proxy accounting as well. Purple uses RADIUS accounting data to track session duration, data usage, and to populate its analytics dashboards. If accounting is not flowing to Purple, your footfall analytics and dwell time reports will be incomplete. [medium pause] Rapid-fire questions. [short pause] Can I run this on Aruba Instant rather than a full Mobility Controller? Yes. Aruba Instant supports external RADIUS servers and captive portal redirect. The configuration differs slightly but the principles are identical. [medium pause] Does Purple support Change of Authorisation? Yes. CoA allows the controller to dynamically update a visitor's session without requiring them to reconnect. This is useful for time-limited access or tier upgrades. [medium pause] Does this work with WPA3? Yes. WPA3-SAE for personal networks and WPA3-Enterprise for 802.1X are both supported. For guest networks using captive portals, WPA3-SAE or an open SSID with Opportunistic Wireless Encryption are the typical choices. [medium pause] Can I use a single SSID for both employees and guests? You can, but it adds complexity. ClearPass handles both 802.1X and MAC authentication on the same SSID, using service rules to differentiate traffic types and route accordingly. For most venues, separate SSIDs are the cleaner choice. [medium pause] Summary and next steps. [short pause] ClearPass and Purple are complementary, not competing. ClearPass is your policy engine for corporate devices: 802.1X, endpoint posture, certificate management, and unified audit trail. Purple is your guest intelligence platform: branded captive portal, GDPR-compliant data capture, footfall analytics, and marketing automation. [medium pause] The co-deployment architecture uses ClearPass as a RADIUS proxy. All authentication requests flow through ClearPass. Guest requests are routed to Purple's cloud RADIUS. Corporate requests are handled locally by ClearPass. The Aruba controller enforces the resulting policies through dynamic VLAN assignment. [medium pause] The three configuration elements you must get right are: the walled garden, RADIUS timeouts, and role name consistency. Get those right, and you have a compliant, commercially valuable guest WiFi deployment that does not compromise your corporate security posture. [medium pause] For your next steps: pull your Purple venue RADIUS credentials from the Purple dashboard, review the walled garden reference list in the accompanying written guide, and test the full authentication flow with a dedicated test device before rolling out to production. If you're deploying across multiple sites, Purple's multi-site management console lets you manage captive portal configurations, branding, and analytics across your entire estate from a single interface. [medium pause] Thank you for listening. Visit purple dot ai to speak with a solutions architect about your specific deployment.