Cisco ISE vs. Purple WiFi: How They Compare and Work Together

This guide explains how Cisco ISE and Purple WiFi serve distinct but complementary roles in enterprise networks. It details how to use Cisco ISE for secure 802.1X corporate access while leveraging Purple for GDPR-compliant guest WiFi, marketing analytics, and CRM integration.


Podcast transcript

Welcome to the Purple technical briefing series. Today we're covering a question that comes up constantly in enterprise network design: Cisco ISE versus Purple WiFi. How do they compare, and more importantly, how do they work together? I'm going to give you the straight answer in about ten minutes.

Let's start with context. If you're running a hotel, a retail estate, a stadium, or a public-sector building, you almost certainly have two distinct populations connecting to your network. You have staff and corporate devices, and you have guests, visitors, fans, or shoppers. These two populations have completely different authentication requirements, different data rights, and different business objectives. The mistake most organisations make is trying to solve both problems with a single tool. That's where the confusion between Cisco ISE and Purple comes from.

Section one: what Cisco ISE actually does. Cisco Identity Services Engine, or ISE, is Cisco's enterprise Network Access Control platform. Its job is to authenticate and authorise corporate devices and staff users. It does this primarily through IEEE 802.1X, which is the port-based network access control standard. When a corporate laptop connects to your network, ISE checks its certificate via EAP-TLS, or its credentials via PEAP, validates it against Active Directory or Microsoft Entra ID, assesses its security posture, and then assigns it to the correct VLAN with the correct policy. If the device fails posture assessment, ISE can quarantine it automatically using RADIUS Change of Authorisation, or CoA. ISE also handles BYOD onboarding, where personal devices are enrolled with a certificate so they can authenticate securely without a shared password. And it integrates with Cisco's pxGrid framework, which allows other security tools like firewalls and SIEM platforms to consume real-time identity context. The three ISE licence tiers are Essentials, Advantage, and Premier. Essentials covers 802.1X and basic guest access. Advantage adds BYOD, posture assessment, and third-party MDM integration. Premier adds passive identity services and advanced threat integration.

So ISE is a serious, enterprise-grade security platform. But here is the critical point: its guest portal is functional, not commercial. ISE can redirect an unauthenticated device to a web page, collect a username and password or a sponsor approval, and grant internet access. What it cannot do is capture GDPR-compliant marketing consent, run branded splash pages with social login, feed visitor data into Salesforce or HubSpot, generate footfall heatmaps, or segment visitors by demographics for a marketing campaign. That is not what ISE was designed for, and trying to stretch it into that role creates complexity without delivering the commercial outcome.

Section two: what Purple does. Purple is a cloud overlay platform. We sit on top of your existing WiFi infrastructure, whether that's Cisco Meraki, Cisco Catalyst, HPE Aruba, Ruckus, Juniper Mist, or any of the other major vendors. We do not replace your hardware. We do not replace ISE. We handle the guest experience layer. When a visitor connects to your guest SSID, Purple intercepts that connection and presents a branded captive portal. That portal can offer social login via Facebook, Google, or LinkedIn, a custom data capture form, a click-to-connect option, or Passpoint for automatic secure reconnection on return visits. Every login captures first-party data with explicit GDPR consent. That data flows directly into your CRM, your email marketing platform, or your loyalty programme. Purple operates across 80,000 live venues and has processed 440 million logins in 2024 alone. We hold ISO 27001 certification, comply with GDPR and CCPA, and maintain 99.999% uptime. Named customers include McDonald's, Harrods, Premier Inn, AGS Airports, and Manchester Airports Group.

Section three: how they coexist in a modern network topology. The architecture is straightforward once you understand the separation of concerns. You run two or three SSIDs on the same access points. The corporate SSID uses WPA3-Enterprise with 802.1X, and ISE is the RADIUS server. Every staff device authenticates with a certificate or credential. ISE assigns the device to the correct VLAN, applies the correct policy, and logs the session. Purple has no role here. This is ISE's domain entirely. The guest SSID is open or uses WPA3-Personal with a pre-shared key for initial association. Traffic is redirected to Purple's cloud portal. Purple handles authentication, consent capture, and analytics. The access point enforces a walled garden until Purple signals authorisation, then opens internet access. ISE has no role here. This is Purple's domain. For more complex deployments, you can add a third SSID for IoT devices, using identity pre-shared keys, or iPSK, where each device gets a unique passphrase mapped to a specific VLAN. ISE can manage this for corporate IoT, or Purple's SecurePass feature handles it for venue IoT like point-of-sale terminals and digital signage. If you want tighter integration between the two platforms, Cisco's pxGrid allows Purple to publish guest session context into the ISE ecosystem, so your security operations team can see guest activity alongside corporate activity in a unified view.

Section four: implementation recommendations and common pitfalls. Let me give you the three most common mistakes I see in deployments. First: using ISE's built-in guest portal for commercial guest WiFi. ISE's guest portal is designed for contractors and temporary staff, not for marketing-driven guest access. It has no CRM integration, no consent management, and no analytics. If you're in hospitality, retail, or events, you need Purple on the guest SSID. ISE handles corporate. Purple handles guests. Keep them separate. Second: not segmenting VLANs correctly. Guest traffic must be isolated from corporate traffic at layer two. Purple operates in a separate VLAN routed directly to the internet, with no access to internal resources. ISE enforces VLAN assignment for corporate devices. If you conflate these, you create a security exposure and a compliance problem. Third: neglecting the walled garden configuration. When Purple is the captive portal, the access point must allow DNS and HTTP traffic to Purple's cloud endpoints before authentication. If your walled garden is too restrictive, the portal will not load. If it is too permissive, users can bypass authentication. Purple's support documentation provides the exact IP ranges and domains to whitelist for each hardware vendor.

Section five: rapid-fire questions. Does Purple replace Cisco ISE? No. They solve different problems for different users on different SSIDs. Can I run Purple on Cisco Meraki without ISE? Yes. Purple integrates natively with Cisco Meraki via the Meraki API. ISE is not required for guest WiFi. Can I run both on the same access points? Yes. Multiple SSIDs on the same hardware is standard practice. Does Purple support 802.1X? Purple's SecurePass feature supports WPA3-Enterprise with 802.1X for guest devices that have the Purple app installed, enabling automatic, certificate-based reconnection without a captive portal. What about PCI DSS compliance? Guest WiFi must be isolated from payment card systems. Purple's VLAN architecture satisfies this requirement. ISE enforces the same isolation for corporate devices.

Summary and next steps. The decision framework is simple. If the device belongs to your organisation or your staff, ISE owns the authentication. If the device belongs to a guest, visitor, shopper, or fan, Purple owns the experience. The two platforms share the same physical infrastructure but operate in completely separate logical layers. For your next step, map your current SSID architecture. Identify which SSIDs are corporate and which are guest. Confirm that guest traffic is VLAN-isolated. Then assess whether your current guest portal is delivering the marketing consent, analytics, and CRM integration your commercial teams need. If it is not, that is the gap Purple fills. You can find the full written guide, architecture diagrams, and worked examples at purple.ai. Thank you for your time.

Executive Summary

Enterprise network architecture demands a clear separation of concerns between corporate security and commercial guest engagement. When evaluating Cisco ISE vs Purple WiFi, the mistake many IT leaders make is viewing them as competing platforms. They are not. Cisco Identity Services Engine (ISE) is an industry-standard Network Access Control (NAC) and 802.1X policy engine for securing workforce and corporate devices. Purple is a cloud-based overlay platform built to handle guest Captive Portals, visitor marketing consent, and operational analytics.

Attempting to stretch Cisco ISE's built-in guest portal into a commercial marketing tool introduces unnecessary complexity and fails to deliver actionable data. Conversely, deploying Purple WiFi alongside Cisco ISE allows each platform to do what it does best. Purple integrates natively with Cisco infrastructure to offload complex guest experience logic while leaving core enterprise security policies with Cisco ISE. This guide breaks down how they coexist in a modern enterprise network topology, providing practical deployment strategies for retail, hospitality, and large public venues.

Technical Deep-Dive

The Role of Cisco ISE: Corporate Network Access Control

Cisco ISE is the gold standard for enterprise NAC. Its primary function is to authenticate and authorise known devices and users connecting to the corporate network, relying heavily on the port-based network access control standard IEEE 802.1X.

When a corporate laptop connects to a switch port or a corporate SSID, ISE acts as a RADIUS server. It validates device certificates via EAP-TLS or user credentials via PEAP against Active Directory or Microsoft Entra ID. ISE then assesses the device's security posture. If compliant, ISE assigns the correct VLAN and applies the appropriate Security Group Tag (SGT). If the device fails the posture assessment, ISE can quarantine it using RADIUS Change of Authorisation (CoA). For a deeper look at client configuration, review our guide on What is an 802.1X Supplicant? Client Types & Device Configuration.

ISE also manages Bring Your Own Device (BYOD) onboarding, where personal devices are enrolled with certificates for secure and password-free access. Additionally, it integrates with Cisco's pxGrid framework, allowing firewalls and SIEM platforms to utilise real-time identity context. ISE is licensed in three tiers: Essentials, Advantage, and Premier, which scale from basic 802.1X to advanced threat integration.

Purple's Role: Guest Experience and Analytics

While ISE excels at securing corporate assets, its built-in guest portal is more utilitarian than commercial. It can provide basic internet access for contractors, but it cannot capture GDPR-compliant marketing consent, run branded splash pages with social login, or push visitor data into CRM platforms like Salesforce. Purple fills precisely this gap.

Purple is a hardware-agnostic cloud overlay. It operates on top of your existing WiFi infrastructure, including Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme and Fortinet. Purple essentially owns the guest experience layer. When a visitor connects to your guest SSID, Purple presents a branded Captive Portal. This portal offers social login via Facebook, Google, or LinkedIn, custom data capture forms, and seamless options like Passpoint.

Every login captures first-party data with clear, active-choice opt-ins. Purple processes this data through its analytics engine, creating footfall heatmaps and visitor demographics, and then pushes it directly to your marketing stack. Purple operates across 80,000+ live venues and processed 440 million logins in 2024. We hold ISO 27001 certification and comply with GDPR and CCPA, ensuring enterprise-grade stability with 99.999% uptime. For a deeper dive into the commercial benefits, see our WiFi Analytics platform overview.

Architectural Coexistence

When you separate the SSIDs, the architecture becomes remarkably simple. You run two or three SSIDs on the same access points. For a detailed breakdown of this design, read Three SSIDs to rule them all: guest, Passpoint, and IoT WiFi.

The corporate SSID uses WPA3-Enterprise with 802.1X, and ISE is the RADIUS server. ISE assigns the device to the correct VLAN and enforces policy. Purple plays no part here.

The guest SSID uses an open network for initial association or WPA3-Personal with a pre-shared key. Traffic is redirected to Purple's cloud portal. Purple manages authentication, consent capture and analytics. The access point enforces a walled garden until Purple signals authorisation, then enables internet access. ISE has no role here.

For venue IoT devices, such as point-of-sale terminals, Purple's SecurePass feature can manage Identity Pre-Shared Keys (iPSK), or ISE can manage corporate IoT.

Implementation Guide

Deploying Purple alongside Cisco ISE requires careful configuration of your wireless LAN controllers or cloud dashboards.

Step 1: SSID Segmentation

Create separate SSIDs for corporate and guest traffic. Configure the corporate SSID for WPA3-Enterprise and point RADIUS authentication to your Cisco ISE nodes. Configure the guest SSID for open access with MAC filtering or WPA3-Personal.

Step 2: VLAN Isolation

Ensure guest traffic is isolated from corporate traffic at Layer 2. The guest SSID must be mapped to a dedicated VLAN that bypasses internal routing tables and routes directly to the internet firewall. ISE enforces VLAN assignment for the corporate SSID based on policies.

Step 3: Walled Garden Configuration

For the guest SSID, configure Captive Portal redirection to point towards Purple's cloud infrastructure. You must configure a walled garden (pre-authorisation ACL) on your access points to allow DNS and HTTP/HTTPS traffic to Purple's required IP ranges and domains. If the walled garden is too restrictive, the Captive Portal will fail to load; if it is too permissive, users can bypass authentication.

Step 4: RADIUS Integration for Guest WiFi

Configure your wireless controller to use Purple's RADIUS servers for the guest SSID. This allows Purple to authorise the user and track session duration and bandwidth usage.
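The walled-garden trade-off in Step 3 can be checked before rollout. The following is an added example, not Purple or Cisco code: it audits a pre-authentication allow list for entries that are missing (portal will not load) or too broad (pre-auth bypass). The hostnames, IP range, threshold and rule format are constructed placeholders, and the model covers destinations only, not ports.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed placeholders. The page does not list Purple's real domains or IP
# ranges; take them from the vendor documentation for your hardware.
REQUIRED_HOSTS = ["portal.guest-vendor.example", "cdn.guest-vendor.example"]
REQUIRED_NETS = ["198.51.100.0/24"]
MAX_ADDRESSES = 2 ** 16  # assumption: anything wider than a /16 needs review


def too_broad_domain(pattern):
    """Flag a bare '*', a mid-name wildcard, or a wildcard over one label ('*.com').

    Does not consult the public suffix list, so '*.co.uk' is not caught.
    """
    if "*" not in pattern:
        return False
    base = pattern[2:] if pattern.startswith("*.") else pattern
    return "*" in base or "." not in base


def audit_walled_garden(entries):
    """entries: list of ("domain", pattern) or ("cidr", network) pre-auth allow rules."""
    domains = [v.lower() for k, v in entries if k == "domain"]
    nets = [ipaddress.ip_network(v) for k, v in entries if k == "cidr"]
    required_nets = [ipaddress.ip_network(n) for n in REQUIRED_NETS]
    findings = {"missing": [], "too_broad": [], "not_required": []}

    # Too restrictive: a required endpoint is unreachable, so the portal times out.
    for host in REQUIRED_HOSTS:
        if not any(fnmatchcase(host, p) for p in domains):
            findings["missing"].append(host)
    for req in required_nets:
        if not any(n.version == req.version and req.subnet_of(n) for n in nets):
            findings["missing"].append(str(req))

    # Too permissive: unauthenticated clients reach destinations beyond the portal.
    for p in domains:
        if too_broad_domain(p):
            findings["too_broad"].append(p)
        elif not any(fnmatchcase(h, p) for h in REQUIRED_HOSTS):
            findings["not_required"].append(p)
    for n in nets:
        if n.num_addresses > MAX_ADDRESSES:
            findings["too_broad"].append(str(n))
        elif not any(n.overlaps(r) for r in required_nets):
            findings["not_required"].append(str(n))
    return findings


# Three constructed pre-auth allow lists for the guest SSID.
TOO_RESTRICTIVE = [("domain", "portal.guest-vendor.example"),
                   ("cidr", "198.51.100.0/25")]
TOO_PERMISSIVE = [("domain", "*"), ("cidr", "0.0.0.0/0")]
SCOPED = [("domain", "*.guest-vendor.example"), ("cidr", "198.51.100.0/24")]

if __name__ == "__main__":
    for name, acl in [("too restrictive", TOO_RESTRICTIVE),
                      ("too permissive", TOO_PERMISSIVE), ("scoped", SCOPED)]:
        print(name, audit_walled_garden(acl))
```

Entries reported under `not_required` are not necessarily wrong (social login providers need their own entries), but each one should be justified.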

Best Practices

  1. Never mix guest and corporate traffic on the same SSID. This creates significant security and compliance risks. Always use dedicated SSIDs mapped to isolated VLANs.
  2. Use Purple for commercial guest access. Do not use ISE's built-in guest portal if you require marketing analytics, CRM integration or branded social login.
  3. Enforce tiered bandwidth. Offer a free, baseline service on the guest SSID, and offer a premium, paid option for higher speeds using Purple's Connect, Capture or Engage plans.
  4. Leverage Passpoint. Use Passpoint (Hotspot 2.0) through Purple to allow returning guests to connect automatically and securely without seeing the Captive Portal repeatedly.

Troubleshooting & Risk Mitigation

  • Captive Portal fails to load: This is almost always a walled garden issue. Verify that all required Purple domains and IP addresses are allowed in your Cisco hardware's pre-authentication ACL.
  • Guest devices are accessing internal resources: This indicates a failure in VLAN isolation. Verify that the guest VLAN cannot route to corporate subnets at the firewall or core switch layer.
  • RADIUS Timeouts: If the wireless controller cannot reach Purple's RADIUS servers, guest authentication will fail. Ensure your firewall permits outbound UDP ports 1812 and 1813 to Purple's infrastructure.
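To verify the VLAN isolation point above without waiting for a guest to find the gap, the firewall rule order can be evaluated offline. This is an added example, not vendor code: the subnets and the simplified `(action, source, destination)` rule format are constructed, evaluation is first-match with an implicit deny, and only IPv4 is handled.

```python
import ipaddress


def exposed_corporate_space(rules, guest_net, corp_nets):
    """Return the corporate subnets the guest VLAN can reach under first-match rules.

    rules: ordered (action, src, dst) tuples, action "permit" or "deny",
    followed by an implicit deny.
    """
    guest = ipaddress.ip_network(guest_net)
    exposed = []
    for corp in map(ipaddress.ip_network, corp_nets):
        undecided = [corp]  # corporate space that no earlier rule has matched yet
        for action, src, dst in rules:
            src, dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)
            if not src.overlaps(guest):
                continue
            whole_guest = guest.subnet_of(src)
            if action == "deny" and not whole_guest:
                continue  # a deny covering part of the guest VLAN is not isolation
            still_undecided = []
            for block in undecided:
                if not block.overlaps(dst):
                    still_undecided.append(block)
                    continue
                # CIDR blocks are nested or disjoint, so the overlap is the smaller one.
                hit = block if block.subnet_of(dst) else dst
                if action == "permit":
                    exposed.append(hit)
                if not whole_guest:
                    still_undecided.append(block)  # other guest hosts fall through
                elif hit != block:
                    still_undecided.extend(block.address_exclude(hit))
            undecided = still_undecided
    return [str(n) for n in ipaddress.collapse_addresses(exposed)]


# Constructed addressing plan and rule sets.
GUEST_VLAN = "172.16.50.0/24"
CORPORATE = ["10.10.0.0/16", "10.20.30.0/24"]

ISOLATED = [
    ("deny", "172.16.50.0/24", "10.0.0.0/8"),
    ("permit", "172.16.50.0/24", "0.0.0.0/0"),   # internet only
]
# An older, broader permit sits above the guest deny and shadows part of it.
SHADOWED = [("permit", "172.16.0.0/12", "10.10.20.0/24")] + ISOLATED
# "Internet" rule with no deny for internal ranges in front of it.
NO_DENY = [("permit", "172.16.50.0/24", "0.0.0.0/0")]

if __name__ == "__main__":
    for name, rules in [("isolated", ISOLATED), ("shadowed", SHADOWED),
                        ("no deny", NO_DENY)]:
        print(name, exposed_corporate_space(rules, GUEST_VLAN, CORPORATE))
```

An empty result means no rule lets the guest VLAN into the listed corporate ranges; any subnet returned is space a guest device can route to.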

ROI and Business Impact

The business impact of separating network access control (Cisco ISE) from guest experience management is significant. By offloading guest WiFi responsibilities to Purple, IT teams can reduce the operational burden of managing temporary accounts and troubleshooting portal issues.

More importantly, Purple turns the guest network into a revenue-generating asset. By collecting first-party data and integrating it with CRM platforms, venues can run highly targeted marketing campaigns. For example, Harrods used a simple question on their splash page to drive sign-ups for their loyalty programme, directly contributing to a 3x ROI from that cohort alone. AGS Airports saw an 842% return on investment by implementing tiered bandwidth. Combining Cisco ISE for security and Purple for engagement delivers both peace of mind and measurable commercial value.

Key Definitions

Network Access Control (NAC)

A security architecture that restricts network availability to compliant and authenticated endpoint devices. Cisco ISE is a NAC platform.

IT teams use NAC to prevent unauthorised devices from accessing corporate data.

IEEE 802.1X

An IEEE standard for port-based network access control, providing an authentication mechanism to devices wishing to attach to a LAN or WLAN.

Used by Cisco ISE to secure corporate SSIDs using certificates or credentials rather than shared passwords.

Captive Portal

A web page that the user of a public-access network is obliged to view and interact with before access is granted.

Purple provides highly customisable captive portals to capture marketing consent and first-party data.

VLAN (Virtual Local Area Network)

A logical subnetwork that groups a collection of devices from different physical LANs.

Crucial for separating guest traffic (managed by Purple) from corporate traffic (managed by ISE).

Walled Garden

A restricted environment that controls a user's access to web content and services before they have fully authenticated.

Must be configured correctly on Cisco hardware to allow devices to reach Purple's servers to load the captive portal.

RADIUS

Remote Authentication Dial-In User Service. A networking protocol that provides centralised Authentication, Authorisation, and Accounting management.

Both ISE and Purple use RADIUS, but for different purposes: ISE for 802.1X corporate access, Purple for guest session accounting.

Passpoint (Hotspot 2.0)

A standard that enables mobile devices to automatically discover and connect to Wi-Fi networks securely without user intervention.

Purple supports Passpoint to provide a frictionless, cellular-like roaming experience for returning guests.

pxGrid

Platform Exchange Grid. A Cisco framework that enables multivendor, cross-platform network system collaboration.

Allows Purple to share guest session context with the Cisco ISE ecosystem for unified security visibility.

Worked Examples

A 200-room hotel needs to provide secure WiFi for back-of-house staff (housekeeping, management) and a branded, data-capturing WiFi experience for hotel guests. They currently use Cisco Catalyst access points.

Deploy two SSIDs. 'Hotel_Corp' uses WPA3-Enterprise. Cisco ISE acts as the RADIUS server, authenticating staff devices via EAP-TLS certificates and assigning them to the management VLAN. 'Hotel_Guest' uses an open SSID redirected to Purple. Purple presents a branded captive portal offering social login or PMS integration. The guest traffic is placed on an isolated VLAN routed directly to the internet.

Examiner's Commentary: This approach perfectly separates concerns. ISE secures the corporate assets, while Purple handles the commercial requirement of capturing guest data for the hotel's marketing team. VLAN isolation ensures PCI DSS compliance.

A large retail chain wants to track shopper footfall and dwell time across 50 stores using their existing Cisco Meraki infrastructure, without compromising their internal point-of-sale (POS) network security.

The POS terminals connect to a hidden SSID secured by WPA3-Enterprise and Cisco ISE. A public 'Free_Store_WiFi' SSID is broadcast for shoppers. The Meraki dashboard is configured to integrate with Purple via API. Purple captures anonymised presence data from probing devices to generate heatmaps, and captures explicit first-party data when shoppers log in to the captive portal.

Examiner's Commentary: Using Purple's cloud overlay with Meraki requires no new hardware. The retail chain gains deep analytics and marketing data, while ISE ensures the POS network remains locked down and compliant.

Practice Questions

Q1. Your marketing director wants to capture email addresses and demographics from visitors using the guest WiFi in your retail stores. The network engineering team suggests enabling the guest portal feature built into your existing Cisco ISE deployment. Is this the correct approach?

Hint: Consider the commercial capabilities of the ISE guest portal versus a dedicated overlay platform.

Model answer:

No. The Cisco ISE guest portal is designed for functional access (e.g., contractors), not commercial marketing. It lacks native CRM integrations, GDPR consent management workflows, and detailed visitor analytics. The correct approach is to implement Purple on the guest SSID to handle the data capture and analytics, while leaving ISE to manage the corporate network.

Q2. A guest connects to the Purple-managed SSID but their browser displays a timeout error instead of the captive portal splash page. Corporate users on the ISE-managed SSID are unaffected. What is the most likely cause?

Hint: Think about what must happen before authentication is complete on a captive portal network.

Model answer:

The most likely cause is an incorrectly configured walled garden (pre-authentication ACL) on the wireless access point or controller. The device is being blocked from reaching Purple's cloud infrastructure to load the portal. You must ensure the specific Purple domains and IP ranges are whitelisted.

Q3. You are designing a network for a new corporate headquarters. You need to support staff laptops, staff personal phones (BYOD), and visiting clients. How should you architect the SSIDs and authentication?

Hint: Separate the populations based on device ownership and required access levels.

Model answer:

Deploy two SSIDs. The corporate SSID uses WPA3-Enterprise. Cisco ISE handles 802.1X authentication for staff laptops and manages certificate enrolment for staff BYOD devices, assigning them to internal VLANs. The guest SSID is open and redirected to Purple. Purple handles captive portal authentication for visiting clients, placing them on an isolated internet-only VLAN.
