EnGenius and guest WiFi: captive portal setup with Purple

How Purple's cloud guest WiFi works with EnGenius access points through a standard external captive portal and RADIUS, and where to check support and find the steps.

PODCAST SCRIPT: EnGenius Cloud Access Points Integration with Purple WiFi
Purple WiFi Intelligence Platform - Technical Briefing Series
Duration: Approximately 10 minutes
Voice: UK English, senior consultant tone - confident, conversational, authoritative

[INTRO - 1 MINUTE]

Welcome to the Purple Technical Briefing Series. Today we are covering something that comes up regularly on enterprise deployments: integrating EnGenius Cloud access points with Purple's guest WiFi platform. If you are running an EnGenius estate, whether that is ECW series access points in a hotel, a retail chain, or a multi-tenant office building, and you want to add a branded captive portal, collect first-party visitor data, and enforce proper network segmentation, this briefing is for you.

In the next ten minutes, I want to walk you through the four core configuration areas: guest captive portal redirection, walled garden setup, secure staff WiFi using 802.1X, and multi-tenant isolation using EnGenius MyPSK with dynamic VLAN assignment. By the end, you will have a clear picture of exactly what to configure, in what order, and where the common pitfalls are. Let's get into it.

[TECHNICAL DEEP-DIVE - 5 MINUTES]

Let's start with the guest captive portal, the most common starting point for any venue operator. EnGenius Cloud supports external splash pages natively. That means instead of hosting a basic login page on the access point itself, you redirect unauthenticated guests to Purple's cloud-hosted portal. This is where the branding, the data capture, the consent management, and the analytics all live.

Here is the configuration sequence in EnGenius Cloud. Log in to your EnGenius Cloud dashboard and navigate to Configure, then SSID. Select your guest SSID. Under the Wireless tab, set the security type to Open or WPA2 PSK, depending on your preference. Open is standard for most guest WiFi deployments. Then switch to the Captive Portal tab. Enable the captive portal and set the Authentication Type to Custom RADIUS. This is the key setting. It tells the access point to forward authentication requests to an external RADIUS server, which in this case is Purple's cloud RADIUS endpoint.

Now enter Purple's RADIUS details. The primary RADIUS server IP is provided in your Purple dashboard under Hardware Configuration. The authentication port is UDP 1812. The accounting port is UDP 1813. Enter the shared secret. Purple generates this for you, and it should be at least 22 characters mixing upper and lower case, numbers, and symbols. Set the NAS identifier to match your venue name or a unique identifier you have defined in Purple.

Next, switch to the Splash Page tab. Select External Splash Page URL and enter the Purple portal URL. This is the URL Purple provides for your specific venue. When a guest connects to the SSID and opens a browser, the access point intercepts the request and redirects them to this URL, passing parameters including the client MAC address, the AP MAC address, and the original URL the guest was trying to reach.

Now the walled garden. This is the list of domains and IP addresses that guests can reach before they authenticate. Without it, the Purple portal itself cannot load, because the guest's browser cannot reach Purple's servers. In EnGenius Cloud, the walled garden is under Captive Portal, then Advanced Settings, then Walled Garden. You need to add the Purple portal domain, Purple's CDN endpoints, and the operating system captive portal probe endpoints. For Apple devices, that is captive.apple.com. For Android, connectivitycheck.gstatic.com. For Windows, msftconnecttest.com. Miss any of these and guests on those platforms will not see the portal at all.

If you are offering social login through Google or Facebook, you also need to allowlist the OAuth endpoints for those providers. Google requires accounts.google.com, oauth2.googleapis.com, and apis.google.com at minimum. Facebook requires www.facebook.com, graph.facebook.com, and connect.facebook.net. Purple's support documentation provides an up-to-date walled garden list for each authentication method. Use that as your reference, because these domains do change.

Now let's move to secure staff WiFi using 802.1X. This is a separate SSID. The security type here is WPA2 Enterprise or WPA3 Enterprise. In EnGenius Cloud, under the SSID Wireless tab, select WPA2 Enterprise and then choose Custom RADIUS. Enter the same RADIUS server details. Purple's RADIUS endpoint, port 1812, and the shared secret. The difference from the guest set-up is that there is no captive portal here. Staff devices authenticate silently using the IEEE 802.1X protocol. The device presents a certificate or username and password to the RADIUS server, which validates it and returns an Access-Accept message along with VLAN assignment attributes.

The RADIUS attributes that drive dynamic VLAN assignment are Tunnel-Type set to VLAN, Tunnel-Medium-Type set to 802, and Tunnel-Private-Group-ID set to the VLAN number. So if your staff VLAN is VLAN 20, the RADIUS server returns Tunnel-Private-Group-ID with a value of 20. The EnGenius access point reads this attribute and places the authenticated device on VLAN 20 automatically. This means you can have a single SSID serving multiple staff roles, finance, operations, IT, contractors, each landing on a different VLAN based on their directory group membership, all without any manual VLAN configuration per device.

For the EAP method, PEAP-MSCHAPv2 is the most common choice for environments using Active Directory or Microsoft Entra ID. It requires a server-side certificate on the RADIUS server and username-password credentials on the client. EAP-TLS is more secure. It uses certificates on both sides. But it requires a PKI infrastructure and MDM deployment to push certificates to devices. For most venue operators, PEAP-MSCHAPv2 with strict certificate validation enforced via Group Policy or MDM is the practical choice.

Now for the most technically interesting part: EnGenius MyPSK and multi-tenant isolation. MyPSK, also called PPSK or Private Pre-Shared Key, solves a specific problem in multi-tenant environments. In a build-to-rent development, a serviced office, or a student accommodation block, you want each tenant or resident to have their own unique WiFi password. But you do not want to create a separate SSID for each tenant. That creates radio frequency congestion and management overhead.

MyPSK lets you create up to 500 unique pre-shared keys per SSID. Each key is bound to a specific VLAN. When a resident connects using their unique key, the access point places them on their designated VLAN automatically. Tenant A's traffic never touches Tenant B's network segment. The encryption is also per-user. Each key generates a unique Pairwise Master Key, so one tenant cannot decrypt another tenant's over-the-air traffic even though they share the same SSID.

In EnGenius Cloud, you configure MyPSK under the SSID security settings. Select WPA2 PSK or WPA3 Personal, then enable MyPSK. You can then create PSKs individually or auto-generate batches of up to 50 at a time. For each PSK, you assign a VLAN ID and optionally set an expiry date. When a lease ends or a student graduates, you simply expire or delete their PSK. Access is revoked immediately without affecting any other tenant.

For Purple integration in a MyPSK environment, the guest-facing tenants can still be directed through a captive portal on their VLAN. Staff and operational tenants bypass the portal entirely. The VLAN segmentation ensures Purple's analytics data is correctly attributed per network segment.

[IMPLEMENTATION RECOMMENDATIONS AND PITFALLS - 2 MINUTES]

Let me give you the implementation sequence I recommend for a clean first deployment. Start with your VLAN architecture before you touch the WiFi configuration. Define VLAN 10 for guests, VLAN 20 for staff, VLAN 30 for tenants, or whatever numbering fits your existing scheme. Configure these VLANs on your ECS switches first, with the appropriate trunk and access port assignments. The access points need to receive tagged traffic on the uplink port for each VLAN you plan to use.

Then configure the SSIDs in EnGenius Cloud in this order: guest SSID first, because it is the most straightforward. Validate the captive portal redirect to Purple before moving on. Then configure the staff SSID with 802.1X. Test with a known device before rolling out to the full estate. Then configure MyPSK if you need multi-tenant isolation.

The pitfalls. First, the walled garden. This is the number one cause of failed captive portal deployments. If guests cannot reach the portal, check the walled garden first. Second, RADIUS shared secret mismatch. The shared secret must be identical on both the EnGenius Cloud configuration and the Purple RADIUS server configuration. A single character difference causes every authentication to fail silently. Third, VLAN trunk configuration on the switch. If the ECS switch port connecting to the access point is not configured as a trunk carrying all the required VLANs, dynamic VLAN assignment will fail. Fourth, certificate validation on 802.1X clients. If staff devices are not configured to validate the RADIUS server certificate, they are vulnerable to credential theft via rogue access points. Enforce this via Group Policy for Windows and MDM profiles for everything else.

[RAPID-FIRE Q&A - 1 MINUTE]

A few questions I hear regularly on EnGenius and Purple deployments.

Can I use EnGenius Cloud RADIUS instead of Purple's RADIUS? Yes, for internal authentication. But for guest WiFi with Purple's analytics and portal, you need to point to Purple's RADIUS endpoint. The two can coexist on different SSIDs.

Does MyPSK work with WPA3? Yes. EnGenius supports WPA3 and WPA2/WPA3 mixed mode with MyPSK, so WPA3-capable devices get SAE authentication while older devices fall back to WPA2 PSK, all using the same per-user key.

Does Purple support RADIUS accounting for session data? Yes. Enable the accounting server in EnGenius Cloud's RADIUS configuration, pointing to Purple's accounting endpoint on UDP 1813. This feeds session duration and data volume into Purple's analytics.

[SUMMARY AND NEXT STEPS - 1 MINUTE]

To summarise. EnGenius Cloud access points integrate cleanly with Purple's guest WiFi platform through four configuration layers. Guest captive portal redirection uses Custom RADIUS and an external splash page URL pointing to Purple. Walled garden whitelisting ensures the portal loads before authentication. Staff WiFi uses WPA2 Enterprise with 802.1X and dynamic VLAN assignment via RADIUS attributes. And multi-tenant isolation uses EnGenius MyPSK to assign unique per-user keys bound to specific VLANs, with optional expiry dates for time-limited access.

Purple operates across 80,000 venues and has processed 440 million logins in 2024 alone. The platform is ISO 27001 certified, GDPR compliant, and hardware-agnostic, which is exactly why it works cleanly with EnGenius alongside Cisco Meraki, HPE Aruba, Ruckus, and the rest of the enterprise hardware ecosystem.

If you are ready to deploy, start with the walled garden configuration guide in Purple's support documentation, then work through the SSID setup in EnGenius Cloud. The full step-by-step guide is available at purple.ai. Thank you for listening.

EnGenius access points run the radio side of your network. Purple adds the guest layer on top: the captive portal your visitors see, the sign-in journey, and the first-party data you collect. It does not replace any of your hardware.

How EnGenius works with Purple guest WiFi

Purple is a cloud overlay, and it is hardware-agnostic. If your device supports an external captive portal and RADIUS, it can run Purple's guest sign-in. Two standard mechanisms do the work.

  • External web authentication. The access point or controller redirects a newly connected device to your Purple splash page instead of granting access straight away. The visitor signs in, and the page hands control back.
  • RADIUS. The access point or controller checks each sign-in against Purple's RADIUS service on the standard ports, 1812 for authentication and 1813 for accounting. The accounting data is what powers your visitor analytics.
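
The RADIUS reply as the access point sees it, as an added example that is not Purple's or EnGenius's code: it checks the Response Authenticator of an Access-Accept against the shared secret (RFC 2865) and reads the three VLAN attributes named in the podcast transcript (RFC 2868 and RFC 3580). The secret, Request Authenticator and packet are constructed sample values.

```python
import hashlib
import hmac
import struct

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TT_VLAN, TMT_IEEE_802 = 13, 6                                          # RFC 3580
REQUEST_AUTH = bytes(range(16))        # constructed Request Authenticator
SECRET = b"Constructed-Secret-0123!"   # constructed shared secret, not a real one


def response_auth(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_accept(ident, request_auth, secret, vlan):
    """Constructed Access-Accept (code 2) carrying the three VLAN attributes."""
    vid = str(vlan).encode()
    attrs = (struct.pack("!BBI", TUNNEL_TYPE, 6, TT_VLAN)  # tag byte 0 + 3-byte value
             + struct.pack("!BBI", TUNNEL_MEDIUM_TYPE, 6, TMT_IEEE_802)
             + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid)
    auth = response_auth(2, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + auth + attrs


def vlan_from_accept(packet, request_auth, secret):
    """VLAN ID to apply, or None when the reply must be discarded."""
    if (len(packet) < 20 or packet[0] != 2
            or int.from_bytes(packet[2:4], "big") != len(packet)):
        return None  # not a well-formed Access-Accept
    ident, attrs = packet[1], packet[20:]
    good = response_auth(2, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(good, packet[4:20]):
        return None  # secret mismatch or tampering: dropped with no error shown
    found, i = {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            return None  # malformed attribute
        found[attrs[i]] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    tunnel = int.from_bytes(found.get(TUNNEL_TYPE, b"")[1:], "big")
    medium = int.from_bytes(found.get(TUNNEL_MEDIUM_TYPE, b"")[1:], "big")
    gid = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if gid[:1] and gid[0] <= 0x1F:
        gid = gid[1:]  # optional tag byte
    if tunnel != TT_VLAN or medium != TMT_IEEE_802 or not gid.isdigit():
        return None
    return int(gid)
```

A secret that differs by one character yields `None` here, which is the silent failure the transcript warns about: the reply is discarded and the client simply never gets on the network.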

A walled garden, a short allow-list of addresses a device can reach before it signs in, lets the splash page load and any payment or social-login steps complete.
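
A pre-deployment check for the walled garden, as an added example that is not Purple's or EnGenius's tooling: it compares a configured allow-list with the hostnames named in the podcast transcript and flags entries too broad for pre-authentication access. The entry syntax (exact names or a leading `*.`), the sample list and the `example.net` portal hosts are assumptions; take the real portal and CDN hosts from your Purple dashboard.

```python
# Pre-authentication hostnames named in the podcast transcript on this page.
REQUIRED = {
    "os-probes": ["captive.apple.com", "connectivitycheck.gstatic.com",
                  "msftconnecttest.com"],
    "google": ["accounts.google.com", "oauth2.googleapis.com", "apis.google.com"],
    "facebook": ["www.facebook.com", "graph.facebook.com", "connect.facebook.net"],
}

# Constructed sample configuration; the example.net hosts are placeholders.
SAMPLE_PORTAL = ["portal.example.net", "cdn.example.net"]
SAMPLE_GARDEN = ["portal.example.net", "captive.apple.com",
                 "connectivitycheck.gstatic.com", "*.google.com",
                 "www.facebook.com", "graph.facebook.com"]


def covers(entry, host):
    """True if an entry permits host. Assumes exact names or a leading '*.'."""
    entry = entry.strip().lower().rstrip(".")
    if entry == "*":
        return True
    if entry.startswith("*."):
        return host.lower().endswith(entry[1:])
    return entry == host.lower()


def audit(garden, login_methods, portal_hosts):
    """Return (missing hosts by group, entries too broad for pre-auth access)."""
    needed = {"portal": list(portal_hosts), "os-probes": REQUIRED["os-probes"]}
    needed.update({m: REQUIRED[m] for m in login_methods})
    missing = {}
    for group, hosts in needed.items():
        gaps = [h for h in hosts if not any(covers(e, h) for e in garden)]
        if gaps:
            missing[group] = gaps
    # Heuristic: '*' or '*.tld' opens far more than the sign-in flow needs.
    too_broad = [e for e in garden
                 if e.strip().startswith("*") and e.count(".") < 2]
    return missing, too_broad


if __name__ == "__main__":
    print(audit(SAMPLE_GARDEN, ["google", "facebook"], SAMPLE_PORTAL))
```

On the sample list, `*.google.com` covers two of the three Google hosts but not `oauth2.googleapis.com`, the kind of gap that only surfaces when a guest tries social login.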

That is the whole model: your hardware moves the packets, Purple owns the sign-in and the data. Because it runs on standard web authentication and RADIUS, it works the same way across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme and Fortinet. Purple is hardware-agnostic by design.

What you need

  • An EnGenius access point that supports an external captive portal and RADIUS.
  • A Purple venue with your splash page and sign-in journey set up.
  • Your Purple RADIUS details and walled garden addresses, from your Purple dashboard.

Set it up with Purple

Whether your exact model is supported, and the settings to use, are confirmed in Purple's supported hardware list. Check your device there first, then follow the matching setup guide for the precise values to enter.

Purple supported hardware

This page explains how the pieces fit together, so you know what each step is doing.

What you get

Once guests sign in through Purple, every visit becomes verified, conscious-choice opt-in first-party data: who visited, how often, and how to reach them with permission. That is the difference between WiFi that connects people and WiFi that builds a marketing audience you own. Purple is GDPR-aligned and ISO 27001 certified, with 99.999% uptime across more than 80,000 live venues.

Key Definitions

Cloud overlay

Purple sits on top of your existing hardware. The kit keeps running the WiFi; Purple runs the guest sign-in and the data, without replacing anything.

Hardware-agnostic

Purple works with any access point or controller that supports an external captive portal and RADIUS, rather than being tied to one vendor.

External web authentication

A standard where the access point redirects a new device to an external splash page to sign in, instead of granting access itself. Purple hosts that splash page.

RADIUS

The protocol the hardware uses to check each sign-in and log session data with Purple, on the standard ports 1812 for authentication and 1813 for accounting.

Walled garden

A short allow-list of addresses a device can reach before it signs in, so the splash page and any payment or social-login steps can load.