Skip to main content
English (UK)
Pricing

HTTPS Captive Portals in 2026: Why HSTS and Browser Hardening Are Breaking the Old Patterns

This guide details how HSTS and browser HTTPS-first policies are breaking legacy HTTP-intercept captive portals in 2026. It provides actionable technical guidance for network architects to implement modern alternatives, including the CAPPORT API and Passpoint (Hotspot 2.0), ensuring secure and reliable guest WiFi access.

📖 6 min read📝 1,495 words🔧 2 examples3 questions📚 8 key terms

🎧 Listen to this Guide

View Transcript
PODCAST SCRIPT: HTTPS Captive Portals in 2026 — Why HSTS and Browser Hardening Are Breaking the Old Patterns Runtime target: ~10 minutes | Voice: UK English, senior consultant tone --- [INTRO — ~60 seconds] Welcome back. I'm going to cut straight to it today, because if you're running guest WiFi at scale — hotels, retail estates, stadiums, conference centres — you've probably already hit this problem, or you're about to. The classic captive portal pattern — the one where your network intercepts an HTTP request and redirects the user to a splash page — is breaking. Not gradually. It's breaking hard, and the browser vendors are the ones doing it. In the next ten minutes, I want to walk you through exactly what's changed, why it's changed, and what your realistic options are in 2026. This isn't theoretical. This is the conversation I'm having with network architects and IT directors every week right now. Let's get into it. --- [TECHNICAL DEEP-DIVE — ~5 minutes] So let's start with the mechanism. The legacy captive portal pattern works like this: a device connects to your open or PSK-protected WiFi network. It tries to load a web page. Your network controller intercepts that HTTP request — port 80 traffic — and issues a 302 redirect to your portal page. The user sees your splash screen, accepts terms, maybe logs in, and then you open the walled garden. Simple. It's worked for twenty-plus years. The problem is that pattern depends entirely on the device making an unencrypted HTTP request that you can intercept. And browsers are systematically eliminating those requests. Here's the timeline of what's happened. HSTS — HTTP Strict Transport Security — has been around since RFC 6797 in 2012. The mechanism is straightforward: a site sends a Strict-Transport-Security header, and the browser remembers it. For the duration of the max-age period, the browser will refuse to load that site over plain HTTP. It upgrades the connection to HTTPS automatically. If HTTPS isn't available, the connection fails — hard. No bypass, no redirect, just a certificate error. Now, HSTS on its own is manageable. The browser only enforces it after the first visit. But then came the HSTS preload list. Chrome maintains a hardcoded list of domains that are HTTPS-only, baked directly into the browser binary. Firefox, Safari, and Edge all consume the same list. As of 2026, that list covers well over 100,000 domains, including essentially every major consumer destination — Google, Facebook, Twitter, banking sites, government portals, the lot. What that means in practice is this: when your guest device connects to your network and tries to load gmail.com, or bbc.co.uk, or any preloaded domain, the browser doesn't even attempt an HTTP request. It goes straight to HTTPS. Your network controller never sees a plain HTTP request to intercept. The redirect never happens. The user just gets a certificate error, because your portal's self-signed certificate is not trusted for gmail.com. They see NET::ERR_CERT_AUTHORITY_INVALID and they're stuck. And it's getting worse. In October 2025, Google announced that Chrome 154 — shipping October 2026 — will enable "Always Use Secure Connections" by default for all users on public sites. Chrome 147, which shipped in April 2026, already enabled this for the one-billion-plus users who have Enhanced Safe Browsing turned on. Firefox has been moving in the same direction. Safari has had HTTPS-first behaviour on iOS for some time. The net effect: by the end of 2026, the majority of your guests' browsers will attempt HTTPS for every navigation, regardless of whether the domain is on the preload list. The HTTP intercept pattern is not just unreliable — it's dead. Now, there's a secondary problem that compounds this. Even when the OS-level Captive Network Assistant — the CNA — fires up its mini-browser to handle the portal, that mini-browser has its own HSTS enforcement. On iOS, the CNA uses a sandboxed WebKit instance. On Android, it uses a Chrome Custom Tab. Both enforce HSTS. Both will fail to load your portal if you're trying to serve it via a hostname that has an HSTS policy. The correct technical response here is to serve your portal from a dedicated hostname that has never had an HSTS header and is not on the preload list — something like portal.yourvenue.com — with a valid, CA-signed TLS certificate. That's table stakes now. But even that doesn't fully solve the detection problem, because the device still needs to discover that it's behind a captive portal in the first place. That's where RFC 8910 and RFC 8908 come in. RFC 8910 defines a DHCP option — option 114 — and an IPv6 Router Advertisement option that tells the client device the URL of the captive portal API endpoint. RFC 8908 defines that API: a simple JSON endpoint that the OS queries to determine whether internet access is restricted, and if so, where the portal is. Modern operating systems — iOS 14 and later, Android 11 and later, Windows 11 — all support this. When you implement CAPPORT correctly, the device knows it's behind a portal before it ever tries to load a web page. The OS fires up the CNA with the correct portal URL directly. No HTTP intercept required. That's the first modern alternative: DNS and DHCP signalling via CAPPORT, with a properly-signed portal served from a dedicated hostname. The second alternative is Passpoint, based on IEEE 802.11u and the Wi-Fi Alliance's Hotspot 2.0 specification. Passpoint takes a fundamentally different approach. Instead of intercepting traffic, the access point advertises its identity and authentication requirements via ANQP — Access Network Query Protocol — before the device even associates. The device checks whether it has valid credentials for this network. If it does, it authenticates via 802.1X and WPA2 or WPA3 Enterprise, and gets full network access immediately. No portal, no redirect, no browser involvement at all. Passpoint is the right answer for a specific set of deployments: multi-site operators, enterprise environments, healthcare, transport hubs, anywhere you have repeat users who benefit from zero-touch connectivity. Purple's SecurePass product line is built around this model, and for the right deployment profile it eliminates the captive portal problem entirely. The third option, which sits between the two, is OWE — Opportunistic Wireless Encryption. OWE is defined in RFC 8110 and provides per-client encryption on open networks without requiring credentials. It doesn't replace the portal, but it removes the open-network security exposure that makes regulators nervous, particularly under GDPR and PCI DSS. --- [IMPLEMENTATION RECOMMENDATIONS & PITFALLS — ~2 minutes] Right, so what should you actually do? Let me give you the practical framework. If you're running a captive portal today and it's working, your immediate priority is to implement CAPPORT. That means configuring DHCP option 114 on your controller to point to your portal API endpoint, implementing the RFC 8908 JSON API on your portal server, and ensuring your portal is served from a dedicated hostname with a valid CA-signed certificate. This will restore reliable portal detection on modern devices and eliminate the certificate error problem. Do not — I repeat, do not — attempt to serve your portal from a hostname that appears on the HSTS preload list. And do not use a self-signed certificate. Both of these are instant failure modes. The second thing to address is your walled garden configuration. Your DHCP server, your DNS resolver, and your portal hostname all need to be accessible before authentication. That includes the OS detection probe URLs: captive.apple.com for Apple devices, connectivitycheck.gstatic.com for Android, and msftconnecttest.com for Windows. If any of these are blocked pre-auth, the CNA won't fire and your users will be stuck. For new deployments, particularly in hospitality and multi-site retail, I'd strongly recommend evaluating a hybrid architecture: a Passpoint SSID for repeat visitors and a CAPPORT-compliant portal SSID for first-time guests, with the portal offering Passpoint profile installation as part of the onboarding flow. This gives you the marketing touchpoint for new visitors while delivering zero-friction connectivity for returning ones. The pitfall I see most often is operators who've invested in portal customisation and data collection treating Passpoint as a threat to their marketing stack. It isn't. Purple's platform, for example, supports progressive onboarding where the initial portal interaction captures consent and profile data, and then provisions a Passpoint credential for future visits. You get the first-party data on the first visit and the seamless experience on every subsequent one. --- [RAPID-FIRE Q&A — ~1 minute] Quick-fire questions I get asked constantly: "Can I just use a self-signed cert for my portal?" No. Modern browsers and CNA implementations will reject it. You need a CA-signed certificate. "Does CAPPORT work on all devices?" iOS 14+, Android 11+, Windows 11 — yes. Older devices fall back to legacy detection behaviour. Plan for both. "Is Passpoint GDPR-compliant?" Yes, when implemented correctly. The credential provisioning step is where you capture consent. Purple handles this as part of the SecurePass onboarding flow. "What about PCI DSS scope?" If your guest network carries any cardholder data, you need network segmentation regardless of portal type. Passpoint's WPA3-Enterprise encryption significantly reduces your attack surface and simplifies scope arguments with QSAs. --- [SUMMARY & NEXT STEPS — ~1 minute] To wrap up: the HTTP intercept pattern is broken by HSTS preloading and Chrome's move to HTTPS-first by default. The fix for existing deployments is CAPPORT — RFC 8910 plus RFC 8908 — with a properly-signed portal on a dedicated hostname. For new deployments or major refreshes, evaluate Passpoint, particularly if you have repeat-visitor traffic or compliance requirements that benefit from WPA3-Enterprise encryption. The browser vendors have made their position clear. The question isn't whether to adapt — it's how fast. If you want to dig into the specifics for your deployment, the Purple team can walk you through a CAPPORT readiness assessment and a Passpoint feasibility analysis. Links in the show notes. Thanks for listening. See you next time. --- END OF SCRIPT

header_image.png

Executive Summary

The legacy captive portal pattern—intercepting HTTP traffic and issuing a 302 redirect—is dead. Driven by HTTP Strict Transport Security (HSTS) and aggressive browser hardening, the traditional 'intercept and redirect' mechanism is failing at scale across Hospitality , Retail , and enterprise environments. As of 2026, with Chrome enforcing HTTPS-first behaviour by default and the HSTS preload list exceeding 100,000 domains, network controllers can no longer rely on unencrypted HTTP requests to trigger portal detection.

For IT managers and network architects, this represents a critical architectural shift. Maintaining seamless Guest WiFi access now requires modernising your onboarding flow. This guide details the technical mechanisms breaking legacy portals and outlines the vendor-neutral implementation path forward: deploying the CAPPORT API (RFC 8908/8910) for immediate stability, and migrating to Passpoint (Hotspot 2.0) and OpenRoaming for secure, zero-touch connectivity.

Technical Deep-Dive: Why HSTS Breaks the Intercept Pattern

The traditional captive portal relies on a fundamental assumption: the client device will make an unencrypted HTTP request on port 80 that the network access server (NAS) or controller can intercept and redirect to the portal's splash page.

This assumption is no longer valid.

The HSTS Preload Problem

HTTP Strict Transport Security (HSTS), defined in RFC 6797, allows a web server to declare that web browsers should only interact with it using secure HTTPS connections. When a user attempts to access an HSTS-protected domain via HTTP, the browser internally upgrades the request to HTTPS before any network traffic is sent.

Because the request is encrypted, the network controller cannot inspect the host header or issue an HTTP 302 redirect. Instead, the controller intercepts the HTTPS traffic and presents its own portal certificate. Since this certificate does not match the requested domain (e.g., google.com), the browser throws a fatal NET::ERR_CERT_AUTHORITY_INVALID error. The user is blocked, and the portal never loads.

The HSTS Preload list exacerbates this issue. Browsers hardcode a list of domains that must always be accessed via HTTPS, even on the first visit. In 2026, this list includes virtually all major consumer destinations. When a guest connects to your network and types a common URL, the browser forces HTTPS, triggering the certificate error and breaking the captive portal flow.

Browser Hardening: HTTPS-First Mode

Beyond HSTS, browser vendors have systematically hardened their default behaviours. In late 2025, Google announced that Chrome 154 (released in October 2026) would enable "Always Use Secure Connections" by default for all users on public sites. Safari and Firefox have implemented similar HTTPS-first modes.

This means that even for domains not on the HSTS preload list, the browser will attempt an HTTPS connection first. The HTTP intercept pattern is effectively obsolete.

legacy_vs_modern_comparison.png

Modern Alternatives: CAPPORT and Passpoint

To restore functionality and improve the user experience, network architects must transition to modern captive portal detection mechanisms and authentication frameworks.

1. The CAPPORT API (RFC 8908 and RFC 8910)

The Internet Engineering Task Force (IETF) addressed the captive portal detection problem with the CAPPORT architecture. Instead of relying on intercepted web traffic, CAPPORT provides an explicit signalling mechanism.

  • RFC 8910 (Captive-Portal Identification): The network uses DHCP (Option 114) or IPv6 Router Advertisements to provide the client device with the URI of the captive portal API.
  • RFC 8908 (Captive Portal API): The client queries the provided URI (a JSON endpoint) to determine if it is captive and to obtain the URL of the user-facing portal page.

When implemented, the client OS (iOS, Android, Windows) natively detects the portal before the user opens a browser. The OS launches its Captive Network Assistant (CNA) and loads the portal URL directly over a secure HTTPS connection. This eliminates the need for HTTP interception and avoids certificate errors.

2. Passpoint (Hotspot 2.0) and OpenRoaming

For environments with repeat visitors or high security requirements, Passpoint (based on IEEE 802.11u) is the definitive replacement for the captive portal.

Passpoint operates at the MAC layer. Before associating with the Access Point (AP), the client device uses the Access Network Query Protocol (ANQP) to discover the network's capabilities and roaming consortiums. If the device holds a matching credential (e.g., a profile installed during a previous visit or via an identity provider), it automatically authenticates using 802.1X and WPA2/WPA3-Enterprise.

This approach provides cellular-like, zero-touch connectivity. It encrypts traffic over the air, mitigating the risks of open networks and evil twin attacks. OpenRoaming, built on Passpoint, extends this by federating identity providers, allowing users to roam seamlessly across different venues. Notably, Purple acts as a free identity provider for services like OpenRoaming under the Connect license, facilitating broad adoption without per-user licensing fees.

passpoint_migration_decision.png

Implementation Guide

Deploying a resilient guest access architecture requires a phased approach, moving from immediate remediation to strategic transformation.

Phase 1: Stabilise Existing Portals with CAPPORT

If you must maintain a traditional Captive Portal for data capture or WiFi Analytics , you must implement CAPPORT to bypass HSTS breakage.

  1. Configure DHCP Option 114: Update your DHCP server or network controller to broadcast Option 114, pointing to your portal's API endpoint (e.g., https://portal.yourvenue.com/capport).
  2. Implement the RFC 8908 API: Ensure your portal server responds to the API request with valid JSON indicating the captive state and the user-facing URL.
  3. Use a Dedicated, Valid Hostname: The portal must be served over HTTPS using a valid, CA-signed certificate. Never use a self-signed certificate or a hostname that is on the HSTS preload list.
  4. Allowlist OS Probes: Ensure that the OS-level Captive Portal detection probes (e.g., captive.apple.com, connectivitycheck.gstatic.com) are permitted through the walled garden pre-authentication.

Phase 2: Deploy Passpoint for Secure, Seamless Access

Transitioning to Passpoint significantly enhances security and user experience, particularly in Healthcare and Transport deployments.

  1. Verify Infrastructure Support: Ensure your APs and controllers support Hotspot 2.0/Passpoint and 802.1X authentication.
  2. Configure ANQP Profiles: Define the venue name, roaming consortium OIs, and NAI realms in your network controller.
  3. Establish a RADIUS/AAA Backend: Implement a RADIUS server capable of handling EAP authentication (e.g., EAP-TLS, EAP-TTLS).
  4. Implement Profile Provisioning: Use an Online Sign-Up (OSU) server or integrate with a platform like Purple SecurePass to provision Passpoint profiles to user devices.

Phase 3: The Hybrid Progressive Onboarding Model

For venues that require both seamless access and initial data capture (e.g., retail environments looking to drive loyalty), a hybrid approach is optimal.

  1. First Visit: The user connects to an open SSID and is directed to a CAPPORT-enabled Captive Portal. The portal captures necessary data (e.g., email, terms acceptance) and provisions a Passpoint profile to the device.
  2. Subsequent Visits: The user's device automatically detects the Passpoint network via ANQP and authenticates seamlessly using 802.1X. The Captive Portal is bypassed entirely.

Best Practices

  • Avoid 'Frictionless' Marketing Speak: Focus on the technical reality. Passpoint requires initial provisioning friction to achieve long-term seamlessness.
  • Segment Guest Traffic: Regardless of the authentication method, guest traffic must be logically separated from corporate networks using VLANs and firewalls, aligning with Internet of Things Architecture: A Complete Guide .
  • Monitor Certificate Expiry: A lapsed TLS certificate on your portal or RADIUS server will cause catastrophic authentication failures. Implement automated renewal and monitoring.
  • Comply with Data Privacy Regulations: Ensure your data capture and retention policies align with local laws. For specific regional guidance, refer to resources like the Brazil LGPD and Guest WiFi: A Compliance Guide .

Troubleshooting & Risk Mitigation

  • Symptom: iOS devices show a blank CNA screen.
    • Cause: The portal page contains resources (images, scripts) hosted on external domains that are blocked by the walled garden.
    • Fix: Host all essential portal assets locally or add the required external domains to the pre-auth allowlist.
  • Symptom: Android devices display a certificate warning instead of the portal.
    • Cause: The controller is intercepting HTTPS traffic to a preloaded HSTS domain, or the portal's TLS certificate is invalid/self-signed.
    • Fix: Implement CAPPORT and ensure the portal uses a CA-signed certificate on a dedicated hostname.
  • Symptom: Passpoint profile installation fails on Windows 11.
    • Cause: The provisioning server's certificate chain is incomplete or untrusted by the OS.
    • Fix: Verify that the full certificate chain (including intermediate CAs) is served during the TLS handshake.

ROI & Business Impact

Transitioning from legacy HTTP intercept portals to modern CAPPORT and Passpoint architectures delivers measurable business value:

  • Reduced Support Tickets: Eliminating HSTS-related certificate errors directly reduces IT helpdesk volume regarding guest connectivity issues.
  • Increased Connection Rates: Reliable OS-level portal detection ensures more guests successfully complete the onboarding flow, expanding your reachable audience for marketing initiatives.
  • Enhanced Security Posture: Moving to Passpoint and WPA3-Enterprise mitigates the risks associated with open networks, protecting against eavesdropping and evil twin attacks, which is critical for compliance in sectors like finance and healthcare.
  • Improved User Experience: Zero-touch roaming via Passpoint drives higher user satisfaction and repeat engagement, supporting broader digital initiatives like Indoor Positioning System: UWB, BLE, & WiFi Guide and Your Guide to Enterprise In Car Wi Fi Solutions .

Key Terms & Definitions

HSTS (HTTP Strict Transport Security)

A web security policy mechanism that forces web browsers to interact with domains only via secure HTTPS connections, preventing protocol downgrade attacks and HTTP interception.

When IT teams see an increase in certificate errors on guest networks, HSTS enforcement on popular domains is typically the root cause, breaking legacy redirect mechanisms.

HSTS Preload List

A hardcoded list built into modern web browsers containing domains that must always be accessed via HTTPS, even on the very first visit.

If a user attempts to navigate to a preloaded domain (like google.com) while behind a legacy captive portal, the browser will refuse the HTTP connection, preventing the portal redirect.

CAPPORT (Captive Portal Architecture)

An IETF standard (RFC 8908 and 8910) that uses DHCP or IPv6 Router Advertisements to explicitly signal the presence and URL of a captive portal to a client device.

Implementing CAPPORT is the primary remediation strategy for network architects to fix broken portal detection on modern iOS, Android, and Windows devices.

Passpoint (Hotspot 2.0)

A Wi-Fi Alliance specification based on IEEE 802.11u that enables devices to automatically discover and securely authenticate to Wi-Fi networks without user intervention.

Used in enterprise and multi-site deployments to replace captive portals entirely, providing cellular-like roaming and WPA3-Enterprise security.

ANQP (Access Network Query Protocol)

A layer 2 protocol used by client devices to query Access Points for network information (like roaming partners and supported authentication types) before associating.

ANQP is the discovery mechanism that allows a Passpoint-enabled device to determine if it has the correct credentials to join a specific network silently.

CNA (Captive Network Assistant)

The OS-level pseudo-browser that automatically opens when a device detects it is behind a captive portal, allowing the user to authenticate before gaining full internet access.

IT teams must ensure their walled garden allows access to the OS-specific probe URLs (e.g., captive.apple.com) so the CNA triggers correctly.

OpenRoaming

A global Wi-Fi roaming federation that allows users to connect automatically and securely across different venues using a single set of credentials provided by an identity provider.

Venues adopt OpenRoaming to provide seamless access for guests, leveraging identity providers like Purple to manage authentication without complex bilateral agreements.

Walled Garden

A restricted network environment where unauthenticated users can only access a specific set of pre-approved IP addresses or domains necessary for the login process.

Misconfigured walled gardens that block OS detection probes or external portal assets are a leading cause of blank screens and failed guest onboarding.

Case Studies

A 400-room enterprise hotel is experiencing a 30% drop in successful guest WiFi connections. Users report seeing 'Your connection is not private' (NET::ERR_CERT_AUTHORITY_INVALID) errors on their smartphones when trying to access the network. The hotel currently uses a legacy open SSID that intercepts port 80 traffic to redirect to a branded splash page.

The IT team must immediately implement the CAPPORT API (RFC 8908/8910). First, configure the network controller's DHCP server to broadcast Option 114, providing the URI of the captive portal API. Second, deploy the RFC 8908 JSON endpoint on the portal server. Third, ensure the portal is hosted on a dedicated subdomain (e.g., wifi.hoteldomain.com) with a valid, CA-signed TLS certificate. Finally, verify that OS detection URLs (like captive.apple.com) are allowed pre-authentication.

Implementation Notes: This approach directly addresses the HSTS breakage by utilizing out-of-band signalling (DHCP) to inform the OS of the portal's location, rather than relying on intercepting encrypted web traffic. It restores the native Captive Network Assistant (CNA) experience without triggering browser certificate warnings.

A large retail chain with 500 locations wants to implement seamless WiFi roaming for their loyalty app users, eliminating the need for customers to interact with a captive portal on every visit, while still maintaining high security standards (WPA3).

The architect should deploy a Passpoint (Hotspot 2.0) architecture. The initial onboarding can occur via the retailer's loyalty app, which provisions a Passpoint profile (credential) to the user's device. The APs across all 500 locations must be configured to broadcast the appropriate ANQP roaming consortium OIs. A centralized RADIUS infrastructure will handle the 802.1X EAP authentication when the device automatically associates with the network.

Implementation Notes: Passpoint is the correct solution for multi-site roaming and high security. By moving authentication to the MAC layer (802.1X) and utilizing WPA3-Enterprise, the network avoids the vulnerabilities of open SSIDs and the UX friction of repeated captive portal logins.

Scenario Analysis

Q1. Your organisation is deploying a new guest WiFi network across 50 regional offices. Security policy mandates that all wireless traffic must be encrypted over the air, but the marketing team insists on capturing user email addresses upon first connection. Which architecture should you propose?

💡 Hint:Consider how to balance the requirement for initial data capture with the mandate for over-the-air encryption.

Show Recommended Approach

Propose a hybrid progressive onboarding architecture. First-time users connect to an open SSID and are directed to a CAPPORT-enabled captive portal to provide their email address. Upon submission, the portal provisions a Passpoint profile to the device. The device then automatically transitions to a secure, WPA3-Enterprise encrypted Passpoint SSID for all subsequent traffic and future visits. This satisfies marketing's data capture requirement while enforcing security policy for the vast majority of network usage.

Q2. A client complains that their newly designed, highly customized captive portal page is displaying a blank white screen on all modern iOS devices, although it works perfectly on older Android phones. The portal relies heavily on external web fonts and a third-party analytics script.

💡 Hint:Think about how the iOS Captive Network Assistant (CNA) interacts with external resources before the device is fully authenticated.

Show Recommended Approach

The issue is a misconfigured walled garden. The iOS CNA is attempting to render the portal page, but the external domains hosting the web fonts and analytics scripts are blocked by the network controller pre-authentication. Because these resources cannot load, the CNA stalls and displays a blank screen. The solution is to either host all required assets locally on the portal server or add the specific external domains (FQDNs) to the controller's pre-authentication allowlist.

Q3. During a network audit, you discover that the legacy captive portal is intercepting traffic and serving a self-signed certificate. You are tasked with upgrading the system to use the CAPPORT API. What specific certificate requirements must be met for the new portal server?

💡 Hint:Consider how modern browsers and OS CNAs handle certificate validation during the captive portal detection phase.

Show Recommended Approach

The new portal server must be accessed via a dedicated Fully Qualified Domain Name (FQDN) that is NOT on the HSTS preload list. Furthermore, it must use a valid TLS certificate issued by a publicly trusted Certificate Authority (CA). Self-signed certificates will be rejected by the OS CNA and modern browsers, preventing the portal from loading and halting the onboarding process.

About us
Careers
B Corp Report
Plans
Guest WiFi Features
Guest WiFi Pricing
Professional Services
Book a Demo
Passwordless WiFi
RADIUS-as-a-Service
WPA-Enterprise
Captive Portal Software
Multi-Tenant WiFi
Staff WiFi
Solutions
WiFi for Marketing Teams
WiFi for IT & Network Teams
WiFi for Small Business
WiFi Marketing & Analytics
Passwordless Onboarding
Industries
WiFi for Hospitality
WiFi for Hotels
WiFi for Retail
WiFi for Healthcare
WiFi for Higher Education
WiFi for Stadiums
WiFi for Restaurants
WiFi for Corporate Offices
Browse all industries
Policies
Legal
Privacy policy
Terms of use
My data
Cookie policy
Standard SLA
Resources
WiFi blog
WiFi guides
WiFi glossary
Case studies
All resources
ROI Calculator
Pricing Calculator
Access Point Calculator
Guest WiFi Feature Checklist
WiFi Tools
Purple Support
Whatsapp
© 2026 Purple. All Rights Reserved.
Manage Cookie Preferences