Skip to main content
English (UK)

SonicWall TZ and SonicWave Integration with Purple WiFi

This technical reference details the integration of SonicWall TZ firewalls and SonicWave APs with the Purple WiFi platform. It provides actionable configuration steps for captive portal redirection, walled garden exceptions, 802.1X authentication, and dynamic VLAN steering using Private Pre-Shared Keys (PPSK).

📖 6 min read📝 1,263 words🔧 2 worked examples3 practice questions📚 8 key definitions

Listen to this guide

View podcast transcript
SONICWALL TZ AND SONICWAVE INTEGRATION WITH PURPLE WIFI Purple WiFi Intelligence Platform - Technical Briefing Series Duration: Approximately 10 minutes Voice: UK English, senior consultant tone - confident, conversational, authoritative --- SEGMENT 1: INTRODUCTION AND CONTEXT (approximately 1 minute) Welcome to the Purple Technical Briefing Series. Today we are covering one of the more technically involved integrations in the enterprise WiFi space: SonicWall TZ firewalls and SonicWave access points, deployed alongside Purple for guest authentication, staff access control, and multi-tenant network isolation. If you are an IT security engineer or an MSP managing venues - hotels, retail chains, conference centres, or mixed-use developments - this briefing is for you. We are going to move quickly through the architecture, the configuration steps, and the places where deployments go wrong. SonicWall is a strong choice in the SMB and mid-market space. The TZ series firewalls are widely deployed, and SonicWave APs integrate natively through SonicOS and the Wireless Network Manager. When you add Purple on top, you get a cloud-managed guest WiFi layer with branded splash pages, RADIUS-based authentication, and first-party data capture - all without replacing your existing SonicWall infrastructure. Let us get into the architecture. --- SEGMENT 2: TECHNICAL DEEP-DIVE (approximately 5 minutes) There are four distinct use cases to cover here, and each one has a different configuration path. Guest WiFi with captive portal redirection. Walled Garden exceptions. Secure Staff WiFi using 802.1X. And multi-tenant isolation using SonicWall Private Pre-Shared Keys - PPSK - with dynamic VLAN steering. Let us start with Guest WiFi and the SonicWall captive portal. SonicOS uses a mechanism called Lightweight Hotspot Messaging - LHM - to handle external captive portal redirects. When a guest connects to your guest SSID and opens a browser, the SonicWall intercepts that HTTP request and redirects it to Purple's splash page URL. The guest authenticates on Purple's platform - via social login, email, or a click-through - and Purple sends an LHM authorisation back to the SonicWall on TCP port 4043. The SonicWall then opens internet access for that device's MAC address. The configuration in SonicOS 7.x works like this. First, navigate to Object, then Match Objects, then Zones. Edit the zone assigned to your guest WiFi - typically a WLAN or custom zone. Under Guest Services, enable both "Enable Guest Services" and "External Guest Authentication." Then go to Configure, Guest Services, General. Set the Client Redirect Protocol to HTTP. Enter Purple's portal hostname as the web server address - that is portal.purple.ai. Set the redirect path to your venue's specific splash page URL, which Purple provides in the venue dashboard. The port is 4043. On the Auth Pages tab, set the login URL to Purple's external portal URL. Set the logout URL if you want to handle session termination. On the Advanced tab, enable "Allow unauthenticated users to access HTTPS sites" only if you need to support HTTPS-first devices - but be aware this weakens the redirect enforcement. Once saved, SonicOS automatically creates a NAT policy and a WAN-to-WAN access rule permitting TCP 4043. Do not delete these auto-generated rules. They are what allows the LHM handshake to complete. Now, Walled Garden configuration. Before a guest authenticates, their device needs to reach certain domains to make the splash page work. Purple's platform depends on its own CDN and API endpoints. The OS captive portal detection probes - captive.apple.com for iOS devices, connectivitycheck.gstatic.com for Android, and msftconnecttest.com for Windows - must all be whitelisted. If you are offering social login, add accounts.google.com, oauth2.googleapis.com, apis.google.com, and gstatic.com for Google. Add www.facebook.com, graph.facebook.com, connect.facebook.net, and the fbcdn.net CDN domain if you are offering Facebook login. In SonicOS, add these as FQDN address objects under Object, Match Objects, Addresses. Then create access rules in the guest zone that permit unauthenticated devices to reach these FQDNs. Use dynamic DNS resolution - SonicOS resolves FQDN objects at regular intervals - rather than static IP entries, which will drift as CDN IP ranges change. Moving on to Secure Staff WiFi with 802.1X. This is where SonicWave APs and Purple's RADIUS server work together. The SonicWave AP acts as the authenticator in the 802.1X exchange. The supplicant is the staff device. Purple's RADIUS server is the authentication server. The EAP method you choose depends on your identity provider. If you are using Microsoft Entra ID or Okta, PEAP-MSCHAPv2 is the most common choice because it works with username and password credentials. If you have deployed device certificates - which is the recommended approach for managed devices - use EAP-TLS. In the Wireless Network Manager, navigate to Policies, Policy Hierarchy, select your AP policy, and click the 802.1X tab. Enter Purple's RADIUS server IP address - available in your Purple venue dashboard under the RADIUS settings section. The shared secret is generated by Purple and must match exactly on both sides. Set the authentication port to 1812 and the accounting port to 1813. For EAP settings, select the method that matches your identity provider configuration. On the Purple side, create a RADIUS policy for staff authentication. Map the staff SSID to a specific VLAN - for example, VLAN 200 for staff. Purple's RADIUS server returns the VLAN assignment using three standard attributes: Tunnel-Type set to VLAN, Tunnel-Medium-Type set to 802, and Tunnel-Private-Group-ID set to the VLAN ID as a string - so "200" for VLAN 200. The SonicWall firewall and SonicWave AP honour these attributes and place the authenticated staff device into the correct VLAN automatically. Now, the most architecturally interesting use case: PPSK and multi-tenant isolation. Private Pre-Shared Keys allow you to run a single SSID and assign each tenant, resident, or user group a unique passphrase. When a device connects using a specific PPSK, the SonicWave AP sends that key to Purple's RADIUS server for validation. Purple looks up the key, identifies the associated tenant or user group, and returns the appropriate VLAN assignment via the Tunnel-Private-Group-ID attribute. The SonicWall then steers that device into the correct VLAN - completely isolated from other tenants on the same SSID. This is Identity-Based Networking in practice. You are not managing SSIDs per tenant. You are managing identities per tenant. In a mixed-use development with ten retail units, one SSID broadcasts across the entire building. Each tenant gets their own PPSK. Each PPSK maps to a dedicated VLAN and subnet. Tenant A's devices never see Tenant B's traffic, even though they are sharing the same physical access points. The PPSK configuration in SonicOS requires RADIUS-based PPSK mode on the SSID. In the Wireless Network Manager, edit the SSID, set the security mode to WPA2-Enterprise with PPSK, and point the RADIUS server at Purple. Purple authorises the PPSK-to-VLAN mapping table centrally. When you add a new tenant, you create a new PPSK in Purple, assign it a VLAN, and the change propagates to all SonicWave APs in that venue without touching the firewall configuration. --- SEGMENT 3: IMPLEMENTATION RECOMMENDATIONS AND PITFALLS (approximately 2 minutes) Let me give you the three things that most commonly go wrong in SonicWall and Purple deployments. First: the LHM port. TCP 4043 must be open from the WAN to the SonicWall's WAN interface. If your ISP or upstream firewall blocks this port, the LHM authorisation handshake never completes, and guests get stuck on the splash page after authenticating. They see a successful login on Purple's side, but the SonicWall never receives the authorisation signal. Test this with a telnet or curl check to port 4043 from an external IP before go-live. Second: FQDN object resolution timing. SonicOS resolves FQDN address objects at boot and then at a configurable interval. If you add a new walled garden domain and the resolution has not refreshed yet, unauthenticated devices cannot reach it. Force a manual refresh after adding new FQDN objects, or set the DNS refresh interval to 60 seconds in high-traffic deployments. Third: VLAN sub-interface configuration. Dynamic VLAN assignment via RADIUS only works if the target VLANs exist as sub-interfaces on the SonicWall before the first device authenticates. If a RADIUS response returns Tunnel-Private-Group-ID 110 but VLAN 110 does not exist as a sub-interface on the SonicWall, the device either gets dropped or falls back to the default VLAN. Build and test all VLAN sub-interfaces before enabling RADIUS VLAN assignment. For MSPs managing multiple venues, Purple's cloud dashboard lets you manage RADIUS policies, PPSK tables, and splash page configurations centrally. You can push configuration changes to all venues from a single interface. That is the operational advantage of a cloud overlay approach - the SonicWall hardware stays in place, and Purple handles the identity and policy layer above it. --- SEGMENT 4: RAPID-FIRE Q&A (approximately 1 minute) A few questions that come up regularly. "Can I use SonicWave APs in standalone mode with Purple?" Yes, but you lose some functionality. In standalone mode, SonicWave APs manage their own RADIUS configuration locally. You can still point them at Purple's RADIUS server for 802.1X. But for PPSK with dynamic VLAN assignment, you need the SonicWall TZ as the RADIUS proxy or the Wireless Network Manager managing the AP policy centrally. "Does Purple support WPA3 on SonicWave?" WPA3 support on SonicWave depends on the firmware version and AP model. SonicWave 600 series APs support WPA3. For captive portal use cases, WPA3 with Opportunistic Wireless Encryption is compatible with Purple's LHM redirect flow, but test on your specific firmware version before deploying at scale. "How does Purple handle GDPR for guest data collected via the splash page?" Purple is ISO 27001 certified, GDPR compliant, and Cyber Essentials certified. Consent is captured at the splash page with configurable opt-in checkboxes. Purple stores first-party data in line with your data retention policy. Guests can access and delete their data via Purple's self-service portal. "What RADIUS attributes does Purple return for dynamic VLAN assignment?" Three attributes: Tunnel-Type with value VLAN, Tunnel-Medium-Type with value 802, and Tunnel-Private-Group-ID with the VLAN ID as a string. These are the standard RFC 2868 attributes supported by SonicOS and SonicWave. --- SEGMENT 5: SUMMARY AND NEXT STEPS (approximately 1 minute) To summarise. SonicWall TZ firewalls and SonicWave APs integrate with Purple via two primary mechanisms: LHM for guest captive portal redirection, and RADIUS for 802.1X staff authentication and PPSK-based multi-tenant isolation. The key configuration steps are: enable External Guest Authentication on the guest zone, configure the Purple portal URL on port 4043, build your walled garden FQDN objects, configure RADIUS on the SonicWave AP policy in Wireless Network Manager, and create your VLAN sub-interfaces on the SonicWall before enabling dynamic VLAN assignment. For multi-tenant deployments, PPSK with RADIUS-based VLAN steering is the architecture to use. One SSID, one set of APs, complete tenant isolation via identity-based VLAN assignment. If you are planning a deployment or reviewing an existing one, Purple's technical team can provide venue-specific RADIUS configuration files and walled garden domain lists. The Purple platform supports 80,000 live venues and has processed 440 million logins in 2024 - the integration patterns we have covered today are proven at scale. Thanks for listening. The full written guide with step-by-step configuration tables and Mermaid architecture diagrams is available on the Purple website. --- END OF SCRIPT

header_image.png

执行摘要

将 SonicWall 网络基础设施与 Purple 的云覆盖层集成,可提供企业级访问控制以及先进的第一方数据捕获。本指南涵盖了四个不同用例的技术实现:具有 Captive Portal 重定向的访客 WiFi、Walled Garden 例外情况、使用 802.1X 的安全员工 WiFi,以及使用具有动态 VLAN 引导的 SonicWall 私有预共享密钥 (PPSK) 的多租户隔离。

我们每年在超过 80,000 个活跃场所处理 4.4 亿次登录。下面详述的架构已在酒店、零售和公共部门环境中得到大规模验证。它允许您保留现有的 SonicWall 硬件,同时将身份管理、Splash 页面托管和 RADIUS 身份验证卸载到 Purple 云。

技术深挖

该集成依赖于两种主要机制:用于 Captive Portal 重定向的轻量级热点消息传递 (LHM),以及用于 802.1X 和 PPSK 身份验证的 RADIUS。

通过 LHM 进行 Captive Portal 重定向

SonicOS 使用 LHM 处理外部 captive portal 重定向。当未通过身份验证的访客设备尝试访问互联网时,SonicWall TZ 防火墙会拦截 HTTP 请求,并将客户端重定向到 Purple 托管的 splash 页面。访客完成身份验证流程(例如,社交登录、表单填写)。然后,Purple 通过 TCP 端口 4043 向 SonicWall 发送回 LHM 授权数据包。收到此数据包后,SonicWall 将更新其内部访问控制列表,允许该设备的 MAC 地址访问互联网。

architecture_overview.png

Walled Garden 架构

在身份验证之前,访客设备将保留在受限区域中。Walled Garden 是允许设备访问以渲染 splash 页面并完成登录过程的特定完全限定域名 (FQDN) 集合。这包括 Purple 的 CDN (cdn.purple.ai)、身份验证 API (api.purple.ai) 以及 Google Workspace、Microsoft Entra ID 和 Meta 等第三方身份提供商所需的域名。

SonicOS 使用 FQDN 地址对象实现 walled garden。防火墙对这些对象执行动态 DNS 解析,并自动更新允许的 IP 范围。这至关重要,因为身份提供商和 CDN 使用动态 IP 分配;静态 IP 白名单将不可避免地失效。

安全员工 WiFi 和 802.1X

对于员工网络,SonicWave AP 充当 802.1X 认证器,将请求代理至 Purple 的 RADIUS 服务器。我们建议对使用证书的托管设备使用 EAP-TLS,或针对 Microsoft Entra ID 等目录使用 PEAP-MSCHAPv2 进行用户名/密码认证。认证成功后,Purple 会返回标准的 RADIUS 属性(Tunnel-Type、Tunnel-Medium-Type 和 Tunnel-Private-Group-ID),以将设备动态分配给正确的员工 VLAN。

使用 PPSK 的多租户隔离

基于身份的网络(Identity-Based Networks)消除了对复杂多 SSID 部署的需求。使用 SonicWall PPSK,单个 SSID(例如“Multi-Tenant-WiFi”)可在整个场馆内广播。每个租户都会收到一个唯一的密码。当设备使用特定的 PPSK 进行关联时,SonicWave AP 会向 Purple 的 RADIUS 服务器验证该密钥。Purple 识别该租户并返回关联的 VLAN ID。然后,SonicWall 将流量引导至隔离的租户 VLAN 中。

ppsk_vlan_diagram.png

实施指南

1. 配置 SonicWall Captive Portal (LHM)

要在运行 SonicOS 7.x 的 SonicWall TZ 系列上配置外部 Captive Portal:

  1. 导航至 Object > Match Objects > Zones。编辑分配给您的访客网络的区域(例如 WLAN)。
  2. Guest Services 选项卡下,启用 Enable Guest ServicesExternal Guest Authentication
  3. 导航至 Configure > Guest Services > General
  4. Client Redirect Protocol 设置为 HTTP
  5. Web Server 地址设置为 portal.purple.ai
  6. Port 设置为 4043
  7. Auth Pages 选项卡下,将 Login URL 设置为 Purple 场馆控制面板中提供的特定展示页面 URL。
  8. 保存配置。SonicOS 将自动生成 NAT 策略和 WAN 到 WAN 的访问规则以允许 TCP 端口 4043。请勿修改这些自动生成的规则。

2. 构建 Walled Garden

为所需的域名创建 FQDN 地址对象,并将它们添加到地址组中。将此组应用于访客区域中的允许规则。

所需的 Purple 域名:

  • *.purple.ai
  • *.purpleportal.net

操作系统 Captive Portal 探测:

  • captive.apple.com (iOS/macOS)
  • connectivitycheck.gstatic.com (Android)
  • msftconnecttest.com (Windows)

常见的社交登录域名 (Google):

  • accounts.google.com
  • oauth2.googleapis.com
  • apis.google.com
  • *.gstatic.com

3. 为 SonicWave AP 配置 RADIUS

要通过 Wireless Network Manager 将 SonicWave AP 与 Purple RADIUS 集成:

  1. 导航至 Policies > Policy Hierarchy 并选择您的 AP 策略。
  2. 选择 802.1X 选项卡。
  3. 输入 Purple RADIUS 服务器 IP 地址(可在您的 Purple 控制面板中找到)。
  4. 输入由 Purple 生成的共享密钥。
  5. Authentication Port 设置为 1812,将 Accounting Port 设置为 1813
  6. 根据您的身份提供商选择合适的 EAP 方法。

4. 配置动态 VLAN 引导

在启用动态分配之前,确保目标 VLAN 作为子接口存在于 SonicWall TZ 防火墙上。

在 Purple 控制面板中,将用户组或 PPSK 映射到目标 VLAN ID。Purple 在成功验证后将返回以下属性:

  • Tunnel-Type = VLAN (13)
  • Tunnel-Medium-Type = 802 (6)
  • Tunnel-Private-Group-ID = [VLAN ID](例如,"110")

最佳实践

  • 测试 LHM 端口可见性:必须能够从互联网访问 SonicWall WAN 接口的 TCP 端口 4043。在上线前使用外部端口扫描器对此进行测试。如果 ISP 阻止了此端口,授权数据包将丢失,访客将一直受阻于展示页面。
  • 预先配置 VLAN 子接口:如果在验证事件发生之前未在 SonicWall 上配置目标 VLAN 子接口,动态 VLAN 引导将静默失败。设备将退回到默认的未标记 VLAN。
  • 强制基于 Web 的 OAuth:确保您的展示页面配置强制执行基于 Web 的 OAuth 流程。深层链接到原生社交媒体应用(例如 Facebook iOS 应用)通常会中断 Captive Portal 流程,因为原生应用流量会被 Walled Garden 阻止。
  • 优化 DNS 刷新间隔:SonicOS 会定期解析 FQDN 对象。在体育场或交通枢纽等高周转环境中,请将 Walled Garden 对象的 DNS 刷新间隔设置为 60 秒,以确保准确跟踪 CDN IP 更改。

故障排除与风险缓解

现象:访客完成了展示页面登录,但无法访问互联网。 原因:TCP 4043 上的 LHM 授权数据包未到达 SonicWall。 解决方法:验证自动生成的 WAN 到 WAN 访问规则是否存在。检查上游 ISP 路由器是否有端口阻止。确保 SonicWall WAN IP 在 Purple 控制面板中正确注册。

现象:展示页面加载失败,或社交登录按钮返回 CORS 错误。 原因:Walled Garden 配置不完整。 解决方法:在未验证状态下连接测试设备。使用浏览器开发者工具(Network 选项卡)识别被阻止的 HTTPS 请求。在 SonicOS 中将失败的域名添加为 FQDN 地址对象。

现象:员工设备通过 802.1X 进行身份验证,但从默认 VLAN 而不是分配的 VLAN 获取 IP 地址。 原因:SonicWall 上不存在目标 VLAN 子接口,或者 RADIUS 属性格式错误。 解决方法:验证 VLAN 子接口是否处于活动状态。检查 Purple RADIUS 日志以确认 Tunnel-Private-Group-ID 是否作为与 VLAN ID 匹配的字符串值发送。

ROI 与业务影响

将 SonicWall 基础设施与 Purple 一起部署,可将标准的网络成本中心转变为可衡量的业务资产。

对于拥有200个网点的零售连锁店,从通用的预共享密钥过渡到品牌化的 Captive Portal,通常会在六个月内使已知客户画像增加40%。这些第一方数据可直接集成至CRM系统,从而推动精准营销活动并增加回头客流量。

在联合办公空间或学生公寓等多租户环境中,支持动态VLAN引导的PPSK消除了为每个租户管理专用硬件的运营开销。您只需部署一个物理网络,并根据身份进行逻辑划分。这在降低高达60%硬件资本支出的同时,还能保持严格符合ISO 27001标准的网络隔离。

Key Definitions

Lightweight Hotspot Messaging (LHM)

A protocol used by SonicWall to communicate with external captive portals. It handles the redirect and authorisation handshake.

Required for integrating SonicOS with cloud-managed guest WiFi platforms like Purple.

Walled Garden

A specific set of domains or IP addresses that unauthenticated devices are permitted to access.

Critical for allowing guest devices to load the splash page, access CDNs, and complete social login OAuth flows before gaining full internet access.

Private Pre-Shared Key (PPSK)

A security method where multiple unique passphrases are valid on a single SSID, with each passphrase tied to a specific user or policy.

Used in multi-tenant environments to isolate traffic without broadcasting multiple SSIDs.

Captive Network Assistant (CNA)

The built-in OS mechanism (on iOS, Android, Windows) that detects a captive portal and automatically opens a limited browser window for authentication.

If the OS probe domains (e.g., captive.apple.com) are not in the walled garden, the CNA will not trigger, and guests will think the WiFi is broken.

Dynamic VLAN Steering

The process of assigning a device to a specific VLAN based on its identity or credentials, rather than the SSID it connected to.

Managed by Purple RADIUS returning the Tunnel-Private-Group-ID attribute to the SonicWall.

FQDN Address Object

A firewall object based on a Fully Qualified Domain Name rather than a static IP address.

SonicOS resolves these objects dynamically, making them essential for robust walled garden configurations.

Identity-Based Network

A network architecture where access policies and segmentation are applied based on the authenticated user or device, rather than physical ports or SSIDs.

Achieved by combining Purple RADIUS with SonicWall PPSK and 802.1X.

Tunnel-Private-Group-ID

The standard RFC 2868 RADIUS attribute used to specify the VLAN ID for a connecting device.

Must be returned by Purple as a string value (e.g., '100') to instruct the SonicWall to steer the device.

Worked Examples

A 150-room hotel (Premier Inn) needs to provide free Guest WiFi via a splash page and a secure Staff WiFi network for housekeeping devices. They have a SonicWall TZ570 and 40 SonicWave APs. How should they segment this traffic?

Deploy two SSIDs. SSID 1: 'Guest-WiFi' mapped to VLAN 100. Configure the SonicWall WLAN zone for External Guest Authentication pointing to portal.purple.ai on TCP 4043. Configure the walled garden FQDNs for Purple and social logins. SSID 2: 'Staff-WiFi' mapped to VLAN 200 using 802.1X. Point the SonicWave AP policy to Purple's RADIUS server. Configure Purple to authenticate housekeeping devices via MAC address bypass (MAB) or PEAP-MSCHAPv2, returning Tunnel-Private-Group-ID '200'.

Examiner's Commentary: This approach strictly isolates untrusted guest traffic from operational systems. Using Purple for both the captive portal and RADIUS authentication centralises identity management. MAB is appropriate for headless devices (like cleaning carts), while 802.1X secures staff phones.

A co-working space manages 15 different companies sharing one open-plan office. They want to provide secure, isolated networks for each company without broadcasting 15 different SSIDs from their SonicWave APs.

Deploy a single SSID named 'Workspace-Secure' using WPA2-Enterprise with PPSK. Create 15 VLAN sub-interfaces on the SonicWall TZ firewall (e.g., VLANs 101-115). In the Purple dashboard, generate a unique PPSK for each company and map it to their specific VLAN ID. When a user connects using their company's PPSK, Purple RADIUS returns the corresponding Tunnel-Private-Group-ID, and the SonicWall steers the device into the isolated VLAN.

Examiner's Commentary: This Identity-Based Network design scales cleanly. Broadcasting 15 SSIDs would cause severe management frame overhead and degrade WiFi performance. PPSK provides the security of unique credentials and the isolation of dedicated VLANs without the RF penalty of multiple SSIDs.

Practice Questions

Q1. You have configured the SonicWall guest zone for External Guest Authentication and set the web server to portal.purple.ai. Guests are redirected to the splash page and can log in successfully, but they never gain internet access. What is the most likely cause?

Hint: Think about how Purple tells the SonicWall that the authentication was successful.

View model answer

The LHM authorisation packet is being blocked. TCP port 4043 must be open on the SonicWall WAN interface to receive the success signal from Purple. Check upstream firewalls or ISP configurations for port blocking.

Q2. A venue wants to offer Facebook login on their splash page. You add www.facebook.com to the walled garden FQDN address group. Guests report that the Facebook login page loads, but the styling is broken and the login button does not work.

Hint: Modern web applications load assets from multiple domains.

View model answer

The walled garden is incomplete. You must also whitelist the domains that serve Facebook's CSS, JavaScript, and API calls, specifically graph.facebook.com, connect.facebook.net, and the CDN domain (e.g., *.fbcdn.net).

Q3. You are deploying PPSK for a multi-tenant office. You configure the SSID for WPA2-Enterprise with PPSK and point the RADIUS server to Purple. You create a PPSK in Purple mapped to VLAN 50. When a user connects with that PPSK, they receive an IP address from VLAN 10 instead. Why?

Hint: The SonicWall needs to know where to send the traffic before the RADIUS request completes.

View model answer

VLAN 50 has not been created as a sub-interface on the SonicWall TZ firewall. Dynamic VLAN steering requires the target VLAN to exist on the firewall beforehand; if it does not, the device falls back to the default untagged VLAN (in this case, VLAN 10).

Continue reading in this series

Cisco WLC and Catalyst Integration with Purple WiFi: Step-by-Step Guest Access Guide

This authoritative guide details the step-by-step integration of Cisco Catalyst 9800 WLCs with Purple WiFi. It covers External Web Authentication for guest captive portals, 802.1X EAP-TLS for secure staff access, and Cisco iPSK for multi-tenant dynamic VLAN segmentation.

Read the guide →

Cisco WLC and Catalyst Integration with Purple WiFi: Step-by-Step Guest Access Guide

This authoritative guide details the step-by-step integration of Cisco Catalyst 9800 WLCs with Purple WiFi. It covers External Web Authentication for guest captive portals, 802.1X EAP-TLS for secure staff access, and Cisco iPSK for multi-tenant dynamic VLAN segmentation.

Read the guide →

CommScope Ruckus Integration with Purple WiFi: Setup and Configuration Guide

This technical reference guide provides an authoritative configuration playbook for integrating CommScope Ruckus architectures with Purple WiFi. It details step-by-step deployments for Guest WiFi captive portals, Secure Staff WiFi via 802.1X, and Multi-Tenant network isolation using Ruckus Dynamic PSK.

Read the guide →