Welcome to the Purple Technical Briefing, where we explore the integrations that power world-class guest WiFi experiences. Today we're diving into a crucial integration for any enterprise-grade deployment: Juniper Mist and Purple WiFi.
Introduction and Context.
If you're an IT leader managing a large venue — think hotels, retail chains, stadiums, or conference centres — you know that guest WiFi is no longer just a nice-to-have. It's a critical piece of infrastructure. You need reliability, you need security, and most importantly, you need to derive real business value from it. That's where the combination of Juniper Mist's AI-driven network and Purple's analytics and engagement platform truly shines.
Juniper Mist is one of the most sophisticated cloud-managed wireless platforms available today. Built on a microservices architecture, it uses machine learning to continuously optimise radio resource management, predict and resolve network issues before users notice them, and provide granular service level insights through its Wi-Fi Assurance framework. It's the kind of infrastructure that enterprise IT teams trust at scale.
Purple, on the other hand, is an enterprise guest WiFi intelligence platform. It provides the guest-facing experience — the captive portal, the login journey, the data capture — and then transforms that data into actionable business intelligence. Think foot traffic analytics, dwell time reports, repeat visitor tracking, CRM integration, and GDPR-compliant marketing automation.
Put these two platforms together, and you have a powerful combination: Mist provides the robust, intelligent wireless backbone, while Purple layers on the guest experience, the data insights, and the compliance tools. In this briefing, we'll cover how this integration works architecturally, how to set it up step by step, and why it represents a compelling return on investment for venue operators.
Technical Deep-Dive.
So, let's get technical. How does this integration actually function? It's elegant, really. At its core, it uses Mist's 'Forward to external portal' feature within the WLAN configuration. When a guest connects to your WiFi network, the Mist access point detects that the device has not been previously authorised. It then redirects the guest's browser to a captive portal URL — a URL that is hosted by Purple.
This redirect is not just a simple page load. Mist appends several key parameters to the redirect URL. These include the WLAN identifier, the MAC address of the access point the guest is connected to, the MAC address of the guest's device itself, and the original URL the guest was trying to reach. These parameters are essential because they allow Purple's platform to know exactly which network the guest is on and to correctly authorise that specific device once authentication is complete.
The captive portal itself is fully customisable. You can brand it with your venue's logo and colours, configure it to support over twenty-five languages with automatic device detection, and choose from a range of authentication methods — a simple email form, social media login via Facebook or Google, a pre-shared access code, or even a paid access purchase. Purple handles all of this within its platform.
The magic of the authorisation flow happens via the Mist REST API. Once a guest authenticates on the Purple portal, the Purple platform makes a secure API call back to the Mist Cloud. This call, directed at the Mist portal authorisation endpoint, tells Mist: 'This device is authorised. Grant it internet access.' Mist then opens the network for that specific device. The entire process is secured using an API Secret — a unique cryptographic key that you configure in both the Mist dashboard and the Purple venue settings. This ensures that only your Purple instance can authorise devices on your Mist network.
Now, let's talk about repeat visitors, because this is where the integration becomes genuinely sophisticated. Forcing guests to log in every single time they visit is a poor experience, and frankly, it's unnecessary friction that can damage your brand perception. That's where PurpleConnex — our Passpoint solution — comes in.
Passpoint, also known as Hotspot 2.0, is an IEEE 802.11u standard that enables mobile devices to automatically discover and connect to WiFi networks. After a guest's first visit and authentication through the captive portal, we can provision a Passpoint profile to their device. On every subsequent visit, their device automatically and securely connects to the PurpleConnex SSID without any user interaction whatsoever. No portal, no login prompt — just seamless, instant connectivity.
This is achieved using RadSec, which stands for RADIUS over TLS. Instead of the traditional, unencrypted RADIUS protocol, RadSec tunnels all authentication traffic over a TLS connection, providing enterprise-grade security. The Mist Cloud communicates with Purple's RadSec servers — rad1-secure.purple.ai and rad2-secure.purple.ai on port 2083 — to authenticate returning guests. You'll also need to upload Purple's RadSec certificate to your Mist organisation settings, which is a straightforward process.
The PurpleConnex WLAN is configured as a WPA2 Enterprise network with 802.1X authentication, which is the gold standard for wireless security. For venues that have enabled 6 GHz radio bands on their Mist access points, WPA3-Enterprise is required, providing even stronger encryption through the 192-bit security mode.
It's worth noting one important architectural consideration: Juniper Mist does not support RADIUS authentication and accounting for the captive portal flow itself. This means that real-time user count reports and certain network session metrics within the Mist dashboard will not reflect captive portal sessions. However, Purple's own analytics platform provides comprehensive reporting on guest sessions, so in practice, this limitation has minimal impact on the overall intelligence you can derive from the deployment.
Implementation Recommendations and Pitfalls.
Now for implementation. The basic setup is straightforward, but there are several configuration details that can trip up even experienced network engineers. Let me walk you through the key steps and the common pitfalls.
The first step is to create your Guest WLAN in the Mist dashboard. Navigate to Network, then WLANs, and add a new WLAN. Set the security type to Open Access — this is correct and intentional, as the security for the guest network is handled at the application layer by the captive portal and GDPR-compliant data capture. Set the Guest Portal option to 'Forward to an external portal' and enter the Portal URL provided by Purple.
The most common pitfall we see at this stage is an incomplete walled garden configuration. The walled garden is the list of hostnames that unauthenticated users are permitted to access before they complete the login process. You must add all of Purple's required domains to this list, as well as any social media login providers you intend to support. If the walled garden is incomplete, the captive portal will fail to load for guests, and they will be stuck at a browser error page. Purple provides a comprehensive list of required domains in their support documentation, and I strongly recommend reviewing it carefully before going live.
After saving the WLAN, go back into the configuration and locate the API Secret. This is a unique cryptographic key that Mist generates automatically. Copy it and paste it into the Purple venue settings under the 'Mist API secret' field. This is the link that allows Purple to authorise devices on your Mist network.
For the PurpleConnex Passpoint configuration, create a second WLAN with WPA2 Enterprise security and Passpoint enabled. Configure the Operators field with 'OpenRoaming-Settlement-Free', and set the NAI Realm to securewifi.purple.ai with EAP-TTLS as the authentication method. Add the two RadSec server addresses provided by Purple, and set the NAS Identifier to MIST followed by the device MAC address variable. Finally, upload the RadSec certificate to your Mist organisation settings.
For multi-site deployments — and this is critical advice for any organisation managing more than a handful of venues — use Mist's Organisation Templates. Configure your guest and secure WLANs once in a template and apply it to all your sites. This ensures absolute consistency across your estate and dramatically reduces administrative overhead. A retail chain with fifty stores, for example, can push a configuration change to all sites simultaneously, rather than making manual changes site by site.
One final implementation recommendation: always test the integration in a staging environment before rolling out to production. Use Mist's test authorisation endpoint — /authorize-test — to verify that the captive portal flow is working correctly without affecting live users. And always test on multiple device types — iOS, Android, Windows, and macOS — as captive portal behaviour can vary significantly between operating systems and browser versions.
Rapid-Fire Questions and Answers.
Let's tackle some rapid-fire questions we often hear from network architects during deployment planning.
First question: Does this integration impact network performance? No. The authentication handshake is lightweight and happens only once per session. Once a guest is authorised, their traffic flows directly from the Mist access point to the internet. Purple is not in the data path at all, so there is no performance overhead for normal browsing traffic.
Second question: How secure is the guest data collected by Purple? Very secure. Purple is ISO 27001 certified, and the platform is architected for compliance with GDPR, CCPA, and other major data privacy regulations. All data is encrypted in transit using TLS and encrypted at rest. Purple's consent management tools ensure that guests provide informed, explicit consent before any personal data is collected, which is a fundamental requirement under GDPR Article 7.
Third question: Can I offer tiered bandwidth to monetise the WiFi? Absolutely. Purple's platform supports tiered bandwidth configurations. You can offer a free basic tier with a lower speed limit and a paid premium tier with higher speeds. This is particularly relevant for airports, conference centres, and stadiums, where premium connectivity is a genuine value-add that guests are willing to pay for. One Purple customer — an airport operator — achieved an eight hundred and forty-two percent return on investment by implementing tiered bandwidth through Purple's platform.
Fourth question: What happens if the Purple platform is temporarily unavailable? This is an important resilience consideration. By default, Mist will not grant internet access to unauthenticated guests if the external portal is unreachable. You can optionally enable the 'bypass guest portal in case of exception' setting in Mist, which will grant open access if the portal is unavailable. However, this should be carefully considered, as it removes the data capture and compliance layer. For most enterprise deployments, we recommend leaving this disabled and ensuring that Purple's platform — which operates on a highly available cloud infrastructure — is monitored as part of your service management process.
Summary and Next Steps.
To summarise this briefing: integrating Juniper Mist with Purple transforms your guest WiFi from a simple utility into a powerful tool for business intelligence and customer engagement.
You get Mist's AI-powered network reliability, with its machine learning-driven radio resource management and proactive fault detection, combined with Purple's deep visitor analytics, marketing automation, and GDPR-compliant data capture. The integration is API-driven and flexible, supporting both simple captive portal deployments and sophisticated, secure Passpoint implementations for a truly seamless repeat visitor experience.
The key takeaways are these. First: always configure a complete walled garden — it's the most common cause of integration failures. Second: plan for two SSIDs from day one — an open guest network for first-time visitors and a secure Passpoint network for repeat guests. Third: use Mist's Organisation Templates for any multi-site deployment to ensure consistency and operational efficiency. And fourth: leverage Purple's analytics platform to derive actionable business intelligence from your guest WiFi data — this is where the real return on investment is realised.
Your next step? If you're already a Purple customer, review the Juniper Mist integration guide in our support portal at support.purple.ai. If you're new to Purple, head to purple.ai and book a demo with one of our solutions architects. We can walk you through a live environment, discuss your specific venue requirements, and model the expected return on investment for your deployment.
Thank you for joining this Purple Technical Briefing. We'll see you next time.