View podcast transcript
MikroTik RouterOS Captive Portal and Purple WiFi Integration Guide - Podcast Script
[INTRO - approximately 1 minute]
Welcome. If you're managing WiFi infrastructure at a hotel, a retail chain, a stadium, or a conference centre, and you're running MikroTik RouterOS, this episode is for you.
I'm going to walk you through exactly how to integrate MikroTik's Hotspot Gateway with Purple's guest WiFi platform - covering three distinct use cases: guest WiFi with a captive portal and walled garden, secure staff WiFi using 802.1X, and multi-tenant network segregation using MikroTik's Private Pre-Shared Key feature.
This isn't a theoretical overview. By the end of this, you'll have the specific CLI commands, RADIUS attributes, and configuration logic you need to deploy or audit these setups yourself.
Let's get into it.
[TECHNICAL DEEP-DIVE - approximately 5 minutes]
Part one: Guest WiFi and the MikroTik captive portal.
MikroTik's Hotspot Gateway is the engine behind guest WiFi redirection on RouterOS. When a visitor connects to your guest SSID, the Hotspot Gateway intercepts their HTTP traffic and redirects them to a splash page - that's your captive portal. Purple hosts that splash page. Your MikroTik router acts as the Hotspot Gateway and RADIUS client. Purple's platform acts as the RADIUS server.
Here's how you set it up. First, run the Hotspot Setup wizard from the IP menu in Winbox or via the CLI. You'll assign it to your guest-facing interface - typically a VLAN interface or a bridge port. Set your local address pool, configure your DNS servers, and give the hotspot a DNS name. That DNS name is what guests see in their browser before they authenticate.
Once the wizard completes, you need to point the hotspot profile at Purple's RADIUS server. In the CLI, that looks like this:
/radius add service=hotspot address=YOUR-PURPLE-RADIUS-IP secret=YOUR-SHARED-SECRET authentication-port=1812 accounting-port=1813
Then enable RADIUS on the hotspot profile:
/ip hotspot profile set default use-radius=yes
Purple will provide you with the RADIUS IP address, the shared secret, and the splash page URL when you set up your venue in the Purple dashboard.
Now, the walled garden. This is critical. Before a guest authenticates, their device needs to be able to reach Purple's splash page and any OAuth providers you're using - Google, Facebook, and so on. Without walled garden entries, the redirect loop breaks and guests can't log in.
In RouterOS, you add walled garden entries under IP, Hotspot, Walled Garden. You need to add Purple's splash page domain, any social login domains, and any CDN hosts that serve the login page assets. Purple's documentation lists the exact domains for your region. Add them as IP entries or hostname entries - hostname entries are more resilient when IP addresses change.
The key RADIUS attributes Purple returns on a successful authentication include the session timeout, which controls how long a guest stays connected before being prompted again, and optionally a bandwidth rate limit using the Mikrotik-Rate-Limit vendor-specific attribute. This lets you enforce fair-use policies per guest session directly from the Purple dashboard without touching the router config.
Part two: Secure Staff WiFi with 802.1X.
This is where you move away from shared passwords entirely. IEEE 802.1X is the standard for port-based network access control. On a MikroTik wireless interface, you enable WPA2-Enterprise or WPA3-Enterprise authentication, which means the access point becomes an authenticator - it passes EAP credentials from the staff device to a RADIUS server, which validates them and returns an Access-Accept or Access-Reject.
Purple's Staff WiFi product integrates with Microsoft Entra ID, Okta, and Google Workspace as identity providers. When a staff member's device connects, it presents a certificate or username and password via PEAP-MSCHAPv2. Purple's RADIUS server validates that credential against your identity provider in real time.
On the MikroTik side, you configure the wireless security profile with authentication-types set to wpa2-eap, and you point the RADIUS client at Purple's server with service=wireless. In CAPsMAN - that's MikroTik's centralised access point management system - you set this at the security configuration level so it applies across all your managed access points consistently.
The RADIUS server can return the Mikrotik-Wireless-VLANID attribute to place authenticated staff on a specific VLAN. This is how you enforce network segmentation - finance staff land on VLAN 10, operations on VLAN 20, and so on - all from a single SSID, all driven by identity.
For automatic revocation - when a staff member leaves - Purple's integration with your identity provider means that when you disable the account in Entra ID or Okta, the next re-authentication attempt fails and the device is disconnected. No manual router config changes required.
Part three: Multi-Tenant WiFi with Private Pre-Shared Keys.
This is the most architecturally interesting of the three. Private PSK - sometimes called PPSK or iPSK - lets you run a single SSID where each tenant, resident, or device group connects with a unique passphrase, and each passphrase maps to a different VLAN.
On MikroTik, this works through MAC-based RADIUS authentication on the wireless interface. When a device connects, the access point sends the device's MAC address to the RADIUS server as the username. The RADIUS server - either MikroTik's own User Manager in RouterOS 7, or FreeRADIUS - looks up that MAC address and returns two vendor-specific attributes: Mikrotik-Wireless-Psk, which is the per-device passphrase, and Mikrotik-Wireless-VLANID, which places the device on the correct VLAN.
The wireless security profile needs radius-mac-authentication set to yes, and the RADIUS client needs service=wireless.
In practice, for a build-to-rent property with 200 apartments, you'd pre-register each resident's device MAC addresses in Purple's platform when they move in. Purple maps each MAC to a unique PSK and a VLAN corresponding to that apartment's network segment. The resident connects using their apartment passphrase. Their devices land on an isolated VLAN. Their neighbour's devices are on a completely separate VLAN. Neither can see the other's traffic.
For devices that don't support 802.1X - smart TVs, games consoles, IoT devices - this approach is the practical alternative. The device just needs to support WPA2-PSK, which everything does.
[IMPLEMENTATION RECOMMENDATIONS AND PITFALLS - approximately 2 minutes]
Let me give you the four things that most commonly go wrong in these deployments.
First: walled garden gaps. If Purple's splash page fails to load, check your walled garden entries. The most common culprit is a missing CDN domain or a social login redirect that isn't whitelisted. Use the MikroTik torch tool or packet sniffer to watch what DNS queries are being blocked before authentication.
Second: RADIUS timeout mismatches. MikroTik's default RADIUS timeout is 1,100 milliseconds. If Purple's RADIUS server is geographically distant or the network path has latency, you'll see intermittent authentication failures. Increase the timeout to 3,000 milliseconds and configure a backup RADIUS server for resilience.
Third: VLAN filtering not enabled on the bridge. Dynamic VLAN assignment via RADIUS only works if bridge VLAN filtering is enabled. This is a RouterOS requirement. If you're seeing all clients land on the default VLAN regardless of what RADIUS returns, check that vlan-filtering=yes is set on your bridge interface.
Fourth: CAPsMAN version mismatch. If you're running a mix of CAPsMAN version 2 and version 3 managed access points, VLAN tagging behaviour can differ. Standardise on RouterOS 7 with CAPsMAN version 3 across your AP estate before deploying dynamic VLAN features.
One architectural recommendation: run your guest, staff, and management traffic on separate VLANs from day one, even if you're not using all three Purple use cases immediately. Retrofitting VLAN segmentation onto a flat network is significantly more disruptive than building it in from the start.
[RAPID-FIRE Q AND A - approximately 1 minute]
Can I use MikroTik's built-in User Manager instead of an external RADIUS server?
Yes, for smaller deployments. User Manager in RouterOS 7 supports PEAP-MSCHAPv2 for wireless 802.1X and can return the Mikrotik-Wireless-VLANID attribute. For production deployments with Purple, you'll use Purple's hosted RADIUS infrastructure, which handles the identity provider integration and session management for you.
Does Purple support MikroTik CAPsMAN?
Yes. Purple is hardware-agnostic. The integration works at the RADIUS and hotspot redirect level, so it's compatible with standalone MikroTik access points and CAPsMAN-managed deployments equally.
What RouterOS version do I need?
RouterOS 7.x is recommended for all three use cases covered in this guide. Dynamic VLAN assignment via wireless RADIUS and the updated User Manager are RouterOS 7 features. RouterOS 6.x supports hotspot and basic RADIUS authentication but lacks some of the wireless VLAN capabilities.
[SUMMARY AND NEXT STEPS - approximately 1 minute]
To summarise: MikroTik RouterOS gives you three distinct integration points with Purple. The Hotspot Gateway handles guest WiFi redirection and captive portal authentication. The wireless 802.1X configuration with RADIUS handles secure staff WiFi with identity-based access. And MAC-based RADIUS authentication with Private PSK handles multi-tenant network segregation for residential and mixed-use properties.
The common thread across all three is RADIUS. Get your RADIUS client configuration right - correct IP, correct shared secret, correct service type, correct timeout - and the rest follows.
Your next steps: log into your Purple dashboard, navigate to the venue configuration, and grab your RADIUS credentials. Then follow the CLI commands in the written guide to configure your hotspot profile, your wireless security profile, and your walled garden entries. Test with a single access point before rolling out to your full estate.
If you're deploying this at scale - multiple sites, hundreds of access points - Purple's Professional Services team can support the rollout. Purple runs across 80,000 live venues globally, with 99.999% uptime, and is certified to ISO 27001, GDPR, and Cyber Essentials.
Thanks for listening. The full written guide with all CLI commands, RADIUS attribute tables, and worked examples is linked in the show notes.
