Sophos Firewall and Access Points Integration with Purple WiFi
This guide details the technical integration of Sophos Firewall (XG/XGS) and Sophos AP6/APX access points with Purple WiFi. It covers external captive portal redirection, RADIUS authentication and accounting configuration, Walled Garden setup, 802.1X for Staff WiFi, and dynamic VLAN assignment using Sophos PPSK for secure Multi-Tenant network segregation across hospitality, retail, and public-sector venues.
- Executive Summary
- Technical Deep Dive
- How Redirection Works
- RADIUS Authentication and Accounting
- Walled Garden Configuration
- 802.1X for Staff WiFi
- Sophos PPSK and Dynamic VLAN Assignment for Multi-Tenant Environments
- Implementation Guide
- Step 1: Obtain Purple Credentials
- Step 2: Configure RADIUS Servers on Sophos Firewall
- Step 3: Configure Walled Garden
- Step 4: Create Guest SSID
- Step 5: Create Post-Authentication Firewall Rules
- Step 6: Configure PPSK for Multi-Tenant Environments (Optional)
- Best Practices
- Troubleshooting and Mitigation
- ROI and Business Impact

Executive Summary
If you run Sophos infrastructure and need to deploy compliant Guest WiFi that captures first-party data, this guide provides your exact setup steps. Purple integrates with Sophos Firewall (XG and XGS series) and Sophos AP6/APX wireless access points as an external Captive Portal, offloading guest identity management, GDPR consent collection, and social login handling to Purple’s cloud RADIUS. Your Sophos Firewall continues to perform deep packet inspection and unified threat management across all traffic. The end result: a compliant, segmented network where guests authenticate via a branded Purple portal, employees connect via 802.1X with WPA2-Enterprise, and multi-tenant environments use Sophos Private Pre-Shared Keys (PPSK) for dynamic VLAN assignment. Purple runs across more than 80,000 physical venues globally and processed 440 million logins in 2024 (Purple internal data, 2024). It is ISO 27001 certified, GDPR compliant, and Cyber Essentials certified.
Technical Deep Dive
How Redirection Works
This integration uses standard RADIUS protocols and HTTP redirection. When a venue visitor associates with your open Guest WiFi SSID on a Sophos AP6 or APX access point, the Sophos Firewall intercepts the unauthenticated device’s first HTTP request. Instead of serving a locally hosted login page, the firewall issues a 302 redirect to Purple’s cloud-hosted login portal URL, typically formatted as https://region1.purpleportal.net/access/.
During this pre-authentication phase, the device sits within a Walled Garden: a strict whitelist of domains that an unauthenticated device is allowed to access. This whitelist must contain Purple’s portal assets, any social login providers (Facebook, Google, LinkedIn), and any identity federation endpoints you use, such as Microsoft Entra ID or Okta. Once the user completes authentication on the Purple login portal, Purple’s cloud RADIUS sends a RADIUS Access-Accept message back to the Sophos Firewall. The firewall updates the session state to authenticated and applies your post-authentication security policies.
RADIUS Authentication and Accounting
Purple provides RADIUS-as-a-Service. You do not need to deploy FreeRADIUS, Windows NPS, or any on-premises RADIUS infrastructure for the guest network. Simply configure the Sophos Firewall to point directly to Purple’s cloud RADIUS IP addresses.
Two RADIUS functions are required:
| Function | Protocol | Port | Purpose |
|---|---|---|---|
| Authentication | UDP | 1812 | Verifies guest credentials and returns Access-Accept or Access-Reject |
| Accounting | UDP | 1813 | Reports session starts, interim updates, and session ends to Purple |
Accounting is not optional. It is the mechanism Sophos Firewall uses to report session duration, consumed bandwidth, and session termination events back to Purple. Without accounting data, your WiFi analytics dashboard will show incomplete visitor metrics. Configure the accounting interim interval to 120 seconds for a good balance between real-time visibility and network load.
The RADIUS shared secret must match exactly between the Sophos configuration and the Purple portal. A single character discrepancy will result in silent authentication failures.
Walled Garden Configuration
The Walled Garden is the most critical pre-authentication configuration element and the most common source of deployment failures. Configure this under Wireless > Hotspot Settings on the Sophos Firewall.
You must allow at least the following domains:
| Category | Allowed Domains |
|---|---|
| Purple Core | region1.purpleportal.net, venuewifi.com, cloudfront.net |
| Payments (if applicable) | stripe.com |
| Weather Widget (if used) | openweathermap.org |
| Facebook Login | facebook.com, fbcdn.net, connect.facebook.net, akamaihd.net |
| Google Login | accounts.google.com, googleapis.com, gstatic.com |
| LinkedIn Login | linkedin.com, licdn.net, licdn.com |
| Microsoft Entra ID | login.microsoftonline.com, login.microsoft.com |
Ensure that DNS resolution (UDP port 53) is allowed for unauthenticated clients. Without DNS, devices cannot resolve the Purple portal’s hostname, and the redirection will fail before it starts.
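The "identify blocked domains" check from the Walled Garden and troubleshooting sections, written out as an added example (not Purple's or Sophos's code): it takes constructed pre-authentication DNS log lines in a hypothetical format, matches each queried name against the allowlist table above on a label boundary, and reports what the garden would block.

```python
import re
from typing import Iterable, List

# Walled Garden allowlist taken from the table above
WALLED_GARDEN = [
    "region1.purpleportal.net", "venuewifi.com", "cloudfront.net",
    "facebook.com", "fbcdn.net", "connect.facebook.net", "akamaihd.net",
    "accounts.google.com", "googleapis.com", "gstatic.com",
    "linkedin.com", "licdn.net", "licdn.com",
    "login.microsoftonline.com", "login.microsoft.com",
]

# Constructed pre-authentication DNS log lines in a hypothetical
# "<timestamp> <client-ip> query <type> <name>" format, not real Sophos output.
SAMPLE_DNS_LOG = """\
2025-01-01T10:00:01Z 10.100.0.23 query A region1.purpleportal.net
2025-01-01T10:00:01Z 10.100.0.23 query A d1abc.cloudfront.net
2025-01-01T10:00:02Z 10.100.0.23 query A captive.apple.com
2025-01-01T10:00:03Z 10.100.0.23 query A static.xx.fbcdn.net
2025-01-01T10:00:03Z 10.100.0.23 query A connect.facebook.net
2025-01-01T10:00:04Z 10.100.0.23 query A apis.google.com
2025-01-01T10:00:04Z 10.100.0.23 query A fonts.gstatic.com
2025-01-01T10:00:05Z 10.100.0.23 query A notfbcdn.net
2025-01-01T10:00:05Z 10.100.0.23 query A apis.google.com
"""

LOG_RE = re.compile(r"^\S+ \S+ query \S+ (\S+)$")


def host_allowed(host: str, allowlist: Iterable[str]) -> bool:
    """Exact match or subdomain match on a label boundary.
    'notfbcdn.net' must NOT match 'fbcdn.net', so a plain endswith() is not enough."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower().rstrip(".")
        if host == entry or host.endswith("." + entry):
            return True
    return False


def hosts_from_log(log: str) -> List[str]:
    """Extract the queried names, in order, from the constructed log format."""
    hosts = []
    for line in log.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            hosts.append(m.group(1))
    return hosts


def blocked_hosts(hosts: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Unique names a pre-auth client tried to reach that the garden would not allow.
    OS connectivity-check hosts (e.g. captive.apple.com) are expected here: their
    interception is what triggers the captive-portal pop-up on the device."""
    allow = list(allowlist)
    blocked: List[str] = []
    for h in hosts:
        if not host_allowed(h, allow) and h not in blocked:
            blocked.append(h)
    return blocked


if __name__ == "__main__":
    for h in blocked_hosts(hosts_from_log(SAMPLE_DNS_LOG), WALLED_GARDEN):
        print("blocked pre-auth:", h)
```

Anything reported that is not an OS connectivity check (here apis.google.com) is a candidate for the Walled Garden; the last line shows why the match must respect label boundaries.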
802.1X for Staff WiFi
For staff WiFi, use 802.1X (IEEE 802.1X port-based network access control) with WPA2-Enterprise or WPA3-Enterprise. Configure the Sophos APs to use EAP-TLS (certificate-based) or PEAP-MSCHAPv2 (username/password) against your internal RADIUS server or cloud identity provider, such as Microsoft Entra ID.
The RADIUS server returns VLAN assignment attributes to place the authenticated employee device into the correct internal VLAN. This is the same dynamic VLAN mechanism described below for PPSK, applied to enterprise authentication.
Keep the SSID and VLAN for staff WiFi completely separate from the Guest WiFi SSID and VLAN. Never bridge guest traffic to management or corporate subnets. This separation is a PCI DSS mandate if any network segment processes cardholder data.
Sophos PPSK and Dynamic VLAN Assignment for Multi-Tenant Environments
In multi-tenant environments (such as shared workspaces, build-to-rent residential buildings, student housing, or retail concessions), you need to isolate different user groups at the network level without broadcasting individual SSIDs for each tenant. Broadcasting multiple SSIDs increases radio frequency overhead and complicates management.
Sophos AP6 access points support PPSK (Private Pre-Shared Key), also known as Identity PSK or per-user PSK. PPSK allows a single SSID to accept multiple unique passwords, each mapped to a specific VLAN via RADIUS attributes.
The dynamic VLAN assignment process is as follows:
- Residents or members connect to the single shared SSID and enter their unique PPSK.
- The Sophos AP sends a RADIUS Access-Request to the configured RADIUS server, containing the PPSK as credentials.
- The RADIUS server validates the PPSK and returns an Access-Accept containing the following VLAN attributes:
  - Tunnel-Type = VLAN (value 13)
  - Tunnel-Medium-Type = IEEE-802 (value 6)
  - Tunnel-Private-Group-ID = VLAN ID (e.g. 100)
- The Sophos AP tags traffic from that device with the returned VLAN ID and places it in the correct isolated network segment.
This is how Identity-Based Networking works: a single SSID, multiple isolated VLANs, driven by the user's unique credentials.
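The Access-Accept described above, as an added example rather than Purple's or Sophos's code: it builds the three tunnel attributes in RFC 2868 wire format, computes the Response Authenticator with the shared secret (the check the AP or firewall performs on every reply, which is why the secret mismatch noted earlier fails silently), and parses the triple back the way an AP would before tagging the client. The Request Authenticator and secret are constructed placeholder values.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional

# RADIUS constants (RFC 2865 codes, RFC 2868 tunnel attributes)
CODE_ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def _tagged_int(attr_type: int, tag: int, value: int) -> bytes:
    """Tagged integer attribute: type, length 6, one tag byte, 24-bit value."""
    return bytes([attr_type, 6, tag]) + value.to_bytes(3, "big")


def _tagged_str(attr_type: int, tag: int, value: str) -> bytes:
    """Tagged string attribute: type, length, one tag byte, then the string."""
    data = value.encode()
    return bytes([attr_type, 3 + len(data), tag]) + data


def build_vlan_access_accept(identifier: int, request_auth: bytes,
                             secret: bytes, vlan_id: int, tag: int = 1) -> bytes:
    """Access-Accept carrying the Tunnel-Type/Medium-Type/Private-Group-ID triple."""
    attrs = (_tagged_int(ATTR_TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN)
             + _tagged_int(ATTR_TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802)
             + _tagged_str(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id)))
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes,
                                  secret: bytes) -> bool:
    """The check the AP/firewall performs; with a wrong secret the reply is discarded."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_tunnel_attributes(packet: bytes) -> Dict[int, object]:
    """Walk the attribute list and collect the three tunnel attributes."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    found: Dict[int, object] = {}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(value[1:], "big")   # skip the tag byte
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID and value:
            # RFC 2868: a first byte above 0x1F is not a tag but part of the string
            found[atype] = (value if value[0] > 0x1F else value[1:]).decode()
        pos += alen
    return found


def vlan_from_access_accept(packet: bytes) -> Optional[int]:
    """VLAN the AP would apply, or None when the triple is missing or wrong."""
    attrs = parse_tunnel_attributes(packet)
    if attrs.get(ATTR_TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get(ATTR_TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    group = attrs.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    return int(group) if isinstance(group, str) and group.isdigit() else None


if __name__ == "__main__":
    req_auth = bytes(range(16))            # constructed Request Authenticator
    pkt = build_vlan_access_accept(7, req_auth, b"example-secret", 205)
    print("VLAN:", vlan_from_access_accept(pkt))
    print("secret ok:", verify_response_authenticator(pkt, req_auth, b"example-secret"))
    print("one char off:", verify_response_authenticator(pkt, req_auth, b"example-secrets"))
```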


Implementation Guide
Step 1: Obtain Purple Credentials
Log in to the Purple portal. Navigate to Management > Locations > [Your Location] > Hardware > Add Hardware. Select Sophos as the hardware type. The portal will display:
- Primary and secondary RADIUS server IP addresses
- RADIUS Shared Secret
- Captive Portal URL (e.g. https://region1.purpleportal.net/access/)
- Redirect URL (e.g. https://region1.purpleportal.net/access/?res=success)
- Complete Walled Garden domain list
Please note down these four values before proceeding.
Step 2: Configure RADIUS Servers on Sophos Firewall
Navigate to Authentication > Servers on Sophos Firewall (or for AP-managed configurations, navigate to Sophos Central > Wireless > SSIDs > [SSID] > Advanced Settings).
- Click Add to create a new RADIUS server entry.
- Set Server IP to the primary Purple RADIUS IP address.
- Set Authentication port to 1812.
- Set Accounting port to 1813.
- Enter the Shared secret from the Purple portal.
- Repeat this step for the secondary Purple RADIUS server.
For Sophos AP6 managed via Sophos Central, configure the RADIUS servers under the Advanced Settings > Backend authentication section of the SSID.
Step 3: Configure Walled Garden
Navigate to Wireless > Hotspot Settings on Sophos Firewall.
- Under Walled garden, click Add new item.
- Add each domain from the list provided by Purple.
- Ensure unauthenticated clients are allowed DNS (UDP port 53) via pre-authentication firewall rules.
- Click Apply.
Step 4: Create Guest SSID
Navigate to Wireless > Wireless Settings > SSIDs (or Sophos Central > Wireless > SSIDs).
- Click Add SSID.
- Set Encryption mode to Open (no pre-shared key).
- Under Advanced Settings > Captive portal, enable Captive Portal.
- Select Backend authentication as the authentication type.
- Enter the Purple RADIUS server IP, port 1812, and shared secret.
- Set Redirect URL to the Purple splash page URL.
- Assign the SSID to a dedicated guest VLAN (e.g. VLAN 100).
- Enable Client isolation to prevent traffic between guest users.
Step 5: Create Post-Authentication Firewall Rules
Navigate to Rules and policies > Firewall rules.
- Create a rule allowing traffic from the guest VLAN to the WAN zone.
- Apply web filtering to block malicious categories.
- Apply traffic shaping to limit bandwidth per user (recommended guest network settings: 10 Mbps download, 5 Mbps upload).
- Explicitly block all traffic from the guest VLAN to any internal VLAN containing POS systems, PMS, or corporate resources.
Step 6: Configure PPSK for Multi-Tenant Environments (Optional)
- In Sophos Central, create a WPA2-Personal SSID.
- Enable RADIUS VLAN assignment under the SSID's advanced settings.
- Configure the RADIUS server to accept PPSK credentials and return the corresponding VLAN attributes based on user groups.
- Issue unique PPSKs to each tenant group via the Purple portal or your RADIUS management interface.
Best Practices
Isolate traffic at Layer 2 and Layer 3. Always place guest WiFi on a dedicated VLAN. Establish clear firewall rules to block all traffic from the guest VLAN to the RFC 1918 address space on internal network segments. This complies with PCI DSS network segmentation requirements and prevents lateral movement in the event of a compromised guest device.
Use bridge mode for high-density deployments. In environments with more than 200 concurrent guest connections (such as hotels, stadiums, and convention centres), configure the guest SSID to bridge mode. This routes traffic onto a VLAN handled by an enterprise-grade DHCP server, preventing the Sophos AP or firewall from becoming a DHCP performance bottleneck. A 500-room hotel with 70% occupancy and two devices per guest generates approximately 700 concurrent DHCP leases. Enterprise-grade DHCP can handle this demand; an AP's built-in DHCP cannot.
Use publicly trusted SSL certificates. Configure the Sophos firewall to serve a certificate signed by a public CA for the redirection interface. Self-signed certificates generate browser security warnings on iOS and Android, which in turn increases portal drop-off rates. This is particularly critical in hospitality environments where the guest experience directly impacts review scores.
Configure RADIUS authentication and accounting. Authentication (port 1812) is used to authorise access. Accounting (port 1813) is used to track usage. Both are required for Purple's analytics features to function correctly. Accounting data drives session duration metrics, bandwidth reporting, and repeat visitor identification within the Purple dashboard.
Plan your Walled Garden before going live. Test the portal on at least one iOS device and one Android device before deploying to production. These two platforms have different Captive Portal detection mechanisms and may behave differently if the Walled Garden configuration is incomplete. During the pre-authentication phase, use the packet capture feature on the Sophos firewall to identify any blocked domains.
Apply Sophos Synchronised Security post-authentication. Sophos AP6 access points support Synchronised Security, which integrates with Sophos Endpoint Protection. If a guest device is detected as compromised (red Security Heartbeat status), the AP can automatically restrict that device to the Walled Garden, isolating it from the internet without manual intervention. This is a highly valuable security control for healthcare and retail environments.
For broader enterprise WiFi security context, see our guide: Enterprise WiFi Security: The Complete 2026 Guide.
Troubleshooting and Mitigation
Symptom: Portal page fails to load (blank screen or timeout)
Cause: Incomplete Walled Garden configuration. The Sophos firewall is blocking pre-authentication access to Purple's CSS/JS assets or social login APIs.
Resolution: Enable packet capture for the guest VLAN on the Sophos firewall. Identify blocked domains. Add them to the Walled Garden. Verify that DNS resolution is allowed pre-authentication.
Symptom: Portal loads, but authentication always fails
Cause: RADIUS shared secret mismatch or UDP ports 1812/1813 are blocked.
Resolution: Verify the shared secrets in the Sophos configuration and the Purple portal verbatim. Use nmap -sU -p 1812,1813 in the Sophos CLI to confirm UDP reachability.
Symptom: Analytics data shows zero session duration and no bandwidth data
Cause: RADIUS accounting is not configured or is blocked.
Resolution: Verify that the accounting server is configured with the correct shared secret on port 1813. Check for any intermediary ACLs blocking outbound UDP 1813.
Symptom: Certificate warnings appear on guest devices
Cause: The Sophos firewall is using a self-signed certificate on the redirection interface.
Resolution: Upload a certificate signed by a public CA (Let's Encrypt, DigiCert, or similar) to the Sophos firewall and assign it as the login page certificate under Wireless > Hotspot Settings.
Symptom: PPSK users enter the wrong VLAN
Cause: RADIUS VLAN attributes are incorrectly configured, or the Sophos AP is not accepting dynamic VLAN assignment.
Resolution: Verify that the RADIUS server returns Tunnel-Type = 13, Tunnel-Medium-Type = 6, and Tunnel-Private-Group-ID = the VLAN ID for that PPSK. Confirm that RADIUS VLAN assignment for the SSID is enabled in Sophos Central.
ROI and Business Impact
Deploying Purple on Sophos infrastructure transforms guest WiFi from a utility cost into a first-party data asset. The business case is clear.
A 200-room hotel with 70% occupancy and an average length of stay of 1.8 nights will generate approximately 50,000 authenticated guest profiles annually via Purple's self-selected opt-in page. Each profile contains names, email addresses, demographic data, and visit history. This data can be directly imported into email marketing campaigns, significantly boosting direct bookings and food and beverage revenue.
For retail environments, Purple's analytics identify dwell times, repeat visit frequency, and peak footfall hours. A 50-location retail chain can use this data to optimise staffing levels, align promotional timing, and measure the impact of in-store events on visit frequency.
For public sector and transportation operators, Purple provides auditable GDPR consent logs and supports critical infrastructure operators in complying with the UK's Network and Information Systems (NIS) Regulations.
Purple's 99.999% availability SLA ensures that guest authentication services do not become a single point of failure for your network. The cloud RADIUS architecture means there are no on-premises authentication servers to maintain, patch, or replace.
For related integration guides, see the Alta Labs and Purple WiFi Integration: Setup and Captive Portal Configuration guide.
Key Definitions
Captive portal
A web page that intercepts a user's initial HTTP request and requires interaction (authentication, consent, or payment) before granting internet access.
The primary interface for Guest WiFi. Purple hosts the captive portal in the cloud; the Sophos Firewall redirects unauthenticated clients to it.
Walled Garden
A strict allowlist of domains and IP addresses that unauthenticated devices can access before completing portal authentication.
Must include Purple's portal domains, social login providers, and any identity federation endpoints. An incomplete Walled Garden is the most common cause of portal load failures.
RADIUS (Remote Authentication Dial-In User Service)
A networking protocol that provides centralised authentication, authorisation, and accounting for users connecting to a network. Uses UDP port 1812 for authentication and 1813 for accounting.
Purple provides RADIUS-as-a-Service. The Sophos Firewall and APs communicate with Purple's cloud RADIUS to authenticate guests and report session data.
RADIUS accounting
The component of RADIUS that tracks network usage metrics, including session start time, duration, bytes transferred, and session termination reason.
Essential for Purple's WiFi Analytics. Without accounting data on port 1813, session duration and bandwidth metrics are unavailable in the Purple dashboard.
PPSK (Private Pre-Shared Key)
A WiFi security feature that allows a single SSID to accept multiple unique passphrases, each typically mapped to a specific VLAN or policy via RADIUS.
Used in Multi-Tenant WiFi deployments to provide per-user or per-group network isolation without broadcasting multiple SSIDs. Sophos AP6 supports PPSK with dynamic VLAN assignment.
Dynamic VLAN assignment
A process where the RADIUS server instructs the access point to place an authenticated user onto a specific VLAN by returning Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes in the Access-Accept message.
Enables Identity-Based Networks. Users are placed in the correct network segment based on their credentials, regardless of which physical AP they connect to.
802.1X
An IEEE standard for port-based network access control. Provides an authentication framework for devices connecting to a LAN or WLAN, requiring a supplicant (client), authenticator (AP or switch), and authentication server (RADIUS).
The enterprise standard for Staff WiFi. Sophos AP6 supports 802.1X with WPA2-Enterprise and WPA3-Enterprise, using EAP-TLS or PEAP-MSCHAPv2.
Bridge mode
A network configuration where the access point passes wireless client traffic directly onto the wired LAN as tagged VLAN frames, without performing NAT or local DHCP.
Recommended for high-density deployments. Offloads DHCP to enterprise servers and ensures Purple receives the true client IP address for accurate analytics.
First-party data
Information collected directly from users through your own channels, owned by you, not shared with or sourced from third parties.
The primary business value of Purple Guest WiFi. Captured through conscious-choice opt-ins at the captive portal, this data is GDPR-compliant and independent of third-party cookies.
Worked Examples
A 300-room hotel has deployed Sophos AP6 access points managed via Sophos Central. They need guests to authenticate through a branded Purple splash page and require the guest network to be completely isolated from the property management system (PMS) on VLAN 20 to maintain PCI DSS compliance. The hotel expects up to 600 concurrent guest connections during peak periods.
1. In Sophos Central, create a dedicated guest SSID named 'Hotel Guest WiFi' with Open encryption.
2. Assign the SSID to VLAN 100 in Bridge mode to handle the 600-device DHCP load via the core network DHCP server.
3. Enable the captive portal under Advanced Settings and select Backend authentication.
4. Enter the Purple RADIUS server IP on port 1812 and the shared secret from the Purple portal.
5. Configure the Walled Garden to allow region1.purpleportal.net, venuewifi.com, and all social login domains.
6. On the Sophos Firewall, create a firewall rule allowing VLAN 100 to the WAN zone with web filtering applied.
7. Create an explicit DENY rule blocking all traffic from VLAN 100 to VLAN 20 (PMS network).
8. Configure RADIUS accounting on port 1813 with a 120-second interim interval.
9. Upload a publicly trusted SSL certificate to the Sophos Firewall for the redirect interface.
10. Test on both iOS and Android before go-live.
A coworking space operator manages 15 tenant companies across three floors. Each company requires its own isolated network segment. They currently broadcast 15 separate SSIDs, causing significant RF congestion. They want to consolidate to a single SSID using Sophos AP6 access points while maintaining strict Layer 2 isolation between tenants.
1. Assign a unique VLAN to each tenant company (e.g., VLANs 200-214).
2. In Sophos Central, create a single WPA2-Personal SSID named 'CoWork WiFi'.
3. Enable RADIUS VLAN assignment on the SSID.
4. Configure the RADIUS server (Purple's cloud RADIUS or an integrated directory) to store a unique PPSK per tenant and return the appropriate VLAN attributes on authentication.
5. Issue each tenant company their unique PPSK via the Purple portal.
6. On the Sophos Firewall, configure inter-VLAN firewall rules to block all traffic between tenant VLANs. Allow each VLAN access to the internet only.
7. For tenants requiring shared services (e.g., a shared printer), create explicit permit rules for those specific resources only.
Practice Questions
Q1. A retail chain has deployed Sophos AP6 access points across 50 stores. Shoppers report that the Purple splash page takes over 30 seconds to load, or times out completely. The IT team has confirmed that RADIUS authentication is configured correctly. What is the most likely cause and how do you resolve it?
Hint: Consider what happens before the user reaches the authentication step.
View model answer
The Walled Garden is incomplete. The Sophos Firewall is blocking access to Purple's CSS and JavaScript assets, or to social login CDN domains, before authentication. Enable a packet capture on the Sophos Firewall for the guest VLAN and filter for blocked traffic from unauthenticated clients. Identify the blocked domains and add them to the Walled Garden under Wireless > Hotspot Settings. Also verify that DNS (UDP port 53) is permitted pre-authentication. Without DNS resolution, the device cannot resolve the Purple portal hostname and the redirect fails immediately.
Q2. You are designing a Guest WiFi deployment for a 5,000-seat stadium using Sophos AP6 access points. The venue expects 4,000 concurrent fan connections during events. Should you configure the guest SSID in NAT mode or Bridge mode? Justify your decision.
Hint: Consider the DHCP load generated by 4,000 simultaneous connections.
View model answer
Bridge mode. At 4,000 concurrent connections, NAT mode would overwhelm the on-board DHCP server of the Sophos APs or the firewall. In Bridge mode, the APs drop guest traffic directly onto a dedicated VLAN, and enterprise DHCP servers handle IP address assignment. This prevents DHCP exhaustion and ensures the Purple platform receives the true client IP address for accurate analytics. Bridge mode also provides higher throughput than NAT mode, which is important for a high-density event environment. Configure a DHCP scope on the core network with sufficient addresses for the expected peak load, plus a 20% buffer.
Q3. Your Purple Analytics dashboard shows the correct number of logins, but all session durations are reported as zero minutes and bandwidth usage is not tracked. The guest portal is working correctly and guests can browse the internet. What configuration element is missing?
Hint: Authentication grants access. What tracks usage after access is granted?
View model answer
RADIUS accounting is not configured or is being blocked. Authentication on port 1812 grants internet access, but accounting on port 1813 is the mechanism that reports session duration and bandwidth data back to Purple. Check the Sophos Firewall configuration to confirm the accounting server is set to the Purple RADIUS IP on port 1813 with the correct shared secret. Then verify that UDP port 1813 is not blocked by any intermediate ACL or firewall rule between the Sophos Firewall and Purple's cloud RADIUS servers. Use a packet capture to confirm accounting packets are leaving the Sophos Firewall and receiving responses.
Q4. A coworking space operator wants to use Sophos PPSK to give each of their 20 tenant companies an isolated network segment. After configuration, all PPSK users connect successfully but all land on the same VLAN regardless of which PPSK they use. What is the most likely cause?
Hint: Think about what the RADIUS server needs to return and what the AP needs to accept.
View model answer
There are two likely causes. First, the RADIUS server is not returning the correct VLAN attributes in the Access-Accept message. Verify that the RADIUS server returns Tunnel-Type = 13 (VLAN), Tunnel-Medium-Type = 6 (IEEE-802), and Tunnel-Private-Group-ID = the correct VLAN ID for each PPSK. Second, RADIUS VLAN assignment may not be enabled on the SSID in Sophos Central. Navigate to the SSID's Advanced Settings and confirm that RADIUS VLAN assignment is toggled on. Use a RADIUS debug log or packet capture to inspect the Access-Accept messages and confirm the VLAN attributes are present and correctly formatted.