
Sophos Firewall and Access Points Integration with Purple WiFi

This guide details the technical integration of Sophos Firewall (XG/XGS) and Sophos AP6/APX access points with Purple WiFi. It covers external captive portal redirection, RADIUS authentication and accounting configuration, Walled Garden setup, 802.1X for Staff WiFi, and dynamic VLAN assignment using Sophos PPSK for secure Multi-Tenant network segregation across hospitality, retail, and public-sector venues.


Podcast transcript
Welcome to the Purple Architecture Briefing. Today we are diving into a critical integration for enterprise networks: deploying Purple WiFi alongside Sophos infrastructure, specifically Sophos AP6 and APX access points and Sophos XG and XGS firewalls. If you are an IT manager, a network architect, or a CTO managing a venue, whether that is a retail chain, a stadium, or a hospital, this session is designed to give you the actionable blueprint for making these two powerful platforms work together seamlessly.

Let us set the context. Sophos is renowned for its robust security posture. Sophos Firewall appliances provide deep packet inspection and synchronised security. However, when it comes to Guest WiFi, you do not just want security. You want business value. You want to capture demographic data, understand visitor behaviour, and drive marketing return on investment. That is where Purple comes in. By integrating Purple as an external captive portal, you offload the heavy lifting of guest identity management, GDPR consent, and social logins to Purple's cloud RADIUS, while letting the Sophos Firewall do what it does best: secure the perimeter.

So, how does this actually work under the hood? Let us get into the technical deep-dive. The architecture relies on standard RADIUS protocols and HTTP redirection. When a venue user associates with your open Guest WiFi SSID broadcast by the Sophos AP, the Sophos Firewall intercepts that initial web request. Instead of serving a basic, locally stored portal page, the firewall redirects the client to Purple's cloud-hosted splash page. Now, here is the critical concept: the Walled Garden. During this pre-authentication phase, the user does not have internet access. But they need to load the portal graphics, and they might need to reach Facebook or Google to log in. The Walled Garden is a strict allowlist configured on the Sophos Firewall that permits traffic to these specific domains. Once the user authenticates, Purple's platform sends a RADIUS Access-Accept message back to the Sophos Firewall. The firewall then flips the switch, changing the session state to authenticated, and drops the user into your post-authentication firewall policy.

Let us talk about the RADIUS configuration in more detail, because this is where precision matters. Purple provides you with two sets of RADIUS credentials: one for authentication on port 1812, and one for accounting on port 1813. Both must be configured. The accounting server is not optional. It is the mechanism by which the Sophos Firewall reports session data back to Purple, including duration, bandwidth consumed, and session termination events. Without accurate accounting data, your Purple analytics dashboard will show incomplete or inaccurate visitor metrics. Set your accounting interim interval to 120 seconds. This provides a good balance between real-time visibility and network overhead.

Now let us talk about a scenario that comes up constantly in enterprise deployments: Multi-Tenant WiFi. Think of a coworking space, a build-to-rent residential block, or a student accommodation building. You have multiple distinct groups of users who all need WiFi access, but they must be completely isolated from each other at the network level. Broadcasting a separate SSID for every tenant is not viable. It creates radio frequency congestion and is an operational nightmare to manage. The answer is Sophos Private Pre-Shared Keys, or PPSK, combined with dynamic VLAN assignment. Here is how it works. You configure a single SSID on your Sophos AP6 access points. You then issue a unique passphrase to each tenant or user group. When a device connects and presents its unique key, the Sophos AP authenticates that key via RADIUS. The RADIUS server returns a specific VLAN ID attribute in the Access-Accept message. The AP dynamically tags the user's traffic with that VLAN ID, placing them onto their dedicated network segment. Identity-Based Networking in action. One SSID, multiple isolated networks, zero radio frequency overhead from additional broadcasts.

This architecture also has a significant compliance benefit. Under PCI DSS requirements, Guest WiFi networks must be completely isolated from any network segment that handles cardholder data. By placing the guest SSID on a dedicated VLAN and enforcing strict firewall policies on the Sophos Firewall to block all RFC 1918 private IP space destinations, you satisfy this requirement cleanly. Purple, which operates across 80,000 live venues and has processed 440 million logins in 2024, is ISO 27001 certified, GDPR compliant, and Cyber Essentials certified, so the compliance story extends to the identity layer as well.

Now let us move on to implementation recommendations. When you are setting this up, you have a crucial decision to make regarding IP assignment: NAT mode versus Bridge mode. If you are deploying a small retail branch with perhaps fifty to a hundred concurrent guest connections, NAT mode is perfectly adequate. The Sophos AP hands out DHCP addresses to guests from a dedicated internal subnet and translates them as traffic exits. It is simple and requires minimal additional infrastructure. But if you are deploying a high-density environment, say a five-hundred-room hotel, a conference centre with multiple concurrent events, or a stadium, you must use Bridge mode. In Bridge mode, the Sophos AP drops the guest traffic directly onto a dedicated VLAN, allowing your core enterprise DHCP servers to handle the load. This prevents the access point or firewall from becoming a DHCP bottleneck during peak connection events. Bridge mode also ensures the Purple platform sees the true client IP address, which is vital for accurate analytics and troubleshooting.

Let us talk about the step-by-step configuration sequence, because order matters here. Start in the Purple portal. Retrieve your RADIUS server credentials: the server IP addresses, shared secrets, the captive portal URL, and the redirect URL. These are the four critical pieces of information you need before touching the Sophos configuration. Then, move to Sophos Central or your local firewall management interface. Define your RADIUS servers first, authentication on 1812, accounting on 1813. Then configure your Walled Garden under Hotspot Settings. Next, create your guest SSID, set encryption to Open, enable the Captive Portal, and input the Purple portal URL. And finally, define your post-authentication firewall rules. For the Walled Garden specifically, you must allow the following domains as a minimum: the Purple portal domain, typically region1.purpleportal.net; venuewifi.com; and any social login domains your guests will use, such as facebook.com, accounts.google.com, and their associated CDN domains. If you are using Microsoft Entra ID or Okta for identity federation, those domains must also be included.

What about pitfalls? Where do deployments usually go wrong? The number one issue, without question, is an incomplete Walled Garden. If a guest connects and gets a blank screen or a connection timeout, it almost always means the Sophos Firewall is blocking access to Purple's CSS files, JavaScript assets, or the social login APIs before authentication. You must ensure every required domain is explicitly allowed in that pre-authentication policy. Purple provides a comprehensive list of required domains. Use it in full. Also, do not forget DNS. Unauthenticated clients must be allowed to resolve DNS queries, or the redirect simply will not work. The device needs to resolve the Purple portal hostname before it can even attempt to load the page. The second most common pitfall is certificate errors. Ensure your Sophos Firewall is presenting a valid, publicly trusted SSL certificate for the redirection interface. If you use the default self-signed certificate, modern iPhones and Android devices will throw significant security warnings, and your guests will abandon the connection entirely. This is a particularly acute problem in hospitality environments where guest experience is paramount. The third pitfall is RADIUS timeout errors. If the portal loads but authentication consistently fails, verify that the shared secrets match exactly between your Sophos configuration and the Purple portal. Even a single character difference will cause all authentication attempts to fail silently. Also verify that no intermediate firewall is blocking UDP ports 1812 and 1813 between your Sophos infrastructure and Purple's cloud RADIUS servers.

Let us wrap up with a rapid-fire question and answer session based on the most common questions we hear from clients.

Question one: does using Purple bypass my Sophos Firewall security policies? Absolutely not. Purple handles the authentication and identity capture. Once authenticated, all guest traffic flows through your Sophos Firewall's post-authentication policy. This is precisely where you apply web filtering, block peer-to-peer traffic, and shape bandwidth. Think of it this way: pre-authentication is permissive to allow login; post-authentication is punitive to protect the network.

Question two: do I need to deploy local RADIUS servers? No. Purple provides RADIUS-as-a-Service. You configure the Sophos APs to point directly to Purple's cloud RADIUS IP addresses. There is no need to deploy and maintain FreeRADIUS or Windows NPS for the guest network.

Question three: can I use Purple with both Sophos AP6 and the older APX series? Yes. The integration approach is consistent across both hardware generations. Note, however, that Sophos has announced an end-of-life date for the APX Series of December 31, 2027. If you are planning a new deployment, invest in the AP6 Series, which supports Wi-Fi 6 and Wi-Fi 6E.

Question four: what about GDPR compliance? Purple captures explicit consent at the portal level, presenting your terms and conditions and data processing notices before authentication. This consent data is stored within the Purple platform and is auditable. The Sophos Firewall's role is purely network enforcement.

To summarise the key takeaways from today's briefing. First: segregate your Staff and Guest SSIDs absolutely. Staff on 802.1X with WPA2-Enterprise. Guests on Purple with an external captive portal. Second: meticulously configure your Walled Garden. It is the most common failure point and the most important pre-authentication configuration element. Third: use Bridge mode for any high-density deployment to avoid DHCP bottlenecks and to ensure accurate client IP visibility. Fourth: configure both RADIUS authentication and accounting servers. Accounting is not optional if you want meaningful analytics. Fifth: leverage Sophos PPSK for Multi-Tenant environments to enable Identity-Based Networking with dynamic VLAN assignment. One SSID, multiple isolated networks. Sixth: apply Sophos security policies strictly post-authentication. Web filtering, application control, and bandwidth shaping should all be applied in the post-authentication firewall policy.

By executing this integration correctly, you transform Guest WiFi from a cost centre into a compliant, secure, and revenue-generating asset. The combination of Sophos security depth and Purple's marketing intelligence is genuinely powerful for any venue operator who wants to take their guest experience and data strategy seriously. Thanks for listening to the Purple Architecture Briefing. If you would like to discuss your specific deployment requirements, visit purple.ai to speak with the solutions team.


Executive summary

If you run Sophos infrastructure and need to deploy Guest WiFi that captures first-party data, this guide gives you the exact configuration steps. Purple integrates with Sophos Firewall (XG and XGS series) and Sophos AP6/APX access points as an external captive portal, offloading guest identity management, GDPR consent capture, and social login handling to Purple's cloud RADIUS. Your Sophos Firewall continues to enforce deep packet inspection and unified threat management on all traffic. The result: a compliant, segmented network where guests authenticate through a branded Purple splash page, staff connect via 802.1X with WPA2-Enterprise, and multi-tenant environments use Sophos Private Pre-Shared Keys (PPSK) for dynamic VLAN assignment. Purple operates across 80,000+ live venues and processed 440 million logins in 2024 (Purple internal data, 2024). It is ISO 27001 certified, GDPR compliant, and Cyber Essentials certified.


Technical deep-dive

How the redirect works

The integration uses standard RADIUS protocols and HTTP redirection. When a venue user associates with your open Guest WiFi SSID on a Sophos AP6 or APX access point, the Sophos Firewall intercepts the first HTTP request from that unauthenticated device. Rather than serving a locally stored login page, the firewall issues a 302 redirect to Purple's cloud-hosted splash page URL - typically in the format https://region1.purpleportal.net/access/. Only plaintext HTTP can be redirected this way: the firewall cannot rewrite an HTTPS request without producing a certificate error, so in practice the redirect is triggered by the operating system's plain-HTTP captive portal probe, which then opens the sign-in sheet.

During this pre-authentication phase, the device sits inside a Walled Garden: a strict allowlist of domains that unauthenticated devices can reach. This allowlist must include Purple's portal assets, any social login providers (Facebook, Google, LinkedIn), and any identity federation endpoints you use, such as Microsoft Entra ID or Okta. Once the user completes authentication on the Purple splash page, Purple's cloud RADIUS sends a RADIUS Access-Accept message to the Sophos Firewall. The firewall updates the session state to authenticated and applies your post-authentication security policy.

RADIUS authentication and accounting

Purple provides RADIUS-as-a-Service. You do not need to deploy FreeRADIUS, Windows NPS, or any local RADIUS infrastructure for the guest network. Configure the Sophos Firewall to point directly to Purple's cloud RADIUS IP addresses.

Two RADIUS functions are required:

Function | Protocol | Port | Purpose
Authentication | UDP | 1812 | Validates guest credentials and returns Access-Accept or Access-Reject
Accounting | UDP | 1813 | Reports session start, interim updates, and session stop to Purple

Accounting is not optional. It is the mechanism by which the Sophos Firewall reports session duration, bandwidth consumed, and session termination events back to Purple. Without accounting data, your WiFi Analytics dashboard will show incomplete visitor metrics. Set the accounting interim interval to 120 seconds for a good balance between real-time visibility and network overhead.

The RADIUS shared secret must match exactly between your Sophos configuration and the Purple portal. A single character difference causes authentication to fail silently: the server drops a request whose Message-Authenticator does not verify, and the firewall drops any reply whose Response Authenticator does not verify, so the symptom is a timeout rather than an Access-Reject.

Walled Garden configuration

The Walled Garden is the most important pre-authentication configuration element and the most common source of deployment failures. Configure it under Wireless > Hotspot Settings on the Sophos Firewall.

You must allow the following domains as a minimum:

Category | Domains to allow
Purple core | region1.purpleportal.net, venuewifi.com, cloudfront.net
Payment (if applicable) | stripe.com
Weather widget (if used) | openweathermap.org
Facebook login | facebook.com, fbcdn.net, connect.facebook.net, akamaihd.net
Google login | accounts.google.com, googleapis.com, gstatic.com
LinkedIn login | linkedin.com, licdn.net, licdn.com
Microsoft Entra ID | login.microsoftonline.com, login.microsoft.com

Always allow DNS resolution (UDP port 53) for unauthenticated clients. Without DNS, devices cannot resolve the Purple portal hostname and the redirect fails before it starts. Bear in mind that every entry in this list is reachable by anyone who associates with the open SSID, authenticated or not: a broad CDN entry such as cloudfront.net or akamaihd.net permits pre-authentication access to any site hosted on that CDN, so use the specific hostnames from Purple's list wherever the firewall accepts them, and review the list whenever a provider is added or removed.

802.1X for Staff WiFi

For Staff WiFi, use 802.1X (IEEE 802.1X port-based network access control) with WPA2-Enterprise or WPA3-Enterprise. Configure the Sophos AP to use EAP-TLS (certificate-based) or PEAP-MSCHAPv2 (username/password) against your internal RADIUS server, or against a cloud RADIUS service that fronts your identity provider (Microsoft Entra ID does not accept RADIUS directly). Prefer EAP-TLS where you can manage client certificates: PEAP-MSCHAPv2 is only as strong as the supplicant's validation of the RADIUS server certificate, and a client configured to accept any server certificate will hand its credential hash to a rogue AP broadcasting the same SSID.

The RADIUS server returns VLAN assignment attributes to place authenticated staff devices onto the correct internal VLAN. This is the same dynamic VLAN mechanism described below for PPSK, applied to enterprise authentication.

Keep the Staff WiFi SSID and VLAN completely separate from the Guest WiFi SSID and VLAN. Never bridge guest traffic onto the management or corporate subnets. This separation is a PCI DSS requirement if any network segment handles cardholder data.

Sophos PPSK and dynamic VLAN assignment for multi-tenant environments

In multi-tenant environments - coworking spaces, build-to-rent residential blocks, student accommodation, or retail concessions - you need to isolate different user groups at the network level without broadcasting a separate SSID for each tenant. Broadcasting multiple SSIDs increases radio frequency overhead and complicates management.

Sophos AP6 access points support PPSK (Private Pre-Shared Key), also referred to as Identity PSK or per-user PSK. PPSK allows a single SSID to accept multiple unique passphrases, each mapped to a specific VLAN via RADIUS attributes.

The dynamic VLAN assignment flow works as follows:

  1. A resident or member connects to the single shared SSID and enters their unique PPSK.
  2. The Sophos AP sends a RADIUS Access-Request to the configured RADIUS server, including the PPSK as the credential.
  3. The RADIUS server validates the PPSK and returns an Access-Accept with the following VLAN attributes:
    • Tunnel-Type = VLAN (value 13)
    • Tunnel-Medium-Type = IEEE-802 (value 6)
    • Tunnel-Private-Group-ID = <VLAN ID> (e.g., 100)
  4. The Sophos AP tags the device's traffic with the returned VLAN ID, placing it onto the correct isolated network segment.

This is Identity-Based Networking: one SSID, multiple isolated VLANs, driven by the user's unique credential.
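The attribute exchange above, and the shared-secret failure mode described in the RADIUS section, are easier to reason about with the bytes in front of you. The following is an added example written for this page, not code from Purple or Sophos: it builds an Access-Request with a Message-Authenticator, builds the matching Access-Accept carrying the three RFC 2868 tunnel attributes, verifies the Response Authenticator the way a NAS does, and extracts the VLAN ID. The shared secret, username and VLAN number are constructed sample values.

```python
"""RADIUS Access-Accept with dynamic VLAN attributes: build, verify, parse (RFC 2865/2868/3579)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME = 1
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_MESSAGE_AUTHENTICATOR = 80
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type value for VLAN
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type value for IEEE-802


def attr(atype: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def tagged_int(tag: int, value: int) -> bytes:
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte big-endian value."""
    return struct.pack("!B", tag) + value.to_bytes(3, "big")


def build_access_request(secret: bytes, username: str) -> bytes:
    """Access-Request with a random Request Authenticator and an HMAC-MD5 Message-Authenticator."""
    ident = 0x2A
    request_auth = os.urandom(16)
    body = attr(ATTR_USER_NAME, username.encode())
    placeholder = attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)   # zeroed while the HMAC is computed
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + request_auth
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + attr(ATTR_MESSAGE_AUTHENTICATOR, mac)


def build_access_accept(secret: bytes, request: bytes, vlan_id: int, tag: int = 1) -> bytes:
    """Access-Accept carrying the VLAN triple an AP needs for dynamic VLAN assignment."""
    ident, request_auth = request[1], request[4:20]
    attrs = (
        attr(ATTR_TUNNEL_TYPE, tagged_int(tag, TUNNEL_TYPE_VLAN))
        + attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(tag, TUNNEL_MEDIUM_IEEE_802))
        # Tunnel-Private-Group-ID is a tagged string; the VLAN number travels as ASCII digits
        + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode())
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret: bytes, request: bytes, response: bytes) -> bool:
    """The check a NAS performs on every reply; with the wrong secret it fails and the reply is dropped."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def parse_attrs(packet: bytes):
    """Yield (type, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def vlan_from_accept(packet: bytes):
    """Return the VLAN ID if the accept carries a consistent VLAN/IEEE-802 triple, else None."""
    found = {}
    for atype, val in parse_attrs(packet):
        if atype in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE):
            found[atype] = int.from_bytes(val[1:], "big")          # skip the tag byte
        elif atype == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a leading byte of 0x00..0x1F is a tag, anything else is part of the string
            found[atype] = (val[1:] if val[0] <= 0x1F else val).decode()
    if found.get(ATTR_TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if found.get(ATTR_TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_IEEE_802:
        return None
    gid = found.get(ATTR_TUNNEL_PRIVATE_GROUP_ID)
    return int(gid) if gid and gid.isdigit() else None


def demo():
    """Constructed sample: correct secret verifies, a one-character mismatch does not, VLAN 207 is extracted."""
    secret = b"s3cr3t-from-purple-portal"
    req = build_access_request(secret, "tenant-07-ppsk")
    acc = build_access_accept(secret, req, vlan_id=207)
    return (
        verify_response(secret, req, acc),
        verify_response(b"s3cr3t-from-purple-porta1", req, acc),
        vlan_from_accept(acc),
    )


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing when you run it. First, the mismatched-secret case fails verification rather than producing a reject: that is why the troubleshooting symptom for a bad secret is a timeout. Second, an accept that carries only Tunnel-Private-Group-ID, or a Tunnel-Type other than 13, yields no VLAN, which is the "wrong VLAN" failure mode when a RADIUS policy is half-configured.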

Figure: PPSK dynamic VLAN assignment (ppsk_vlan_diagram.png)

Figure: architecture overview (architecture_overview.png)


Implementation guide

Step 1: Retrieve Purple credentials

Log in to the Purple portal. Navigate to Management > Locations > [Your Venue] > Hardware > Add Hardware. Select Sophos as the hardware type. The portal displays:

  • Primary and secondary RADIUS server IP addresses
  • RADIUS shared secret
  • Captive portal URL (e.g., https://region1.purpleportal.net/access/)
  • Redirect URL (e.g., https://region1.purpleportal.net/access/?res=success)
  • Full Walled Garden domain list

Record all of these values before proceeding.

Step 2: Configure RADIUS servers on Sophos Firewall

Navigate to Authentication > Servers on the Sophos Firewall (or Sophos Central > Wireless > SSIDs > [SSID] > Advanced Settings for AP-managed configurations).

  1. Click Add to create a new RADIUS server entry.
  2. Set Server IP to the primary Purple RADIUS IP address.
  3. Set Authentication port to 1812.
  4. Set Accounting port to 1813.
  5. Enter the Shared secret from the Purple portal.
  6. Repeat for the secondary Purple RADIUS server.

For Sophos AP6 managed via Sophos Central, configure the RADIUS server under the SSID's Advanced Settings > Backend authentication section.

Step 3: Configure the Walled Garden

Navigate to Wireless > Hotspot Settings on the Sophos Firewall.

  1. Under Walled garden, click Add new item.
  2. Add each domain from the Purple-provided list.
  3. Ensure DNS (UDP port 53) is permitted for unauthenticated clients via a pre-authentication firewall rule.
  4. Click Apply.

Step 4: Create the guest SSID

Navigate to Wireless > Wireless Settings > SSIDs (or Sophos Central > Wireless > SSIDs).

  1. Click Add SSID.
  2. Set Encryption mode to Open (no pre-shared key).
  3. Under Advanced Settings > Captive portal, enable the captive portal.
  4. Select Backend authentication as the authentication type.
  5. Enter the Purple RADIUS server IP, port 1812, and shared secret.
  6. Set the Redirect URL to the Purple splash page URL.
  7. Assign the SSID to a dedicated guest VLAN (e.g., VLAN 100).
  8. Enable Client isolation to prevent guest-to-guest traffic. Traffic on an Open SSID is unencrypted over the air, so client isolation limits guest-to-guest attacks but does not protect against passive sniffing; guests rely on TLS at the application layer.

Step 5: Create post-authentication firewall rules

Navigate to Rules and policies > Firewall rules.

  1. Create a rule allowing traffic from the guest VLAN to the WAN zone.
  2. Apply web filtering to block malicious categories.
  3. Apply traffic shaping to limit bandwidth per user (recommended: 10 Mbps down, 5 Mbps up for guest networks).
  4. Explicitly block all traffic from the guest VLAN to any internal VLAN containing POS systems, PMS, or corporate resources.
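Step 5 hinges on rule order: a broad "guest to internet" rule placed above the deny shadows it, and guests can reach the PMS or POS subnet. The following added example (written for this page, not a Sophos export) models first-match evaluation with Python's ipaddress module and audits a guest policy against RFC 1918 destinations. The guest subnet, rule names and probe addresses are constructed; ports and zones are deliberately not modelled.

```python
"""First-match evaluation of a guest-VLAN policy: does any allow rule leak guests into RFC 1918 space?"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

RFC1918 = (ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"))
GUEST = ip_network("10.100.0.0/22")      # constructed: guest VLAN 100 subnet
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    action: str                           # "allow" or "deny"


def evaluate(rules, src_ip: str, dst_ip: str):
    """Return (action, rule name) for the first rule matching src and dst; default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action, r.name
    return "deny", "implicit-default-deny"


def is_private(ip: str) -> bool:
    return any(ip_address(ip) in n for n in RFC1918)


def audit_guest_policy(rules, probes, guest_ip: str = "10.100.1.50"):
    """List (destination, matching rule) pairs where a guest is allowed into RFC 1918 space."""
    leaks = []
    for dst in probes:
        action, name = evaluate(rules, guest_ip, dst)
        if is_private(dst) and action == "allow":
            leaks.append((dst, name))
    return leaks


# Shadowed deny: the first rule matches every destination, so the denies below are never reached.
BAD_ORDER = [
    Rule("guest-to-internet", GUEST, ANY, "allow"),
    Rule("guest-deny-10", GUEST, RFC1918[0], "deny"),
    Rule("guest-deny-172", GUEST, RFC1918[1], "deny"),
    Rule("guest-deny-192", GUEST, RFC1918[2], "deny"),
]

# Correct order: specific denies first, the broad allow last.
GOOD_ORDER = BAD_ORDER[1:] + BAD_ORDER[:1]

# Constructed probes: public DNS, a PMS host on VLAN 20, a corporate host, a branch router.
PROBES = ["8.8.8.8", "10.0.20.5", "172.16.5.9", "192.168.1.1"]


if __name__ == "__main__":
    for label, rules in (("bad order", BAD_ORDER), ("good order", GOOD_ORDER)):
        print(label, audit_guest_policy(rules, PROBES))
```

The bad ordering reports every private probe as reachable through guest-to-internet; the good ordering reports none while still allowing 8.8.8.8. On a real Sophos Firewall the destination zone narrows a WAN rule, but a rule whose destination is Any network and Any zone behaves like the shadowing rule here. DHCP and DNS to the firewall's own guest interface are governed by device access settings rather than forwarding rules, so the RFC 1918 deny does not need an exception for them.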

Step 6: Configure PPSK for multi-tenant environments (optional)

  1. In Sophos Central, create a WPA2-Personal SSID.
  2. Enable RADIUS VLAN assignment under the SSID's advanced settings.
  3. Configure the RADIUS server to accept PPSK credentials and return the appropriate VLAN attributes per user group.
  4. Issue unique PPSKs to each tenant group via the Purple portal or your RADIUS management interface.

Best practices

Segregate traffic at Layer 2 and Layer 3. Always place Guest WiFi on a dedicated VLAN. Create explicit firewall rules to block all traffic from the guest VLAN to RFC 1918 address space on internal segments. This satisfies PCI DSS network segmentation requirements and prevents lateral movement if a guest device is compromised.

Use Bridge mode for high-density deployments. In environments with more than 200 concurrent guest connections - hotels, stadiums, conference centres - configure the guest SSID in Bridge mode. This drops traffic onto a VLAN handled by enterprise DHCP servers, preventing the Sophos AP or firewall from becoming a DHCP bottleneck. A 500-room hotel at 70% occupancy with two devices per guest generates roughly 700 DHCP leases simultaneously. Enterprise DHCP handles this; on-board AP DHCP does not.

Use a publicly trusted SSL certificate. Configure the Sophos Firewall to present a certificate signed by a public CA for the redirection interface. Self-signed certificates generate browser security warnings on iOS and Android, increasing portal abandonment rates. This is particularly important in hospitality environments where guest experience directly affects review scores.

Configure both RADIUS authentication and accounting. Authentication (port 1812) grants access. Accounting (port 1813) tracks usage. Both are required for Purple's analytics to function correctly. Accounting data drives session duration metrics, bandwidth reports, and repeat visitor identification in the Purple dashboard.

Plan your Walled Garden before go-live. Test the portal on at least one iOS device and one Android device before deploying to production. The two platforms have different captive portal detection mechanisms and may behave differently with incomplete Walled Garden configurations. Use a packet capture on the Sophos Firewall to identify any blocked domains during the pre-authentication phase.

Apply Sophos Synchronized Security post-authentication. Sophos AP6 access points support Synchronized Security, which integrates with Sophos Endpoint Protection. If a device is identified as compromised (red Security Heartbeat status), the AP can automatically restrict that device to the Walled Garden, isolating it from the internet without manual intervention. Note that a heartbeat is only reported by devices running Sophos Endpoint, so this control governs managed staff and BYOD devices; anonymous guest devices never report one and are governed solely by the post-authentication firewall policy. This is a meaningful security control for healthcare and retail environments.

For broader enterprise WiFi security context, see our guide on Enterprise WiFi Security: A Complete Guide for 2026.


Troubleshooting and risk mitigation

Symptom: Portal page fails to load (blank screen or timeout) Cause: Incomplete Walled Garden. The Sophos Firewall is blocking access to Purple's CSS/JS assets or social login APIs before authentication. Fix: Enable packet capture on the Sophos Firewall for the guest VLAN. Identify blocked domains. Add them to the Walled Garden. Verify DNS is permitted pre-authentication.
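The "identify blocked domains" step above is tedious by hand. The following added example, written for this page rather than taken from Purple or Sophos tooling, pulls the query names out of a DNS-filtered capture in tcpdump's text format (for example the output of tcpdump 'port 53' on the guest interface, saved to a file) and reports every name not covered by the Walled Garden, treating an allowlist entry as matching the exact host or any subdomain of it. The capture lines and the allowlist are constructed samples.

```python
"""Report hostnames an unauthenticated client asked for that the Walled Garden does not cover."""
import re

# Constructed sample: pre-authentication DNS queries from one guest device, in tcpdump -n text format.
SAMPLE_CAPTURE = """\
10:02:11.120417 IP 10.100.0.23.51823 > 10.100.0.1.53: 4812+ A? region1.purpleportal.net. (42)
10:02:11.344021 IP 10.100.0.23.51824 > 10.100.0.1.53: 4813+ A? d1abc.cloudfront.net. (38)
10:02:12.001233 IP 10.100.0.23.51825 > 10.100.0.1.53: 4814+ AAAA? static.xx.fbcdn.net. (37)
10:02:12.218790 IP 10.100.0.23.51826 > 10.100.0.1.53: 4815+ A? connect.facebook.net. (38)
10:02:12.509912 IP 10.100.0.23.51827 > 10.100.0.1.53: 4816+ A? www.google-analytics.com. (42)
10:02:13.120417 IP 10.100.0.23.51828 > 10.100.0.1.53: 4817+ A? captive.apple.com. (35)
10:02:13.344021 IP 10.100.0.23.51829 > 10.100.0.1.53: 4818+ A? accounts.google.com. (37)
"""

# Constructed allowlist mirroring the Walled Garden table on this page.
WALLED_GARDEN = {
    "region1.purpleportal.net", "venuewifi.com", "cloudfront.net",
    "facebook.com", "fbcdn.net", "connect.facebook.net", "akamaihd.net",
    "accounts.google.com", "googleapis.com", "gstatic.com",
}

# Matches "A? name." / "AAAA? name." / "HTTPS? name." as tcpdump prints DNS questions.
QUERY_RE = re.compile(r"\s(?:A|AAAA|HTTPS|CNAME)\?\s+([A-Za-z0-9.-]+)\.\s")


def queried_names(capture: str) -> list:
    """Unique query names, lower-cased, in order of first appearance."""
    seen = []
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            name = m.group(1).lower()
            if name not in seen:
                seen.append(name)
    return seen


def covered(name: str, allowlist: set) -> bool:
    """True if the name or any parent domain (excluding the bare TLD) is in the allowlist."""
    labels = name.split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels) - 1))


def walled_garden_gaps(capture: str, allowlist: set) -> list:
    """Names the client tried to resolve pre-auth that the Walled Garden would block."""
    return [n for n in queried_names(capture) if not covered(n, allowlist)]


if __name__ == "__main__":
    for name in walled_garden_gaps(SAMPLE_CAPTURE, WALLED_GARDEN):
        print("not in Walled Garden:", name)
```

Treat the output as a review list, not an auto-add list. In the sample it flags www.google-analytics.com, which may belong in the Walled Garden if the portal page loads it, and captive.apple.com, which must not be added: the operating system's probe host has to be intercepted and redirected, because an unmodified answer from it tells the device there is no portal and the sign-in sheet never appears.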

Symptom: Portal loads but authentication always fails Cause: RADIUS shared secret mismatch, or UDP ports 1812/1813 are blocked. Both present identically, as a timeout rather than an Access-Reject: the server silently drops a request whose Message-Authenticator does not verify, and the firewall drops any reply whose Response Authenticator does not verify, exactly as if the packet had never arrived. Fix: Verify the shared secret character-for-character in both the Sophos configuration and the Purple portal, including trailing whitespace. Then run a packet capture on the firewall's WAN interface filtered on UDP 1812 and 1813 while a client attempts to log in: requests with no replies point to a path or secret problem, requests answered with Access-Reject point to the credentials. From a management host on the same path, radtest (freeradius-utils) against the Purple RADIUS IP and secret confirms reachability end to end; a UDP port scan cannot, because an unanswered UDP probe is reported as open|filtered either way.

Symptom: Analytics show zero session duration and no bandwidth data Cause: RADIUS accounting is not configured or is blocked. Fix: Verify the accounting server is configured on port 1813 with the correct shared secret. Check that no intermediate ACL blocks UDP 1813 outbound.

Symptom: Certificate warning on guest devices Cause: Sophos Firewall is using a self-signed certificate for the redirect interface. Fix: Upload a certificate signed by a public CA (Let's Encrypt, DigiCert, or similar) to the Sophos Firewall and assign it as the login page certificate under Wireless > Hotspot Settings.

Symptom: PPSK users land on wrong VLAN Cause: RADIUS VLAN attributes are not configured correctly, or the Sophos AP is not accepting dynamic VLAN assignment. Fix: Verify the RADIUS server returns Tunnel-Type = 13, Tunnel-Medium-Type = 6, and Tunnel-Private-Group-ID = <VLAN ID>, all with the same tag. Confirm RADIUS VLAN assignment is enabled on the SSID in Sophos Central.


ROI and business impact

Deploying Purple on Sophos infrastructure converts Guest WiFi from a utility cost into a first-party data asset. The business case is straightforward.

A 200-room hotel running at 70% occupancy with an average stay of 1.8 nights will generate roughly 50,000 verified guest profiles per year through Purple's conscious-choice opt-in portal. Each profile includes name, email address, demographic data, and visit history. This data feeds directly into email marketing campaigns, driving measurable increases in direct bookings and Food and Beverage revenue.

For retail environments, Purple's analytics identify dwell time, repeat visit frequency, and peak footfall periods. A retail chain with 50 locations can use this data to optimise staffing, adjust promotional timing, and measure the impact of in-store events on visit frequency.

For public-sector and transport operators, Purple provides auditable GDPR consent records and supports compliance with the UK's Network and Information Systems (NIS) regulations for operators of essential services.

Purple's 99.999% uptime SLA ensures the guest authentication service does not become a single point of failure for your network. The cloud RADIUS architecture means there is no on-premises authentication server to maintain, patch, or replace.

For related integration guidance, see the Alta Labs Integration with Purple WiFi: Setup and Captive Portal Configuration guide.

Key Definitions

Captive portal

A web page that intercepts a user's initial HTTP request and requires interaction (authentication, consent, or payment) before granting internet access.

The primary interface for Guest WiFi. Purple hosts the captive portal in the cloud; the Sophos Firewall redirects unauthenticated clients to it.

Walled Garden

A strict allowlist of domains and IP addresses that unauthenticated devices can access before completing portal authentication.

Must include Purple's portal domains, social login providers, and any identity federation endpoints. An incomplete Walled Garden is the most common cause of portal load failures.

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol that provides centralised authentication, authorisation, and accounting for users connecting to a network. Uses UDP port 1812 for authentication and 1813 for accounting.

Purple provides RADIUS-as-a-Service. The Sophos Firewall and APs communicate with Purple's cloud RADIUS to authenticate guests and report session data.

RADIUS accounting

The component of RADIUS that tracks network usage metrics, including session start time, duration, bytes transferred, and session termination reason.

Essential for Purple's WiFi Analytics. Without accounting data on port 1813, session duration and bandwidth metrics are unavailable in the Purple dashboard.

PPSK (Private Pre-Shared Key)

A WiFi security feature that allows a single SSID to accept multiple unique passphrases, each typically mapped to a specific VLAN or policy via RADIUS.

Used in Multi-Tenant WiFi deployments to provide per-user or per-group network isolation without broadcasting multiple SSIDs. Sophos AP6 supports PPSK with dynamic VLAN assignment.

Dynamic VLAN assignment

A process where the RADIUS server instructs the access point to place an authenticated user onto a specific VLAN by returning Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes in the Access-Accept message.

Enables Identity-Based Networks. Users are placed in the correct network segment based on their credentials, regardless of which physical AP they connect to.

802.1X

An IEEE standard for port-based network access control. Provides an authentication framework for devices connecting to a LAN or WLAN, requiring a supplicant (client), authenticator (AP or switch), and authentication server (RADIUS).

The enterprise standard for Staff WiFi. Sophos AP6 supports 802.1X with WPA2-Enterprise and WPA3-Enterprise, using EAP-TLS or PEAP-MSCHAPv2.

Bridge mode

A network configuration where the access point passes wireless client traffic directly onto the wired LAN as tagged VLAN frames, without performing NAT or local DHCP.

Recommended for high-density deployments. Offloads DHCP to enterprise servers and ensures Purple receives the true client IP address for accurate analytics.

First-party data

Information collected directly from users through your own channels, owned by you, not shared with or sourced from third parties.

The primary business value of Purple Guest WiFi. Captured through conscious-choice opt-ins at the captive portal, this data is GDPR-compliant and independent of third-party cookies.

Worked Examples

A 300-room hotel has deployed Sophos AP6 access points managed via Sophos Central. They need guests to authenticate through a branded Purple splash page and require the guest network to be completely isolated from the property management system (PMS) on VLAN 20 to maintain PCI DSS compliance. The hotel expects up to 600 concurrent guest connections during peak periods.

  1. In Sophos Central, create a dedicated guest SSID named 'Hotel Guest WiFi' with Open encryption.
  2. Assign the SSID to VLAN 100 in Bridge mode to handle the 600-device DHCP load via the core network DHCP server.
  3. Enable the captive portal under Advanced Settings and select Backend authentication.
  4. Enter the Purple RADIUS server IP on port 1812 and the shared secret from the Purple portal.
  5. Configure the Walled Garden to allow region1.purpleportal.net, venuewifi.com, and all social login domains.
  6. On the Sophos Firewall, create a firewall rule allowing VLAN 100 to the WAN zone with web filtering applied.
  7. Create an explicit DENY rule blocking all traffic from VLAN 100 to VLAN 20 (PMS network).
  8. Configure RADIUS accounting on port 1813 with a 120-second interim interval.
  9. Upload a publicly trusted SSL certificate to the Sophos Firewall for the redirect interface.
  10. Test on both iOS and Android before go-live.
Examiner's Commentary: Bridge mode is essential here. At 600 concurrent connections, on-board AP DHCP would be overwhelmed. The explicit DENY rule from VLAN 100 to VLAN 20 satisfies PCI DSS network segmentation requirements. The publicly trusted certificate prevents iOS 14+ and Android 10+ from displaying security warnings that would increase portal abandonment. Configuring accounting is non-negotiable for Purple's analytics to function.

A coworking space operator manages 15 tenant companies across three floors. Each company requires its own isolated network segment. They currently broadcast 15 separate SSIDs, causing significant RF congestion. They want to consolidate to a single SSID using Sophos AP6 access points while maintaining strict Layer 2 isolation between tenants.

1. Assign a unique VLAN to each tenant company (e.g., VLANs 200-214).
2. In Sophos Central, create a single WPA2-Personal SSID named 'CoWork WiFi'.
3. Enable RADIUS VLAN assignment on the SSID.
4. Configure the RADIUS server (Purple's cloud RADIUS or an integrated directory) to store a unique PPSK per tenant and return the appropriate VLAN attributes on authentication.
5. Issue each tenant company their unique PPSK via the Purple portal.
6. On the Sophos Firewall, configure inter-VLAN firewall rules to block all traffic between tenant VLANs. Allow each VLAN access to the internet only.
7. For tenants requiring shared services (e.g., a shared printer), create explicit permit rules for those specific resources only.
Examiner's Commentary: Consolidating from 15 SSIDs to one eliminates the RF overhead of 15 beacon frames per AP per second. PPSK with dynamic VLAN assignment provides the same isolation as separate SSIDs at the network layer. The key risk is RADIUS server availability: if the RADIUS server is unreachable, no tenants can connect. Deploy a secondary Purple RADIUS server and configure it as the fallback in Sophos Central to mitigate this.

Practice Questions

Q1. A retail chain has deployed Sophos AP6 access points across 50 stores. Shoppers report that the Purple splash page takes over 30 seconds to load, or times out completely. The IT team has confirmed that RADIUS authentication is configured correctly. What is the most likely cause and how do you resolve it?

Hint: Consider what happens before the user reaches the authentication step.

Model answer:

The Walled Garden is incomplete. The Sophos Firewall is blocking access to Purple's CSS and JavaScript assets, or to social login CDN domains, before authentication. Enable a packet capture on the Sophos Firewall for the guest VLAN and filter for blocked traffic from unauthenticated clients. Identify the blocked domains and add them to the Walled Garden under Wireless > Hotspot Settings. Also verify that DNS (UDP port 53) is permitted pre-authentication. Without DNS resolution, the device cannot resolve the Purple portal hostname and the redirect fails immediately.
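The triage described in this answer (find the pre-authentication denies, separate hosts that are genuinely missing from the Walled Garden from hosts that are allowlisted yet still blocked, and confirm DNS is open) can be scripted. The following Python is an added example and is not Sophos Firewall or Purple code: the deny-log lines and their key=value layout are constructed for this example and are not the Sophos Firewall's native log format, the '*.social-login.example' and 'static.portal-assets.example' names are placeholders, and the leading '*.' wildcard syntax is an assumption. Only region1.purpleportal.net and venuewifi.com come from the guide.

```python
"""Walled Garden gap check over pre-authentication deny records.
Added example, not Sophos Firewall or Purple code; the log format and
the non-Purple hostnames below are constructed placeholders."""

# Walled Garden as configured on the firewall.  The first two entries come
# from the guide; '*.social-login.example' stands in for the social login
# domains, and the '*.' wildcard syntax is an assumption of this example.
WALLED_GARDEN = [
    "region1.purpleportal.net",
    "venuewifi.com",
    "*.social-login.example",
]

# Constructed records for guest VLAN 100.  auth=none marks a client that
# has not yet passed the captive portal; auth=purple marks one that has.
LOG_LINES = """\
2024-05-01T10:00:01 action=deny src=10.100.0.23 src_vlan=100 auth=none proto=tcp dst_host=region1.purpleportal.net dst_port=443
2024-05-01T10:00:01 action=deny src=10.100.0.23 src_vlan=100 auth=none proto=tcp dst_host=static.portal-assets.example dst_port=443
2024-05-01T10:00:02 action=allow src=10.100.0.23 src_vlan=100 auth=none proto=tcp dst_host=login.social-login.example dst_port=443
2024-05-01T10:00:02 action=deny src=10.100.0.23 src_vlan=100 auth=none proto=udp dst=10.100.0.1 dst_port=53
2024-05-01T10:00:03 action=allow src=10.100.0.51 src_vlan=100 auth=purple proto=tcp dst_host=news.example dst_port=443
"""


def host_allowed(host, allowlist):
    """True if host matches an allowlist entry exactly or via a '*.' wildcard
    (the wildcard also matches the bare domain itself)."""
    host = host.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            if host == entry[2:] or host.endswith(entry[1:]):
                return True
        elif host == entry:
            return True
    return False


def parse_line(line):
    """Turn 'key=value key=value ...' (after the timestamp) into a dict."""
    fields = {}
    for token in line.split()[1:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def walled_garden_gaps(log_text, allowlist):
    """Classify pre-auth denies: hosts missing from the Walled Garden, hosts
    that are allowlisted but still denied (look at rule order or another
    policy), and whether DNS itself is blocked before authentication."""
    missing, allowlisted_but_denied, dns_blocked = set(), set(), False
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") != "deny" or f.get("auth") != "none":
            continue  # only pre-authentication denies affect the portal flow
        if f.get("proto") == "udp" and f.get("dst_port") == "53":
            dns_blocked = True  # no resolution, so the redirect never loads
            continue
        host = f.get("dst_host")
        if not host:
            continue
        (allowlisted_but_denied if host_allowed(host, allowlist) else missing).add(host)
    return {
        "missing": sorted(missing),
        "allowlisted_but_denied": sorted(allowlisted_but_denied),
        "dns_blocked": dns_blocked,
    }


if __name__ == "__main__":
    for key, value in walled_garden_gaps(LOG_LINES, WALLED_GARDEN).items():
        print(f"{key}: {value}")
```

Run against a real capture, the "missing" list is what goes into the Walled Garden; a non-empty "allowlisted_but_denied" list means the Walled Garden is not the rule that is matching, so the firewall rule order needs checking before adding more entries.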

Q2. You are designing a Guest WiFi deployment for a 5,000-seat stadium using Sophos AP6 access points. The venue expects 4,000 concurrent fan connections during events. Should you configure the guest SSID in NAT mode or Bridge mode? Justify your decision.

Hint: Consider the DHCP load generated by 4,000 simultaneous connections.

Model answer:

Bridge mode. At 4,000 concurrent connections, NAT mode would overwhelm the on-board DHCP server of the Sophos APs or the firewall. In Bridge mode, the APs drop guest traffic directly onto a dedicated VLAN, and enterprise DHCP servers handle IP address assignment. This prevents DHCP exhaustion and ensures the Purple platform receives the true client IP address for accurate analytics. Bridge mode also provides higher throughput than NAT mode, which is important for a high-density event environment. Configure a DHCP scope on the core network with sufficient addresses for the expected peak load, plus a 20% buffer.

Q3. Your Purple Analytics dashboard shows the correct number of logins, but all session durations are reported as zero minutes and bandwidth usage is not tracked. The guest portal is working correctly and guests can browse the internet. What configuration element is missing?

Hint: Authentication grants access. What tracks usage after access is granted?

Model answer:

RADIUS accounting is not configured or is being blocked. Authentication on port 1812 grants internet access, but accounting on port 1813 is the mechanism that reports session duration and bandwidth data back to Purple. Check the Sophos Firewall configuration to confirm the accounting server is set to the Purple RADIUS IP on port 1813 with the correct shared secret. Then verify that UDP port 1813 is not blocked by any intermediate ACL or firewall rule between the Sophos Firewall and Purple's cloud RADIUS servers. Use a packet capture to confirm accounting packets are leaving the Sophos Firewall and receiving responses.
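To see why missing accounting shows up as zero-minute sessions, the following Python is an added example (not Purple's or Sophos's own code) that reconciles a stream of RADIUS accounting events into per-session duration and byte counts the way an analytics pipeline would, and flags sessions whose accounting has gone silent. The events are constructed and already decoded; the attribute names follow RFC 2866, and the 120-second interim interval matches the hotel worked example above.

```python
"""Reconcile RADIUS accounting events into per-session usage and flag
sessions whose accounting never arrived or stopped arriving.
Added example, not Purple or Sophos code; events below are constructed."""
from datetime import datetime, timedelta

EVENTS = [
    # Session A1: Start, one Interim-Update, then Stop (healthy).
    {"Acct-Session-Id": "A1", "Acct-Status-Type": "Start", "User-Name": "guest-a",
     "Event-Timestamp": "2024-05-01T10:00:00"},
    {"Acct-Session-Id": "A1", "Acct-Status-Type": "Interim-Update", "Acct-Session-Time": 120,
     "Acct-Input-Octets": 1_500_000, "Acct-Output-Octets": 200_000,
     "Event-Timestamp": "2024-05-01T10:02:00"},
    {"Acct-Session-Id": "A1", "Acct-Status-Type": "Stop", "Acct-Session-Time": 300,
     "Acct-Input-Octets": 4_000_000, "Acct-Output-Octets": 600_000,
     "Acct-Terminate-Cause": "User-Request", "Event-Timestamp": "2024-05-01T10:05:00"},
    # Session B2: only a Start ever arrived, so duration stays zero (the Q3 symptom).
    {"Acct-Session-Id": "B2", "Acct-Status-Type": "Start", "User-Name": "guest-b",
     "Event-Timestamp": "2024-05-01T10:00:10"},
    # Session C3: interim updates stopped mid-session.
    {"Acct-Session-Id": "C3", "Acct-Status-Type": "Start", "User-Name": "guest-c",
     "Event-Timestamp": "2024-05-01T10:00:20"},
    {"Acct-Session-Id": "C3", "Acct-Status-Type": "Interim-Update", "Acct-Session-Time": 120,
     "Acct-Input-Octets": 800_000, "Acct-Output-Octets": 100_000,
     "Event-Timestamp": "2024-05-01T10:02:20"},
]


def reconcile(events, now_iso, interim_interval=120):
    """Return {session_id: summary}.  Duration and octets come from the most
    recent Interim-Update or Stop (a Start carries no usage).  A session with
    only a Start is 'start_only'; one with no update for more than two
    interim intervals and no Stop is 'stale'; a stopped session is 'ok'."""
    now = datetime.fromisoformat(now_iso)
    sessions = {}
    for ev in sorted(events, key=lambda e: e["Event-Timestamp"]):
        s = sessions.setdefault(ev["Acct-Session-Id"], {
            "user": ev.get("User-Name"), "duration": 0, "octets": 0,
            "closed": False, "last_seen": None})
        s["last_seen"] = datetime.fromisoformat(ev["Event-Timestamp"])
        if ev["Acct-Status-Type"] in ("Interim-Update", "Stop"):
            s["duration"] = ev.get("Acct-Session-Time", s["duration"])
            s["octets"] = ev.get("Acct-Input-Octets", 0) + ev.get("Acct-Output-Octets", 0)
        if ev["Acct-Status-Type"] == "Stop":
            s["closed"] = True
    for s in sessions.values():
        if s["closed"]:
            s["status"] = "ok"
        elif s["duration"] == 0:
            s["status"] = "start_only"
        elif now - s["last_seen"] > timedelta(seconds=2 * interim_interval):
            s["status"] = "stale"
        else:
            s["status"] = "live"
    return sessions


def silent_sessions(summary):
    """Session ids whose accounting is missing or stale.  When this is most
    of the login population, accounting (UDP/1813) is not reaching the
    server, even though authentication (UDP/1812) clearly works."""
    return sorted(sid for sid, s in summary.items()
                  if s["status"] in ("start_only", "stale"))


if __name__ == "__main__":
    summary = reconcile(EVENTS, "2024-05-01T10:10:00")
    for sid, s in summary.items():
        print(sid, s["user"], s["status"], f"{s['duration']}s", f"{s['octets']} bytes")
    print("silent:", silent_sessions(summary))
```

The "start_only" case is exactly the dashboard symptom in Q3: the login is counted (the Start, or the Access-Accept, was seen) but no Interim-Update or Stop ever delivers Acct-Session-Time, so the duration stays at zero.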

Q4. A coworking space operator wants to use Sophos PPSK to give each of their 20 tenant companies an isolated network segment. After configuration, all PPSK users connect successfully but all land on the same VLAN regardless of which PPSK they use. What is the most likely cause?

Hint: Think about what the RADIUS server needs to return and what the AP needs to accept.

Model answer:

There are two likely causes. First, the RADIUS server is not returning the correct VLAN attributes in the Access-Accept message. Verify that the RADIUS server returns Tunnel-Type = 13 (VLAN), Tunnel-Medium-Type = 6 (IEEE-802), and Tunnel-Private-Group-ID = the correct VLAN ID for each PPSK. Second, RADIUS VLAN assignment may not be enabled on the SSID in Sophos Central. Navigate to the SSID's Advanced Settings and confirm that RADIUS VLAN assignment is toggled on. Use a RADIUS debug log or packet capture to inspect the Access-Accept messages and confirm the VLAN attributes are present and correctly formatted.
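Both the coworking worked example above and this answer hinge on the same three RFC 2868 tunnel attributes. The following Python is an added example and is not Sophos, Purple or Purple RADIUS code: it builds an Access-Accept carrying Tunnel-Type = 13, Tunnel-Medium-Type = 6 and Tunnel-Private-Group-ID, checks the Response Authenticator against the shared secret, and then applies the acceptance logic an access point performs before it honours the VLAN, including the tag-byte handling that is the usual cause of "attributes present but ignored". The shared secret, Request Authenticator and VLAN ids are placeholders, and the leniency towards untagged attributes is an assumption of this example.

```python
"""Dynamic VLAN assignment over RADIUS: build and verify an Access-Accept
with RFC 2868 tunnel attributes, then extract the VLAN as a NAS would.
Added example, not Sophos or Purple code; secret and VLAN ids are placeholders."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2            # RADIUS packet code, RFC 2865
TUNNEL_TYPE = 64             # attribute types, RFC 2868
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6
TUNNEL_FIELDS = {TUNNEL_TYPE: ("type", True), TUNNEL_MEDIUM_TYPE: ("medium", True),
                 TUNNEL_PRIVATE_GROUP_ID: ("group", False)}


def encode_attr(attr_type, value):
    """Attribute-Value Pair: 1-byte type, 1-byte length (header included), value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def vlan_attrs(vlan_id, tag=1):
    """The three attributes that place a client on a VLAN.  Tunnel attributes
    carry a 1-byte tag (0x01..0x1F) in front of the value; for integer
    attributes the tag occupies the high byte of the 4-byte field."""
    def tagged_int(n):
        return bytes([tag]) + struct.pack("!I", n)[1:]
    return (encode_attr(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + encode_attr(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802))
            + encode_attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def build_access_accept(ident, request_auth, secret, attrs):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_access_accept(packet, request_auth, secret):
    """Reject a response that was not produced with the shared secret."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_attrs(data):
    """Split the attribute section into (type, raw value) pairs."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def _tunnel_value(raw, integer):
    """Return (tag, value).  RFC 2868: a first byte in 0x01..0x1F is a tag and
    0x00 means untagged; for strings a first byte above 0x1F is data."""
    if len(raw) < (4 if integer else 1):
        return 0, None
    if integer:
        return raw[0], int.from_bytes(raw[1:4], "big")
    if raw[0] <= 0x1F:
        return raw[0], raw[1:]
    return 0, raw


def assigned_vlan(attrs):
    """VLAN id the AP should apply, or None when the triple is absent or
    inconsistent (the Q4 symptom: every client lands on the default VLAN).
    Attributes sharing a tag form one group; untagged attributes fill any
    group (a leniency assumed here, real NAS implementations vary)."""
    by_tag = {}
    for attr_type, raw in attrs:
        if attr_type in TUNNEL_FIELDS:
            name, is_int = TUNNEL_FIELDS[attr_type]
            tag, value = _tunnel_value(raw, is_int)
            by_tag.setdefault(tag, {})[name] = value
    untagged = by_tag.pop(0, {})
    groups = [{**untagged, **by_tag[t]} for t in sorted(by_tag)] or [untagged]
    for parts in groups:
        if parts.get("type") == TUNNEL_TYPE_VLAN and parts.get("medium") == TUNNEL_MEDIUM_IEEE802:
            group = parts.get("group") or b""
            if group.isdigit() and 1 <= int(group) <= 4094:
                return int(group)
    return None


if __name__ == "__main__":
    secret, req_auth = b"placeholder-shared-secret", bytes(16)
    pkt = build_access_accept(7, req_auth, secret, vlan_attrs(203))
    print("authenticator ok:", verify_access_accept(pkt, req_auth, secret))
    print("assigned VLAN:", assigned_vlan(decode_attrs(pkt[20:])))
```

When inspecting a capture, compare the Access-Accept against this logic: a Tunnel-Private-Group-ID whose first byte is a printable digit is untagged, a Tunnel-Type whose value bytes decode to something other than 13, or a medium other than 6, means the AP will ignore the whole group, and a group id outside 1-4094 is silently dropped here just as it is on most NAS implementations.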