Skip to main content
English (UK)
Pricing

TP-Link Omada and Purple WiFi for SMB Deployments

This authoritative guide provides IT managers and network architects with a definitive blueprint for integrating TP-Link Omada access points with Purple's cloud RADIUS infrastructure. It covers architectural design, step-by-step captive portal configuration, Walled Garden requirements, and a commercial comparison against UniFi for SMB deployments.

📖 6 min read📝 1,477 words🔧 2 examples3 questions📚 8 key terms

🎧 Listen to this Guide

View Transcript
TP-Link Omada and Purple WiFi for SMB Deployments — Podcast Script Approximate runtime: 10 minutes | UK English voice | Consultant briefing tone --- [INTRO & CONTEXT — approximately 1 minute] Welcome. If you're evaluating WiFi infrastructure for a small or medium-sized business — whether that's a boutique hotel, a retail chain, a conference centre, or a public-sector venue — this briefing is for you. Today we're covering TP-Link Omada access points integrated with Purple's guest WiFi platform. Specifically: does it work, how do you configure it, when does it make more sense than UniFi, and what are the limits you need to know about before you commit. I'll keep this tight and practical. No fluff. Let's get into it. --- [TECHNICAL DEEP-DIVE — approximately 5 minutes] First, the headline: yes, Purple fully supports TP-Link Omada. It's on Purple's official supported hardware list, and there's a documented configuration path for both Omada Controller v3 and v4 plus. If you're running the current software — which you should be — you're working with v4 plus. Now, how does the integration actually work? Purple uses an External RADIUS Server model combined with an External Web Portal. That's the key architectural point. The Omada controller doesn't do the authentication itself — it delegates that entirely to Purple's cloud RADIUS infrastructure. This is actually a strength, not a limitation, because it means Purple handles all the identity management, data capture, GDPR compliance, and analytics on its side, while Omada handles what it's good at: radio management, roaming, and network control. Let me walk you through the three configuration steps. Step one is wireless settings. You create a new SSID — call it Guest WiFi or whatever fits your venue branding. You enable Guest Network mode, set security to None — because the authentication is handled at the portal layer, not the wireless layer — and apply dual-band across 2.4 and 5 gigahertz. Step two is the guest portal configuration. This is where the integration lives. In the Wireless Control tab, you add a new portal and set the Authentication Type to External RADIUS Server. You then input Purple's RADIUS server IP address and secret, which you get from your Purple dashboard. Port 1812 for authentication, port 1813 for accounting. You set the Authentication Mode to PAP, enable RADIUS Accounting with an interim update interval of 120 seconds, and critically, you set Portal Customisation to External Web Portal and paste in Purple's access URL. That URL is what redirects the guest to Purple's branded splash page. Step three is the walled garden. This is often overlooked and it's where deployments break. Before a guest authenticates, their device needs to be able to reach Purple's servers to load the splash page. You do this by adding Purple's domains to the Pre-Authentication Access List under Access Control. Purple maintains a published list of these domains — you need all of them, not just the obvious ones. For venues that want to go further — specifically, enabling Purple's SecurePass or Passpoint functionality for seamless reconnection — there's an additional configuration step. You create a separate RADIUS profile pointing at Purple's secure WiFi servers, create a WPA-Enterprise SSID called PurpleConnex, enable Hotspot 2.0, and configure the NAI realm as securewifi.purple.ai with EAP-TTLS authentication. This is the path to passwordless, profile-based reconnection for returning guests — no splash page on subsequent visits. Now, a word on the Omada controller itself. You have three deployment options: software controller running on a local server or VM, the OC200 or OC300 hardware controller appliance, or Omada Cloud — which is TP-Link's hosted cloud management platform and is free. For most SMB deployments, the cloud option is the right call. It removes the single point of failure of a local controller, and it costs nothing. The only reason to go local is if you have strict data residency requirements or an unreliable internet connection at the site. One important architectural note: the Omada controller must remain reachable for ongoing network management, but the RADIUS authentication path goes directly from the access point to Purple's cloud servers. So if your controller goes offline temporarily, existing authenticated sessions stay up — it's only new authentications and network changes that are affected. --- [OMADA VS UNIFI — part of the technical deep-dive] Let's address the Omada versus UniFi question directly, because it comes up constantly. Hardware cost is the most obvious difference. Omada access points are consistently 15 to 30 percent cheaper than comparable UniFi hardware. A WiFi 6 ceiling-mount AP from Omada — the EAP670, for example — retails around 130 to 150 US dollars. The equivalent UniFi U6 Pro sits at 179 dollars. Multiply that across 20 or 30 access points in a mid-sized venue and you're talking about a meaningful budget difference. Cloud management is another differentiator. Omada Cloud is free, permanently. UniFi's cloud management — UniFi Cloud — requires a subscription at 29 US dollars per site per month, or you self-host the Network Application. For MSPs managing multiple SMB sites, that subscription cost adds up quickly. Where UniFi wins is ecosystem maturity and feature depth. UniFi has a more polished management interface, a broader hardware range including cameras and access control, and a larger community producing documentation and integrations. If your client is already deep in the UniFi ecosystem, there's no compelling reason to migrate. For a greenfield SMB deployment where budget is the primary constraint, Omada is the right call. For a venue that needs a unified security and networking platform with cameras, door access, and VoIP all in one pane of glass, UniFi's ecosystem advantage becomes relevant. The good news: Purple works equally well on both. The RADIUS integration path is identical. So your Purple investment is hardware-agnostic. --- [IMPLEMENTATION RECOMMENDATIONS & PITFALLS — approximately 2 minutes] A few things I see go wrong in Omada plus Purple deployments. The most common issue is an incomplete walled garden. If you don't whitelist all of Purple's required domains, guests on iOS devices will see a broken captive portal — the Captive Network Assistant on iOS is particularly unforgiving about this. Always cross-reference Purple's published walled garden list and test with an iPhone before you sign off on a deployment. The second pitfall is HTTPS redirect. Leave it disabled. Purple's portal flow requires HTTP redirect to intercept the initial connection. Enabling HTTPS redirect on the Omada portal breaks the splash page redirect chain. Third: NAS ID. Set it to something meaningful — typically the venue name or SSID name. This value appears in Purple's RADIUS accounting logs and makes troubleshooting significantly easier when you're trying to identify which site or SSID a session came from. Fourth: interim update interval. Set it to 120 seconds for the standard captive portal, and 240 seconds for the SecurePass RADIUS profile. This controls how frequently session accounting data is sent to Purple. Too long and you lose granularity in the analytics. Too short and you're generating unnecessary RADIUS traffic. Finally: controller reachability. If you're using the OC200 hardware controller on-site, make sure it's on a UPS. A controller reboot during peak hours won't drop existing sessions, but it will prevent new authentications until it comes back up. --- [RAPID-FIRE Q&A — approximately 1 minute] Does Purple work with TP-Link Omada? Yes. Fully supported, documented configuration available. Do I need a paid Purple plan? No. The Connect plan is free and supports the full RADIUS captive portal integration with Omada. You get branded splash pages, network analytics, and GDPR-compliant data handling at zero cost. Can I run multiple SSIDs — one for guests and one for staff — on the same Omada deployment? Yes. Create separate SSIDs: guest SSID using Purple's External RADIUS portal, staff SSID using WPA2 or WPA3-Enterprise against your Active Directory or Entra ID via Purple's SAML connector. What's the maximum number of concurrent users Omada APs support? It varies by model. The EAP670 supports up to 574 concurrent clients. For high-density venues like conference centres or stadiums, look at the EAP660 HD which is purpose-built for dense deployments. Is the integration PCI DSS compliant? The guest network isolation — enforced by Omada's Guest Network mode — combined with Purple's GDPR-compliant data handling gives you a solid compliance baseline. For full PCI DSS scope, you'll need to ensure the guest VLAN is properly segmented from any cardholder data environment. --- [SUMMARY & NEXT STEPS — approximately 1 minute] To wrap up: TP-Link Omada and Purple is a well-supported, cost-effective combination for SMB guest WiFi deployments. The hardware cost advantage over UniFi is real and meaningful at scale. The integration is straightforward if you follow the three-step configuration — SSID, portal with External RADIUS, and walled garden. The most common failure points are the walled garden and HTTPS redirect settings, both of which are easy to get right if you know to look for them. For next steps: if you're evaluating this for a client, start with Purple's free Connect plan — there's no financial risk. Spin up an Omada Cloud account, deploy a single EAP650 or EAP670 as a proof of concept, and run through the configuration. You'll have a working captive portal in under an hour. If you're ready to go further — data capture, CRM integration, behavioural analytics — that's where Purple's Capture and Engage plans come in. But start with Connect, prove the value, and scale from there. Thanks for listening. If you found this useful, there's a full written guide with configuration tables, architecture diagrams, and worked examples available at purple.ai. --- END OF SCRIPT

header_image.png

Executive Summary

For SMBs in Hospitality , Retail , and public venues, delivering secure, branded Guest WiFi is no longer a luxury—it is an operational requirement. Historically, IT managers have faced a difficult choice: deploy expensive, enterprise-grade hardware like UniFi, or compromise on security and analytics with consumer-grade access points. TP-Link Omada fundamentally changes this equation. By combining Omada's cost-effective, cloud-managed hardware with Purple's enterprise-grade authentication and WiFi Analytics , venue operators can achieve a secure, scalable network architecture at a fraction of the traditional cost.

This technical reference guide provides a definitive blueprint for deploying TP-Link Omada access points with Purple's cloud RADIUS infrastructure. We will examine the architectural integration, detail the specific configuration parameters required for a seamless captive portal experience, and provide a candid cost-benefit analysis comparing Omada to UniFi for SMB deployments. This is a practical, vendor-neutral implementation guide designed for senior IT professionals and network architects who need actionable guidance to deploy robust guest networks this quarter.

Technical Deep-Dive

The integration between TP-Link Omada and Purple relies on a standard External RADIUS Server architecture combined with an External Web Portal redirect. This decoupling of the radio access network from the identity management plane is a fundamental principle of modern Internet of Things Architecture: A Complete Guide .

Architectural Overview

In a standard deployment, the Omada Access Point (e.g., EAP670 or EAP650) handles the RF environment, client association, and roaming. However, it does not handle authentication. When a client device connects to the guest SSID, the Omada controller intercepts the connection and redirects the user's browser to Purple's hosted splash page.

captive_portal_flow.png

Once the user submits their credentials (or accepts the terms of service) on the Purple portal, Purple's cloud infrastructure acts as the RADIUS server. It sends an Access-Accept message back to the Omada controller, which then authorises the MAC address of the client device on the local network. Purple also handles all RADIUS Accounting, tracking session duration and data usage for analytics and compliance purposes.

Omada Controller Options

The Omada Software Defined Networking (SDN) platform requires a controller to manage the access points and handle the captive portal redirection. You have three primary deployment models:

  1. Omada Cloud-Based Controller: Hosted entirely by TP-Link. This is the recommended approach for most SMB deployments as it removes the need for on-site controller hardware and provides high availability.
  2. Hardware Controller (OC200/OC300): A physical appliance installed on the local network. Suitable for environments with unreliable WAN links where local management is critical.
  3. Software Controller: Installed on a local server or VM (Windows or Linux).

Crucially, the Omada controller must remain online to process new guest authentications. If the controller goes offline, existing authenticated sessions will remain active, but new clients will be unable to load the captive portal.

Implementation Guide

Deploying Purple on an Omada v4+ controller requires configuring three distinct components: the Wireless Network, the Guest Portal, and the Walled Garden.

Step 1: Wireless Settings Configuration

The foundation is a dedicated SSID configured for guest access without local encryption.

  1. Navigate to Wireless Settings in the Omada controller and click Add.
  2. Define the SSID (e.g., "Guest WiFi").
  3. Enable the Guest Network toggle. This is critical as it enables Layer 2 client isolation, preventing guests from communicating with each other or accessing local corporate resources—a mandatory requirement for PCI DSS compliance.
  4. Set Security Mode to None. Authentication will be handled at Layer 7 via the captive portal, not Layer 2.
  5. Apply the settings across both 2.4GHz and 5GHz bands.

Step 2: Guest Portal and RADIUS Configuration

This step binds the Omada controller to Purple's cloud infrastructure.

  1. Navigate to Wireless Control > Portal and click Add a New Portal.
  2. Select the SSID created in Step 1.
  3. Set Authentication Type to External RADIUS Server.
  4. Configure the Primary RADIUS Server:
    • RADIUS Server IP: Provided in your Purple dashboard.
    • RADIUS Port: 1812
    • RADIUS Password: Your unique Purple RADIUS secret.
    • Authentication Mode: PAP
  5. Enable RADIUS Accounting:
    • Accounting Server IP: Provided in your Purple dashboard.
    • Accounting Server Port: 1813
    • Accounting Server Password: Your unique Purple RADIUS secret.
  6. Enable Interim Update and set the interval to 120 seconds. This ensures accurate session tracking.
  7. Under Portal Customization, select External Web Portal.
  8. Input the External Web Portal URL provided by Purple.

Critical Note: Ensure HTTPS Redirect is set to Disable. The initial captive portal intercept relies on HTTP. Enabling HTTPS redirect at the controller level will break the splash page load process.

Step 3: Walled Garden (Pre-Authentication Access)

The Walled Garden is the most common point of failure in guest WiFi deployments. Before a user authenticates, their device must be able to resolve and reach Purple's servers to load the splash page and process social logins.

  1. Navigate to the Access Control header within the Portal settings.
  2. Enable Pre-authentication Access.
  3. Add every domain listed in Purple's official Walled Garden whitelist. This includes Purple's core domains, CDN endpoints, and domains required for social login providers (Facebook, Google, X).
  4. Failure to configure this correctly will result in the Captive Network Assistant (CNA) on iOS and Android failing to render the page.

Best Practices

To ensure a robust and compliant deployment, adhere to the following industry-standard recommendations:

  • VLAN Segmentation: Always place the guest SSID on a dedicated VLAN, completely isolated from corporate traffic, Point of Sale (POS) systems, and management interfaces. This mitigates risk and simplifies compliance auditing.
  • Bandwidth Rate Limiting: Implement rate limiting on the guest SSID (e.g., 5 Mbps down / 1 Mbps up per client) to prevent a single user from saturating the WAN link and impacting business operations.
  • SecurePass Integration: For venues with high repeat visitor rates, configure Purple's SecurePass (WPA-Enterprise with Hotspot 2.0). This allows returning guests to authenticate automatically via a profile, bypassing the captive portal entirely for a frictionless experience.
  • Controller High Availability: If using an on-premise hardware controller (OC200), ensure it is connected to an Uninterruptible Power Supply (UPS). A controller reboot will halt new authentications.

Troubleshooting & Risk Mitigation

When deploying third-party captive portals, specific failure modes frequently arise. Here is how to address them:

iOS Captive Network Assistant (CNA) Fails to Load

If Apple devices connect to the WiFi but the splash page does not automatically pop up, the issue is almost always an incomplete Walled Garden. The iOS CNA attempts to reach specific Apple endpoints (e.g., captive.apple.com) to detect internet access. If these are blocked, or if Purple's CDN domains are missing from the Pre-Authentication Access list, the page will fail to render. Verify the whitelist against Purple's current documentation.

Sessions Not Appearing in Analytics

If users can authenticate and access the internet, but their session data (duration, bandwidth) is missing from the Purple dashboard, verify the RADIUS Accounting configuration. Ensure the Accounting Port is set to 1813, the secret matches exactly, and the Interim Update interval is enabled and set to 120 seconds.

Authentication Timeouts

If the portal loads but users receive a timeout error upon clicking 'Connect', the Omada controller is failing to reach the Purple RADIUS server on port 1812. Verify outbound firewall rules on your edge router to ensure UDP ports 1812 and 1813 are open to Purple's IP addresses.

ROI & Business Impact

For IT directors and CTOs, the decision to deploy Omada hardware with Purple software is fundamentally a commercial one. How does this architecture compare to alternatives, and what is the expected return on investment?

The Omada vs. UniFi Decision

omada_vs_unifi_comparison.png

Ubiquiti's UniFi platform is the incumbent leader in the SMB space. However, TP-Link Omada offers a compelling financial advantage without sacrificing core functionality.

  • Capital Expenditure (CapEx): Omada access points (e.g., EAP670) are typically 15-30% less expensive than their UniFi equivalents (e.g., U6 Pro). In a 50-AP deployment, this represents thousands of pounds in hardware savings.
  • Operational Expenditure (OpEx): TP-Link offers the Omada Cloud controller for free. UniFi's official cloud hosting requires a monthly subscription per site.
  • Integration: Both platforms support External RADIUS and integrate seamlessly with Purple.

For a feature-rich, unified ecosystem that includes cameras and door access, UniFi remains superior. However, for a pure-play wireless deployment focused on cost-efficiency and reliable guest access, Omada delivers exceptional value.

Measuring Success

Deploying Purple Connect (the free tier) on Omada hardware provides immediate ROI by reducing the IT support burden associated with managing guest passwords. To understand the broader commercial impact of upgrading to paid tiers for data capture and marketing automation, review our comprehensive analysis: Why Use WiFi Marketing? The Business Case With Real Data .

By leveraging Omada's cost-effective hardware, venues can reallocate budget from infrastructure CapEx toward software solutions that actively drive revenue, transforming the network from a cost centre into a marketing asset.

Key Terms & Definitions

External RADIUS Server

A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management. In this context, Purple acts as the RADIUS server, verifying users and instructing the Omada controller to grant network access.

IT teams use this architecture to decouple identity management from local network hardware, enabling cloud-based analytics and compliance.

Captive Portal

A web page that a user of a public-access network is obliged to view and interact with before access is granted.

This is the primary touchpoint for data capture and brand engagement in guest WiFi deployments.

Walled Garden (Pre-Authentication Access)

A limited environment that controls the user's access to web content and services before they have fully authenticated on the network.

Crucial for allowing devices to reach the splash page hosted on Purple's servers and to communicate with social login providers like Google or Facebook before internet access is granted.

Captive Network Assistant (CNA)

The pseudo-browser built into mobile operating systems (like iOS and Android) that automatically detects captive portals and pops up the login screen.

IT teams must ensure the Walled Garden is perfectly configured, as the CNA is highly sensitive to blocked resources and will fail silently if it cannot reach necessary endpoints.

RADIUS Accounting

The process of tracking network resource consumption by users, including session duration and bytes transferred.

Essential for generating accurate analytics in the Purple dashboard and for enforcing bandwidth or time limits on guest sessions.

Layer 2 Isolation (Guest Network Mode)

A security feature that prevents devices connected to the same wireless network from communicating directly with each other.

A mandatory requirement for public networks to prevent lateral movement of malware and to comply with security standards like PCI DSS.

Interim Update Interval

The frequency at which the network controller sends accounting data updates to the RADIUS server during an active session.

Setting this to 120 seconds ensures Purple has near real-time data on user sessions without overwhelming the network with RADIUS traffic.

Passpoint (Hotspot 2.0)

A standard that enables mobile devices to automatically discover and connect to Wi-Fi networks securely without requiring a captive portal login.

Used by Purple's SecurePass feature to provide a frictionless, secure (WPA-Enterprise) connection for returning guests, improving the user experience and increasing connection rates.

Case Studies

A 150-room boutique hotel needs to deploy guest WiFi across all bedrooms and public areas. They have a strict budget but require GDPR-compliant data capture and seamless roaming. They are evaluating UniFi U6 Pro vs TP-Link Omada EAP670.

The hotel should deploy 40 TP-Link Omada EAP670 access points managed via the free Omada Cloud Controller. They will configure a 'Guest WiFi' SSID with no Layer 2 security, relying on Purple's External RADIUS integration for authentication. They must implement a strict Walled Garden to allow pre-authentication access to Purple's splash pages. The guest network will be placed on an isolated VLAN.

Implementation Notes: This approach reduces hardware CapEx by approximately 20% compared to UniFi, while eliminating recurring controller hosting fees. By delegating authentication to Purple, the hotel achieves enterprise-grade compliance and data capture capabilities on cost-effective hardware. The critical success factor is ensuring the Walled Garden is comprehensive to prevent iOS captive portal failures.

A retail chain with 20 small footprint stores wants to offer free WiFi to customers to capture email addresses for their loyalty program. They currently have unmanaged consumer routers in each store and no centralized IT support.

Deploy a single TP-Link Omada EAP650 access point in each store, connected to an Omada Cloud Controller for centralized management. Configure Purple's 'Connect' or 'Capture' tier via External RADIUS. Implement bandwidth rate limiting (e.g., 5Mbps down/1Mbps up) on the guest SSID to protect the stores' limited WAN connections, which are also used for Point of Sale (POS) systems.

Implementation Notes: The Omada Cloud Controller is essential here, providing a single pane of glass for all 20 sites without requiring on-premise hardware. The bandwidth rate limiting is a crucial risk mitigation step; without it, a single guest downloading a large file could disrupt POS transactions. Purple handles the complex task of GDPR-compliant data capture across multiple distributed locations.

Scenario Analysis

Q1. A venue reports that users can connect to the guest WiFi and browse the internet, but no session data or analytics are appearing in the Purple dashboard. What is the most likely configuration error on the Omada controller?

💡 Hint:Think about the specific RADIUS protocol responsible for tracking usage, not just granting access.

Show Recommended Approach

The RADIUS Accounting configuration is likely incorrect or disabled. The IT team should verify that Accounting is enabled, the Accounting Server IP is correct, the Accounting Port is set to 1813, and the Interim Update interval is set to 120 seconds.

Q2. During a pilot deployment, Android devices successfully load the Purple splash page, but iOS devices show a blank screen and drop the WiFi connection. How should the network architect resolve this?

💡 Hint:iOS and Android handle captive portal detection differently. iOS relies heavily on specific domains being reachable before authentication.

Show Recommended Approach

The network architect must update the Pre-Authentication Access List (Walled Garden) on the Omada controller. The iOS Captive Network Assistant (CNA) is failing because it cannot reach required Apple domains or Purple CDN endpoints. They must cross-reference their configuration with Purple's official Walled Garden whitelist.

Q3. A client wants to migrate from an expensive, subscription-based cloud managed WiFi solution to TP-Link Omada to save on OpEx, but they are concerned about losing the enterprise-grade analytics they currently rely on. What is the recommended architecture?

💡 Hint:How can you separate the hardware management plane from the analytics and identity plane?

Show Recommended Approach

The client should deploy TP-Link Omada access points managed by the free Omada Cloud Controller to eliminate hardware subscription fees. They should then integrate this with Purple WiFi via an External RADIUS configuration. This architecture provides cost-effective hardware management while retaining enterprise-grade analytics, data capture, and CRM integration through the Purple platform.

About us
Careers
B Corp Report
Plans
Guest WiFi Features
Guest WiFi Pricing
Professional Services
Book a Demo
Passwordless WiFi
RADIUS-as-a-Service
WPA-Enterprise
Captive Portal Software
Multi-Tenant WiFi
Staff WiFi
Solutions
WiFi for Marketing Teams
WiFi for IT & Network Teams
WiFi for Small Business
WiFi Marketing & Analytics
Passwordless Onboarding
Industries
WiFi for Hospitality
WiFi for Hotels
WiFi for Retail
WiFi for Healthcare
WiFi for Higher Education
WiFi for Stadiums
WiFi for Restaurants
WiFi for Corporate Offices
Browse all industries
Policies
Legal
Privacy policy
Terms of use
My data
Cookie policy
Standard SLA
Resources
WiFi blog
WiFi guides
WiFi glossary
Case studies
All resources
ROI Calculator
Pricing Calculator
Access Point Calculator
Guest WiFi Feature Checklist
WiFi Tools
Purple Support
Whatsapp
© 2026 Purple. All Rights Reserved.
Manage Cookie Preferences