
WatchGuard Firebox Integration with Purple WiFi: Setup and Configuration Guide

This guide is a step-by-step integration playbook for IT managers and network architects deploying WatchGuard Firebox and Access Points with Purple. It covers external captive portal redirection for Guest WiFi, secure 802.1X authentication for Staff WiFi, and multi-tenant segmentation using WatchGuard Private Pre-Shared Keys (PPSK) with dynamic VLAN steering - giving you a single, unified architecture across all access tiers.


Podcast transcript
Welcome to the integration briefing. Today we are covering the WatchGuard Firebox and Access Point integration with Purple WiFi. This is a technical playbook for IT managers, network architects, and venue operations directors who need to deploy secure, scalable wireless infrastructure. We will be looking at Guest WiFi captive portals, Secure Staff WiFi using 802.1X, and Multi-Tenant segmentation using WatchGuard Private Pre-Shared Keys, or PPSK. Let's get straight into the context.

When you are managing a complex venue, say a stadium, a large retail centre, or a multi-dwelling unit, you need precise control over who accesses the network and what they can do once connected. You also need to capture first-party data to drive marketing revenue. WatchGuard provides the unified security platform and the hardware. Purple provides the cloud overlay, the identity management, and the analytics. By integrating the two, you automate identity-based access control. You eliminate the need for separate guest and staff gateways, which reduces hardware expenditure and simplifies management. Purple currently serves over 80,000 live venues and has processed 440 million logins in 2024 alone, so the platform is built to handle the scale of any venue you are likely to be managing.

Let's move into the technical deep-dive. The architecture relies on standard RADIUS protocols and HTTP redirection. We have three main access tiers. First, Guest WiFi. This is an open SSID. The WatchGuard AP intercepts HTTP requests and redirects the user to Purple's hosted splash page. Second, Staff WiFi. This is a secure WPA3-Enterprise SSID using 802.1X. Devices authenticate directly against Purple's RADIUS servers using EAP-TLS or PEAP. Third, Multi-Tenant WiFi. This uses WatchGuard PPSK. Multiple users connect to a single SSID, but each uses a unique password. The WatchGuard AP queries Purple's RADIUS server, which then dynamically assigns a VLAN based on that specific key.

So, how do we configure the Guest WiFi captive portal? Step one is setting up the RADIUS server in WatchGuard Cloud or the Firebox Policy Manager. You point the primary RADIUS server to Purple's IP address for your region. Authentication is on port 1812, accounting on port 1813. You enter the shared secret provided by Purple, and crucially, you ensure the NAS ID matches the MAC address of the Firebox or AP. This tells Purple which venue the request is coming from.

Step two is the captive portal redirection itself. In the SSID settings, you select Third-Party Hosted Captive Portal with RADIUS Authentication. You enter the Purple splash page URL, and you enter the portal shared secret. This is a specific secret generated in the Purple Analyze dashboard, and it is used to create an HMAC digest to validate authentication requests. The HMAC-SHA1 algorithm ensures that the authentication success message from Purple is genuine and has not been tampered with in transit.

Step three, and this is where many deployments stumble, is the Walled Garden. If you do not configure this, the device cannot load the splash page. You must allow access to star dot mypurple dot com, api dot mypurple dot com, and cdn dot mypurple dot com before login. If you are using social logins like Microsoft Entra ID or Google Workspace, you need to add those identity provider domains too. Think of the Walled Garden as the pre-authentication lobby. Without it, the guest cannot even reach the front door.

Now, let's look at Multi-Tenant segmentation with WatchGuard PPSK. If you manage a retail centre with 15 shops, broadcasting 15 different SSIDs is a poor approach. It causes co-channel interference, it clutters the airspace, and it creates a management overhead. PPSK solves this elegantly. You broadcast one SSID, say Centre-Retail. You enable Private Pre-Shared Key in the WatchGuard SSID settings, which requires firmware version 2.6 or higher on your WatchGuard Access Points. In Purple, you create unique keys, one per tenant. To isolate the traffic, you use Dynamic VLAN Assignment. In WatchGuard Cloud, you set the VLAN to Dynamic VLAN assigned by RADIUS. When a shop connects a device using their specific key, the AP sends an Access-Request to Purple's RADIUS server. Purple validates the key and sends back an Access-Accept packet with three vital IETF RADIUS attributes. Tunnel-Type, which is attribute 64, set to VLAN. Tunnel-Medium-Type, attribute 65, set to 802. And Tunnel-Private-Group-ID, attribute 81, set to the assigned VLAN ID, for example VLAN 100 for Retail Tenant A. The WatchGuard AP then places that device onto VLAN 100, completely isolated from the other tenants. This is Identity-Based Networking in practice.

Let's discuss implementation recommendations and common pitfalls. First, session timeouts. Configure strict session timeouts in both Purple and WatchGuard to force re-authentication. This keeps your analytics accurate and ensures stale sessions do not consume bandwidth. Set your RADIUS Interim-Update intervals to 10 minutes. Second, firmware. You must ensure your WatchGuard Access Points are running firmware version 2.6 or higher to support PPSK. Earlier firmware versions do not support this feature. Third, MAC randomisation. Modern devices randomise their MAC addresses by default. For your secure Staff WiFi network, educate your staff to disable this feature for that specific SSID to ensure stable 802.1X authentication. MAC randomisation can cause authentication failures and inconsistent analytics data.

What happens when things go wrong? If the captive portal fails to load, check the Walled Garden first. If the device cannot resolve DNS or reach the Purple servers, it will show a timeout error rather than the splash page. If VLAN steering fails and the client receives an IP from the wrong VLAN, check the RADIUS logs in the Purple portal. Ensure the Tunnel-Private-Group-ID attribute is formatted correctly as a string and matches a VLAN that actually exists on the switch port connected to the AP. If you see HMAC digest errors in the WatchGuard logs, your Captive Portal Shared Secret does not match between WatchGuard and Purple. It must be identical in both systems, character for character.

Time for a rapid-fire Q&A. Question: Can I use PPSK and the Captive Portal on the same SSID? Answer: No. WatchGuard does not support running Dynamic VLANs via PPSK and a Captive Portal on the same SSID simultaneously. You need one SSID for the portal and a separate SSID for PPSK. Plan your SSID architecture accordingly. Question: What happens if the RADIUS server does not return a VLAN ID for a PPSK user? Answer: In WatchGuard Cloud, you configure an Unassigned Clients fallback option. You can drop them onto an untagged VLAN or a specific isolated quarantine VLAN to ensure they do not gain access to the corporate network. Always configure this fallback to avoid accidental access.

To summarise, integrating WatchGuard Firebox with Purple gives you a unified platform for security, identity, and analytics across Guest, Staff, and Multi-Tenant networks. You use external captive portal redirection for guests, 802.1X for staff, and PPSK with dynamic VLANs for multi-tenant environments. The ROI is clear. You reduce hardware costs by consolidating gateways, you simplify management through a single cloud platform, and you drive revenue by capturing first-party data through the Purple captive portal. Your next steps are to review your current SSID architecture, ensure your WatchGuard firmware is at version 2.6 or higher, and begin configuring your RADIUS settings in the Purple portal. Thank you for listening.


Executive summary

Deploying a secure, scalable wireless infrastructure across complex venues requires precise integration between your security gateway and identity provider. This guide details the integration of WatchGuard Firebox and WatchGuard Access Points with Purple, covering three distinct access tiers: Guest WiFi captive portal redirection, Secure Staff WiFi using IEEE 802.1X, and Multi-Tenant WiFi segmentation via WatchGuard Private Pre-Shared Keys (PPSK).

By combining WatchGuard's unified security platform with Purple's cloud overlay, you automate identity-based access control, enforce granular security policies, and capture first-party data at scale. Purple operates across 80,000+ live venues and processed 440 million logins in 2024 (Purple internal data). The integration is hardware-agnostic by design - WatchGuard sits alongside Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet in Purple's supported hardware list. For a broader view of enterprise WiFi security standards, see our Enterprise WiFi Security: A Complete Guide for 2026.


Technical architecture

The integration connects WatchGuard hardware to Purple's cloud services using two standard mechanisms: RADIUS (Remote Authentication Dial-In User Service) for authentication and accounting, and HTTP redirection for captive portal delivery. The architecture supports three access tiers on a single physical infrastructure.

| Access Tier | SSID Type | Authentication Method | Purple Role |
|---|---|---|---|
| Guest WiFi | Open | External captive portal + RADIUS accounting | Splash page, data capture, analytics |
| Staff WiFi | WPA3-Enterprise | 802.1X (EAP-TLS or PEAP) | RADIUS server, identity provider proxy |
| Multi-Tenant WiFi | WPA2/WPA3 Personal + PPSK | PPSK validated via RADIUS | Key management, dynamic VLAN assignment |

All three tiers can run simultaneously across the same WatchGuard Access Point fleet. WatchGuard Wi-Fi 6 models - the AP130, AP230W, AP330, AP332CR, AP430CR, and AP432 - support PPSK from firmware v2.6 onwards.

Configuring Guest WiFi captive portal redirection

The WatchGuard captive portal integration redirects unauthenticated HTTP requests to Purple's hosted splash page. This is the primary mechanism for capturing first-party data and enforcing terms of service.

Step 1: RADIUS server configuration

In WatchGuard Cloud or Firebox Policy Manager, define Purple as the RADIUS authentication and accounting server.

  • Primary RADIUS server: Set to the Purple RADIUS IP address for your region (available in the Purple portal under Settings > Hardware Integration).
  • Authentication port: 1812
  • Accounting port: 1813
  • Shared secret: Enter the unique secret provided in the Purple portal.
  • NAS ID: Set this to the MAC address of the Firebox or AP using the %m format specifier. This identifies the venue to Purple and routes analytics to the correct account.
  • Accounting interval: Set to 10 minutes to ensure session data flows to Purple's analytics dashboard at regular intervals.

Step 2: SSID and captive portal settings

In WatchGuard Cloud, navigate to Configure > Devices > [Your AP] > Device Configuration > SSIDs. Create or edit the Guest SSID.

  • Security: Open (no pre-authentication password).
  • Captive portal type: Select Third-Party Hosted Captive Portal with RADIUS Authentication.
  • Splash Page URL: Enter the Purple splash page URL (e.g., https://wifi.mypurple.com/splash). Retrieve this from Purple > Analyze > Portals.
  • Shared secret: Enter the portal shared secret from the same Purple Analyze Portals page. This secret generates the HMAC-SHA1 digest that WatchGuard uses to validate the authentication success response from Purple.

Step 3: Walled Garden configuration

The Walled Garden defines which domains a device can access before authentication completes. Without this, the device cannot load the Purple splash page. Add the following entries to Websites that users can access before login:

  • *.mypurple.com
  • api.mypurple.com
  • cdn.mypurple.com
  • assets.mypurple.com

If you enable social or federated logins via Microsoft Entra ID, Okta, or Google Workspace, add the relevant identity provider domains (e.g., login.microsoftonline.com, accounts.google.com). For legal and compliance context on shared WiFi infrastructure, see our guide on Legal and Compliance Requirements for Shared WiFi Infrastructure.
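The following is an added example, not WatchGuard or Purple code: a small pre-authentication allow-list audit. Given the Walled Garden entries configured on the AP and the hostnames a guest browser must reach to finish login, it reports which hostnames would still be blocked before authentication. It assumes that a wildcard entry such as *.mypurple.com covers any hostname under that domain but not the apex mypurple.com itself; the exact matching rules of the WatchGuard Walled Garden are not stated on this page, so treat the function as a checklist aid rather than a reproduction of AP behaviour.

```python
"""Walled Garden allow-list audit (added example; matching semantics are an
assumption, not WatchGuard's documented behaviour)."""


def walled_garden_allows(entries, hostname):
    """True if hostname is covered by at least one Walled Garden entry."""
    host = hostname.lower().rstrip(".")
    for entry in entries:
        e = entry.lower().rstrip(".")
        if e.startswith("*."):
            # Assumption: "*.example.com" covers any depth of subdomain but
            # not the apex "example.com". The leading dot in the suffix stops
            # look-alike names such as "evilexample.com" from matching.
            suffix = e[1:]
            if host.endswith(suffix) and host != suffix[1:]:
                return True
        elif host == e:
            return True
    return False


def audit_walled_garden(entries, required_hosts):
    """Return, sorted, the required hostnames that no entry covers."""
    return sorted(h for h in required_hosts if not walled_garden_allows(entries, h))


# Constructed sample: the three Purple domains listed on the page, and the
# hostnames a social login via Entra ID or Google would additionally need.
WALLED_GARDEN = ["*.mypurple.com", "api.mypurple.com", "cdn.mypurple.com"]
REQUIRED_FOR_SOCIAL_LOGIN = [
    "wifi.mypurple.com", "api.mypurple.com", "cdn.mypurple.com",
    "assets.mypurple.com", "login.microsoftonline.com", "accounts.google.com",
]

if __name__ == "__main__":
    missing = audit_walled_garden(WALLED_GARDEN, REQUIRED_FOR_SOCIAL_LOGIN)
    print("blocked before login:", missing)
```

Run it against your own entry list before go-live; anything it reports as blocked will present to the guest as a timeout rather than the splash page.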

How the HMAC authentication flow works

Understanding this flow helps you diagnose failures quickly.

  1. The guest device connects to the open SSID and makes an HTTP request.
  2. The WatchGuard AP intercepts the request and redirects the browser to the Purple splash page URL, appending a challenge parameter (a random hex string) and the device MAC address.
  3. Purple displays the splash page. The guest completes the login form.
  4. Purple generates an HMAC-SHA1 digest using the portal shared secret and the challenge value.
  5. Purple redirects the browser back to the WatchGuard AP's login URL, appending the challenge and digest.
  6. The WatchGuard AP validates the digest using the same shared secret. If it matches, the AP grants internet access and sends a RADIUS Accounting Start packet to Purple.
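The exchange above, simulated end to end as an added example (not WatchGuard or Purple code), with both roles in one file so the failure modes in the Troubleshooting section can be reproduced offline. Assumptions made here: the digest is HMAC-SHA1 keyed with the portal shared secret over the challenge and client MAC (the real WatchGuard message layout is not given on this page), the AP login URL is a placeholder, and the AP treats each challenge as single-use with a time limit. The shared secret and MAC address are constructed values.

```python
"""Captive-portal challenge/digest handshake, simulated (added example)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SPLASH_URL = "https://wifi.mypurple.com/splash"    # from the page
AP_LOGIN_URL = "http://ap.example.invalid/login"   # placeholder, assumed
PORTAL_SHARED_SECRET = b"constructed-portal-secret"  # constructed
CLIENT_MAC = "aa:bb:cc:dd:ee:01"                   # constructed


def compute_digest(secret: bytes, challenge: str, mac: str) -> str:
    """HMAC-SHA1 over challenge|mac. The message layout is this demo's
    assumption; only the algorithm (HMAC-SHA1) and the key (portal
    shared secret) come from the page."""
    return hmac.new(secret, f"{challenge}|{mac}".encode(), hashlib.sha1).hexdigest()


def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


class AccessPoint:
    """WatchGuard-side role: issue challenges, validate digests, grant access."""

    def __init__(self, secret: bytes, ttl_seconds: int = 300):
        self.secret = secret
        self.ttl = ttl_seconds
        self.pending = {}           # challenge -> (mac, issued_at)
        self.authorised = set()
        self.accounting_log = []    # stands in for RADIUS Accounting-Start

    def redirect_for(self, mac: str) -> str:
        challenge = secrets.token_hex(16)          # random, unpredictable
        self.pending[challenge] = (mac, time.monotonic())
        params = {"challenge": challenge, "mac": mac, "login_url": AP_LOGIN_URL}
        return f"{SPLASH_URL}?{urlencode(params)}"

    def handle_login(self, url: str):
        q = query(url)
        entry = self.pending.pop(q.get("challenge", ""), None)   # single use
        if entry is None:
            return False, "unknown or replayed challenge"
        mac, issued = entry
        if mac != q.get("mac"):
            return False, "MAC does not match the challenge"
        if time.monotonic() - issued > self.ttl:
            return False, "challenge expired"
        expected = compute_digest(self.secret, q["challenge"], mac)
        # Constant-time comparison; a mismatch is the "HMAC digest error" case.
        if not hmac.compare_digest(expected, q.get("digest", "")):
            return False, "HMAC digest mismatch: shared secrets differ"
        self.authorised.add(mac)
        self.accounting_log.append(("Accounting-Start", mac))
        return True, "access granted"


class Portal:
    """Purple-side role: once the form is completed, sign the challenge."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def complete_login(self, splash_redirect: str) -> str:
        q = query(splash_redirect)
        digest = compute_digest(self.secret, q["challenge"], q["mac"])
        params = {"challenge": q["challenge"], "mac": q["mac"], "digest": digest}
        return f"{q['login_url']}?{urlencode(params)}"


def run_scenarios() -> dict:
    """Matching secrets succeed; replaying the return URL and a mistyped
    portal secret are both refused."""
    ap = AccessPoint(PORTAL_SHARED_SECRET)
    back = Portal(PORTAL_SHARED_SECRET).complete_login(ap.redirect_for(CLIENT_MAC))
    results = {"match": ap.handle_login(back), "replay": ap.handle_login(back)}
    bad_back = Portal(b"mistyped-secret").complete_login(ap.redirect_for(CLIENT_MAC))
    results["mismatch"] = ap.handle_login(bad_back)
    results["accounting_starts"] = len(ap.accounting_log)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The "mismatch" scenario is exactly what a secret copied with a trailing space or a stale value produces in the WatchGuard logs, which is why the fix is to regenerate the secret and paste it into both systems rather than to retype it.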

Secure Staff WiFi with 802.1X

For Staff WiFi, you replace the captive portal with IEEE 802.1X - the enterprise standard for port-based network access control. Each staff member authenticates with unique credentials or a certificate, eliminating the shared-password risk.

In WatchGuard Cloud, configure the Staff SSID with WPA3 Enterprise security and point the Authentication Domain to Purple's RADIUS server. Purple acts as the RADIUS server and can proxy authentication requests to Microsoft Entra ID, Okta, or Google Workspace via SAML or LDAP.

For certificate-based authentication (EAP-TLS), deploy client certificates via your MDM to managed devices. For credential-based authentication (PEAP-MSCHAPv2), users authenticate with their directory credentials. Purple validates the request against the configured identity provider and returns a RADIUS Access-Accept or Access-Reject to the WatchGuard AP.

For a detailed walkthrough of 802.1X configuration across device types, see our guide on 802.1X authentication: securing network access on modern devices.

Important note on MAC randomisation: Modern iOS and Android devices randomise their MAC addresses by default. For 802.1X Staff WiFi, instruct staff to disable MAC randomisation for the Staff SSID. Randomised MACs cause inconsistent authentication logs and break MAC-based policy enforcement.

Multi-Tenant WiFi with WatchGuard PPSK

Broadcasting a separate SSID per tenant in a retail centre, coworking space, or Build-to-Rent (BTR) development causes co-channel interference and clutters the RF environment. WatchGuard PPSK (Private Pre-Shared Key) - introduced in AP firmware v2.6 - solves this by assigning a unique password to each user or tenant on a single SSID.


Step 1: Enable PPSK on the SSID

In WatchGuard Cloud, edit the target SSID (e.g., Venue-WiFi).

  • Security: WPA2 Personal or WPA3 Personal.
  • Authentication: Enable Private Pre-Shared Key (PPSK).
  • RADIUS server: Point to Purple's RADIUS server. Purple manages the PPSK credential store and returns VLAN attributes on authentication.

Step 2: Configure Dynamic VLAN assignment

To isolate tenant traffic, the WatchGuard AP assigns a specific VLAN based on the PPSK used.

  • VLAN setting: Select Dynamic VLAN assigned by RADIUS.
  • Unassigned clients fallback: Select an isolated quarantine VLAN (e.g., VLAN 999) to ensure devices that fail RADIUS validation cannot access the corporate network.

Requirements for Dynamic VLANs on WatchGuard Access Points:

  • AP firmware v2.2 or higher.
  • NAT must be disabled on the SSID.
  • Dynamic VLANs and Captive Portal cannot run on the same SSID simultaneously.
  • The switch port connected to the AP must be configured as a trunk port carrying all relevant VLANs.

Step 3: RADIUS attributes for VLAN steering

When a user connects using a PPSK, the WatchGuard AP sends a RADIUS Access-Request to Purple. Purple validates the key and returns an Access-Accept packet containing three IETF RADIUS attributes:

| RADIUS Attribute | Attribute Number | Value |
|---|---|---|
| Tunnel-Type | 64 | 13 (VLAN) |
| Tunnel-Medium-Type | 65 | 6 (802) |
| Tunnel-Private-Group-ID | 81 | VLAN ID (e.g., "100") |

The WatchGuard AP reads attribute 81 and places the client on the corresponding VLAN. In Purple, you map each PPSK credential to a specific VLAN ID and role. This is the mechanism behind Identity-Based Networks - the credential determines the network segment, not the SSID.
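As an added example (not WatchGuard or Purple code), the block below builds a RADIUS Access-Accept carrying the three tunnel attributes from the table, verifies its Response Authenticator with the RADIUS shared secret, extracts the VLAN, and applies the quarantine fallback from Step 2 when the attributes are absent or malformed. Packet and attribute layout follow RFC 2865 and RFC 2868, including the tag octet that precedes each tunnel attribute value; the shared secret, request authenticator and VLAN sets are constructed. The final "is the VLAN on the trunk" check is this example's own pre-flight test, added because the Troubleshooting section names it as a failure cause; on a real AP a VLAN missing from the trunk leaves the client without connectivity rather than quarantining it.

```python
"""RADIUS Access-Accept with Tunnel-* attributes: build, verify, parse (added example)."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value 13 = VLAN
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value 6 = IEEE 802
QUARANTINE_VLAN = 999      # fallback VLAN, as in the page's example


def tagged_int(attr_type, value, tag=0):
    """RFC 2868 integer tunnel attribute: type, length 6, tag, 3-byte value."""
    return struct.pack("!BBB", attr_type, 6, tag) + value.to_bytes(3, "big")


def tagged_string(attr_type, text, tag=0):
    """String tunnel attribute; tag=None omits the tag octet entirely."""
    body = (bytes([tag]) if tag is not None else b"") + text.encode()
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def build_access_accept(identifier, request_auth, secret, vlan_id=None, tag=0):
    attrs = b""
    if vlan_id is not None:
        attrs += tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag or 0)
        attrs += tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag or 0)
        attrs += tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag)
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 2865 Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_auth, secret):
    """Rejects replies from a server that does not hold the same shared secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    attrs, i = [], 20
    while i + 2 <= len(packet):
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[i + 2:i + alen]))
        i += alen
    return attrs


def extract_vlan(packet):
    """VLAN ID from the three tunnel attributes, or None if any is missing/wrong."""
    found = {}
    for atype, value in parse_attributes(packet):
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) and len(value) == 4:
            found[atype] = int.from_bytes(value[1:], "big")   # skip tag octet
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868: a first octet above 0x1F is string data, not a tag.
            text = value[1:] if value and value[0] <= 0x1F else value
            found[atype] = text.decode(errors="replace")
    if found.get(TUNNEL_TYPE) != TUNNEL_TYPE_VLAN:
        return None
    if found.get(TUNNEL_MEDIUM_TYPE) != TUNNEL_MEDIUM_802:
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    return int(group) if group and group.isdigit() else None


def decide_vlan(packet, request_auth, secret, trunk_vlans):
    """Return (vlan, reason): the assigned VLAN, or the quarantine fallback."""
    if not verify_response_authenticator(packet, request_auth, secret):
        return QUARANTINE_VLAN, "authenticator mismatch (check RADIUS shared secret)"
    vlan = extract_vlan(packet)
    if vlan is None:
        return QUARANTINE_VLAN, "tunnel attributes missing or malformed"
    if vlan not in trunk_vlans:                     # example's own pre-flight check
        return QUARANTINE_VLAN, f"VLAN {vlan} not carried on the AP trunk port"
    return vlan, "ok"


if __name__ == "__main__":
    secret, req_auth = b"constructed-radius-secret", bytes(range(16))   # constructed
    pkt = build_access_accept(7, req_auth, secret, vlan_id=101)
    print(decide_vlan(pkt, req_auth, secret, {101, 102, 999}))
```

When a PPSK client lands on the wrong VLAN, running the captured Access-Accept through extract_vlan shows immediately whether the problem is a missing attribute, a non-numeric Tunnel-Private-Group-ID, or a VLAN the trunk does not carry.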

Implementation best practices

These recommendations apply to hospitality, retail, healthcare, and transport deployments.

Session timeouts: Configure session timeouts in both Purple and WatchGuard to force re-authentication at regular intervals. This keeps analytics accurate and prevents stale sessions from consuming bandwidth. Set RADIUS Interim-Update (Acct-Interim-Interval) to 600 seconds (10 minutes).

Firmware management: Ensure WatchGuard Access Points run firmware v2.6 or higher for PPSK support. Use WatchGuard Cloud to schedule firmware upgrades during off-peak hours to avoid coverage gaps.

PCI DSS compliance: For retail environments processing card payments, isolate POS devices on a dedicated VLAN (e.g., VLAN 200) using PPSK. Ensure the Guest WiFi VLAN has no route to the POS VLAN. This supports PCI DSS network segmentation requirements.

GDPR and data collection: Purple's captive portal uses conscious-choice opt-ins, ensuring data collection meets GDPR requirements. Purple is ISO 27001, GDPR, CCPA, and Cyber Essentials certified. Ensure your splash page includes a clear privacy notice and terms of service link before data capture begins.

Troubleshooting and risk mitigation

Captive portal fails to load: The Walled Garden is the first place to check. If the device cannot resolve DNS or reach Purple's servers pre-authentication, the browser shows a timeout error rather than the splash page. Verify all Purple domains are in the Walled Garden list and that the WatchGuard DNS settings allow pre-auth resolution.

HMAC digest validation errors: If WatchGuard logs show authentication failures with HMAC errors, the Captive Portal Shared Secret does not match between WatchGuard and Purple. It must be identical in both systems. Regenerate the secret in Purple and re-enter it in WatchGuard Cloud.

VLAN steering fails: If a PPSK user receives an IP from the wrong VLAN, check the RADIUS logs in the Purple portal. Verify that Purple is returning all three IETF RADIUS attributes. Ensure the Tunnel-Private-Group-ID value is formatted as a string and matches a VLAN ID configured on the switch trunk port.

PPSK and Captive Portal conflict: WatchGuard does not support Dynamic VLANs and Captive Portal on the same SSID. If you need both, use two SSIDs: one for guest captive portal and one for PPSK multi-tenant access.

802.1X authentication failures: Use the packet capture tool available in WatchGuard AP firmware v2.5 and higher to capture traffic between the AP and the RADIUS server. Look for RADIUS Access-Reject packets and the reason given in the Reply-Message attribute.

ROI and business impact

The WatchGuard and Purple integration consolidates security and analytics into a single architecture. A 200-room hotel using this integration eliminates the need for separate guest and staff gateways, reducing hardware expenditure by approximately 30% compared to a multi-gateway deployment (Purple internal data). The Guest WiFi captive portal captures first-party data - email addresses, demographic information, and visit frequency - that drives direct marketing revenue through Purple's Engage plan.

For multi-tenant venues, PPSK eliminates the operational overhead of managing multiple SSIDs. A retail centre managing 15 shop units on a single SSID reduces AP radio utilisation and simplifies network audits. WiFi Analytics from Purple provides venue operators with dwell time, footfall, and repeat visit data - metrics that justify the infrastructure investment to finance teams.

Purple maintains 99.999% uptime (Purple internal data), ensuring the Guest WiFi captive portal remains available even during peak periods at high-density venues like stadiums and conference centres.

Key Definitions

PPSK (Private Pre-Shared Key)

A security feature that assigns a unique password to each user or device on a WPA2/WPA3 Personal SSID. Introduced in WatchGuard AP firmware v2.6.

Used in multi-tenant environments - retail centres, coworking spaces, BTR developments - to segment users without requiring 802.1X supplicant configuration on client devices.

Dynamic VLAN steering

The process of assigning a network device to a specific Virtual LAN based on RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) returned during authentication.

The mechanism that isolates tenant, staff, and guest traffic on the same physical access point. Requires AP firmware v2.2 or higher on WatchGuard hardware.

Walled Garden

A list of IP addresses or domains that an unauthenticated user is permitted to access before completing captive portal authentication.

Required to allow guest devices to load the Purple splash page and complete federated logins (Microsoft Entra ID, Google Workspace) before full internet access is granted.

HMAC digest

A cryptographic hash (HMAC-SHA1) used to verify the integrity and authenticity of the authentication success message from the captive portal.

WatchGuard validates the HMAC digest using the Captive Portal Shared Secret. A mismatch between the secret in WatchGuard and Purple causes authentication failures.

RADIUS accounting

The component of the RADIUS protocol that tracks network usage, including session start, session duration, and data transfer volume.

Purple relies on RADIUS Accounting packets from the WatchGuard Firebox to populate the analytics dashboard and enforce session time limits. Operates on port 1813.

Captive portal

A web page that a device is redirected to before being granted access to a public network. WatchGuard intercepts HTTP requests and redirects to the configured external portal URL.

The primary mechanism for capturing first-party data and enforcing terms of service on Guest WiFi networks. Purple hosts the splash page and manages the data.

802.1X

An IEEE standard for port-based network access control. Requires each device to authenticate with unique credentials or a certificate before network access is granted.

The enterprise standard for securing Staff WiFi. Eliminates the shared-password risk of WPA2 Personal. Requires a RADIUS server (Purple) and a supplicant on the client device.

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)

A highly secure 802.1X authentication method requiring both a client certificate and a server certificate for mutual authentication.

Used in high-security environments where devices are managed by an MDM. Ensures only corporate-owned devices with valid certificates can connect to the Staff WiFi SSID.

NAS ID (Network Access Server Identifier)

A string sent in RADIUS packets that identifies the network device (AP or Firebox) making the authentication request.

Purple uses the NAS ID to identify which venue a RADIUS request originates from. Typically set to the AP MAC address using the %m format specifier in WatchGuard.

Identity-Based Networking

A network architecture where access policies, VLAN assignments, and security controls are determined by the user's identity rather than their physical port or SSID.

The combination of WatchGuard PPSK, Purple RADIUS, and dynamic VLAN steering delivers Identity-Based Networking - the credential determines the network segment automatically.

Worked Examples

A 200-room Premier Inn property needs to provide Guest WiFi for guests, secure Staff WiFi for front-of-house and back-office teams, and a separate network for IoT devices (smart TVs, door locks). They have WatchGuard AP330 access points managed via WatchGuard Cloud and a Firebox T85 gateway. How should they architect the three networks?

Deploy three SSIDs on the WatchGuard AP330 fleet. SSID 1: 'Premier-Guest' - open SSID with external captive portal redirection to Purple. Configure the Firebox T85 as the RADIUS client pointing to Purple's servers (port 1812/1813). Add Purple's Walled Garden domains. Guests authenticate via the Purple splash page using email, social login, or a room code. SSID 2: 'Premier-Staff' - WPA3-Enterprise SSID with 802.1X authentication. Point the authentication domain to Purple's RADIUS server, which proxies credentials to the property's Microsoft Entra ID tenant. Staff authenticate with their corporate credentials. SSID 3: 'Premier-IoT' - WPA2 Personal SSID with a static PSK, placed on a dedicated VLAN (e.g., VLAN 50) with firewall rules blocking access to the staff and guest VLANs. The Firebox T85 enforces inter-VLAN routing policies. All three SSIDs broadcast on the same AP hardware, reducing infrastructure cost.

Examiner's Commentary: This architecture follows the principle of least privilege. Each access tier has the minimum network access required for its function. The IoT SSID uses a static PSK rather than PPSK because IoT devices typically cannot handle dynamic credential rotation. The key decision is using Purple as the RADIUS server for both guest and staff tiers, which centralises identity management and analytics in a single platform.

A retail centre managing 12 shop units wants to provide each tenant with isolated WiFi access using a single SSID. The centre also needs to ensure that a compromised tenant credential does not expose other tenants' traffic. They are running WatchGuard AP230W access points on firmware v2.6.

Configure one SSID: 'Centre-Retail' with WPA2 Personal and PPSK enabled. In Purple, create 12 unique PPSK credentials, one per tenant. Map each credential to a dedicated VLAN (e.g., VLAN 101 for Tenant 1, VLAN 102 for Tenant 2, and so on). In WatchGuard Cloud, set the SSID VLAN to 'Dynamic VLAN assigned by RADIUS' with a fallback to a quarantine VLAN (VLAN 999). Configure the switch ports connected to the AP230W as trunk ports carrying VLANs 101-112 and 999. When a tenant device connects using their PPSK, the AP queries Purple RADIUS, receives the Tunnel-Private-Group-ID attribute, and places the device on the correct VLAN. A compromised credential for Tenant 3 only exposes VLAN 103 - all other tenants remain isolated.

Examiner's Commentary: PPSK provides per-credential isolation without the complexity of 802.1X certificate management. The critical design decision is the fallback VLAN. Without a quarantine VLAN configured, a device that fails RADIUS validation could be placed on the default untagged VLAN, potentially gaining access to management infrastructure. Always configure the fallback explicitly.

Practice Questions

Q1. A hotel IT manager reports that guests connect to the WiFi but the Purple splash page never appears. The browser shows a connection timeout error. The WatchGuard Cloud configuration shows the correct Purple splash page URL and shared secret. What is the most likely cause and how do you resolve it?

Hint: Consider what must happen before the device is authenticated. What domains does the device need to reach to load the splash page?

Model answer

The Walled Garden is missing or incomplete. The WatchGuard Firebox is blocking the device's initial HTTP request to Purple's servers before authentication completes. Add the required Purple domains to the 'Websites that users can access before login' list: *.mypurple.com, api.mypurple.com, and cdn.mypurple.com. If guests are using social logins, also add the relevant identity provider domains (e.g., login.microsoftonline.com for Entra ID).

Q2. You are configuring PPSK-based VLAN steering for a coworking space with 8 members. RADIUS authentication succeeds (the WatchGuard logs show Access-Accept), but every member device receives an IP address from VLAN 1 (the default management VLAN) instead of their assigned tenant VLAN. How do you diagnose and resolve this?

Hint: Authentication succeeded, so the credential is valid. The issue is in the VLAN assignment step. What does WatchGuard need from the RADIUS server to assign a VLAN?

Model answer

The RADIUS Access-Accept packet from Purple is missing the VLAN attributes or formatting them incorrectly. Capture the RADIUS traffic on the AP using the WatchGuard packet capture tool and inspect the Access-Accept packet. Verify that Purple is returning all three IETF attributes: Tunnel-Type (attribute 64, value 13), Tunnel-Medium-Type (attribute 65, value 6), and Tunnel-Private-Group-ID (attribute 81, set to the VLAN ID as a string, e.g. '101'). Also confirm that the switch port connected to the AP is configured as a trunk port carrying the relevant VLANs, and that the SSID VLAN setting in WatchGuard Cloud is set to 'Dynamic VLAN assigned by RADIUS' rather than a static VLAN ID.

Q3. A venue operator wants to run a Guest WiFi captive portal (Purple splash page) and a multi-tenant PPSK network for 6 retail units on the same WatchGuard AP330 access point. They plan to configure both features on a single SSID to simplify the RF environment. Is this possible? If not, what is the correct architecture?

Hint: Review the WatchGuard Dynamic VLAN requirements. Are there any feature conflicts?

Model answer

This is not possible on a single SSID. WatchGuard does not support Dynamic VLANs (required for PPSK) and Captive Portal on the same SSID simultaneously. The correct architecture uses two SSIDs: SSID 1 ('Venue-Guest') configured as an open SSID with external captive portal redirection to Purple for public guests. SSID 2 ('Venue-Retail') configured with WPA2 Personal, PPSK enabled, and Dynamic VLAN assignment for the 6 retail tenants. Both SSIDs broadcast from the same AP330 hardware, so the RF impact is limited to one additional SSID beacon. The switch port connected to the AP must be a trunk port carrying all relevant VLANs for both SSIDs.
