Cambium cnPilot and guest WiFi: captive portal setup with Purple

Cambium Networks cnPilot and cnMaestro Integration with Purple WiFi. A Consultant Briefing. Welcome. If you're running a Cambium Networks environment and you've been asked to deliver a guest WiFi experience that captures data, drives marketing, and stays compliant — this briefing is exactly what you need. I'm going to walk you through how Cambium cnPilot access points, the cnMaestro cloud controller, and Purple WiFi fit together. We'll cover the architecture, the RADIUS authentication flow, walled garden configuration, secure staff WiFi using 802.1X, and multi-tenant segmentation using Cambium's ePSK feature with dynamic VLAN assignment. Whether you're managing a hotel estate, a retail portfolio, a conference centre, or a public-sector campus, the principles are the same. Let's get into it. First, a quick orientation on the two platforms. Cambium Networks produces the cnPilot range of enterprise WiFi access points — the e410, e425H, e430H, and e505 for indoor and outdoor deployments. These APs are managed centrally through cnMaestro, Cambium's cloud management platform. cnMaestro gives you centralised visibility, configuration management, and firmware updates across your entire AP estate — whether that's a handful of devices in a single venue or thousands of APs across a national estate. Purple WiFi is an enterprise guest WiFi intelligence platform. It handles the captive portal — the branded splash page your guests see when they connect — and it also acts as a RADIUS authentication server, a data capture engine, and a marketing automation platform. Purple operates across 80,000 live venues and has processed 440 million logins in 2024 alone. The combination of Cambium cnMaestro and Purple gives you a production-grade guest WiFi stack that is both technically solid and commercially valuable. Now, let's talk about the integration architecture. The core mechanism is a captive portal redirect combined with RADIUS authentication. Here is how the flow works in practice. A guest device associates with your guest SSID. That SSID is configured in cnMaestro as an open network — no pre-shared key for guests. The Cambium AP intercepts the first HTTP request from the device and redirects it to Purple's captive portal URL. This redirect is configured in cnMaestro under the WLAN's Guest Access settings, where you set the External Page URL to your Purple venue portal endpoint. The guest then interacts with the Purple portal. They might authenticate via social login, email, SMS verification, or a custom form. Once they complete the authentication flow, Purple's backend sends a RADIUS Access-Accept message back to the Cambium AP on UDP port 1812. The AP then moves the device from the pre-authentication state to full network access. Let me walk you through the exact configuration steps in cnMaestro. Navigate to Configuration, then WiFi Profiles, then WLANs. Create a new WLAN for your guest network. Set the SSID name — something like "Hotel Guest WiFi" — and set the security to Open. Under Guest Access, enable the External Hotspot option. This is the key setting that tells cnMaestro to redirect unauthenticated clients to an external portal. Set the External Page URL to your Purple venue portal URL. Enable RADIUS authentication and enter Purple's RADIUS server IP address, the shared secret, and set the authentication port to UDP 1812. Enable RADIUS accounting on UDP 1813 — this is critical for Purple's analytics to function correctly. Without accounting records, Purple cannot build session data, dwell time metrics, or visit frequency analytics. Now, the walled garden. This is the list of domains and IP addresses that guest devices can reach before they authenticate. You need to whitelist Purple's portal domain and any CDN endpoints used to serve portal assets. You also need to whitelist any authentication provider domains — if you're using social login via Google or Facebook, their OAuth domains need to be in the walled garden. A misconfigured walled garden is the single most common cause of captive portal failures. The guest device needs to resolve DNS and reach the Purple portal over HTTPS before it can authenticate. In cnMaestro, the walled garden is configured under the External Hotspot settings. Add entries for Purple's portal domain, any social login provider domains, and any payment gateway domains if you're running paid WiFi tiers. Now let's talk about secure staff WiFi using IEEE 802.1X. For staff networks, you do not want a captive portal. You want certificate-based or credential-based authentication that happens silently at the device level. In cnMaestro, create a separate WLAN for staff. Set the security to WPA2-Enterprise. Configure the RADIUS server details — again, Purple's RADIUS server IP on UDP 1812. Staff devices authenticate using EAP-PEAP with username and password credentials, or EAP-TLS with device certificates for the highest security posture. Purple integrates with Microsoft Entra ID, Okta, and Google Workspace as identity providers. This means your staff can authenticate to the WiFi using their existing corporate credentials — no separate WiFi password to manage. Purple validates the credentials against your identity provider and returns an Access-Accept to the Cambium AP. Dynamic VLAN assignment then places the authenticated staff device on the correct staff VLAN, isolating it from guest traffic. Now, multi-tenant segmentation using Cambium ePSK. ePSK — enhanced pre-shared key — is Cambium's implementation of what the industry calls PPSK or iPSK. The concept is straightforward: instead of one shared password for an entire SSID, each user or tenant gets their own unique passphrase. They all connect to the same SSID, but each unique key maps to a specific VLAN, giving you network isolation without the complexity of running multiple SSIDs. cnMaestro supports up to 2,000 ePSK entries per WLAN. Each ePSK can be assigned a specific VLAN ID, a rate limit, and an expiry date. This makes it ideal for multi-tenant environments — think a conference centre where each exhibitor gets their own isolated network segment, or a build-to-rent residential building where each resident gets their own private area network. To configure ePSK in cnMaestro, navigate to Configuration, WiFi Profiles, WLANs. Create a new WLAN. Set the security to WPA2 Pre-Shared Key. Enable the ePSK option. You can then add individual ePSK entries manually, or use the cnMaestro API to provision them programmatically — which is the approach you want for large-scale deployments. For each ePSK entry, set the passphrase, the assigned VLAN ID, and optionally the rate limit and expiry. When a device connects using that passphrase, the Cambium AP automatically places it on the assigned VLAN. No RADIUS required for the ePSK flow itself — the VLAN assignment is handled locally by the AP based on the passphrase used. Purple integrates with this model by managing the ePSK lifecycle through the cnMaestro API. Purple can provision new ePSK entries when a new tenant is onboarded, update the VLAN assignment, set expiry dates, and revoke access when a tenant leaves. This removes the manual overhead of managing hundreds or thousands of individual keys. Right, let's talk about what can go wrong and how to avoid it. The most common pitfall is the walled garden. If your walled garden entries are incomplete, the captive portal redirect never completes. Guests see a connection timeout, not a login page. Always test with a fresh device — not one that has previously connected — and verify that the Purple portal loads before authentication. Check that DNS resolution works for the Purple portal domain from the pre-authentication state. Second: RADIUS shared secret mismatches. In large deployments with multiple sites, it is easy to have a shared secret configured differently in cnMaestro versus what Purple has on record. Always verify the shared secret on both sides before going live. Use a strong, randomly generated secret — at least 32 characters — and store it in a secrets manager, not a spreadsheet. Third: RADIUS accounting. Do not skip it. The accounting records are what Purple uses to build session analytics — dwell time, visit frequency, device type. Configure RADIUS accounting on UDP 1813 in cnMaestro. Without it, you lose the analytics value that Purple provides. It is a five-minute configuration step. Fourth: VLAN trunking. For dynamic VLAN assignment to work, the VLANs must be trunked on the switch ports connecting to your Cambium APs. If VLAN 100 for guests is not allowed on the trunk, authenticated guests will not get an IP address and will appear to have no internet access even after successful authentication. Verify your switch trunk configuration before testing. Fifth: ePSK VLAN range conflicts. Make sure your ePSK VLAN range does not conflict with existing VLANs in your network — particularly management VLANs or infrastructure VLANs. Document your VLAN allocation before you start. Sixth: firmware version. Ensure your cnPilot APs are running firmware version 6.0 or later for full external hotspot support and ePSK functionality. Earlier firmware versions have known issues with captive portal redirect behaviour. Now for some rapid-fire questions. Can I use Purple with Cambium without RADIUS — just a simple redirect? Yes, but you lose dynamic VLAN assignment and session accounting data. For anything beyond a basic splash page, RADIUS is strongly recommended. Does Purple support WPA3 on Cambium APs? Yes. Purple's portal-based authentication is compatible with WPA3-SAE on the SSID. The RADIUS flow is independent of the wireless security protocol. Can I run Purple across multiple Cambium sites from a single Purple account? Absolutely. Purple's multi-venue architecture is designed exactly for this. Each site maps to a venue in Purple, and cnMaestro's network policies scale cleanly across a national estate. How many ePSK entries can cnMaestro support? Up to 2,000 per WLAN. For deployments requiring more, use a RADIUS-based approach for key management. To summarise: the Cambium cnMaestro and Purple WiFi integration is a well-proven architecture that delivers guest WiFi with data capture, RADIUS authentication, dynamic VLAN segmentation, and full analytics — all managed centrally through cnMaestro's cloud console. The key steps to get this live: configure your guest WLAN in cnMaestro with External Hotspot enabled and the Purple portal URL set, add Purple's RADIUS server details for authentication and accounting, configure your walled garden entries, verify VLAN trunking on your switches, and test with a fresh device before go-live. For multi-tenant deployments, configure ePSK on a dedicated WLAN, assign VLAN IDs per tenant, and use the cnMaestro API for lifecycle management at scale. The ROI case is straightforward. Purple's analytics platform turns your guest WiFi from a cost centre into a first-party data asset. Harrods achieved a 57-times marketing ROI from their Purple guest WiFi deployment. AGS Airports generated an 842% ROI. Combined with Cambium's enterprise-grade infrastructure, you get a solution that scales from a single venue to a national estate without architectural changes. For your next steps: get Purple's RADIUS server details from your Purple account manager, pull up the cnMaestro WLAN configuration for your guest SSID, and run through the configuration checklist. Most single-site deployments go live within a day. Thanks for listening. If you want to go deeper on captive portal design, VLAN segmentation strategy, or ePSK lifecycle management, the Purple documentation and support team are the right next call.