View podcast transcript
Welcome to the Purple Technical Briefing Series. I'm your host, and today we're covering something that comes up on almost every enterprise WiFi deployment we see — setting up a captive portal on Ruckus SmartZone and Ruckus Unleashed controllers. Whether you're an MSP deploying guest WiFi across a hotel chain, a hospitality IT lead rolling out a new property, or a wireless engineer integrating Purple's platform with a Ruckus infrastructure, this episode is for you. Let's get into it.
---
So, first — why does the Ruckus captive portal integration matter? Ruckus, now under CommScope, is one of the dominant enterprise WiFi platforms globally. SmartZone in particular is the controller of choice for high-density environments — stadiums, convention centres, large hotels, and retail chains. When you're deploying guest WiFi at that scale, you need more than just an open SSID. You need a structured authentication flow, GDPR-compliant data capture, and the ability to push that guest data into your marketing stack. That's exactly where an external captive portal platform like Purple comes in.
The architecture here is a WISPr-based hotspot flow. WISPr stands for Wireless Internet Service Provider roaming — it's an industry standard that defines how a wireless controller intercepts unauthenticated HTTP traffic and redirects it to an external portal. The guest connects to your SSID, their device sends an HTTP request, the SmartZone controller intercepts it and issues an HTTP 302 redirect to your external portal URL. The guest authenticates — whether that's via social login, email, SMS, or a custom form — and then the portal communicates back to the controller via the Northbound Interface, or NBI, to grant access. Clean, standards-based, and highly reliable when configured correctly.
---
Now let's get into the technical configuration. I'll walk through SmartZone first, then cover the differences for Unleashed.
On SmartZone — and this applies to both physical SZ300 and virtual vSZ deployments — the configuration has four main components: the RADIUS authentication server profile, the RADIUS accounting server profile, the Hotspot WISPr portal profile, and the WLAN itself.
Start with your RADIUS servers. Navigate to Services and Profiles, then Authentication. Create a new AAA server profile. Set the Service Protocol to RADIUS. Your primary server IP and shared secret will be provided by your portal vendor — in Purple's case, these are documented in the Purple portal admin console. Port 1812 for authentication. Always configure a backup RADIUS server for resilience — port 1812 on the secondary as well. Then do the same for accounting under Services and Profiles, Accounting — port 1813, same shared secret.
Next, the Hotspot WISPr profile. Go to Services and Profiles, Hotspots and Portals, and select the Hotspot WISPr tab. Create a new profile. Set the Login URL to External, and enter your portal redirect URL — this is the URL your guests will be sent to before they authenticate. Set the Start Page to redirect to a post-authentication URL, typically a success page or your venue's homepage.
Now, the Walled Garden. This is where a lot of engineers trip up. The Walled Garden defines which domains and IP addresses a guest can reach before they've authenticated. You need to include your portal domain, any CDN or asset domains your portal loads from, and standard OS captive portal detection endpoints. In SmartZone, wildcards are supported using the asterisk-dot format — so for example, star-dot-purple-dot-ai. That single entry covers all subdomains. You also need to include Apple's captive portal detection domains — captive.apple.com — and Google's connectivity check endpoints to prevent the CNA mini-browser from misbehaving on iOS and Android devices.
One critical step that's easy to miss: by default, SmartZone encrypts the MAC address and IP address it passes to the external portal in the redirect URL. Your portal vendor needs to see the actual client MAC address to perform MAC-based session management. You must disable this via the CLI. SSH into your SmartZone, enter config mode, and run: no encrypt-mac-ip. That's it — one command, but it's a blocker if you skip it.
The Northbound Interface is the other piece. This is the API that allows your portal platform to communicate back to the SmartZone to grant or deny access after authentication. Enable it under Administration, External Services, WISPr Northbound Interface. Set a username and password, and provide those credentials to your portal vendor. The NBI runs on TCP port 9080 for HTTP and 9443 for HTTPS — make sure your firewall allows inbound connections from your portal platform's IP range to these ports.
Finally, create your WLAN. Set the Authentication Type to Hotspot WISPr, select your portal profile, and assign your RADIUS authentication and accounting services. Set the NAS ID to User-defined if your portal vendor requires a specific value, set Called Station ID to AP MAC, and enable Single Session ID. That last setting ensures that a guest's session is tied to a single controller session record, which matters for accurate accounting.
---
Now for Unleashed. The architecture is fundamentally different — Unleashed is a distributed, controller-less model where one AP acts as the master. The configuration lives at Admin and Services, Services, Hotspot Services. The steps are broadly similar — create a Hotspot service, configure your external portal URL, set up your AAA authentication server, add your Walled Garden entries — but there are key differences.
First, there's no Northbound Interface requirement in Unleashed. The portal communication model is simpler. Second, MAC address encryption is not applied by default in Unleashed, so you don't need the CLI command. Third, Unleashed's walled garden accepts domain-level entries rather than the full wildcard syntax — so you'd enter purple.ai rather than star-dot-purple.ai. Check your vendor's documentation for the exact format they require.
Unleashed scales to around 50 access points, making it appropriate for mid-size hotels, retail branches, and SMB deployments. For anything larger — multi-property hotel groups, stadiums, large retail estates — SmartZone is the right platform.
---
Let me cover the two most common failure modes I see in the field.
The first is walled garden misconfiguration. If your portal page fails to load after redirect, the first thing to check is whether all the domains your portal page references are in the walled garden. Modern portal pages load assets from multiple CDN domains, analytics scripts, social login SDKs. If any of those are blocked pre-authentication, the page will either fail to load or load broken. Use your browser's developer tools on a test device connected to the guest SSID to identify which requests are being blocked.
The second is the NBI connectivity issue. If guests can see the portal and authenticate, but never get internet access, the likely cause is that the SmartZone can't receive the NBI callback from your portal platform. Check that ports 9080 and 9443 are open inbound to the SmartZone's management IP from your portal vendor's IP range. Also verify that the NBI credentials you've configured match what your portal vendor has on file.
A third one worth mentioning — Apple CNA, the Captive Network Assistant. On iOS, when a device connects to a network, it fires a probe to captive.apple.com. If that probe gets a non-200 response, iOS pops the mini-browser. If captive.apple.com is in your walled garden, the probe succeeds, iOS thinks there's internet, and the CNA doesn't appear. That sounds like a good thing, but it means your guests won't automatically see the portal. You need to decide: do you want the CNA to appear, or do you want guests to open a browser manually? Most hospitality deployments keep captive.apple.com out of the walled garden to trigger the CNA.
---
Rapid fire. Three questions I get asked constantly.
Do I need a VLAN for my guest WLAN? Yes. Always isolate guest traffic on a dedicated VLAN. This is both a security requirement and a PCI DSS compliance consideration if your venue processes card payments on the same network.
Can I use Purple with Ruckus Cloud instead of SmartZone? Yes, but the configuration path is different — it's under WiFi Networks, Guest Access settings. The walled garden and RADIUS configuration principles are the same.
Does Purple support SmartZone multi-zone deployments? Yes. Purple's integration handles multi-zone SmartZone environments, and you can scope portal configurations to individual zones for different venues or floors.
---
To wrap up. The Ruckus SmartZone captive portal integration with Purple is a mature, well-documented deployment pattern that delivers reliable guest authentication at scale. The key configuration points are: RADIUS on ports 1812 and 1813 with a backup server, the Hotspot WISPr profile with an external login URL, a correctly scoped walled garden using wildcard entries, the no encrypt-mac-ip CLI command, and the Northbound Interface enabled with the correct credentials. Get those five things right, and you have a solid foundation.
For Unleashed deployments, the same principles apply with a simpler configuration model and no NBI requirement.
If you're deploying Purple on Ruckus and want to validate your configuration before go-live, Purple's technical onboarding team can walk you through a pre-launch checklist. The Purple platform also provides real-time analytics on portal load times, authentication success rates, and session data — giving you the visibility to catch issues before your guests do.
Thanks for listening. Next episode we'll be covering 802.1X authentication with Cloud RADIUS — another integration that pairs well with Ruckus SmartZone for corporate guest access. Until then.
