DrayTek Vigor and guest WiFi: captive portal setup with Purple

How DrayTek Vigor routers work with Purple guest WiFi: an external captive portal, RADIUS and a walled garden, with a link to Purple's step-by-step setup guide for the exact configuration.


Podcast transcript

Welcome to the Purple Integration Briefing. Today we are looking at DrayTek Vigor routers and VigorAP access points, and specifically how to integrate them with Purple WiFi. This briefing is for IT managers and network architects deploying guest, staff, and multi-tenant networks across SMB and mid-market venues.

Let's start with the context. DrayTek hardware is incredibly popular in retail, hospitality, and multi-dwelling units because it offers robust routing, VPN, and wireless capabilities at a competitive price point. When you pair a DrayTek Vigor router with Purple, you transform a standard internet connection into an Identity-Based Network. Purple has over 80,000 live venues and processes 440 million logins a year. We bring the captive portal, the analytics, and the security layer. DrayTek provides the reliable edge infrastructure.

Let's get into the technical deep dive. How do we actually make this work? The core of the integration relies on RADIUS authentication and external captive portal redirection. First, the Guest WiFi setup. You will configure the DrayTek Vigor router as a Hotspot Web Portal gateway. In the DrayOS interface, under Applications and RADIUS, you add Purple's RADIUS server IP and shared secret. Then, under Hotspot Web Portal, you set the Portal Method to External Server and paste your specific Purple access URL. The DrayTek router intercepts guest traffic, redirects it to Purple's cloud overlay for authentication, and then uses RADIUS to grant access.

A critical step here is the Walled Garden. Guests need to reach Purple's servers before they are authenticated. You must configure the Destination Domain tab in the DrayTek Hotspot profile to allow traffic to Purple's authentication domains. If you miss this, the splash page simply will not load. This is one of the most common mistakes during initial deployment.

Now, what about Staff WiFi? For secure staff access, you do not use a captive portal. You use 802.1X authentication, which is the IEEE standard for port-based network access control. In the DrayTek Wireless LAN Security settings, you select WPA2/802.1X and point it to the Purple RADIUS server. Staff devices authenticate seamlessly using PEAP and MS-CHAPv2. This eliminates shared passwords entirely and allows you to revoke access instantly when an employee leaves. There is no need to change a password across the entire venue.

Let's talk about Multi-Tenant environments. Think student accommodation, coworking spaces, or retail concessions. You need network segmentation. DrayTek handles this with VLANs and Multiple PSK, also known as PPSK or Private Pre-Shared Key. You configure VLANs on the DrayTek router. For example, VLAN 10 for Guests, VLAN 20 for Staff, and VLAN 30 for Tenants. Using DrayTek's WPA2-PPSK feature on the VigorAPs, each tenant gets a unique passphrase. When they connect, the access point binds that passphrase to their MAC address and drops them into their isolated VLAN. This means a coffee shop tenant on the ground floor of a hotel cannot see the hotel's internal network, even though they are sharing the same physical access point.

Dynamic VLAN assignment takes this further. Purple's RADIUS server can return specific RADIUS attributes when a user authenticates. These are the Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes. The DrayTek router reads these values and dynamically assigns the authenticated client to the correct VLAN. This is Identity-Based Networking in practice: the network adapts to the identity of the user, not the other way around.

Moving on to Implementation Recommendations and Pitfalls. Recommendation one: Always use a wired backhaul for your VigorAPs. Wireless distribution systems, or universal repeaters, cannot pass the 802.1Q VLAN tags required for proper network segmentation. If you want a guest network isolated from your internal LAN, you need those VLAN tags intact, and that means a physical Ethernet cable from each access point back to the DrayTek router or a managed switch.

Recommendation two: Enable AP-Assisted Mobility on the VigorAPs. This feature intelligently disassociates clients with poor signal strength, forcing them to roam to a closer access point. It solves the sticky client problem that plagues many SMB deployments. In a retail environment, a shopper walking from the front of the store to the back should seamlessly transition between access points. Without AP-Assisted Mobility, their device may cling to the front access point even when the signal is weak.

Recommendation three: Plan your VLAN numbering scheme before you start. Changing VLAN IDs after deployment requires reconfiguration of the router, all access points, and potentially any managed switches in the path. Document your scheme clearly.

The biggest pitfall? Forgetting to reboot the DrayTek router after applying the RADIUS and Hotspot configurations. DrayOS requires a reboot to apply these specific changes. If you skip this, you will spend hours troubleshooting a configuration that is actually correct but simply not yet active. This is documented in Purple's official support guide for DrayTek hardware.

Let's do a rapid-fire Q and A.

Question: Can I use the Vigor router's internal RADIUS server? Answer: You can for local 802.1X authentication, but for Purple integration, you must use Purple's external RADIUS servers. This is what enables centralised policy management and the analytics that Purple provides.

Question: Does DrayTek support dynamic VLAN steering via RADIUS? Answer: Yes. Purple's RADIUS server returns the Tunnel-Type and Tunnel-Private-Group-ID attributes on authentication. The DrayTek router reads these and dynamically assigns the client to the correct VLAN.

Question: What happens if a user's iOS device uses a Private MAC address with PPSK? Answer: It will fail authentication. The PPSK profile binds to a specific MAC address. You must instruct users to disable Private WiFi Address for your specific network in their iOS settings to ensure stable connectivity.

Question: Which DrayTek models are supported with Purple? Answer: The currently supported models include the 2862, 3220, 2926, 2952, 2765, 2865, 2866, 2927, 2962, and 3910 series. Check Purple's support documentation for the latest list.

To summarise. DrayTek and Purple together give you enterprise-grade network control at SMB price points. You use the Hotspot Web Portal for guests, 802.1X for staff, and PPSK with VLANs for tenants. Map your VLANs carefully, configure your walled gardens, and always reboot after applying RADIUS settings. Use wired backhaul for your access points, enable AP-Assisted Mobility, and plan for MAC randomisation on iOS devices.

Thank you for listening to this technical briefing. Get your hardware configured, and we will see you on the Purple platform.

DrayTek Vigor routers handle the routing, firewalling and WiFi for your network. Purple adds the guest layer on top: the captive portal your visitors see, the sign-in journey, and the first-party data you collect. It does not replace any of your DrayTek kit.

How DrayTek Vigor works with Purple guest WiFi

Purple is a cloud overlay. Your Vigor router keeps running the WiFi; Purple runs the guest experience through features the Vigor already supports.

  • External captive portal. DrayTek's Hotspot Web Portal can use an external server, so you point it at Purple. A new device is redirected to your Purple splash page, the visitor signs in, and control returns to the Vigor.
  • RADIUS. The Vigor checks each sign-in against Purple's external RADIUS server on the standard ports, 1812 for authentication and 1813 for accounting. The accounting data is what powers your visitor analytics.

A walled garden, a short allow-list of destination domains a device can reach before it signs in, lets the splash page load and any payment or social-login steps complete.

After you save the hotspot settings, the Vigor needs a reboot before they take effect. That is the whole model: the Vigor moves the packets, Purple owns the sign-in and the data. Because it runs on standard external web authentication and RADIUS, it works the same way across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme and Fortinet. Purple is hardware-agnostic by design.
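
The RADIUS check described above, as an added example that is not Purple's or DrayTek's code: how a RADIUS client (the role the Vigor plays) can authenticate an Access-Accept against the shared secret and read the VLAN attributes named in the podcast transcript. The function names, the secret and the sample packet are constructed for illustration; attribute numbers and values follow RFC 2865, RFC 2868 and RFC 3580, and nothing here describes DrayOS internals.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                                   # RFC 2865 packet code
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6           # RFC 3580 VLAN values


def parse_attributes(data):
    """Split a RADIUS attribute area into {type: value}; last duplicate wins."""
    attrs, i = {}, 0
    while i < len(data):
        if len(data) - i < 2 or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def vlan_from_access_accept(packet, request_authenticator, secret):
    """Return the assigned VLAN ID, or None; raise ValueError if not authentic."""
    length_ok = len(packet) >= 20 and struct.unpack("!H", packet[2:4])[0] == len(packet)
    if not length_ok or packet[0] != ACCESS_ACCEPT:
        raise ValueError("not a well-formed Access-Accept")
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs = parse_attributes(packet[20:])
    # Tunnel-Type and Tunnel-Medium-Type: one tag byte, then a 3-byte value
    ttype = int.from_bytes(attrs.get(TUNNEL_TYPE, b"")[1:], "big")
    medium = int.from_bytes(attrs.get(TUNNEL_MEDIUM_TYPE, b"")[1:], "big")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if ttype != TUNNEL_TYPE_VLAN or medium != MEDIUM_IEEE_802 or not group:
        return None
    if group[0] <= 0x1F:                            # optional leading tag byte
        group = group[1:]
    return int(group.decode("ascii"))


def build_access_accept(ident, request_authenticator, secret, vlan):
    """Construct a sample Access-Accept (constructed test data, not a capture)."""
    def attr(t, v):
        return bytes([t, len(v) + 2]) + v
    body = (attr(TUNNEL_TYPE, b"\x00" + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode("ascii")))
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    return header + hashlib.md5(header + request_authenticator + body + secret).digest() + body
```

A reply whose authenticator does not verify is rejected before any attribute is read, so a VLAN assignment is only ever taken from a server that holds the shared secret.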

What you need

  • A supported DrayTek Vigor router with admin access to its web interface.
  • A Purple venue with your splash page and sign-in journey set up.
  • Your Purple RADIUS details and walled garden domains, from your Purple dashboard.

Set it up with Purple

The exact settings (the Hotspot Web Portal profile, the external captive portal URL, the external RADIUS server, the destination domains and the landing page) are documented step by step in Purple's support guide, with the precise values to enter and the list of supported Vigor models.

DrayTek Vigor Series setup guide

Follow that guide for the configuration, and remember to reboot the router once you are done. This page explains how the pieces fit together, so you know what each step is doing.

What you get

Once guests sign in through Purple, every visit becomes verified, conscious-choice opt-in first-party data: who visited, how often, and how to reach them with permission. That is the difference between WiFi that connects people and WiFi that builds a marketing audience you own. Purple is GDPR-aligned and ISO 27001 certified, with 99.999% uptime across more than 80,000 live venues.

Key Definitions

Captive portal

The sign-in page a visitor sees before they get online. Purple hosts and runs it; the Vigor redirects devices to it.

The guest experience layer Purple adds on top of your Vigor WiFi.

Hotspot Web Portal

A Vigor feature that, set to an external server, sends unauthenticated devices to an externally hosted sign-in page.

The DrayTek feature that hands the guest to the Purple splash page.

RADIUS

A standard protocol for checking sign-ins and recording session data, on ports 1812 (authentication) and 1813 (accounting).

How the Vigor validates each guest against Purple and feeds analytics.

Walled garden

A short allow-list of destination domains a device can reach before it has signed in.

Lets the splash page, payments and social login load pre-authentication.

Reboot requirement

The Vigor must be rebooted after the hotspot settings are saved for them to take effect.

A DrayTek-specific step to finish setup.