MikroTik RouterOS Captive Portal and Purple WiFi Integration Guide

This technical guide provides step-by-step instructions for integrating MikroTik RouterOS with Purple's WiFi platform. It covers Guest WiFi captive portal configuration, Staff WiFi 802.1X authentication, and Multi-Tenant WiFi using Private PSKs for dynamic VLAN segmentation.

📖 4 min read📝 872 words🔧 2 worked examples❓ 3 practice questions📚 8 key definitions

Listen to this guide

View podcast transcript

MikroTik RouterOS Captive Portal and Purple WiFi Integration Guide - Podcast Script

[INTRO - approximately 1 minute]

Welcome. If you're managing WiFi infrastructure at a hotel, a retail chain, a stadium, or a conference centre, and you're running MikroTik RouterOS, this episode is for you.

I'm going to walk you through exactly how to integrate MikroTik's Hotspot Gateway with Purple's guest WiFi platform - covering three distinct use cases: guest WiFi with a captive portal and walled garden, secure staff WiFi using 802.1X, and multi-tenant network segregation using MikroTik's Private Pre-Shared Key feature.

This isn't a theoretical overview. By the end of this, you'll have the specific CLI commands, RADIUS attributes, and configuration logic you need to deploy or audit these setups yourself.

Let's get into it.

[TECHNICAL DEEP-DIVE - approximately 5 minutes]

Part one: Guest WiFi and the MikroTik captive portal.

MikroTik's Hotspot Gateway is the engine behind guest WiFi redirection on RouterOS. When a visitor connects to your guest SSID, the Hotspot Gateway intercepts their HTTP traffic and redirects them to a splash page - that's your captive portal. Purple hosts that splash page. Your MikroTik router acts as the Hotspot Gateway and RADIUS client. Purple's platform acts as the RADIUS server.

Here's how you set it up. First, run the Hotspot Setup wizard from the IP menu in Winbox or via the CLI. You'll assign it to your guest-facing interface - typically a VLAN interface or a bridge port. Set your local address pool, configure your DNS servers, and give the hotspot a DNS name. That DNS name is what guests see in their browser before they authenticate.

Once the wizard completes, you need to point the hotspot profile at Purple's RADIUS server. In the CLI, that looks like this:

/radius add service=hotspot address=YOUR-PURPLE-RADIUS-IP secret=YOUR-SHARED-SECRET authentication-port=1812 accounting-port=1813

Then enable RADIUS on the hotspot profile:

/ip hotspot profile set default use-radius=yes

Purple will provide you with the RADIUS IP address, the shared secret, and the splash page URL when you set up your venue in the Purple dashboard.

Now, the walled garden. This is critical. Before a guest authenticates, their device needs to be able to reach Purple's splash page and any OAuth providers you're using - Google, Facebook, and so on. Without walled garden entries, the redirect loop breaks and guests can't log in.

In RouterOS, you add walled garden entries under IP, Hotspot, Walled Garden. You need to add Purple's splash page domain, any social login domains, and any CDN hosts that serve the login page assets. Purple's documentation lists the exact domains for your region. Add them as IP entries or hostname entries - hostname entries are more resilient when IP addresses change.

The key RADIUS attributes Purple returns on a successful authentication include the session timeout, which controls how long a guest stays connected before being prompted again, and optionally a bandwidth rate limit using the Mikrotik-Rate-Limit vendor-specific attribute. This lets you enforce fair-use policies per guest session directly from the Purple dashboard without touching the router config.

Part two: Secure Staff WiFi with 802.1X.

This is where you move away from shared passwords entirely. IEEE 802.1X is the standard for port-based network access control. On a MikroTik wireless interface, you enable WPA2-Enterprise or WPA3-Enterprise authentication, which means the access point becomes an authenticator - it passes EAP credentials from the staff device to a RADIUS server, which validates them and returns an Access-Accept or Access-Reject.

Purple's Staff WiFi product integrates with Microsoft Entra ID, Okta, and Google Workspace as identity providers. When a staff member's device connects, it presents a certificate or username and password via PEAP-MSCHAPv2. Purple's RADIUS server validates that credential against your identity provider in real time.

On the MikroTik side, you configure the wireless security profile with authentication-types set to wpa2-eap, and you point the RADIUS client at Purple's server with service=wireless. In CAPsMAN - that's MikroTik's centralised access point management system - you set this at the security configuration level so it applies across all your managed access points consistently.

The RADIUS server can return the Mikrotik-Wireless-VLANID attribute to place authenticated staff on a specific VLAN. This is how you enforce network segmentation - finance staff land on VLAN 10, operations on VLAN 20, and so on - all from a single SSID, all driven by identity.

For automatic revocation - when a staff member leaves - Purple's integration with your identity provider means that when you disable the account in Entra ID or Okta, the next re-authentication attempt fails and the device is disconnected. No manual router config changes required.

Part three: Multi-Tenant WiFi with Private Pre-Shared Keys.

This is the most architecturally interesting of the three. Private PSK - sometimes called PPSK or iPSK - lets you run a single SSID where each tenant, resident, or device group connects with a unique passphrase, and each passphrase maps to a different VLAN.

On MikroTik, this works through MAC-based RADIUS authentication on the wireless interface. When a device connects, the access point sends the device's MAC address to the RADIUS server as the username. The RADIUS server - either MikroTik's own User Manager in RouterOS 7, or FreeRADIUS - looks up that MAC address and returns two vendor-specific attributes: Mikrotik-Wireless-Psk, which is the per-device passphrase, and Mikrotik-Wireless-VLANID, which places the device on the correct VLAN.

The wireless security profile needs radius-mac-authentication set to yes, and the RADIUS client needs service=wireless.

In practice, for a build-to-rent property with 200 apartments, you'd pre-register each resident's device MAC addresses in Purple's platform when they move in. Purple maps each MAC to a unique PSK and a VLAN corresponding to that apartment's network segment. The resident connects using their apartment passphrase. Their devices land on an isolated VLAN. Their neighbour's devices are on a completely separate VLAN. Neither can see the other's traffic.

For devices that don't support 802.1X - smart TVs, games consoles, IoT devices - this approach is the practical alternative. The device just needs to support WPA2-PSK, which everything does.

[IMPLEMENTATION RECOMMENDATIONS AND PITFALLS - approximately 2 minutes]

Let me give you the four things that most commonly go wrong in these deployments.

First: walled garden gaps. If Purple's splash page fails to load, check your walled garden entries. The most common culprit is a missing CDN domain or a social login redirect that isn't whitelisted. Use the MikroTik torch tool or packet sniffer to watch what DNS queries are being blocked before authentication.

Second: RADIUS timeout mismatches. MikroTik's default RADIUS timeout is 1,100 milliseconds. If Purple's RADIUS server is geographically distant or the network path has latency, you'll see intermittent authentication failures. Increase the timeout to 3,000 milliseconds and configure a backup RADIUS server for resilience.

Third: VLAN filtering not enabled on the bridge. Dynamic VLAN assignment via RADIUS only works if bridge VLAN filtering is enabled. This is a RouterOS requirement. If you're seeing all clients land on the default VLAN regardless of what RADIUS returns, check that vlan-filtering=yes is set on your bridge interface.

Fourth: CAPsMAN version mismatch. If you're running a mix of CAPsMAN version 2 and version 3 managed access points, VLAN tagging behaviour can differ. Standardise on RouterOS 7 with CAPsMAN version 3 across your AP estate before deploying dynamic VLAN features.

One architectural recommendation: run your guest, staff, and management traffic on separate VLANs from day one, even if you're not using all three Purple use cases immediately. Retrofitting VLAN segmentation onto a flat network is significantly more disruptive than building it in from the start.

[RAPID-FIRE Q AND A - approximately 1 minute]

Can I use MikroTik's built-in User Manager instead of an external RADIUS server?

Yes, for smaller deployments. User Manager in RouterOS 7 supports PEAP-MSCHAPv2 for wireless 802.1X and can return the Mikrotik-Wireless-VLANID attribute. For production deployments with Purple, you'll use Purple's hosted RADIUS infrastructure, which handles the identity provider integration and session management for you.

Does Purple support MikroTik CAPsMAN?

Yes. Purple is hardware-agnostic. The integration works at the RADIUS and hotspot redirect level, so it's compatible with standalone MikroTik access points and CAPsMAN-managed deployments equally.

What RouterOS version do I need?

RouterOS 7.x is recommended for all three use cases covered in this guide. Dynamic VLAN assignment via wireless RADIUS and the updated User Manager are RouterOS 7 features. RouterOS 6.x supports hotspot and basic RADIUS authentication but lacks some of the wireless VLAN capabilities.

[SUMMARY AND NEXT STEPS - approximately 1 minute]

To summarise: MikroTik RouterOS gives you three distinct integration points with Purple. The Hotspot Gateway handles guest WiFi redirection and captive portal authentication. The wireless 802.1X configuration with RADIUS handles secure staff WiFi with identity-based access. And MAC-based RADIUS authentication with Private PSK handles multi-tenant network segregation for residential and mixed-use properties.

The common thread across all three is RADIUS. Get your RADIUS client configuration right - correct IP, correct shared secret, correct service type, correct timeout - and the rest follows.

Your next steps: log into your Purple dashboard, navigate to the venue configuration, and grab your RADIUS credentials. Then follow the CLI commands in the written guide to configure your hotspot profile, your wireless security profile, and your walled garden entries. Test with a single access point before rolling out to your full estate.

If you're deploying this at scale - multiple sites, hundreds of access points - Purple's Professional Services team can support the rollout. Purple runs across 80,000 live venues globally, with 99.999% uptime, and is certified to ISO 27001, GDPR, and Cyber Essentials.

Thanks for listening. The full written guide with all CLI commands, RADIUS attribute tables, and worked examples is linked in the show notes.

Executive Summary

Integrating MikroTik RouterOS with Purple creates a unified, identity-driven network across guest, staff, and multi-tenant environments. This guide delivers the specific configuration logic required to deploy Purple's cloud overlay across MikroTik hardware. You will learn how to configure the RouterOS Hotspot Gateway for Guest WiFi redirection, implement IEEE 802.1X for secure Staff WiFi, and deploy Private Pre-Shared Keys (PPSK) to isolate Multi-Tenant WiFi traffic.

By following these deployment models, you segment your network securely while capturing first-party data for WiFi Analytics . Purple processed 440 million logins in 2024 with 99.999% uptime, making this architecture suitable for high-density environments in Retail , Hospitality , and Transport .

Technical Deep-Dive

Guest WiFi: Captive Portal and Walled Garden

The MikroTik Hotspot Gateway intercepts unauthenticated HTTP traffic and redirects it to Purple's hosted captive portal. Purple acts as the RADIUS server, handling authentication and session management.

To ensure the captive portal loads correctly, you must configure a walled garden. This allows pre-authentication access to Purple's splash page domains, Content Delivery Networks (CDNs), and OAuth providers (such as Google Workspace and Microsoft Entra ID). Without these entries, the redirect loop breaks.

Upon successful authentication, Purple's RADIUS server returns standard attributes, including Session-Timeout to enforce connection limits, and optionally Mikrotik-Rate-Limit to enforce bandwidth constraints directly from the Purple dashboard.

Staff WiFi: 802.1X Authentication

For Staff WiFi, you eliminate shared passwords by deploying IEEE 802.1X. The MikroTik access point acts as the authenticator, passing EAP credentials to Purple's RADIUS server. Purple integrates natively with Microsoft Entra ID, Okta, and Google Workspace, validating credentials via PEAP-MSCHAPv2 or EAP-TLS.

When a staff member connects, Purple's RADIUS server can return the Mikrotik-Wireless-VLANID attribute. This instructs the MikroTik router to place the authenticated device onto a specific VLAN, enabling role-based network segmentation from a single SSID. For a broader overview of security standards, refer to Enterprise WiFi Security: A Complete Guide for 2026 .

Multi-Tenant WiFi: Private PSK (PPSK)

Multi-Tenant environments require secure isolation without the complexity of 802.1X, as many consumer devices (such as smart TVs and games consoles) do not support it. MikroTik supports Private PSK (PPSK) via MAC-based RADIUS authentication.

When a device connects to the SSID, the MikroTik router sends the device MAC address to Purple. Purple returns the Mikrotik-Wireless-Psk attribute (the unique passphrase for that tenant) and the Mikrotik-Wireless-VLANID attribute. This architecture allows hundreds of tenants to share a single SSID while remaining in completely isolated network bubbles.

Implementation Guide

1. Configuring the RADIUS Client

First, define Purple as the RADIUS server in RouterOS. This applies to all three use cases.

/radius
add address=YOUR-PURPLE-RADIUS-IP secret=YOUR-SHARED-SECRET service=hotspot,wireless authentication-port=1812 accounting-port=1813 timeout=3000ms

2. Guest WiFi Hotspot Setup

Run the Hotspot setup wizard on your guest VLAN interface, then enable RADIUS authentication on the resulting profile.

/ip hotspot profile
set [ find default=yes ] use-radius=yes radius-accounting=yes

Configure the walled garden to allow access to Purple's infrastructure.

/ip hotspot walled-garden
add action=allow dst-host=*purple.ai
add action=allow dst-host=*purpleportal.net

3. Staff WiFi 802.1X Setup

Configure the wireless security profile to use WPA2-Enterprise and point it to the RADIUS server.

/interface wireless security-profiles
add authentication-types=wpa2-eap eap-methods=passthrough mode=dynamic-keys name=staff-8021x radius-mac-authentication=no

Ensure bridge VLAN filtering is enabled to support dynamic VLAN assignment.

/interface bridge
set bridge1 vlan-filtering=yes

4. Multi-Tenant PPSK Setup

For PPSK, enable MAC authentication on the wireless security profile and configure the MAC address format.

/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys name=multi-tenant-ppsk radius-mac-authentication=yes radius-mac-format=XX:XX:XX:XX:XX:XX

Best Practices

Standardise on RouterOS 7: Dynamic VLAN assignment via wireless RADIUS is significantly more robust in RouterOS 7 compared to RouterOS 6.
Increase RADIUS Timeouts: The default MikroTik RADIUS timeout is 1100ms. Increase this to 3000ms to prevent intermittent authentication failures caused by network latency.
Use Hostname Walled Garden Entries: Always use dst-host instead of dst-address for walled garden entries, as cloud infrastructure IP addresses change frequently.
Enable Bridge VLAN Filtering: Dynamic VLAN assignment via RADIUS (Mikrotik-Wireless-VLANID) requires vlan-filtering=yes on the bridge interface.

Troubleshooting & Risk Mitigation

If the captive portal fails to load, the walled garden is almost certainly incomplete. Use the MikroTik Torch tool to monitor dropped DNS queries from unauthenticated clients on the guest VLAN. Add the missing domains to the walled garden.

If 802.1X clients fail to authenticate, verify the shared secret and ensure the RADIUS client is configured with service=wireless. Check the Purple dashboard logs to confirm whether the Access-Reject is originating from Purple or your identity provider.

If clients authenticate but receive the wrong IP address, confirm that bridge VLAN filtering is enabled and that the DHCP server is correctly bound to the dynamically assigned VLAN interface.

ROI & Business Impact

Deploying Purple across your MikroTik infrastructure transforms a cost centre into a revenue generator. By capturing first-party data, venues can build detailed digital profiles and automate marketing campaigns. For example, Avanti West Coast drove a 463% return on investment by capitalising on repeat travellers and upsell opportunities.

Furthermore, identity-driven networking reduces IT overhead. Automating onboarding and offboarding for Staff WiFi via Entra ID eliminates manual password management, while PPSK for Multi-Tenant WiFi allows property managers to provision isolated networks without deploying dedicated hardware per unit.

Key Definitions

Hotspot Gateway

A RouterOS feature that intercepts unauthenticated HTTP traffic and redirects it to a captive portal splash page.

Used to capture guest data and enforce terms of service before granting internet access.

Walled Garden

A list of allowed destinations that unauthenticated users can access.

Critical for allowing guests to reach the Purple splash page, CDNs, and OAuth providers (like Google) to complete the login process.

802.1X

An IEEE standard for port-based network access control that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

Used for secure Staff WiFi, allowing authentication via Entra ID or Okta instead of a shared password.

Private PSK (PPSK)

A security architecture where multiple unique Pre-Shared Keys are used on a single SSID, often tied to specific MAC addresses and VLANs.

Ideal for Multi-Tenant WiFi, providing isolated network bubbles for residents and their consumer devices.

RADIUS

Remote Authentication Dial-In User Service. A networking protocol that provides centralised Authentication, Authorization, and Accounting (AAA) management.

The core protocol linking MikroTik hardware to Purple's cloud platform for identity validation.

VLAN Filtering

A RouterOS bridge setting that enforces VLAN tagging and untagging rules on bridge ports.

Must be enabled for dynamic VLAN assignment via RADIUS to function correctly.

CAPsMAN

Controlled Access Point system Manager. MikroTik's centralised wireless management system.

Used to deploy consistent wireless security profiles and RADIUS settings across multiple access points.

EAP-TLS

Extensible Authentication Protocol - Transport Layer Security. A highly secure authentication method requiring client-side certificates.

Supported by Purple for zero-trust Staff WiFi deployments where passwordless authentication is required.

Worked Examples

A 200-room hotel needs to deploy secure Staff WiFi across their MikroTik access points. They want finance staff on VLAN 10 and operations staff on VLAN 20, using their existing Microsoft Entra ID credentials.

Integrate Purple with Microsoft Entra ID in the Purple dashboard.
Configure the MikroTik RADIUS client to point to Purple with service=wireless.
Create a MikroTik wireless security profile with authentication-types=wpa2-eap.
Enable vlan-filtering=yes on the MikroTik bridge.
In Purple, map the Entra ID 'Finance' group to return Mikrotik-Wireless-VLANID=10 and the 'Operations' group to return Mikrotik-Wireless-VLANID=20.

Examiner's Commentary: This approach uses IEEE 802.1X for secure, passwordless authentication. By relying on Entra ID groups and RADIUS attributes, the network dynamically segments traffic at the edge, reducing the attack surface and eliminating manual VLAN configuration on the router.

A build-to-rent property manager needs to provide isolated WiFi networks for 50 apartments using a single SSID broadcast from MikroTik CAPsMAN.

Configure the MikroTik wireless security profile for the SSID with authentication-types=wpa2-psk and radius-mac-authentication=yes.
Ensure the RADIUS client is configured with service=wireless pointing to Purple.
In the Purple dashboard, register the MAC addresses of the residents' devices.
Assign a unique PSK and VLAN ID to each apartment in Purple.
When a device connects, Purple returns the Mikrotik-Wireless-Psk and Mikrotik-Wireless-VLANID attributes, placing the device in its isolated network bubble.

Examiner's Commentary: This Private PSK (PPSK) architecture provides enterprise-grade isolation while supporting consumer devices that lack 802.1X capabilities. It scales efficiently and allows centralised management via Purple.

Practice Questions

Q1. You have configured the MikroTik Hotspot Gateway and pointed it to Purple's RADIUS server. Guests connect to the SSID, but their browsers display a timeout error instead of the Purple splash page. What is the most likely configuration error?

Hint: Consider what must happen before the guest authenticates.

View model answer

The walled garden is misconfigured or missing entries. Without allowing access to Purple's splash page domains and associated CDNs in the /ip hotspot walled-garden, the unauthenticated guest cannot load the login page, resulting in a timeout.

Q2. A retail chain wants to deploy Staff WiFi using 802.1X and Entra ID. They configure `authentication-types=wpa2-eap` and set up the RADIUS client. However, authentication fails. You check the RADIUS client configuration and see `service=hotspot`. How do you resolve this?

Hint: Different wireless authentication methods require different RADIUS service types in RouterOS.

View model answer

Change the RADIUS client configuration to include service=wireless. The hotspot service type is only used for captive portal authentication. 802.1X and MAC authentication require the wireless service type.

Q3. You are deploying Multi-Tenant WiFi using Private PSKs. Purple successfully returns the `Mikrotik-Wireless-Psk` and `Mikrotik-Wireless-VLANID` attributes, and the device connects. However, the device receives an IP address from the default management subnet, not the isolated tenant subnet. What RouterOS setting is missing?

Hint: Dynamic VLAN assignment requires the bridge to process VLAN tags.

View model answer

Bridge VLAN filtering is disabled. You must set vlan-filtering=yes on the bridge interface. Without this, the bridge ignores the dynamic VLAN tag assigned by RADIUS, and the traffic falls back to the default untagged PVID.

Continue reading in this series

EnGenius Cloud Access Points Integration with Purple WiFi

This technical reference details the step-by-step integration of EnGenius Cloud Access Points and ECS switches with Purple's guest WiFi platform. It covers guest captive portal redirection via an external splash page, Walled Garden configuration, secure staff WiFi using IEEE 802.1X, and multi-tenant network isolation using EnGenius MyPSK with dynamic VLAN assignment. IT installers and network architects will find actionable configuration sequences, real-world case studies, and a troubleshooting framework for deploying Purple across EnGenius hardware estates.

DrayTek Vigor Routers and Access Points Integration with Purple WiFi

This guide provides step-by-step technical instructions for integrating DrayTek Vigor routers and VigorAP access points with Purple's cloud platform. It covers DrayTek captive portal configuration for Guest WiFi, 802.1X authentication for secure Staff WiFi, Walled Garden setup, and DrayTek Multiple PSK (PPSK) configuration for Multi-Tenant network segmentation with dynamic VLAN assignment. Designed for IT installers and SMB network administrators deploying Purple across hospitality, retail, and multi-tenant venues.