
HPE Aruba Instant and guest WiFi: captive portal setup with Purple

How HPE Aruba Instant access points, managed through Aruba Central or the Virtual Controller, work with Purple guest WiFi using an external captive portal, RADIUS and an allowlist.


Podcast transcript
Welcome to this technical briefing on integrating HPE Aruba ClearPass with the Purple WiFi platform. I'm your host, and today we're diving deep into the architecture, deployment strategies, and operational benefits of combining ClearPass Policy Manager's robust network access control with Purple's industry-leading guest WiFi and analytics capabilities. For IT managers, network architects, and CTOs managing large-scale venues — whether that's a sprawling retail chain, a high-density stadium, or a complex healthcare campus — delivering secure, segmented, and insightful wireless access is paramount. ClearPass is phenomenal at context-aware policy enforcement and 802.1X authentication for corporate devices. However, when it comes to guest onboarding, captive portals, and extracting actionable marketing analytics from visitor data, Purple is the undisputed leader. The core question we're answering today is: How do you configure ClearPass to use Purple as the captive portal, while retaining ClearPass for NAC and dynamic role-based VLAN assignment? Let's get into it.

First, let's establish the architecture. At a high level, the integration relies on standard RADIUS protocols and HTTP redirect mechanisms. Your Aruba Mobility Controllers or Instant Access Points broadcast the guest SSID. When an unauthenticated device connects, the controller intercepts the HTTP traffic and redirects the user's browser to the Purple captive portal. This redirect is the first critical piece to get right. Now, the user authenticates via Purple. This might be a social login through Facebook or Google, a custom email and password form, or even OpenRoaming, where Purple acts as a free identity provider under the Connect licence. Once Purple validates the user, it sends a RADIUS Access-Accept message back through the chain to the controller, which then grants network access. But here's where ClearPass becomes essential.

Rather than the Aruba controller talking directly to Purple's RADIUS servers, you insert ClearPass as a RADIUS proxy in the middle. The controller sends all RADIUS requests to ClearPass. ClearPass evaluates the request and, if it matches your guest service routing policy, forwards it to Purple's cloud RADIUS servers. Purple responds, and ClearPass passes that response back to the controller, but crucially, it can append its own policy attributes before doing so. This proxy architecture gives you the best of both worlds. ClearPass maintains a complete audit log of every authentication event on your network, both corporate and guest. You get a single pane of glass for security operations. And Purple handles the user-facing experience and analytics without you needing to replace your existing NAC investment.

Let's talk about dynamic VLAN assignment, because this is where things get really powerful — and where most deployments run into trouble if they're not careful. ClearPass uses a concept called Roles and Enforcement Profiles. When an authentication request comes in, ClearPass evaluates the context: who is the user, what device are they on, what time is it, what location are they connecting from? Based on these factors, it assigns a Role. For a standard guest, that might be ROLE_GUEST. For a VIP, it might be ROLE_VIP. For a contractor, ROLE_CONTRACTOR. This Role is then mapped to an Enforcement Profile, which defines the specific RADIUS attributes to return to the Aruba controller. The most important attribute here is the Aruba-User-Role Vendor-Specific Attribute, or VSA. This tells the controller exactly which role to place the user in on the wireless side. On the Aruba controller, each role maps to a specific VLAN and a set of firewall policies. So ROLE_GUEST maps to VLAN 20, with internet-only access and a 10 megabit per second bandwidth limit. ROLE_VIP maps to VLAN 40, with a 50 megabit limit. ROLE_IOT maps to VLAN 30, a completely isolated segment with no internet access, just local connectivity for smart devices.

This segmentation is not just good practice — it's a compliance requirement. Under PCI DSS, any network that touches cardholder data must be isolated from guest networks. Under GDPR, you need to be able to demonstrate that personal data collected through the guest portal is handled appropriately and that guest traffic cannot traverse your corporate infrastructure.

Now, let me walk you through a real-world scenario. A large hotel chain with 500 rooms across multiple properties. They have Aruba controllers at every site, ClearPass deployed centrally, and they want to roll out Purple for guest WiFi. The deployment looks like this. Two SSIDs per site: Hotel_Corp and Hotel_Guest. Hotel_Corp uses 802.1X with certificates, authenticated against Active Directory via ClearPass. Hotel_Guest is an open SSID that triggers the Purple captive portal. In ClearPass, they create two Services. Service One matches Hotel_Corp and handles 802.1X authentication locally. Service Two matches Hotel_Guest and uses a RADIUS Routing Policy to proxy requests to Purple. The Enforcement Policy for Service Two returns the Aruba-User-Role of guest-authenticated, which maps to VLAN 20 on the controller. For IoT devices — smart TVs, thermostats, door locks — they use a third SSID, Hotel_IoT, with MAC-based authentication. ClearPass profiles the device using its OUI and assigns ROLE_IOT, dropping it into VLAN 30. The result? Staff get full corporate access. Guests get a branded, engaging portal experience with social login and marketing opt-ins. IoT devices are isolated. And the IT team has complete visibility across all three user types in ClearPass's Access Tracker.

Now let's talk about the pitfalls, because there are several that will catch you out if you're not prepared.

Number one: the walled garden. This is the most common source of captive portal failures. Before a device is authenticated, the Aruba controller only allows traffic to a pre-defined list of destinations — the walled garden. If Purple's portal URL, its backend API endpoints, and the social login provider domains are not in that list, the portal simply won't load. You need to maintain this list proactively. Social login providers like Facebook and Google regularly change their IP ranges and CDN domains. Treat the walled garden as a living configuration.

Number two: RADIUS timeouts. The default RADIUS timeout on most Aruba controllers is three seconds. In a proxy architecture, the request travels from the AP to the controller, to ClearPass, across the internet to Purple's cloud RADIUS, and back. On a congested network, that round trip can easily exceed three seconds. Increase your timeout to at least ten seconds and configure retry logic.

Number three: shared secret mismatches. This one causes silent failures that are notoriously difficult to diagnose. The shared secret between the Aruba controller and ClearPass must match exactly. The shared secret between ClearPass and Purple's RADIUS servers must also match exactly. A single character difference will cause authentication to fail with no meaningful error message to the end user. Always double-check these.

Number four: role name case sensitivity. The Aruba-User-Role VSA returned by ClearPass must exactly match — including capitalisation — the role name defined on the Aruba controller. If ClearPass returns guest-authenticated but the controller has Guest-Authenticated defined, the user will fall back to the default role, which is typically the logon role with no internet access.

Number five: RADIUS accounting. Many deployments configure authentication proxying correctly but forget to proxy accounting as well. Purple uses RADIUS accounting data to track session duration, data usage, and to populate its analytics dashboards. If accounting isn't flowing to Purple, your analytics will be incomplete.

Let's move to the rapid-fire questions section.

Can I use a single SSID for both employees and guests? Yes, you can. Configure ClearPass to handle both 802.1X and MAC-Auth on the same SSID. Use Service Rules to differentiate the traffic type and route accordingly. It's more complex to manage but reduces SSID proliferation.

Does Purple support Change of Authorization? Yes. CoA allows the controller to dynamically update a user's session without requiring them to reconnect. This is useful for time-limited access or tier upgrades.

Can I use this integration with Aruba Instant rather than a full Mobility Controller? Yes, Aruba Instant supports external RADIUS servers and captive portal redirect. The configuration is slightly different but the principles are identical.

Does this integration work with WPA3? Yes. WPA3-SAE for personal networks and WPA3-Enterprise for 802.1X are both supported. For guest networks using captive portals, WPA3-SAE or an open SSID with Opportunistic Wireless Encryption are the typical choices.

To summarise today's briefing. The ClearPass and Purple integration is a RADIUS proxy architecture. ClearPass remains your central policy decision point for all network access. Purple handles the guest-facing experience and analytics. The Aruba controller enforces the resulting policies through dynamic VLAN assignment. The three most critical configuration elements are the walled garden, RADIUS timeouts, and role name consistency. Get those right, and you have a robust, compliant, and commercially valuable guest WiFi deployment. Thank you for listening. If you want to explore this further, visit purple.ai to speak with a solutions architect about your specific deployment.

HPE Aruba Instant access points, managed either through Aruba Central or the on-device Virtual Controller, run the radio side of your network. Purple adds the guest layer on top: the captive portal your visitors see, the sign-in journey, and the first-party data you collect. It does not replace any of your Aruba kit.

How HPE Aruba Instant works with Purple guest WiFi

Purple is a cloud overlay. Your Aruba Instant access points keep running the WiFi; Purple runs the guest experience through standard mechanisms Aruba already supports.

  • External captive portal. The guest network uses an external captive portal profile pointed at your Purple splash page, so a new device is redirected there instead of being let straight onto the internet. The visitor signs in, and Purple hands control back to the network.
  • RADIUS. Aruba is configured with a primary and a secondary RADIUS server, both pointing at Purple's RADIUS service on the standard ports: UDP 1812 for authentication and UDP 1813 for accounting. The accounting data is what powers your visitor analytics, and Aruba's dynamic authorisation lets the network act on a completed sign-in.
  • Allowlist. Aruba calls the walled garden an allowlist: a short list of addresses a device can reach before it signs in, paired with matching pre-authentication role rules so that the splash page and any payment or social-login steps can load.
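An added example, not Purple's or HPE Aruba's code, of the check a practitioner would run before going live with the allowlist: given the URLs a guest's browser loads before it is authenticated and the entries configured on the Aruba side, report any host the pre-authentication role would still block. The matching rules (exact host, *.suffix wildcard, CIDR range) and every host name below are assumptions for illustration, not Purple's real endpoints; take the real entries from your Purple dashboard.

```python
# Added example (not Purple's or HPE Aruba's code): a pre-flight check that every host a
# guest must reach before signing in is covered by the pre-authentication allowlist.
# Matching rules (exact host, *.suffix wildcard, CIDR range) are this check's own
# convention, and the host names below are constructed placeholders, not Purple's endpoints.
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


def allowlist_matches(host, entry):
    """True if one allowlist entry covers the host.

    '*.example.net' covers sub-hosts but not the bare apex, so list the apex
    separately if the journey ever loads it directly."""
    host, entry = host.lower().rstrip("."), entry.lower().rstrip(".")
    if "/" in entry:                       # CIDR range, only meaningful for IP literals
        try:
            return ip_address(host) in ip_network(entry, strict=False)
        except ValueError:
            return False
    if entry.startswith("*."):
        return host.endswith(entry[1:]) and host != entry[2:]
    return host == entry


def hosts_in_journey(urls):
    """Every host the device contacts before it is authenticated: splash page, assets, API, login hops."""
    return {urlsplit(u).hostname.lower() for u in urls if urlsplit(u).hostname}


def missing_from_allowlist(journey_urls, allowlist):
    """Hosts the pre-authentication role would block; a non-empty result means the portal will not load."""
    return sorted(h for h in hosts_in_journey(journey_urls)
                  if not any(allowlist_matches(h, e) for e in allowlist))


# Constructed sample: what one sign-in journey loads before the guest is authenticated.
JOURNEY = [
    "https://splash.example-portal.net/venue/1234?mac=aa:bb:cc:dd:ee:ff",
    "https://cdn.example-portal.net/assets/app.js",
    "https://api.example-portal.net/v1/session",
    "https://accounts.social-login.example/oauth2/auth",
    "https://pay.example-payments.com/checkout",
    "http://203.0.113.40/health",
]
# Constructed allowlist as it might be entered on the Aruba side.
ALLOWLIST = ["*.example-portal.net", "accounts.social-login.example", "203.0.113.0/24"]

if __name__ == "__main__":
    print(missing_from_allowlist(JOURNEY, ALLOWLIST))   # ['pay.example-payments.com']
```

In the sample the payment host is the one gap, which is the failure the transcript describes: the splash page renders, the guest reaches the payment step, and that request is dropped by the pre-authentication role. Re-run the check whenever the sign-in journey or a social-login provider changes its domains.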

That is the whole model: Aruba moves the packets, Purple owns the sign-in and the data. Because it runs on standard external web authentication and RADIUS, it works the same way across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme and Fortinet. Purple is hardware-agnostic by design.
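An added example, not Purple's or HPE Aruba's code, of the RADIUS exchange behind the model above, written to RFC 2865 (authentication) and RFC 2866 (accounting) with the NAS side standing in for the access point and the server side for Purple's RADIUS service. It shows why a shared secret that differs by one character fails silently: the User-Password is hidden under the secret, and both the reply and the Accounting-Request carry an MD5 authenticator computed over it, so the receiving side simply discards the packet. Secrets, user names, the NAS address and the SSID name are constructed placeholders.

```python
# Added example (not Purple's or HPE Aruba's code): a minimal RADIUS exchange in the shape
# the page describes, following RFC 2865 (authentication) and RFC 2866 (accounting). The NAS
# side stands in for the Aruba access point, the server side for Purple's RADIUS service.
# Secrets, user names, the NAS address and the SSID name are constructed placeholders.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, CALLED_STATION_ID = 1, 2, 4, 30
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_START = 40, 44, 1

def encode_attrs(attrs):
    """Type-Length-Value encoding; Length includes the two header octets."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(16 * max(1, -(-len(password) // 16)), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def reveal_password(hidden, secret, req_auth):
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(h ^ m for h, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def packet(code, ident, authenticator, body):
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def response_authenticator(code, ident, req_auth, body, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def nas_access_request(secret, ident, username, password):
    """Aruba side: fresh random Request Authenticator, User-Password hidden under the shared secret."""
    req_auth = os.urandom(16)
    body = encode_attrs([(USER_NAME, username),
                         (USER_PASSWORD, hide_password(password, secret, req_auth)),
                         (NAS_IP_ADDRESS, bytes([10, 0, 0, 5])),      # constructed NAS address
                         (CALLED_STATION_ID, b"Hotel_Guest")])        # constructed SSID name
    return packet(ACCESS_REQUEST, ident, req_auth, body), req_auth

def server_handle_access(request, secret, users):
    """Purple side: recover the password with its own copy of the secret, then Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], dict(decode_attrs(request[20:length]))
    revealed = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    rcode = ACCESS_ACCEPT if users.get(attrs.get(USER_NAME)) == revealed else ACCESS_REJECT
    return packet(rcode, ident, response_authenticator(rcode, ident, req_auth, b"", secret), b"")

def nas_verify_response(response, req_auth, secret):
    """A reply whose authenticator fails is silently discarded, so the NAS only ever sees a timeout."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = response_authenticator(code, ident, req_auth, response[20:length], secret)
    return hmac.compare_digest(expected, response[4:20])

def nas_accounting_request(secret, ident, username, session_id):
    """RFC 2866 s3: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs([(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
                         (ACCT_SESSION_ID, session_id), (USER_NAME, username)])
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    return header + hashlib.md5(header + b"\x00" * 16 + body + secret).digest() + body

def server_verify_accounting(request, secret):
    """Accounting with a bad authenticator is dropped, so the analytics data simply never arrives."""
    header, recv_auth, body = request[:4], request[4:20], request[20:]
    return hmac.compare_digest(hashlib.md5(header + b"\x00" * 16 + body + secret).digest(), recv_auth)

def run_exchange(nas_secret, server_secret, username=b"guest@example.com", password=b"correct horse"):
    """Authentication (UDP 1812 on the wire) then accounting (UDP 1813), each side using its own secret."""
    req, req_auth = nas_access_request(nas_secret, 7, username, password)
    resp = server_handle_access(req, server_secret, {username: password})
    acct = nas_accounting_request(nas_secret, 8, username, b"0001a2b3")
    return {"code": resp[0],
            "response_verified": nas_verify_response(resp, req_auth, nas_secret),
            "accounting_verified": server_verify_accounting(acct, server_secret)}

if __name__ == "__main__":
    print(run_exchange(b"s3cret", b"s3cret"))   # code 2 (Access-Accept), both verified True
    print(run_exchange(b"s3cret", b"S3cret"))   # code 3 (Access-Reject), both verified False
```

With matching secrets the exchange returns Access-Accept and both verifications pass. Change one character of either secret and three things happen at once: the server recovers a garbled password and rejects, the access point discards the reply as forged (from its point of view the server never answered), and the accounting record fails its authenticator and is dropped. That is the silent failure the transcript warns about, and it is why a RADIUS timeout on an otherwise reachable server should prompt a secret check before a network investigation. The example keeps both sides in one process so it runs offline; real traffic goes over UDP to ports 1812 and 1813.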

What you need

  • HPE Aruba Instant access points, managed through Aruba Central or the Virtual Controller, with admin access.
  • A Purple venue with your splash page and sign-in journey set up.
  • Your Purple RADIUS details and allowlist addresses, from your Purple dashboard.

Set it up with Purple

The exact settings (the SSID, the external captive portal profile, the primary and secondary RADIUS servers, the allowlist and the pre-authentication role) are documented step by step in Purple's support guide, with the precise values to enter and both management methods, Aruba Central and the Virtual Controller, covered.

HPE Aruba Instant (IAP) setup guide

Follow that guide for the configuration. This page explains how the pieces fit together, so you know what each step is doing.

What you get

Once guests sign in through Purple, every visit becomes verified, conscious-choice opt-in first-party data: who visited, how often, and how to reach them with permission. That is the difference between WiFi that connects people and WiFi that builds a marketing audience you own. Purple is GDPR-aligned and ISO 27001 certified, with 99.999% uptime across more than 80,000 live venues.

Key Definitions

Cloud overlay

Purple sits on top of your existing hardware and runs the guest sign-in and data, without replacing the access points that move the traffic.

External captive portal

An Aruba profile that redirects a new device to an externally hosted sign-in page, your Purple splash page, before granting internet access.

RADIUS

The standard protocol used to check sign-ins and report usage, on UDP port 1812 for authentication and UDP port 1813 for accounting, configured with a primary and a secondary server.

Allowlist

Aruba's name for the walled garden: the addresses a device can reach before it has signed in, paired with pre-authentication role rules.

Aruba Central

HPE Aruba's cloud management service; the Virtual Controller is the alternative on-device interface, and both can configure the guest network.