Welcome to the Purple technical series. I'm your host, and today we're walking through one of the more nuanced enterprise WiFi integrations we see in the field - Huawei AirEngine access points and the CloudCampus iMaster NCE-Campus controller, integrated with Purple for guest WiFi, staff authentication, and multi-tenant network segmentation.
If you're a network architect or IT manager running a Huawei estate - whether that's a hotel group, a retail chain, a conference centre, or a public-sector campus - this episode is for you. We'll cover the full stack: captive portal redirection, pre-authentication ACLs, secure staff WiFi using 802.1X, and Huawei's Private Pre-Shared Key feature for dynamic VLAN steering across multiple tenants.
Let's get into it.
Section one: Context and architecture.
Huawei's AirEngine portfolio - covering the 5700, 6700, 8700, and 9700 series - runs on WiFi 6 and WiFi 6E, with the top-end 9700 series supporting WiFi 7. These are serious enterprise access points. The management layer is iMaster NCE-Campus, Huawei's cloud-based network controller, which handles everything from SSID provisioning and RADIUS relay to policy enforcement and syslog forwarding.
Purple sits above this as a cloud overlay. We operate across 80,000 live venues and have processed 440 million logins in 2024 alone. We're hardware-agnostic - meaning we integrate with Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, and yes, Huawei AirEngine - using the same RADIUS and captive portal standards that every enterprise controller supports.
The integration model here is straightforward. iMaster NCE-Campus acts as the RADIUS relay, forwarding authentication requests from the access points to Purple's RADIUS servers. Purple handles the authentication logic - whether that's a guest splash page, an 802.1X credential check, or a PPSK lookup - and returns the appropriate RADIUS response, including any dynamic VLAN assignment attributes.
Section two: Guest WiFi and captive portal configuration.
Let's start with the most common deployment: guest WiFi with a Purple captive portal.
In iMaster NCE-Campus, you navigate to Design, then Network Design, then Template Management. You create a RADIUS Relay Server template. The key parameters are: set the authentication service to Portal authentication, add Purple's RADIUS server IP addresses on UDP port 1812 for authentication and 1813 for accounting, set the NAS identifier to Device MAC, and configure the shared secret. Purple provides these RADIUS credentials from the venue configuration screen in the Purple dashboard.
Next, you create an ACL - this is your Walled Garden. Before a guest authenticates, they need to reach Purple's splash page and any supporting domains. Your ACL rules should permit DNS on UDP 53, permit HTTPS to Purple's portal domain, and permit any social login providers you've enabled - for example, Facebook's graph API endpoints if you're using social sign-on. Everything else is denied pre-authentication.
Then you configure the SSID. Set the network type to Open, select Open plus Portal authentication, set the authentication type to Relay authentication by cloud platform, and choose RADIUS relay as the interconnection mode. Set the page push protocol to HTTPS. In the third-party portal authentication parameters, paste in the Purple redirect URL - this is the splash page URL you copy from the Purple venue dashboard, with the suffix modified to include the Huawei-specific parameters: ap-mac, uaddress, umac, ssid, and redirect-url.
Finally, create a URL template in iMaster NCE-Campus that maps these parameter names to the values Huawei passes in the redirect. The parameter mapping is: redirect-url to redirect-url, loginurl to login-url, device-mac to ap-mac, user-ip to uaddress, user-mac to umac, and ssid to ssid.
Once this is configured, a guest connects to the SSID, gets a DHCP address, and their HTTP traffic is intercepted by the controller and redirected to the Purple splash page. They authenticate - via email, social login, or SMS verification - and Purple's RADIUS server sends an Access-Accept back to iMaster NCE-Campus, which grants the guest full internet access.
From a data perspective, Purple captures first-party consent data at this point. Every login is a conscious-choice opt-in, compliant with GDPR and CCPA. That data feeds Purple's analytics platform, giving you session duration, device type, repeat visitor rates, and dwell time - all without any third-party tracking.
Section three: Secure staff WiFi with 802.1X.
Now let's talk about staff WiFi. This is a different security posture entirely. You don't want staff on the same network segment as guests, and you don't want shared PSK passwords that walk out the door when someone leaves.
The answer is 802.1X authentication, defined in IEEE 802.1X-2020, using EAP-TLS or EAP-PEAP. In iMaster NCE-Campus, you create a separate SSID for staff - let's call it CorpNet. In the authentication profile for this SSID, you set the authentication mode to 802.1X, point it at Purple's RADIUS server, and set the security profile to WPA2-Enterprise or WPA3-Enterprise with AES-CCMP encryption.
Purple acts as the RADIUS server here too, but now it's validating credentials against your identity provider. Purple integrates natively with Microsoft Entra ID, Okta, and Google Workspace. When a staff member connects to CorpNet, their device sends EAP credentials to the access point, which relays them via RADIUS to Purple, which validates them against Entra ID using SCIM or SAML. If the credentials are valid, Purple returns an Access-Accept with a RADIUS attribute specifying the staff VLAN - say VLAN 20. iMaster NCE-Campus steers the client into that VLAN automatically.
The key RADIUS attributes for dynamic VLAN assignment are: Tunnel-Type set to VLAN or the value 13, Tunnel-Medium-Type set to 802 or the value 6, and Tunnel-Private-Group-ID set to the VLAN ID. These three attributes together tell the Huawei controller exactly which VLAN to assign the authenticated client to.
For EAP-TLS specifically - which is the gold standard for staff authentication - you need client certificates. Purple's SecurePass add-on handles certificate issuance and lifecycle management, integrating with your existing PKI or acting as a lightweight certificate authority. This eliminates password-based attacks entirely. No password, no phishing vector.
Section four: Multi-tenant segmentation with Huawei PPSK.
This is where it gets genuinely interesting. If you're running a mixed-use venue - a shopping centre with multiple retail tenants, a co-working space with multiple member companies, or a conference centre hosting concurrent events - you need network isolation between tenants without deploying a separate SSID for each one.
Huawei's PPSK feature - Private Pre-Shared Key - solves this. It's sometimes called iPSK in other vendor ecosystems. The concept is: one SSID, multiple unique passwords, each password mapped to a specific VLAN. Tenant A gets password Alpha, which maps to VLAN 30. Tenant B gets password Beta, which maps to VLAN 40. Both tenants see the same SSID, but they're completely isolated at Layer 2.
In the Huawei CLI, you configure this in WLAN view using the ppsk-user command. For each tenant, you run: ppsk-user psk pass-phrase, followed by the unique passphrase, then user-name, the tenant identifier, then vlan, the VLAN ID, then ssid, the SSID name. You can also set an expiry date, a maximum device count, and bind to a specific MAC address if you need tighter control.
In iMaster NCE-Campus, the PPSK lookup can be handled locally on the controller, or - for large-scale deployments - via RADIUS. When RADIUS-backed PPSK is used, Purple becomes the authoritative source for PPSK-to-VLAN mappings. A tenant's device connects with their unique passphrase, the controller sends a RADIUS Access-Request to Purple with the passphrase as the credential, Purple looks up the mapping, and returns an Access-Accept with the three VLAN tunnel attributes. The controller steers the client into the correct VLAN.
This architecture scales to hundreds of tenants on a single SSID. It also means you can provision, rotate, and revoke tenant credentials from the Purple dashboard without touching the controller configuration.
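The three tunnel attributes described for staff 802.1X and again for RADIUS-backed PPSK can be checked in a captured Access-Accept before blaming the controller or the trunk. The following is an added example, not code from Purple or Huawei: it parses a raw RADIUS packet and returns the VLAN it assigns. The function names and the sample packet are constructed for illustration, and the Response Authenticator is not verified.

```python
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP_ID = 64, 65, 81  # RFC 2868 attribute numbers
VLAN, IEEE_802 = 13, 6  # the values quoted in the transcript

def parse_attributes(packet):
    """Split a raw RADIUS packet into (code, {attr_type: value_bytes})."""
    length = int.from_bytes(packet[2:4], "big")
    if len(packet) < 20 or not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS header or length field")
    attrs, pos = {}, 20  # attributes start after code, id, length, authenticator
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])  # keep the first instance
        pos += a_len
    return packet[0], attrs

def tagged_int(value):
    """Tunnel-Type and Tunnel-Medium-Type: one tag byte, then a 3-byte integer."""
    if len(value) != 4:
        raise ValueError("tunnel attribute must carry 4 value bytes")
    return int.from_bytes(value[1:], "big")

def assigned_vlan(packet):
    """Return the VLAN ID an Access-Accept assigns, or raise ValueError."""
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    missing = [t for t in (TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_GROUP_ID) if t not in attrs]
    if missing:
        raise ValueError(f"missing tunnel attributes: {missing}")
    if tagged_int(attrs[TUNNEL_TYPE]) != VLAN or tagged_int(attrs[TUNNEL_MEDIUM]) != IEEE_802:
        raise ValueError("Tunnel-Type/Tunnel-Medium-Type are not VLAN (13) / 802 (6)")
    group = attrs[TUNNEL_GROUP_ID]
    if group and group[0] <= 0x1F:  # optional leading tag byte
        group = group[1:]
    text = group.decode("ascii")
    if not text.isdigit() or not 1 <= int(text) <= 4094:
        raise ValueError(f"Tunnel-Private-Group-ID {text!r} is not a VLAN ID in 1-4094")
    return int(text)

def build_packet(code, attrs):
    """Constructed sample input with a zeroed authenticator, not a captured reply."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return bytes([code, 1]) + (20 + len(body)).to_bytes(2, "big") + bytes(16) + body

SAMPLE_ACCEPT = build_packet(ACCESS_ACCEPT, [  # staff VLAN 20 from the transcript
    (TUNNEL_TYPE, b"\x00\x00\x00\x0d"), (TUNNEL_MEDIUM, b"\x00\x00\x00\x06"),
    (TUNNEL_GROUP_ID, b"20")])
```

A ValueError naming a missing attribute points at the RADIUS policy, while a clean VLAN ID combined with a client DHCP timeout points at the trunk.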
Section five: Implementation pitfalls and how to avoid them.
Let me give you the three failure modes I see most often in Huawei and Purple deployments.
First: the Walled Garden is incomplete. Guests hit the SSID, get redirected to the splash page, but the page won't load because a required domain - often a CDN endpoint or a social login API - is blocked by the pre-auth ACL. The fix is to test the splash page flow from a fresh device before go-live, capture the DNS queries and HTTPS connections it makes, and add every required domain to the ACL. Purple publishes a list of required domains in the integration documentation.
Second: RADIUS shared secret mismatch. The secret configured in iMaster NCE-Campus must exactly match the secret in the Purple dashboard. A single character difference causes silent authentication failures - the controller logs show Access-Reject with no useful error message. Always copy-paste the secret, never type it manually.
Third: VLAN trunk misconfiguration. Dynamic VLAN assignment via RADIUS only works if the VLAN is already trunked on the uplink port between the access point and the aggregation switch. If VLAN 20 isn't in the trunk allow-pass list on the switch interface, authenticated staff clients will get a DHCP timeout and appear to fail authentication. Audit your trunk configurations before testing RADIUS-assigned VLANs.
Section six: Rapid-fire questions.
Question: Can I use Purple's built-in RADIUS with Huawei's on-premises iMaster NCE-Campus deployment, not the cloud version?
Yes. Purple's RADIUS servers are cloud-hosted and reachable over the internet. Your on-premises iMaster NCE-Campus controller needs outbound UDP 1812 and 1813 to Purple's RADIUS IP ranges. Purple publishes these IP ranges in the dashboard under venue settings.
Question: Does Huawei PPSK support WPA3-SAE?
As of AirEngine firmware V600R025, WPA3-SAE-PPSK is supported on the 6700 and 9700 series. Check your firmware version before enabling WPA3 on PPSK SSIDs.
Question: How does Purple handle GDPR consent for guest WiFi on Huawei hardware?
Purple's splash page collects consent at the point of authentication. The consent record - including timestamp, IP address, and the specific terms accepted - is stored in Purple's platform and is exportable for compliance audits. This applies regardless of the underlying hardware vendor.
Section seven: Summary and next steps.
To recap: Huawei AirEngine and iMaster NCE-Campus integrate with Purple via RADIUS relay for guest captive portal, 802.1X for staff WiFi, and PPSK for multi-tenant VLAN segmentation. The configuration lives in iMaster NCE-Campus under Design, Network Design, Template Management for RADIUS and ACL setup, and under Provision, Device Configuration, Site Configuration for SSID and authentication profile binding.
Your next steps: pull the Purple RADIUS credentials from your venue dashboard, configure the RADIUS relay server template in iMaster NCE-Campus, build your Walled Garden ACL, create the guest SSID with Open plus Portal authentication, and test end-to-end with a fresh device before rolling out to the floor.
If you're deploying PPSK for multi-tenant isolation, plan your VLAN scheme first - make sure every tenant VLAN is trunked end-to-end before you configure a single PPSK user.
For the full step-by-step configuration guide, including CLI examples and architecture diagrams, read the complete written guide on the Purple website. Thanks for listening.