Ruckus Unleashed and guest WiFi: captive portal setup with Purple

How Ruckus Unleashed works with Purple guest WiFi: external web authentication, RADIUS and a walled garden, with a link to Purple's step-by-step setup guide for the exact configuration.

Podcast transcript
Welcome to the Purple Technical Briefing. I'm your host, and today we're covering a deployment pattern that comes up on nearly every enterprise WiFi project we see at scale - integrating CommScope Ruckus with Purple's cloud platform. Whether you're running a hotel group, a retail estate, a stadium, or a conference centre, this episode will give you the configuration playbook you need. Let's set the scene first. Ruckus - now under CommScope - is one of the dominant enterprise WiFi platforms globally. SmartZone in particular is the controller of choice for high-density environments. Hotels like Premier Inn, large retail chains, stadiums, and convention centres all run Ruckus infrastructure. When you're deploying guest WiFi at that scale, you need more than an open SSID. You need structured authentication, GDPR-compliant data capture, and the ability to feed that guest data into your marketing stack. That's exactly where Purple comes in. Purple operates across 80,000 plus live venues, has processed 440 million logins in 2024 alone, and holds ISO 27001, GDPR, and Cyber Essentials certification. The Ruckus integration is one of our most mature deployment patterns. Now, Ruckus has three distinct controller platforms you need to understand before you touch a configuration screen. SmartZone - available as a physical SZ300 appliance or a virtual vSZ - is the enterprise controller for large, multi-site deployments. It manages thousands of access points across multiple zones, gives you deep policy control, and supports the full range of authentication methods we'll cover today. ZoneDirector is the legacy on-premises controller - still widely deployed, particularly in hospitality - and it supports the same WISPr-based captive portal flow, though with a slightly different configuration path. And Unleashed is the controller-less model, where one AP acts as the master for up to 128 others. 
It's ideal for smaller, single-site deployments - independent hotels, retail branches, SMB offices. Right. Let's get into the technical detail. I'll cover three distinct use cases: Guest WiFi with captive portal redirection, Secure Staff WiFi using 802.1X, and Multi-Tenant network isolation using Ruckus Dynamic PSK. Starting with Guest WiFi. The architecture here is a WISPr-based hotspot flow. WISPr - Wireless Internet Service Provider roaming - is an industry standard that defines how a wireless controller intercepts unauthenticated HTTP traffic and redirects it to an external portal. The guest connects to your SSID. Their device sends an HTTP request. SmartZone intercepts it and issues an HTTP 302 redirect to your external portal URL - in this case, Purple's captive portal. The guest authenticates - via social login, email, SMS, or a custom form - and then the portal communicates back to the controller via the Northbound Interface, or NBI, to grant access. On SmartZone, the configuration has four main components. First, the RADIUS authentication server profile. Navigate to Services and Profiles, then Authentication. Create a new AAA server profile. Set the Service Protocol to RADIUS. Your primary server IP and shared secret are provided in the Purple admin console. Port 1812 for authentication. Always configure a backup RADIUS server for resilience. Then create the accounting server under Services and Profiles, Accounting - port 1813, same shared secret. Second, the Hotspot WISPr profile. Go to Services and Profiles, Hotspots and Portals, and select the Hotspot WISPr tab. Create a new profile. Set the Login URL to External, and enter your portal redirect URL. Set the Start Page to redirect to your post-authentication URL - typically a success page or your venue's homepage. Now, the Walled Garden. This is where engineers trip up most often. The Walled Garden defines which domains and IP addresses a guest can reach before they've authenticated. 
You need to include your portal domain, any CDN or asset domains your portal loads from, and standard OS captive portal detection endpoints. In SmartZone, wildcards are supported using the asterisk-dot format - so star-dot-purple-dot-ai covers all subdomains. You also need Apple's captive portal detection domain - captive.apple.com - and Google's connectivity check endpoints to prevent the CNA mini-browser from misbehaving on iOS and Android devices. One critical step that's easy to miss. By default, SmartZone encrypts the MAC address and IP address it passes to the external portal in the redirect URL. Purple needs to see the actual client MAC address to perform MAC-based session management. You must disable this via the CLI. SSH into your SmartZone, enter config mode, and run: no encrypt-mac-ip. That's one command, but it's a hard blocker if you skip it. The Northbound Interface is the other essential piece. This is the API that allows Purple to communicate back to SmartZone to grant or deny access after authentication. Enable it under Administration, External Services, WISPr Northbound Interface. Set a username and password, and provide those credentials to Purple. The NBI runs on TCP port 9080 for HTTP and 9443 for HTTPS - make sure your firewall allows inbound connections from Purple's IP range to these ports. Finally, create your WLAN. Set the Authentication Type to Hotspot WISPr, select your portal profile, and assign your RADIUS authentication and accounting services. Set the NAS ID to User-defined if Purple requires a specific value, set Called Station ID to AP MAC, and enable Single Session ID. For Unleashed, the architecture is fundamentally different - it's a distributed, controller-less model. The configuration lives at Admin and Services, Services, Hotspot Services. 
The steps are broadly similar - create a Hotspot service, configure your external portal URL, set up your AAA authentication server, add your Walled Garden entries - but there are two key differences. There's no Northbound Interface requirement in Unleashed. And MAC address encryption is not applied by default, so you don't need the CLI command. Unleashed's walled garden also accepts domain-level entries rather than the full wildcard syntax. Now let's move to Secure Staff WiFi using 802.1X. This is a completely different authentication model. Instead of a captive portal, staff devices authenticate directly using the Extensible Authentication Protocol - EAP. The most common method in enterprise environments is PEAP-MSCHAPv2, where the user enters their Active Directory credentials, or EAP-TLS, where the device presents a certificate. Purple's SecurePass add-on integrates with Microsoft Entra ID, Okta, and Google Workspace to act as the RADIUS backend for this flow. On SmartZone, create a new WLAN and set the Authentication Type to 802.1X EAP. Under the AAA settings, point to your RADIUS server - Purple's SecurePass endpoint. The key difference from the guest flow is that you also configure dynamic VLAN assignment here. When Purple's RADIUS server returns an Access-Accept, it includes three IETF standard attributes: Tunnel-Type set to VLAN, value 13; Tunnel-Medium-Type set to IEEE-802, value 6; and Tunnel-Private-Group-ID containing the VLAN ID string - for example, twenty for the Staff VLAN. SmartZone reads these attributes and dynamically tags the staff member's traffic with the correct VLAN, regardless of which AP they're connected to. This is dynamic VLAN steering, and it's what allows a single SSID to serve multiple user roles with different network access policies. Enable AAA Override in the WLAN advanced settings to ensure SmartZone processes the RADIUS-returned VLAN attributes. 
Without that checkbox, the dynamic assignment won't work even if the RADIUS server is sending the correct attributes. The third use case is Multi-Tenant isolation using Ruckus Dynamic PSK - or DPSK. This is a Ruckus-proprietary technology that assigns a unique WPA2 passphrase to each user or tenant, all on a single SSID. Unlike a shared PSK where everyone uses the same password, DPSK means Tenant A has a unique 62-character key, Tenant B has a different one, and so on. Each key is bound to a specific VLAN, so Tenant A's traffic lands on VLAN 101 and Tenant B's lands on VLAN 102 - complete isolation, no shared password risk, and instant revocation without affecting other tenants. This is particularly powerful in co-working spaces, build-to-rent residential buildings, student accommodation, and multi-tenant retail parks. Purple integrates with Ruckus DPSK via the SmartZone API to automate key provisioning - when a new tenant is onboarded in Purple, a DPSK is generated, bound to the correct VLAN, and delivered to the tenant automatically. To configure DPSK on SmartZone: navigate to WLANs, add a new WLAN, and under Security set the method to Dynamic PSK. Set the DPSK length to 62 characters for maximum entropy. Under VLAN, enable Per-DPSK VLAN assignment. Then use the SmartZone API or the DPSK management interface to create individual keys per tenant, each mapped to its own VLAN ID. On Unleashed, the same feature is available under WiFi Networks, Advanced Options, Dynamic PSK. DPSK3 is the WPA3 variant, offering stronger SAE-based encryption. If your AP fleet supports WPA3 - which all current Ruckus R-series APs do - DPSK3 is the preferred choice for new deployments. Let me walk through two real-world implementation scenarios that illustrate how these three use cases come together. First scenario: a 250-room hotel. The property runs Ruckus SmartZone with R750 access points throughout. 
They need three network types: guest WiFi for hotel guests, secure staff WiFi for front-of-house and back-of-house staff, and an IoT network for smart room controls and CCTV. The guest WLAN uses the WISPr captive portal flow with Purple. Guests connect, get redirected to a branded Purple portal, authenticate via email or social login, and land on VLAN 10. The portal captures first-party data - email, marketing consent, stay preferences - which feeds directly into the hotel's CRM. Purple's analytics dashboard shows the hotel which floors have the highest connection rates, peak usage times, and repeat visitor rates. Premier Inn deployed this model across their UK estate and saw measurable improvements in guest satisfaction scores directly linked to the WiFi experience. The staff WLAN uses 802.1X with Purple's SecurePass. Staff authenticate with their Active Directory credentials via PEAP-MSCHAPv2. Front desk staff land on VLAN 20 with access to the property management system. Back-of-house staff land on VLAN 21 with access to HR and scheduling systems only. The VLAN assignment is driven entirely by the RADIUS attributes Purple returns - no manual port configuration required. When a member of staff leaves, their account is disabled in Microsoft Entra ID, and access is revoked instantly across all properties. The IoT WLAN uses a static PSK, isolated on VLAN 30, with client isolation enabled. Smart thermostats, door locks, and CCTV cameras sit here, completely separated from guest and staff traffic. Second scenario: a co-working space with 15 tenant companies. This is where DPSK really earns its place. The operator runs Ruckus Unleashed across three floors. Each tenant company gets a unique DPSK bound to its own VLAN. Tenant A's 20 staff members all use the same DPSK-A passphrase, but that passphrase is unique to Tenant A and maps only to VLAN 101. Tenant B uses DPSK-B, mapping to VLAN 102. The tenants are completely isolated from each other at the network layer. 
When a tenant leaves, the operator revokes their DPSK in SmartZone - or via Purple's management interface - and that's it. No other tenant is affected, no SSID changes required, no password resets across the building. Purple's multi-tenant management layer sits above this, giving the co-working operator a single dashboard to manage onboarding, access revocation, and usage analytics across all 15 tenants. Now let me cover the most common failure modes and how to avoid them. Number one: Walled Garden misconfiguration. If your portal page fails to load after redirect, the first thing to check is whether all the domains your portal page references are in the walled garden. Modern portal pages load assets from multiple CDN domains, analytics scripts, and social login SDKs. If any of those are blocked pre-authentication, the page will either fail to load or load broken. Use your browser's developer tools on a test device connected to the guest SSID to identify which requests are being blocked. Purple provides a documented walled garden list for SmartZone and Unleashed - use it as your baseline and add any venue-specific domains on top. Number two: the NBI connectivity issue. If guests can see the portal and authenticate, but never get internet access, the likely cause is that SmartZone can't receive the NBI callback from Purple. Check that ports 9080 and 9443 are open inbound to the SmartZone's management IP from Purple's IP range. Also verify that the NBI credentials you've configured match what Purple has on file. Number three: the missing no encrypt-mac-ip command. This is the most common SmartZone-specific gotcha. If Purple is receiving redirect requests but can't match the session to a MAC address, this is almost certainly the cause. It's a one-line CLI fix, but it's easy to miss because it's not surfaced in the GUI. Number four: AAA Override not enabled for dynamic VLAN. 
If staff are authenticating successfully on 802.1X but all landing on the same default VLAN rather than their role-specific VLAN, check that AAA Override is enabled in the WLAN advanced settings. This is the switch that tells SmartZone to honour the VLAN attributes returned by the RADIUS server. Number five: DPSK VLAN not propagating. If DPSK users are authenticating but not landing on the correct VLAN, verify that Per-DPSK VLAN assignment is enabled in the WLAN settings, and that the switch ports connected to your APs are configured as trunk ports carrying all the DPSK VLANs. If the switch port is an access port, the VLAN tagging will be stripped. Now, three rapid-fire questions I get asked on every Ruckus-Purple deployment. Do I need a dedicated VLAN for guest WiFi? Yes, always. Isolate guest traffic on a dedicated VLAN. This is both a security requirement and a PCI DSS compliance consideration if your venue processes card payments on the same network. Enable client isolation on the guest WLAN to prevent guest devices from communicating with each other. Can I use Purple with Ruckus One - the cloud-managed platform - instead of SmartZone? Yes. The configuration path is different - it's under WiFi Networks, Guest Access settings in the Ruckus One portal - but the walled garden and RADIUS configuration principles are identical. Does Purple support SmartZone multi-zone deployments? Yes. Purple's integration handles multi-zone SmartZone environments, and you can scope portal configurations to individual zones for different venues or floors within a single SmartZone instance. To wrap up. The Ruckus and Purple integration covers three distinct use cases, each with its own configuration model. 
Guest WiFi uses the WISPr captive portal flow - five key configuration points: RADIUS on ports 1812 and 1813 with a backup server, the Hotspot WISPr profile with an external login URL, a correctly scoped walled garden using wildcard entries, the no encrypt-mac-ip CLI command, and the Northbound Interface enabled with the correct credentials. Secure Staff WiFi uses 802.1X EAP with dynamic VLAN steering via RADIUS attributes - the critical enabler is AAA Override in the WLAN advanced settings. Multi-Tenant isolation uses Ruckus DPSK - unique per-tenant keys, each bound to a dedicated VLAN, with instant revocation and zero shared-password risk. Get those three patterns right, and you have a network architecture that scales from a 50-room independent hotel on Unleashed to a 5,000-seat stadium on SmartZone, with the same Purple platform sitting above it all providing unified analytics, GDPR-compliant data capture, and centralised access management. If you're planning a Ruckus deployment with Purple, the technical onboarding team can walk you through a pre-launch checklist and validate your configuration before go-live. The Purple platform also provides real-time analytics on portal load times, authentication success rates, and session data - giving you the visibility to catch issues before your guests do. Thanks for listening. Until next time.

Ruckus Unleashed is a controllerless WiFi system, where one access point acts as the master and runs the network for the rest. It handles the radio side. Purple adds the guest layer on top: the captive portal your visitors see, the sign-in journey, and the first-party data you collect. It does not replace any of your Ruckus kit.

How Ruckus Unleashed works with Purple guest WiFi

Purple is a cloud overlay. Your Unleashed system keeps running the WiFi; Purple runs the guest experience through standard mechanisms it already supports.

  • External web authentication. Unleashed uses a hotspot (WISPr) service that points at a login page hosted by Purple. A new device is redirected to that page, the visitor signs in, and the device is then sent on to where it was heading.
  • RADIUS. Unleashed checks each sign-in against Purple's RADIUS service, configured as an AAA authentication server, on the standard ports, 1812 for authentication and 1813 for accounting. The accounting data is what powers your visitor analytics.

A walled garden, a short allow-list of addresses a device can reach before it signs in, lets the login page load and any payment or social-login steps complete.
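To make the walled-garden step concrete, here is an added example (not Purple's or Ruckus's code) that audits an allow-list against the hosts a login page requests, reporting hosts that would be blocked before sign-in, entries nothing uses, and entries broader than a login page needs. The matching rules, the `bare_covers_subdomains` switch, the /24 breadth threshold and every sample hostname are assumptions or constructed values; the real entries come from your Purple dashboard.

```python
import ipaddress
from urllib.parse import urlsplit

def host_of(url_or_host):
    """Lower-case hostname from a URL or a bare host[:port] string."""
    text = url_or_host.strip()
    host = urlsplit(text if "//" in text else "//" + text).hostname or ""
    return host.rstrip(".")

def entry_matches(entry, host, bare_covers_subdomains=False):
    """True if one allow-list entry permits host (assumed matching rules)."""
    entry = entry.strip().lower().rstrip(".")
    try:
        net = ipaddress.ip_network(entry, strict=False)   # IP or CIDR entry
    except ValueError:
        net = None
    if net is not None:
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False              # host is a name, entry is an address
    if entry.startswith("*."):
        # Match on a label boundary: ".purple.ai" covers subdomains only,
        # not the apex and not look-alikes such as "purple.ai.example.net".
        return host.endswith(entry[1:])
    return host == entry or (bare_covers_subdomains and host.endswith("." + entry))

def is_too_broad(entry, min_v4_prefix=24):
    """Flag entries that open far more than a login page needs (example policy)."""
    entry = entry.strip().lower()
    if entry in ("*", "*.*") or (entry.startswith("*.") and "." not in entry[2:]):
        return True                   # e.g. "*.com" opens an entire TLD
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return net.version == 4 and net.prefixlen < min_v4_prefix

def audit(entries, requested, bare_covers_subdomains=False):
    """Report hosts the page needs but cannot reach, plus stale and broad entries."""
    hosts = sorted({host_of(r) for r in requested} - {""})
    matches = {h: [e for e in entries
                   if entry_matches(e, h, bare_covers_subdomains)] for h in hosts}
    used = {e for hit in matches.values() for e in hit}
    return {"blocked": [h for h in hosts if not matches[h]],
            "unused": [e for e in entries if e not in used],
            "too_broad": [e for e in entries if is_too_broad(e)]}

# Constructed sample data: entries as typed into the hotspot service, and the
# URLs seen in browser developer tools while the login page loads.
WALLED_GARDEN = ["*.purple.ai", "captive.apple.com", "192.0.2.0/24",
                 "*.com", "old-portal.example.org"]
PAGE_REQUESTS = [
    "https://guest.purple.ai/login", "https://captive.apple.com/hotspot-detect.html",
    "https://cdn.example.net/splash.css", "https://purple.ai.example.net/x.js",
    "http://192.0.2.10/status",
]

if __name__ == "__main__":
    print(audit(WALLED_GARDEN, PAGE_REQUESTS))
```

Set `bare_covers_subdomains=True` if your firmware treats a bare domain entry as covering its subdomains, and confirm the behaviour on a test device, since everything in the walled garden is reachable without signing in.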

That is the whole model: Ruckus moves the packets, Purple owns the sign-in and the data. Because it runs on standard web authentication and RADIUS, it works the same way across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme and Fortinet. Purple is hardware-agnostic by design.

What you need

  • A Ruckus Unleashed network with admin access to the Unleashed master AP.
  • A Purple venue with your splash page and sign-in journey set up.
  • Your Purple RADIUS details and walled garden addresses, from your Purple dashboard.

Set it up with Purple

The exact settings (the AAA authentication server, the hotspot service with its login and redirect pages, the walled garden, and the WiFi network that uses the hotspot) are documented step by step in Purple's support guide, with the precise values to enter. The guide also covers a short command-line step on the master AP so the access point's MAC address is passed correctly.

Ruckus Unleashed setup guide

Follow that guide for the configuration. This page explains how the pieces fit together, so you know what each step is doing.

What you get

Once guests sign in through Purple, every visit becomes verified, conscious-choice opt-in first-party data: who visited, how often, and how to reach them with permission. That is the difference between WiFi that connects people and WiFi that builds a marketing audience you own. Purple is GDPR-aligned and ISO 27001 certified, with 99.999% uptime across more than 80,000 live venues.

Key Definitions

Captive portal

The sign-in page a visitor sees before they get online. Purple hosts and runs it; Unleashed redirects devices to it.

The guest layer Purple adds on top of your Ruckus WiFi.

Hotspot (WISPr) service

A Ruckus hotspot feature that redirects an unauthenticated device to an externally hosted login page using the WISPr standard.

How Unleashed sends the guest to the Purple login page.

RADIUS / AAA server

A standard authentication and accounting service, added in Unleashed as an AAA server, on ports 1812 (authentication) and 1813 (accounting).

How Unleashed validates each guest against Purple and feeds analytics.

Walled garden

A short allow-list of addresses a device can reach before it has signed in.

Lets the login page, payments and social login load pre-authentication.

Unleashed master AP

In a controllerless Ruckus Unleashed network, the access point that runs the controller role for the others.

Where the Unleashed configuration is managed.