
Sophos Firewall and guest WiFi: captive portal setup with Purple

How Purple's cloud guest WiFi works with Sophos Firewall and its access points through a standard external captive portal and RADIUS, and where to check support and find the steps.


Podcast transcript
Welcome to the Purple Architecture Briefing. Today we are diving into a critical integration for enterprise networks: deploying Purple WiFi alongside Sophos infrastructure, specifically Sophos AP6 and APX access points and Sophos XG and XGS firewalls. If you are an IT manager, a network architect, or a CTO managing a venue, whether that is a retail chain, a stadium, or a hospital, this session is designed to give you the actionable blueprint for making these two powerful platforms work together seamlessly.

Let us set the context. Sophos is renowned for its robust security posture. Sophos Firewall appliances provide deep packet inspection and synchronised security. However, when it comes to Guest WiFi, you do not just want security. You want business value. You want to capture demographic data, understand visitor behaviour, and drive marketing return on investment. That is where Purple comes in. By integrating Purple as an external captive portal, you offload the heavy lifting of guest identity management, GDPR consent, and social logins to Purple's cloud RADIUS, while letting the Sophos Firewall do what it does best: secure the perimeter.

So, how does this actually work under the hood? Let us get into the technical deep-dive. The architecture relies on standard RADIUS protocols and HTTP redirection. When a venue user associates with your open Guest WiFi SSID broadcasted by the Sophos AP, the Sophos Firewall intercepts that initial web request. Instead of serving a basic, locally stored portal page, the firewall redirects the client to Purple's cloud-hosted splash page. Now, here is the critical concept: the Walled Garden. During this pre-authentication phase, the user does not have internet access. But they need to load the portal graphics, and they might need to reach Facebook or Google to log in. The Walled Garden is a strict allowlist configured on the Sophos Firewall that permits traffic to these specific domains.

Once the user authenticates, Purple's platform sends a RADIUS Access-Accept message back to the Sophos Firewall. The firewall then flips the switch, changing the session state to authenticated, and drops the user into your post-authentication firewall policy.

Let us talk about the RADIUS configuration in more detail, because this is where precision matters. Purple provides you with two sets of RADIUS credentials: one for authentication on port 1812, and one for accounting on port 1813. Both must be configured. The accounting server is not optional. It is the mechanism by which the Sophos Firewall reports session data back to Purple, including duration, bandwidth consumed, and session termination events. Without accurate accounting data, your Purple analytics dashboard will show incomplete or inaccurate visitor metrics. Set your accounting interim interval to 120 seconds. This provides a good balance between real-time visibility and network overhead.

Now let us talk about a scenario that comes up constantly in enterprise deployments: Multi-Tenant WiFi. Think of a coworking space, a build-to-rent residential block, or a student accommodation building. You have multiple distinct groups of users who all need WiFi access, but they must be completely isolated from each other at the network level. Broadcasting a separate SSID for every tenant is not viable. It creates radio frequency congestion and is an operational nightmare to manage. The answer is Sophos Private Pre-Shared Keys, or PPSK, combined with dynamic VLAN assignment. Here is how it works. You configure a single SSID on your Sophos AP6 access points. You then issue a unique passphrase to each tenant or user group. When a device connects and presents its unique key, the Sophos AP authenticates that key via RADIUS. The RADIUS server returns a specific VLAN ID attribute in the Access-Accept message. The AP dynamically tags the user's traffic with that VLAN ID, placing them onto their dedicated network segment. Identity-Based Networking in action. One SSID, multiple isolated networks, zero radio frequency overhead from additional broadcasts.

This architecture also has a significant compliance benefit. Under PCI DSS requirements, Guest WiFi networks must be completely isolated from any network segment that handles cardholder data. By placing the guest SSID on a dedicated VLAN and enforcing strict firewall policies on the Sophos Firewall to block all RFC 1918 private IP space destinations, you satisfy this requirement cleanly. Purple, which operates across 80,000 live venues and has processed 440 million logins in 2024, is ISO 27001 certified, GDPR compliant, and Cyber Essentials certified, so the compliance story extends to the identity layer as well.

Now let us move on to implementation recommendations. When you are setting this up, you have a crucial decision to make regarding IP assignment: NAT mode versus Bridge mode. If you are deploying a small retail branch with perhaps fifty to a hundred concurrent guest connections, NAT mode is perfectly adequate. The Sophos AP hands out DHCP addresses to guests from a dedicated internal subnet and translates them as traffic exits. It is simple and requires minimal additional infrastructure. But if you are deploying a high-density environment, say a five-hundred-room hotel, a conference centre with multiple concurrent events, or a stadium, you must use Bridge mode. In Bridge mode, the Sophos AP drops the guest traffic directly onto a dedicated VLAN, allowing your core enterprise DHCP servers to handle the load. This prevents the access point or firewall from becoming a DHCP bottleneck during peak connection events. Bridge mode also ensures the Purple platform sees the true client IP address, which is vital for accurate analytics and troubleshooting.

Let us talk about the step-by-step configuration sequence, because order matters here. Start in the Purple portal. Retrieve your RADIUS server credentials: the server IP addresses, shared secrets, the captive portal URL, and the redirect URL. These are the four critical pieces of information you need before touching the Sophos configuration. Then, move to Sophos Central or your local firewall management interface. Define your RADIUS servers first, authentication on 1812, accounting on 1813. Then configure your Walled Garden under Hotspot Settings. Next, create your guest SSID, set encryption to Open, enable the Captive Portal, and input the Purple portal URL. And finally, define your post-authentication firewall rules.

For the Walled Garden specifically, you must allow the following domains as a minimum: the Purple portal domain, typically region1.purpleportal.net; venuewifi.com; and any social login domains your guests will use, such as facebook.com, accounts.google.com, and their associated CDN domains. If you are using Microsoft Entra ID or Okta for identity federation, those domains must also be included.

What about pitfalls? Where do deployments usually go wrong? The number one issue, without question, is an incomplete Walled Garden. If a guest connects and gets a blank screen or a connection timeout, it almost always means the Sophos Firewall is blocking access to Purple's CSS files, JavaScript assets, or the social login APIs before authentication. You must ensure every required domain is explicitly allowed in that pre-authentication policy. Purple provides a comprehensive list of required domains. Use it in full. Also, do not forget DNS. Unauthenticated clients must be allowed to resolve DNS queries, or the redirect simply will not work. The device needs to resolve the Purple portal hostname before it can even attempt to load the page.

The second most common pitfall is certificate errors. Ensure your Sophos Firewall is presenting a valid, publicly trusted SSL certificate for the redirection interface. If you use the default self-signed certificate, modern iPhones and Android devices will throw significant security warnings, and your guests will abandon the connection entirely. This is a particularly acute problem in hospitality environments where guest experience is paramount.

The third pitfall is RADIUS timeout errors. If the portal loads but authentication consistently fails, verify that the shared secrets match exactly between your Sophos configuration and the Purple portal. Even a single character difference will cause all authentication attempts to fail silently. Also verify that no intermediate firewall is blocking UDP ports 1812 and 1813 between your Sophos infrastructure and Purple's cloud RADIUS servers.

Let us wrap up with a rapid-fire question and answer session based on the most common questions we hear from clients. Question one: does using Purple bypass my Sophos Firewall security policies? Absolutely not. Purple handles the authentication and identity capture. Once authenticated, all guest traffic flows through your Sophos Firewall's post-authentication policy. This is precisely where you apply web filtering, block peer-to-peer traffic, and shape bandwidth. Think of it this way: pre-authentication is permissive to allow login; post-authentication is punitive to protect the network.

Question two: do I need to deploy local RADIUS servers? No. Purple provides RADIUS-as-a-Service. You configure the Sophos APs to point directly to Purple's cloud RADIUS IP addresses. There is no need to deploy and maintain FreeRADIUS or Windows NPS for the guest network.

Question three: can I use Purple with both Sophos AP6 and the older APX series? Yes. The integration approach is consistent across both hardware generations. Note, however, that Sophos has announced an end-of-life date for the APX Series of December 31, 2027. If you are planning a new deployment, invest in the AP6 Series, which supports Wi-Fi 6 and Wi-Fi 6E.

Question four: what about GDPR compliance? Purple captures explicit consent at the portal level, presenting your terms and conditions and data processing notices before authentication. This consent data is stored within the Purple platform and is auditable. The Sophos Firewall's role is purely network enforcement.

To summarise the key takeaways from today's briefing. First: segregate your Staff and Guest SSIDs absolutely. Staff on 802.1X with WPA2-Enterprise. Guests on Purple with an external captive portal. Second: meticulously configure your Walled Garden. It is the most common failure point and the most important pre-authentication configuration element. Third: use Bridge mode for any high-density deployment to avoid DHCP bottlenecks and to ensure accurate client IP visibility. Fourth: configure both RADIUS authentication and accounting servers. Accounting is not optional if you want meaningful analytics. Fifth: leverage Sophos PPSK for Multi-Tenant environments to enable Identity-Based Networking with dynamic VLAN assignment. One SSID, multiple isolated networks. Sixth: apply Sophos security policies strictly post-authentication. Web filtering, application control, and bandwidth shaping should all be applied in the post-authentication firewall policy.

By executing this integration correctly, you transform Guest WiFi from a cost centre into a compliant, secure, and revenue-generating asset. The combination of Sophos security depth and Purple's marketing intelligence is genuinely powerful for any venue operator who wants to take their guest experience and data strategy seriously. Thanks for listening to the Purple Architecture Briefing. If you would like to discuss your specific deployment requirements, visit purple.ai to speak with the solutions team.
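The RADIUS mechanics the briefing leans on (an Access-Accept that the firewall only trusts if the shared secret matches, the VLAN ID carried back as RFC 2868 tunnel attributes for PPSK dynamic VLAN assignment, and the 120-second accounting interim interval) can be seen end to end in the following added Python example. It is not Purple's or Sophos's code: it builds both sides of one exchange in memory using the RFC 2865/2868 wire format, so it runs offline with no RADIUS server. The user name, shared secret and VLAN number are constructed values, and the Response Authenticator check is the generic NAS behaviour, not a description of Sophos internals. The point worth seeing is the last step: a secret that differs by one character does not produce an error, the authenticator simply fails to verify, which is why the transcript's "fails silently" pitfall shows up as a timeout.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2

# Attribute types used here (RFC 2865; RFC 2868 tunnel attributes; RFC 2869)
ATTR_USER_NAME = 1
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
ATTR_ACCT_INTERIM_INTERVAL = 85
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value for 802 media


def encode_attributes(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS TLVs: type, length, value."""
    out = bytearray()
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return bytes(out)


def decode_attributes(payload):
    """Walk the TLV list, rejecting truncated or malformed lengths."""
    attrs, i = [], 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(identifier, request_authenticator, attrs):
    """What the AP/firewall sends: header, 16-byte random Request Authenticator, attributes."""
    body = encode_attributes(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_authenticator + body


def build_response(code, request, secret, attrs):
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body


def verify_response(response, request, secret):
    """Client side: recompute the authenticator with the locally configured secret.
    Any mismatch (wrong secret, altered attributes, wrong ID) returns False; a real
    NAS then discards the packet, so the client sees a timeout rather than an error."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def vlan_attributes(vlan_id, interim_seconds=120):
    """Attributes a RADIUS server returns to place a PPSK user on its own VLAN.
    Leading tag byte 0x00 means 'no tag' (RFC 2868). Values are constructed for the demo."""
    tag = b"\x00"
    return [
        (ATTR_TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (ATTR_TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan_id).encode("ascii")),
        (ATTR_ACCT_INTERIM_INTERVAL, struct.pack("!I", interim_seconds)),
    ]


def _strip_tag(value):
    """RFC 2868: a first byte in 0x00..0x1F is a tag; anything higher is part of the string."""
    return value[1:] if value and value[0] <= 0x1F else value


def vlan_from_accept(response):
    """VLAN ID an Access-Accept assigns, or None if the three tunnel attributes are
    missing, inconsistent (not VLAN over 802 media) or the ID is out of 1..4094."""
    if response[0] != ACCESS_ACCEPT:
        return None
    tunnel_type = medium = group = None
    for attr_type, value in decode_attributes(response[20:]):
        if attr_type == ATTR_TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            group = _strip_tag(value)
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or group is None:
        return None
    try:
        vid = int(group.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    return vid if 1 <= vid <= 4094 else None


def demo():
    """Constructed exchange: PPSK tenant user -> Access-Accept placing it on VLAN 42."""
    request = build_access_request(7, os.urandom(16), [(ATTR_USER_NAME, b"tenant-42")])
    accept = build_response(ACCESS_ACCEPT, request, b"constructed-secret", vlan_attributes(42))
    return {
        "secret_matches": verify_response(accept, request, b"constructed-secret"),
        "secret_one_char_off": verify_response(accept, request, b"constructed-secreT"),
        "vlan": vlan_from_accept(accept),
    }


if __name__ == "__main__":
    print(demo())
```

`vlan_from_accept` deliberately refuses an Accept whose Tunnel-Type or Tunnel-Medium-Type is absent or inconsistent rather than guessing a VLAN from the group ID alone; an AP that is lenient here can drop a tenant onto the wrong segment. Nothing in the block opens a socket, so the same functions can be pointed at a packet capture of a failing deployment to check which of the three conditions (secret, identifier, attributes) is the one that breaks.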

Sophos Firewall, with its built-in wireless and access points, secures and routes your network. Purple adds the guest layer on top: the captive portal your visitors see, the sign-in journey, and the first-party data you collect. It does not replace any of your Sophos kit.

How Sophos works with Purple guest WiFi

Purple is a cloud overlay, and it is hardware-agnostic. If your device supports an external captive portal and RADIUS, it can run Purple's guest sign-in. Two standard mechanisms do the work.

  • External web authentication. Your Sophos device redirects a newly connected client to your Purple splash page instead of granting access straight away. The visitor signs in, and the page hands control back.
  • RADIUS. The device checks each sign-in against Purple's RADIUS service on the standard ports, 1812 for authentication and 1813 for accounting. The accounting data is what powers your visitor analytics.

A walled garden, a short allow-list of addresses a device can reach before it signs in, lets the splash page load and any payment or social-login steps complete.

That is the whole model: your hardware moves the packets, Purple owns the sign-in and the data. Because it runs on standard web authentication and RADIUS, it works the same way across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme and Fortinet. Purple is hardware-agnostic by design.
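The two policy states that model implies, the walled garden before sign-in and the full firewall policy after it, are easy to get subtly wrong, so here is an added Python model of them. It is illustrative code written for this page, not Purple's or Sophos's configuration: real firewalls express walled-garden entries in their own syntax, and this block only captures the decision logic. The allow-listed names are the ones the transcript calls the minimum plus one placeholder CDN entry marked as constructed; the session replay and its IP addresses are also constructed. Beyond the text it adds the two checks a practitioner usually wants: that DNS is reachable pre-auth, and a function that lists which required domains a configured walled garden is missing.

```python
import ipaddress

# Constructed walled garden for a Purple guest SSID. The first four names are the
# minimum the transcript lists; "cdn.social-example.net" is a placeholder standing in
# for a social-login CDN domain, not a real entry.
WALLED_GARDEN = {
    "region1.purpleportal.net",
    "venuewifi.com",
    "facebook.com",
    "accounts.google.com",
    "cdn.social-example.net",
}

# Guest traffic must never reach private address space (PCI DSS isolation of the guest VLAN).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def host_allowed(host, allowlist):
    """True if host is an allow-listed name or a subdomain of one."""
    host = host.lower().rstrip(".")
    return bool(host) and any(host == d or host.endswith("." + d) for d in allowlist)


def is_private(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def evaluate(flow, authenticated, allowlist=WALLED_GARDEN):
    """Decide one flow. flow = {"proto", "dport", "dst_ip", optional "host"} where
    "host" is the SNI or Host header. Returns (verdict, reason)."""
    if not authenticated:
        # Without pre-auth DNS the client can never resolve the portal hostname.
        if flow["proto"] == "udp" and flow["dport"] == 53:
            return "allow", "pre-auth DNS"
        if flow["proto"] == "tcp" and flow["dport"] in (80, 443) \
                and host_allowed(flow.get("host", ""), allowlist):
            return "allow", "walled garden"
        if flow["proto"] == "tcp" and flow["dport"] == 80:
            return "redirect", "captive portal"      # plain HTTP is bounced to the splash page
        return "deny", "unauthenticated"             # anything else just times out
    # Post-auth: the permissive pre-auth rules no longer apply; the strict policy does.
    if is_private(flow["dst_ip"]):
        return "deny", "guest to RFC 1918 space"
    return "allow", "post-auth policy"


def missing_from_walled_garden(required, configured):
    """The number-one pitfall as a check: required domains a client cannot reach pre-auth."""
    return sorted(d for d in required if not host_allowed(d, configured))


def simulate(events, allowlist=WALLED_GARDEN):
    """Replay a session. Events are ("flow", flow) or ("access_accept",); the
    Access-Accept is what flips the session from the pre-auth to the post-auth policy."""
    authenticated, verdicts = False, []
    for event in events:
        if event[0] == "access_accept":
            authenticated = True
        else:
            verdicts.append(evaluate(event[1], authenticated, allowlist)[0])
    return verdicts


# Constructed session: resolve the portal, load it, try an unrelated HTTPS and HTTP
# site, authenticate, then try a private-range host and the same public site again.
SESSION = [
    ("flow", {"proto": "udp", "dport": 53, "dst_ip": "203.0.113.53"}),
    ("flow", {"proto": "tcp", "dport": 443, "dst_ip": "203.0.113.10", "host": "region1.purpleportal.net"}),
    ("flow", {"proto": "tcp", "dport": 443, "dst_ip": "198.51.100.7", "host": "news.example"}),
    ("flow", {"proto": "tcp", "dport": 80, "dst_ip": "198.51.100.7", "host": "news.example"}),
    ("access_accept",),
    ("flow", {"proto": "tcp", "dport": 445, "dst_ip": "10.20.0.5"}),
    ("flow", {"proto": "tcp", "dport": 443, "dst_ip": "198.51.100.7", "host": "news.example"}),
]

if __name__ == "__main__":
    print(simulate(SESSION))
    print(missing_from_walled_garden({"region1.purpleportal.net", "static.assets-example.net"}, WALLED_GARDEN))
```

The replay yields allow, allow, deny, redirect, deny, allow: the portal loads, an unrelated HTTPS site is blocked before sign-in (this is the blank-screen symptom when a needed domain is missing), plain HTTP is redirected, and after the Access-Accept the private-range destination is refused while the public site is reachable. Feeding Purple's full required-domain list into `missing_from_walled_garden` against your configured entries is the quickest way to catch an incomplete walled garden before guests do.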

What you need

  • A Sophos Firewall or access point that supports an external captive portal and RADIUS.
  • A Purple venue with your splash page and sign-in journey set up.
  • Your Purple RADIUS details and walled garden addresses, from your Purple dashboard.

Set it up with Purple

Purple's supported hardware list confirms whether your exact model is supported and which settings to use. Check your device there first, then follow the matching setup guide for the precise values to enter.

Purple supported hardware

This page explains how the pieces fit together, so you know what each step is doing.

What you get

Once guests sign in through Purple, every visit becomes verified, conscious-choice opt-in first-party data: who visited, how often, and how to reach them with permission. That is the difference between WiFi that connects people and WiFi that builds a marketing audience you own. Purple is GDPR-aligned and ISO 27001 certified, with 99.999% uptime across more than 80,000 live venues.

Key Definitions

Cloud overlay

Purple sits on top of your existing hardware. The kit keeps running the WiFi; Purple runs the guest sign-in and the data, without replacing anything.

Hardware-agnostic

Purple works with any access point or controller that supports an external captive portal and RADIUS, rather than being tied to one vendor.

External web authentication

A standard where the access point redirects a new device to an external splash page to sign in, instead of granting access itself. Purple hosts that splash page.

RADIUS

The protocol the hardware uses to check each sign-in and log session data with Purple, on the standard ports 1812 for authentication and 1813 for accounting.

Walled garden

A short allow-list of addresses a device can reach before it signs in, so the splash page and any payment or social-login steps can load.