Three SSIDs to rule them all: guest, Passpoint, and IoT WiFi setup guide
This technical guide provides a definitive blueprint for implementing the three-SSID WiFi design across enterprise venues. It details the configuration of an open Guest WiFi portal, automated Passpoint onboarding, and per-device xPSK authentication to achieve complete VLAN segmentation and zero-trust network access.
- Executive Summary
- Technical Architecture Deep-Dive
- 1. Guest WiFi (Open SSID)
- 2. Passpoint (Hotspot 2.0)
- 3. xPSK (IoT and BYOD)
- Implementation Guide
- Step 1: Switch and Firewall Configuration
- Step 2: RADIUS Server Integration
- Step 3: SSID Configuration
- Best Practices
- Troubleshooting & Risk Mitigation
- ROI & Business Impact

Executive Summary
Most enterprise venues still operate legacy wireless architectures that collapse all traffic onto one or two SSIDs. This approach creates unacceptable risk by placing unmanaged IoT devices, contractor hardware, and public visitors on shared network segments. The three-SSID WiFi design eliminates this vulnerability by assigning every class of device and user its own dedicated network, its own VLAN, and its own authentication method. This guide provides a step-by-step blueprint for deploying three distinct SSIDs: an open Guest WiFi network for compliance and data capture, a Passpoint (Hotspot 2.0) network for automated secure access via the Purple app or SDK, and an xPSK network that consolidates all headless devices under per-device keys. By standardising on this architecture, IT teams can achieve strict VLAN segmentation, reduce radio frequency overhead, and streamline network operations across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, and Ubiquiti UniFi deployments.
Technical Architecture Deep-Dive
The three-SSID design is a zero-trust approach applied to the wireless edge. It relies on the principle that the SSID is merely the entry point; the actual security boundary is the VLAN assignment dictated by the authentication method.

1. Guest WiFi (Open SSID)
The first SSID is an open network with a captive portal. It serves visitors, temporary guests, and casual users. Because it is open, there is zero friction at the point of connection. The security control point shifts to the portal layer. When a device connects, it is assigned an IP address from a heavily restricted subnet and placed in a walled garden. The user is redirected to a splash page where they accept terms of service and optionally provide identity data.
This SSID is critical for compliance. Under GDPR, you must record consent and the lawful basis for processing data. Purple handles this natively, logging the consent timestamp and capturing first-party data. Once authenticated, the session is mapped to VLAN 10. Firewall rules enforce that VLAN 10 has internet access only, completely isolated from internal systems. For venues subject to PCI DSS, this segmentation ensures guest traffic never touches the cardholder data environment.
2. Passpoint (Hotspot 2.0)
The second SSID leverages IEEE 802.11u Passpoint to provide automated, encrypted access. This is designed for returning guests, loyalty members, and staff. Instead of a captive portal, Passpoint uses an installed profile to negotiate authentication in the background via EAP-TLS, or via a tunnelled method such as EAP-TTLS or PEAP.
When a user with the Purple app (or your own app integrating the Purple SDK) enters the venue, their device detects the Passpoint SSID broadcasting specific ANQP (Access Network Query Protocol) elements. It matches these against its profile and connects automatically. Purple acts as the cloud RADIUS server, processing the credential and returning a RADIUS Access-Accept message. Crucially, this message includes VLAN assignment attributes (such as Tunnel-Private-Group-ID). A loyalty member might be assigned to VLAN 20, while a staff member using the same SSID is assigned to VLAN 30. This dynamic VLAN assignment enables policy enforcement per identity rather than per SSID.
3. xPSK (IoT and BYOD)
The third SSID consolidates all other use cases - card terminals, digital signage, printers, contractors, and BYOD - using xPSK (iPSK, PPSK, DPSK, or MPSK). Instead of a single shared password, every device or group receives a unique pre-shared key.
When a device connects, the access point sends the device's MAC address and the specific PSK used to the Purple RADIUS server. Purple validates the key and returns the corresponding VLAN assignment. A card terminal lands on VLAN 40 (PCI-scoped), while a digital signage player lands on VLAN 50. If a contractor's key is revoked, their access is terminated immediately without affecting any other device. This eliminates the need for MAC authentication bypass (MAB) lists and shared passwords.
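Both the Passpoint and the xPSK flows above end the same way: the RADIUS server's Access-Accept carries Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, and the access point applies that VLAN. The following added example (not Purple's or any vendor's code; the shared secret and VLAN numbers are constructed sample values) builds such an Access-Accept and shows the check an access point must perform before honouring it: verify the Response Authenticator against the original request, then read the VLAN only from a consistent tag group.

```python
import hashlib
import hmac
import struct

# Constructed sample values, not from Purple or any vendor: the shared secret
# and the VLAN ids passed in are assumptions for illustration only.
SHARED_SECRET = b"example-shared-secret"
ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6  # RFC 3580 values for VLAN assignment


def _tagged_attr(attr_type, tag, value):
    # RFC 2868 tagged attribute layout: type, length, tag byte, value
    body = bytes([tag]) + value
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def build_access_accept(identifier, request_auth, vlan_id, tag=1):
    """Access-Accept instructing the access point to put the session on vlan_id."""
    attrs = (
        _tagged_attr(TUNNEL_TYPE, tag, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:])
        + _tagged_attr(TUNNEL_MEDIUM_TYPE, tag, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:])
        + _tagged_attr(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode())
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + SHARED_SECRET).digest()
    return header + resp_auth + attrs


def assigned_vlan(packet, request_auth):
    """Return the VLAN an AP should apply, or None if the reply is not trustworthy."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        return None
    attrs = packet[20:length]
    # Check the authenticator against the request we actually sent before reading anything
    expected = hashlib.md5(packet[:4] + request_auth + attrs + SHARED_SECRET).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        return None  # forged, paired with the wrong request, or corrupted
    seen, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 3 or pos + alen > len(attrs):
            return None  # malformed attribute: reject the whole reply
        seen[(atype, attrs[pos + 2])] = attrs[pos + 3:pos + alen]
        pos += alen
    for tag in range(0x20):  # tags 0x01-0x1F group attributes; 0x00 is untagged
        if (seen.get((TUNNEL_TYPE, tag)) == b"\x00\x00\x0d"
                and seen.get((TUNNEL_MEDIUM_TYPE, tag)) == b"\x00\x00\x06"):
            group_id = seen.get((TUNNEL_PRIVATE_GROUP_ID, tag), b"")
            if group_id.isdigit():
                return int(group_id)
    return None
```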

Implementation Guide
Deploying this architecture requires strict sequencing. Do not configure the wireless controllers until the underlying wired network is prepared.
Step 1: Switch and Firewall Configuration
Define your VLANs at the switch layer first. Create discrete VLANs for each device class (e.g., VLAN 10 Guest, VLAN 20 Secure, VLAN 30 IoT, VLAN 40 PCI). Configure inter-VLAN routing policies on your firewall to enforce strict isolation. Guest and IoT VLANs should typically only have outbound internet access. Ensure that all access point uplink ports are configured as trunks carrying all required VLANs.
Step 2: RADIUS Server Integration
Navigate to the Purple portal and generate your RADIUS credentials. Note the primary and secondary IP addresses, the authentication port (typically 1812), the accounting port (1813), and the shared secret. Enter these details into your wireless controller's AAA configuration. Set the RADIUS timeout to at least two seconds to accommodate cloud latency.
Step 3: SSID Configuration
Configure the three SSIDs according to your vendor's specific implementation:
Guest SSID: Set security to Open. Enable captive portal redirect and point it to your Purple portal URL. Configure the walled garden to allow access to Purple's domains, your DNS resolver, and OS captive portal detection endpoints (e.g., captivedetect.apple.com).
Passpoint SSID: Enable 802.11u/Hotspot 2.0. Configure the ANQP elements, ensuring the NAI Realm matches the profile deployed by the Purple app exactly. Set security to WPA2-Enterprise or WPA3-Enterprise and point authentication to the Purple RADIUS servers.
xPSK SSID: Enable the vendor-specific xPSK feature (e.g., iPSK on Cisco Meraki, MPSK on HPE Aruba). Point the MAC authentication to the Purple RADIUS servers and enable dynamic VLAN assignment.
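Once the VLANs from Step 1 are assigned by the SSIDs in Step 3, the firewall policy is what actually enforces "internet only" for guests and signage and "payment processor only" for PCI-scoped terminals. The following added example (not Purple's or any vendor's configuration; subnets, the resolver address and the payment-processor range are constructed placeholders) models that policy as a first-match, default-deny ruleset and audits it against the flows this guide says must and must not pass.

```python
import ipaddress

# Constructed ruleset for the VLAN plan in Steps 1-3. All addresses are assumed
# sample values (documentation ranges), not taken from any real deployment.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")
PAYMENT_PROCESSOR = ipaddress.ip_network("203.0.113.0/24")   # placeholder processor range
DNS_RESOLVER = ipaddress.ip_network("192.168.1.53/32")       # placeholder internal resolver

# (source VLAN, destination network, destination port or None for any, action)
RULES = [
    (10, DNS_RESOLVER, 53, "allow"),          # guest: only the resolver inside RFC1918
    *[(10, n, None, "deny") for n in RFC1918],
    (10, ANY, None, "allow"),                 # guest: internet only
    (40, PAYMENT_PROCESSOR, 443, "allow"),    # PCI terminals: HTTPS to the processor only
    (40, ANY, None, "deny"),
    *[(50, n, None, "deny") for n in RFC1918],
    (50, ANY, None, "allow"),                 # signage: internet only
]


def decide(vlan, dst_ip, dst_port):
    """First matching rule wins; a VLAN with no matching rule is denied."""
    dst = ipaddress.ip_address(dst_ip)
    for src_vlan, net, port, action in RULES:
        if src_vlan == vlan and dst in net and port in (None, dst_port):
            return action
    return "deny"


def audit():
    """Return the expectations the ruleset violates (empty list means isolation holds)."""
    expectations = [
        (10, "192.168.20.10", 445, "deny"),   # guest -> internal file server
        (10, "192.168.1.53", 53, "allow"),    # guest -> DNS resolver in the walled garden
        (10, "198.51.100.7", 443, "allow"),   # guest -> internet
        (40, "203.0.113.10", 443, "allow"),   # terminal -> payment processor over HTTPS
        (40, "203.0.113.10", 80, "deny"),     # terminal -> processor in plaintext
        (40, "198.51.100.7", 443, "deny"),    # terminal -> arbitrary internet host
        (50, "10.1.2.3", 22, "deny"),         # signage -> internal SSH
        (30, "198.51.100.7", 443, "deny"),    # VLAN with no rules: default deny
    ]
    return [e for e in expectations if decide(*e[:3]) != e[3]]
```

Any rule added later for a new VLAN should come with a matching line in the audit list, so a change that re-opens the guest or PCI segment is caught before it reaches the firewall.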
Best Practices
- Limit SSID Count: Never broadcast more than four SSIDs per access point. Excessive SSIDs increase beacon overhead, which degrades overall network performance. The three-SSID design optimises airtime utilisation.
- Walled Garden Accuracy: Keep your walled garden as tight as possible. Only include domains essential for the portal flow and OS detection. Broad IP ranges create security loopholes.
- Key Lifecycle Management: Establish a strict lifecycle for xPSK keys. Set expiry dates for contractor keys at the time of provisioning. Review and rotate IoT keys annually.
Troubleshooting & Risk Mitigation
- RADIUS Timeouts: If devices fail to connect to the Passpoint or xPSK networks, check the RADIUS timeout settings on the controller. Cloud RADIUS requires a slightly longer timeout than local servers. Ensure both primary and secondary Purple RADIUS IPs are configured.
- VLAN Tagging Failures: If a device authenticates successfully but fails to obtain an IP address, the issue is almost always a missing VLAN tag on the access point's switch port. Verify the trunk configuration.
- Passpoint Discovery Issues: If devices ignore the Passpoint SSID, verify the ANQP NAI Realm configuration. Even a minor typo will cause the device to silently reject the network.
ROI & Business Impact
Implementing the three-SSID design delivers measurable business value. By consolidating SSIDs, venues reduce RF interference and improve client performance. Dynamic VLAN assignment via Passpoint and xPSK significantly reduces IT support tickets related to password resets and MAC address whitelisting. Furthermore, the robust segmentation ensures compliance with PCI DSS and GDPR, mitigating the financial risk of data breaches while maximising the collection of first-party data through the Guest WiFi portal.
Key Definitions
Passpoint (Hotspot 2.0)
An IEEE 802.11u standard that enables mobile devices to automatically discover and securely connect to WiFi networks without user interaction.
Crucial for delivering cellular-like roaming experiences and secure, encrypted access for returning visitors and staff.
xPSK
An umbrella term for vendor-specific implementations (iPSK, PPSK, DPSK, MPSK) that allow multiple unique pre-shared keys on a single SSID, with each key mapping to a specific VLAN.
Used to secure headless IoT devices, printers, and card terminals that cannot support 802.1X enterprise authentication.
Captive Portal
A web page that users are forced to view and interact with before access is granted to a public WiFi network.
The primary mechanism for capturing first-party data and ensuring GDPR compliance via explicit consent.
VLAN Segmentation
The practice of dividing a physical network into multiple logical networks to isolate traffic and enforce security policies.
Essential for isolating untrusted guest traffic from sensitive internal systems and PCI-scoped payment devices.
RADIUS
Remote Authentication Dial-In User Service; a networking protocol that provides centralised Authentication, Authorization, and Accounting (AAA) management.
The engine that powers Passpoint and xPSK, validating credentials and instructing the access point which VLAN to assign.
ANQP
Access Network Query Protocol; a protocol used by devices to discover network information (like roaming consortiums and authentication types) before associating with an access point.
The mechanism Passpoint uses to determine if a device has the correct profile to connect automatically.
Walled Garden
A limited environment that controls the user's access to web content before they have fully authenticated.
Must be configured correctly to allow devices to reach the captive portal and OS detection endpoints.
EAP-TLS
Extensible Authentication Protocol - Transport Layer Security; an authentication framework that uses certificates for both client and server validation.
The highly secure authentication method typically used by Passpoint profiles to ensure encrypted connections.
Worked Examples
A 350-room hotel needs to secure its card terminals while simultaneously capturing guest data for its loyalty programme. Currently, all devices share a single WPA2-Personal SSID.
Deploy the three-SSID architecture. Create VLAN 10 for guests, VLAN 20 for loyalty members, and VLAN 40 for payment terminals. Configure the Guest SSID as open with a Purple captive portal for data capture. Configure the Passpoint SSID for loyalty members using the Purple app. Configure the xPSK SSID for the card terminals. In the Purple dashboard, generate unique PSKs for each terminal and map them to VLAN 40. On the firewall, restrict VLAN 40 to only allow outbound HTTPS traffic to the payment processor's IP addresses.
A retail chain with 80 stores is experiencing severe WiFi performance issues due to broadcasting five SSIDs per store (Guest, Staff, POS, Signage, Scanners).
Consolidate the networks using the three-SSID design. Retain the Guest SSID with a captive portal. Deploy a Passpoint SSID for staff, authenticating against Microsoft Entra ID via Purple's RADIUS integration, mapping them to a staff VLAN. Combine POS, Signage, and Scanners onto a single xPSK SSID. Assign unique keys to each device category, mapping POS to VLAN 40, Signage to VLAN 50, and Scanners to VLAN 60.
Practice Questions
Q1. A stadium IT director wants to deploy Passpoint for fans using the official team app, but is concerned about the RADIUS timeout settings causing connection failures during high-density events. What is the recommended approach?
Hint: Consider the latency of cloud-based authentication versus local controllers.
Model answer:
Configure the RADIUS timeout on the wireless controllers to a minimum of two to three seconds. In high-density environments, cloud RADIUS responses may take slightly longer than local servers. Additionally, ensure both primary and secondary Purple RADIUS IP addresses are configured to provide failover redundancy.
Q2. You are configuring the xPSK SSID for a fleet of new wireless barcode scanners. The scanners connect to the SSID successfully, but they cannot reach the inventory server. What is the most likely cause?
Hint: Think about the path between the access point and the core switch.
Model answer:
The most likely cause is a missing VLAN tag on the access point's switch port. While Purple RADIUS is correctly assigning the scanner to the inventory VLAN, if that VLAN is not allowed on the trunk port connecting the access point to the switch, the traffic will be dropped.
Q3. A hotel needs to allow guests to access its direct booking engine before they authenticate through the captive portal. How should this be configured?
Hint: This involves controlling pre-authentication traffic.
Model answer:
The IT team must add the domains and IP addresses of the booking engine to the walled garden configuration on the wireless controller. This permits pre-authentication traffic to reach those specific destinations while blocking all other internet access until the captive portal flow is complete.