Zyxel Nebula Cloud and USG Integration with Purple WiFi
This technical reference guide covers the end-to-end integration of Zyxel Nebula Cloud and USG Flex Firewalls with the Purple WiFi platform. It provides step-by-step configuration instructions for guest captive portal redirection, RADIUS authentication, Walled Garden setup, secure Staff WiFi using 802.1X, and multi-tenant network segmentation using Zyxel Private Pre-Shared Keys (PPSK) with dynamic VLAN assignment. IT managers, MSPs, and network architects deploying WiFi across hospitality, retail, and multi-tenant venues will find actionable guidance grounded in industry standards including PCI DSS, IEEE 802.1X, and GDPR.
- Executive summary
- Technical deep-dive
  - Integration architecture
  - RADIUS parameters
  - Walled Garden configuration
  - Secure Staff WiFi using IEEE 802.1X
  - PPSK and dynamic VLAN assignment for multi-tenant venues
- Implementation guide
  - Step 1: Prepare the network infrastructure
  - Step 2: Configure the guest SSID in Nebula Control Center
  - Step 3: Configure the external captive portal
  - Step 4: Configure RADIUS in Nebula
  - Step 5: Configure DPPSK for multi-tenant segmentation
  - Step 6: Validate the deployment
- Best practices
- Troubleshooting & risk mitigation
  - Splash page fails to load
  - Guests authenticate but do not get internet access
  - RADIUS accounting data missing from Purple dashboard
  - DPPSK users assigned to wrong VLAN
- ROI & business impact

Executive summary
Zyxel Nebula Cloud and USG Flex Firewalls are deployed across thousands of enterprise venues, from hotel chains to retail estates. When you integrate this hardware with Purple, you add a compliant, data-capturing guest authentication layer that transforms a standard wireless network into a first-party data asset. This guide covers four deployment scenarios: guest captive portal redirection via an external splash page, RADIUS-based authentication and accounting, secure Staff WiFi using IEEE 802.1X, and multi-tenant network segmentation using Zyxel Dynamic Personal Pre-Shared Keys (DPPSK). Purple operates across 80,000+ live venues and processed 440 million logins in 2024 (Purple internal data). It holds ISO 27001, GDPR, CCPA, and Cyber Essentials certifications. The integration architecture described here is hardware-agnostic at the platform level, but the specific configuration paths and parameters in this guide apply to Zyxel Nebula Control Center (NCC) and USG Flex Firewalls running current firmware.
For a broader view of enterprise WiFi security architecture, see our Enterprise WiFi Security: A Complete Guide for 2026.
Technical deep-dive
Integration architecture
The Zyxel and Purple integration relies on three standard protocols working in sequence: HTTP redirect (captive portal detection), RADIUS Authentication (UDP 1812), and RADIUS Accounting (UDP 1813). When a guest device connects to the Guest WiFi SSID, the Zyxel access point intercepts the first HTTP request and issues an HTTP 302 redirect to the Purple external captive portal URL. The guest authenticates on the Purple splash page - via email, social login, or SMS - and Purple sends a RADIUS Access-Accept message back to the Zyxel controller. The controller grants internet access and begins sending RADIUS Accounting Start packets to record session data.

The Zyxel USG Flex Firewall sits between the wireless segments and the WAN. It enforces zone-based security policies that isolate Guest, Staff, and Multi-Tenant VLANs from each other and from the corporate LAN. Nebula Control Center manages the access points and SSID configurations centrally via HTTPS on port 443 to the Nebula cloud.
RADIUS parameters
The following table summarises the RADIUS configuration parameters you will need from your Purple admin console.
| Parameter | Value |
|---|---|
| Primary RADIUS IP | Provided in Purple admin console |
| Secondary RADIUS IP | Provided in Purple admin console |
| Authentication port | UDP 1812 |
| Accounting port | UDP 1813 |
| Shared secret | Provided in Purple admin console |
| NAS identifier | Set to AP MAC address or site name |
| Called Station ID | AP MAC address |
Always configure both primary and secondary RADIUS servers. A single RADIUS endpoint is a single point of failure that will lock guests out if the server is unreachable.
Walled Garden configuration
The Walled Garden (also called the whitelist) defines the domains and IP ranges a device can reach before completing authentication. In Zyxel Nebula, you configure this under Site-wide > Configure > Access points > Captive portal customisation > Captive portal advance setting.
You must include the following categories of entries:
- The Purple portal domain and all subdomains (use wildcard format: *.purple.ai)
- CDN domains serving the portal's CSS, JavaScript, and image assets
- Social login provider domains if you enable Facebook, Google, or Microsoft sign-in
- Apple captive portal detection: captive.apple.com
- Google connectivity check: connectivitycheck.gstatic.com
- Microsoft NCSI: www.msftconnecttest.com
Missing any of these entries will cause the splash page to fail to render on specific device types. iOS devices in particular will display a blank mini-browser if the Apple CNA endpoint is not handled correctly.
Secure Staff WiFi using IEEE 802.1X
For staff networks, you should not use a shared PSK. IEEE 802.1X (defined in the IEEE 802.1X-2020 standard) provides port-based network access control using individual credentials per user. In Nebula, you configure this by setting the SSID security to WPA2-Enterprise and pointing the authentication to either the Nebula Cloud Authentication Server (NCAS) or an external RADIUS server such as Microsoft Entra ID or Okta via a RADIUS proxy.
For WPA3-Enterprise deployments, the configuration path is identical but you select WPA3 in the security options. WPA3 mandates Protected Management Frames (PMF) and uses Simultaneous Authentication of Equals (SAE) for improved resistance to offline dictionary attacks.
PPSK and dynamic VLAN assignment for multi-tenant venues

Zyxel DPPSK (Dynamic Personal Pre-Shared Key) allows a single SSID to serve multiple isolated network segments. Each user or device receives a unique passphrase. When they authenticate, the Nebula controller maps that passphrase to a VLAN ID defined in the DPPSK database. This is the correct approach for coworking spaces, student accommodation, build-to-rent (BTR) developments, and multi-dwelling units (MDUs) where you need tenant isolation without broadcasting dozens of SSIDs.
DPPSK requires the Nebula Pro Pack licence and access point firmware version 6.00 or later. You configure the DPPSK database under Configure > Cloud authentication > DPPSK in Nebula Control Center. Each entry includes the passphrase, an optional expiry date, an email address for delivery, and the target VLAN ID.
The maximum number of simultaneously authorised DPPSK entries is 2,048. For deployments with more than 2,048 concurrent users, you will need to manage expiry dates carefully to ensure active credentials remain within this limit.
Implementation guide
Step 1: Prepare the network infrastructure
Before touching the Nebula Control Center, configure your VLANs on the USG Flex Firewall and downstream switches.
- Create a Guest VLAN (example: VLAN 10) with a dedicated subnet (example: 192.168.10.0/24). Configure a DHCP server on this interface.
- Create a Staff VLAN (example: VLAN 20) with a dedicated subnet (example: 192.168.20.0/24).
- For multi-tenant deployments, create additional VLANs per tenant (example: VLAN 30, 40, 50).
- On the USG Flex, create a Guest Zone mapped to VLAN 10. Create a security policy allowing traffic from the Guest Zone to the WAN zone. Create a deny-all policy blocking traffic from the Guest Zone to the LAN zone.
- Ensure switch ports connecting Zyxel APs are configured as 802.1Q trunks carrying all required VLAN tags.
Step 2: Configure the guest SSID in Nebula Control Center
- Log in to Nebula Control Center at ncc.nebula.zyxel.com.
- Navigate to Site-wide > Configure > Access points > SSID settings.
- Enable the guest SSID and toggle Advanced mode.
- Enable Guest network to activate Layer 2 client isolation. This prevents guest devices from communicating directly with each other on the same SSID.
- Save.
Step 3: Configure the external captive portal
- Navigate to Site-wide > Configure > Access points > SSID advanced settings.
- Select your guest SSID from the dropdown.
- Under Sign-in method, select Click-to-continue for the initial redirect, or select My RADIUS server if you are using Purple's RADIUS-based MAC authentication.
- Navigate to Site-wide > Configure > Access points > Captive portal customisation.
- Under External captive portal URL, enter the Purple redirect URL from your Purple admin console. The format is https://[your-purple-domain]/[venue-id].
- Under Captive portal advance setting, enter all required Walled Garden domains.
- Set Strict policy to Block all access until sign-on to prevent guests from bypassing the portal.
- Set Reauth time to match your venue's session policy (typically 24 hours for hospitality, 30 days for retail loyalty programmes).
- Save.
Step 4: Configure RADIUS in Nebula
- In SSID advanced settings, under Network access, select My RADIUS server.
- Enter the Primary RADIUS server IP from your Purple admin console.
- Set Authentication port to 1812.
- Enter the Shared secret.
- Repeat for the secondary RADIUS server.
- Enable RADIUS accounting and set the accounting port to 1813.
- Save.
Step 5: Configure DPPSK for multi-tenant segmentation
- Navigate to Configure > Access points > SSID advanced settings.
- Select the multi-tenant SSID and set Network access to Dynamic personal PSK.
- Navigate to Configure > Cloud authentication > DPPSK.
- Click Add and select Batch create DPPSK.
- Set the number of credentials, the expiry date, and the target VLAN ID for each tenant group.
- Enter the email address to receive the credential batch.
- Save and distribute credentials to tenants.
Step 6: Validate the deployment
- Connect a test device to the Guest WiFi SSID.
- Confirm the device is redirected to the Purple splash page.
- Complete authentication and confirm internet access is granted.
- In the Purple admin console, verify the session appears in the analytics dashboard.
- In Nebula, navigate to Access point > Monitor > Clients to confirm the client is associated and assigned to the correct VLAN.
- Test DPPSK by connecting with a tenant credential and confirming the correct VLAN assignment.
Best practices
Segment every traffic type. Guest, Staff, and IoT traffic must each occupy a dedicated VLAN. This is not optional if your venue processes card payments on the same physical infrastructure - PCI DSS v4.0 requires network segmentation between cardholder data environments and guest networks.
Use RADIUS redundancy. Configure both primary and secondary Purple RADIUS IPs in Nebula. A single RADIUS server failure will prevent all guest authentication until resolved.
Audit the Walled Garden regularly. Portal vendors update their CDN configurations. A domain that worked at deployment may break six months later if the vendor migrates assets to a new CDN. Schedule a quarterly review of your Walled Garden entries.
Enable RADIUS accounting. Without accounting, Purple cannot track session duration, data usage, or enforce time-based access limits. Accounting data also feeds the WiFi Analytics dashboard.
Apply WPA3 where hardware supports it. Zyxel access points released from 2021 onwards support WPA3. For Staff WiFi, WPA3-Enterprise with 192-bit security mode aligns with NIST SP 800-187 recommendations for enterprise wireless security.
Test the CNA behaviour before go-live. On iOS, the Captive Network Assistant (CNA) mini-browser has limited functionality compared to a full browser. Test your Purple splash page in the CNA environment - particularly social login flows and custom JavaScript - before deploying to guests.
For hospitality deployments, see also our guidance on segmenting guest and back-of-house networks. For retail environments, the same PPSK approach applies to isolating point-of-sale systems from shopper WiFi.
Troubleshooting & risk mitigation
Splash page fails to load
Symptom: Guest connects to the SSID but sees a blank page or a browser error in the CNA.
Cause: One or more domains required by the splash page are not in the Walled Garden.
Resolution: Connect a test device to the Guest SSID. Open a browser (not the CNA) and navigate to any HTTP URL. When redirected to the portal, open the browser's developer tools and inspect the Network tab. Identify any requests returning 403 or connection-refused errors. Add these domains to the Nebula Walled Garden.
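The Walled Garden comparison from the resolution above, as an added example (not Purple or Zyxel code): it takes the request URLs seen in the Network tab, reports hosts that no entry covers, and flags wildcards that open a whole top-level domain before sign-on. The hosts portal.purple.ai, cdn.example.net and fonts.example.org and all function names are constructed, and the wildcard matching rule is an assumption, not documented Nebula behaviour.

```python
"""Compare hosts requested by a splash page with a Walled Garden list."""
from urllib.parse import urlsplit

# Constructed list. Four entries are named in this guide; cdn.example.net
# stands in for a CDN domain taken from the Purple admin console.
WALLED_GARDEN = [
    "*.purple.ai",
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "www.msftconnecttest.com",
    "cdn.example.net",
]

# Constructed sample: request URLs copied from the browser Network tab.
OBSERVED_REQUESTS = [
    "https://portal.purple.ai/venue-123",
    "https://cdn.example.net/css/splash.css",
    "https://fonts.example.org/inter.woff2",
    "http://captive.apple.com/hotspot-detect.html",
    "https://notpurple.ai/logo.png",
    "https://PORTAL.purple.ai./js/app.js",
]


def normalise(host: str) -> str:
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return host.strip().lower().rstrip(".")


def entry_matches(entry: str, host: str) -> bool:
    """Match on DNS label boundaries: "*.purple.ai" covers sub.purple.ai,
    not notpurple.ai. Assumption: the wildcard does not cover the bare apex."""
    entry, host = normalise(entry), normalise(host)
    if entry.startswith("*."):
        return host.endswith(entry[1:])  # entry[1:] keeps the leading dot
    return host == entry


def uncovered_hosts(urls, walled_garden):
    """Return the sorted hosts that no Walled Garden entry covers."""
    missing = set()
    for url in urls:
        host = normalise(urlsplit(url).hostname or "")
        if host and not any(entry_matches(e, host) for e in walled_garden):
            missing.add(host)
    return sorted(missing)


def overbroad_entries(walled_garden):
    """Coarse check: flag wildcards such as "*.com" or "*" that would make
    most of the internet reachable before authentication."""
    return [e for e in walled_garden
            if normalise(e).startswith("*") and normalise(e).count(".") < 2]


if __name__ == "__main__":
    for host in uncovered_hosts(OBSERVED_REQUESTS, WALLED_GARDEN):
        print("not in Walled Garden:", host)
    for entry in overbroad_entries(WALLED_GARDEN):
        print("over-broad entry:", entry)
```

Review each reported host before adding it: only hosts the splash page genuinely needs belong in the list, since every entry is reachable without sign-on.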
Guests authenticate but do not get internet access
Symptom: Guest completes the portal form and sees a success page, but internet browsing fails.
Cause: The Zyxel controller is not receiving the RADIUS Access-Accept from Purple, or the USG Flex firewall is blocking the RADIUS response.
Resolution: Verify that outbound UDP ports 1812 and 1813 are permitted from the Zyxel AP management IP to the Purple RADIUS server IP. Check the USG Flex security policy logs for blocked traffic.
RADIUS accounting data missing from Purple dashboard
Symptom: Sessions appear in Nebula but the Purple analytics dashboard shows no session duration data.
Cause: RADIUS Accounting is not enabled in the Nebula SSID configuration, or UDP port 1813 is blocked.
Resolution: Confirm RADIUS accounting is enabled in the SSID advanced settings. Verify the accounting port is set to 1813 and the shared secret matches the Purple configuration.
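Why a mismatched shared secret shows up as missing accounting data, as an added example (not Purple or Zyxel code): an Accounting-Request carries an MD5 authenticator computed over the packet and the shared secret (RFC 2866), and a server that computes a different value does not record the packet. The secret, NAS identifier, MAC address and session ID used here are constructed.

```python
"""Build a RADIUS Accounting-Request (RFC 2866) and validate its authenticator."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4                      # packet code
CALLED_STATION_ID, NAS_IDENTIFIER = 30, 32  # attribute types
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
STATUS_START = 1


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_accounting_start(identifier, secret, nas_id, called_station, session_id):
    """Return an Accounting-Request (Start) signed with the shared secret."""
    attrs = (
        attr(ACCT_STATUS_TYPE, struct.pack("!I", STATUS_START))
        + attr(NAS_IDENTIFIER, nas_id.encode())
        + attr(CALLED_STATION_ID, called_station.encode())
        + attr(ACCT_SESSION_ID, session_id.encode())
    )
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    #                             + attributes + shared secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def server_accepts(packet: bytes, secret: bytes) -> bool:
    """Recompute the authenticator with the server's copy of the secret."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Decode the attribute list that follows the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


if __name__ == "__main__":
    # Constructed values; the real secret comes from the Purple admin console.
    packet = build_accounting_start(
        7, b"constructed-secret", "site-lobby", "AA-BB-CC-DD-EE-FF", "0000002A")
    print("matching secret accepted:", server_accepts(packet, b"constructed-secret"))
    print("mistyped secret accepted:", server_accepts(packet, b"constructed-secre7"))
    print("NAS identifier sent:", parse_attributes(packet)[NAS_IDENTIFIER].decode())
```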
DPPSK users assigned to wrong VLAN
Symptom: A tenant connects with their PPSK but is placed on the wrong network segment.
Cause: The VLAN ID in the DPPSK database entry does not match the VLAN configured on the switch trunk or the USG Flex interface.
Resolution: Cross-reference the VLAN ID in the Nebula DPPSK database with the VLAN configuration on the upstream switch and USG Flex. Ensure the AP switch port is a trunk carrying all tenant VLANs.
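One way to run that cross-reference in bulk, as an added example (not Purple or Zyxel code): it checks each DPPSK entry's VLAN ID against the VLANs carried on the AP trunk and counts unexpired entries against the 2,048-entry limit stated in this guide. The CSV column names, tenant addresses and the rule that an entry stays valid through its expiry date are assumptions; the list is constructed and is not a Nebula export format.

```python
"""Audit a DPPSK entry list against trunk VLANs and the active-entry limit."""
import csv
import io
from datetime import date

MAX_ACTIVE_DPPSK = 2048  # limit stated in this guide

# Constructed sample. Column names are hypothetical, not a Nebula export format.
SAMPLE_CSV = """email,vlan,expires
tenant-a@example.com,30,2026-12-31
tenant-b@example.com,40,2025-01-31
tenant-c@example.com,55,
tenant-d@example.com,abc,2026-06-30
"""

# VLAN IDs tagged on the AP switch port (the example VLANs used in Step 1).
TRUNK_VLANS = {10, 20, 30, 40, 50}


def audit(csv_text, trunk_vlans, today, limit=MAX_ACTIVE_DPPSK):
    """Return active and expired counts plus (csv_line, email, problem) findings."""
    active, expired, findings = 0, 0, []
    rows = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        email = row["email"].strip()
        expires = (row["expires"] or "").strip()
        # Assumption: an entry is usable up to and including its expiry date.
        if expires and date.fromisoformat(expires) < today:
            expired += 1
            continue
        active += 1
        raw_vlan = (row["vlan"] or "").strip()
        if not raw_vlan.isdigit() or not 1 <= int(raw_vlan) <= 4094:
            findings.append(
                (line_no, email, f"VLAN ID {raw_vlan!r} is not a number in 1-4094"))
        elif int(raw_vlan) not in trunk_vlans:
            findings.append(
                (line_no, email, f"VLAN {raw_vlan} is not carried on the AP trunk"))
    if active > limit:
        findings.append(
            (None, None, f"{active} active entries exceed the limit of {limit}"))
    return {"active": active, "expired": expired, "findings": findings}


if __name__ == "__main__":
    report = audit(SAMPLE_CSV, TRUNK_VLANS, today=date(2026, 1, 15))
    print(f"active={report['active']} expired={report['expired']}")
    for line_no, email, problem in report["findings"]:
        print(f"line {line_no}: {email}: {problem}")
```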
ROI & business impact
Integrating Zyxel infrastructure with Purple converts a cost-centre wireless network into a revenue-generating data asset. For a 200-room hotel, capturing guest email addresses and marketing consent at WiFi login builds a CRM database that drives direct booking campaigns - reducing dependence on OTA commissions. For a retail chain, Purple's Guest WiFi platform provides foot traffic analytics, dwell time data, and repeat visit rates that inform staffing and merchandising decisions.
For multi-tenant operators - BTR developments, student accommodation, coworking spaces - deploying Zyxel DPPSK with Purple eliminates the operational overhead of managing separate SSIDs and credentials per tenant. A single SSID with dynamic VLAN assignment reduces RF interference, simplifies onboarding, and scales to hundreds of residents without additional infrastructure.
Purple's 99.999% uptime SLA ensures the authentication layer does not become a bottleneck for guest access. With 29 billion data points collected across the platform (Purple internal data), the analytics delivered through the Purple admin console provide venue operators with actionable intelligence that justifies the integration investment within the first quarter of deployment.
For healthcare and transport environments where visitor WiFi is a regulated service, the GDPR-compliant data capture and consent management built into Purple's captive portal removes the compliance risk associated with unmanaged open networks.
See also: Arista Cognitive Wi-Fi Integration with Purple WiFi for a comparable integration pattern on a different hardware platform.
Key Definitions
Captive portal
A web page that intercepts unauthenticated HTTP traffic from a connected device and requires the user to interact or authenticate before internet access is granted.
The primary mechanism Purple uses to capture guest data and enforce terms of service on Zyxel Guest WiFi networks.
Walled Garden
A list of IP addresses and domain names that a device can access before completing captive portal authentication.
Configured in Nebula under Captive portal advance setting. Must include all Purple portal domains, CDN endpoints, and OS connectivity check URLs.
RADIUS
Remote Authentication Dial-In User Service. A networking protocol providing centralised Authentication, Authorisation, and Accounting (AAA) management for network access.
Purple acts as the RADIUS server. Zyxel APs send authentication requests on UDP 1812 and accounting data on UDP 1813.
DPPSK
Dynamic Personal Pre-Shared Key. A Zyxel Nebula feature that issues unique WiFi passphrases on a single SSID, mapping each passphrase to a specific VLAN.
Used in multi-tenant venues to isolate resident or tenant traffic without broadcasting multiple SSIDs. Requires Nebula Pro Pack.
VLAN
Virtual Local Area Network. A logical network segment that isolates traffic at Layer 2, regardless of the physical switch or AP infrastructure.
Mandatory for separating Guest, Staff, and Multi-Tenant traffic. Required for PCI DSS compliance in venues that process card payments.
IEEE 802.1X
An IEEE standard for port-based network access control that uses the Extensible Authentication Protocol (EAP) to authenticate individual users or devices before granting network access.
Used for Staff WiFi in Nebula by selecting WPA2-Enterprise or WPA3-Enterprise with either the Nebula Cloud Authentication Server or an external RADIUS server.
CNA
Captive Network Assistant. The pseudo-browser that iOS and macOS devices automatically open when they detect a captive portal on a WiFi network.
Has limited JavaScript and cookie support compared to a full browser. Purple splash pages must be tested in the CNA environment before deployment.
Identity-Based Networks
A network architecture where access policies, VLAN assignments, and bandwidth limits are dynamically applied based on the authenticated identity of the user or device.
The outcome of combining Zyxel DPPSK with Purple's RADIUS platform. Each user gets the right network segment automatically at connection time.
NCC
Nebula Control Center. Zyxel's cloud-based network management platform for centrally configuring and monitoring Zyxel access points, switches, and firewalls.
All SSID, captive portal, RADIUS, and DPPSK configurations described in this guide are performed within NCC.
Worked Examples
A 200-room hotel is deploying Zyxel Nebula access points and a USG Flex 500 firewall. They need guest WiFi with a branded splash page, a separate staff network with individual credentials, and an IoT network for smart TVs and thermostats - all without broadcasting more than three SSIDs.
The IT team configures three SSIDs. The first is 'Hotel-Guest', an open SSID with the Purple external captive portal URL configured in Nebula. Guests are redirected to a branded Purple splash page where they submit their email and accept marketing consent. RADIUS authentication and accounting point to the Purple cloud platform on ports 1812 and 1813. The second SSID is 'Hotel-Staff', configured with WPA2-Enterprise and the Nebula Cloud Authentication Server. Each staff member has a unique username and password in the NCAS database, mapped to VLAN 20. The third SSID is 'Hotel-IoT', configured with DPPSK. Each smart TV and thermostat receives a unique passphrase mapped to VLAN 30. The USG Flex enforces zone policies: Guest (VLAN 10) can only reach the WAN. Staff (VLAN 20) can reach the WAN and internal management systems. IoT (VLAN 30) is restricted to specific local services only.
A coworking space operator manages 12 tenants across three floors. Each tenant needs isolated internet access and must not be able to reach other tenants' devices. The operator wants to issue WiFi credentials at move-in and revoke them at move-out, without changing the SSID or reconfiguring the APs.
The operator deploys a single 'CoWork-Connect' SSID with DPPSK enabled in Nebula. At move-in, they log in to the Nebula Control Center, navigate to Configure > Cloud authentication > DPPSK, and create a new credential for the tenant with the target VLAN ID matching that tenant's network segment. They set an expiry date matching the lease end date and email the credential to the tenant. At move-out, they delete the DPPSK entry. The credential immediately becomes invalid and the tenant's devices can no longer associate. Layer 2 isolation is enabled on the SSID to prevent cross-tenant communication even within the same VLAN.
Practice Questions
Q1. You have configured the Purple captive portal URL in Zyxel Nebula and enabled the external portal. Guests connect to the SSID but report that the splash page takes over 30 seconds to load and appears visually broken - missing images and layout. What is the most likely cause and how do you resolve it?
Hint: Consider what controls access to external resources before a guest has authenticated.
Model answer:
The Walled Garden configuration is incomplete. The Purple splash page loads CSS, JavaScript, and image assets from CDN domains. If these domains are not whitelisted in the Nebula Captive portal advance setting, the AP blocks those requests before authentication is complete. Resolution: connect a test device to the Guest SSID, open a browser (not the CNA mini-browser), navigate to any HTTP URL to trigger the redirect, then open developer tools and inspect the Network tab. Identify any requests returning 403 or connection errors. Add those domains to the Nebula Walled Garden and retest.
Q2. A venue operator wants to provide isolated networks for 15 different retail tenants in a shopping centre. Their initial plan is to broadcast 15 separate SSIDs from their Zyxel APs. Why is this approach problematic, and what should they deploy instead?
Hint: Think about RF airtime and the Zyxel feature designed specifically for this use case.
Model answer:
Broadcasting 15 SSIDs generates 15 sets of beacon frames per access point per second. In a dense retail environment with multiple APs, this beacon overhead consumes significant airtime and degrades throughput for all connected devices. The correct approach is to broadcast a single SSID and enable Zyxel DPPSK. Each tenant receives a unique passphrase mapped to their dedicated VLAN ID. When a tenant device connects, the Nebula controller dynamically assigns it to the correct VLAN. This achieves full traffic isolation with a single SSID and minimal RF overhead.
Q3. After deploying the Zyxel and Purple integration, guests can authenticate successfully and browse the internet. However, the Purple analytics dashboard shows zero session duration data and the time-based access limit feature is not working. What is missing from the configuration?
Hint: Authentication and session tracking use different ports and protocols.
Model answer:
RADIUS Accounting is either not enabled in the Nebula SSID configuration or UDP port 1813 is blocked by the upstream firewall. Authentication (UDP 1812) is succeeding, which is why guests can connect. But without Accounting packets (Start, Interim-Update, Stop), Purple cannot track session duration, enforce time limits, or populate the analytics dashboard. Resolution: confirm RADIUS accounting is enabled in SSID advanced settings with the accounting port set to 1813 and the correct shared secret. Then verify the upstream firewall permits outbound UDP 1813 from the Zyxel AP management IP to the Purple RADIUS server IP.