Zyxel Nebula and guest WiFi: captive portal setup with Purple

Welcome to the Purple Technical Briefing Series. I am your host, and today we are covering a crucial deployment scenario for IT managers and network architects: integrating Zyxel Nebula Cloud and USG Flex Firewalls with Purple WiFi. If you are deploying guest WiFi across a hotel chain, a retail estate, or a multi-tenant environment, this episode is for you. Let us get straight into the architecture. First, why this integration? Zyxel provides robust hardware, and Nebula offers centralised cloud management. But when you deploy WiFi at scale - say, across 50 retail branches or a 200-room hotel - you need more than basic connectivity. You need a structured authentication flow, compliant data capture, and dynamic network segmentation. That is where Purple comes in. We integrate with Zyxel via RADIUS and external captive portal redirection to deliver Identity-Based Networks. Let us walk through the core configuration on Zyxel Nebula. The process starts with your SSID settings. You navigate to Site-wide, Configure, Access points, and then SSID advanced settings. Here, you enable the external captive portal URL. You will input the specific Purple redirect URL provided in your Purple portal. But redirection alone is not enough; you must configure the Walled Garden. The Walled Garden defines which domains a guest device can reach before authentication. This is a common pitfall. You must whitelist the Purple portal domains, any asset CDNs, and the standard OS captive portal detection endpoints. In Nebula, you add these domains line by line. If you miss a domain, the splash page will fail to load properly, and your guests will be stuck. Next, we configure the RADIUS server. In the SSID advanced settings, you select WPA2-Enterprise with My RADIUS server, or configure MAC-based authentication depending on your flow. You enter the Purple RADIUS IP address, set the authentication port to 1812, the accounting port to 1813, and input the shared secret. Always configure the backup RADIUS server to ensure high availability. Now, let us discuss a more advanced scenario: Multi-Tenant segmentation using Zyxel Private Pre-Shared Keys, or PPSK. In environments like student accommodation or coworking spaces, you want a single SSID, but you need to isolate traffic per tenant. Zyxel PPSK allows you to issue a unique WiFi password to each user. When they connect, the Nebula controller dynamically assigns them to a specific VLAN based on that password. You configure this under Cloud Authentication by selecting DPPSK and assigning the corresponding VLAN ID. It reduces SSID overhead and significantly improves security. What about the USG Flex firewall? If you are running the gateway on-premise, you must ensure your firewall rules and zone policies align with your wireless segments. You typically create dedicated zones for Guest, Staff, and Multi-Tenant traffic. The Guest zone must only have outbound internet access, with strict rules blocking access to the LAN or DMZ zones. Let us move to implementation recommendations and common pitfalls. The most frequent issue we see is walled garden misconfiguration. If a guest connects and sees a blank page, check your whitelist. Use browser developer tools to identify blocked CDN requests. The second issue is RADIUS timeouts. Ensure your upstream firewalls allow UDP ports 1812 and 1813 outbound to the Purple cloud platform. Time for a rapid-fire Q and A. Question one: Do I need a dedicated VLAN for Guest WiFi? Answer: Yes. Always isolate guest traffic on a dedicated VLAN. This is mandatory for PCI DSS compliance if your venue processes payments on the same physical infrastructure. Question two: Can I use Purple with Zyxel standalone APs without Nebula? Answer: Yes, but managing the RADIUS and portal settings per AP is inefficient. We strongly recommend using Nebula Control Center for centralised management. Question three: How does Purple handle MAC address randomisation? Answer: Purple relies on the MAC address provided by the Zyxel controller via RADIUS accounting. While devices randomise MACs per network, they keep the same MAC for your specific SSID, allowing session persistence during their visit. To summarise: Integrating Zyxel Nebula with Purple requires precise configuration of the external captive portal URL, a comprehensive Walled Garden, and accurate RADIUS settings. For multi-tenant venues, leverage Zyxel PPSK for dynamic VLAN steering. Get these elements right, and you deliver a secure, scalable WiFi experience that captures valuable first-party data. If you are planning a deployment, review the full technical guide for step-by-step instructions and architecture diagrams. Thank you for listening, and we will see you on the next technical briefing.