Stop running FreeRADIUS, NPS, or Cisco ISE. Purple's cloud RADIUS authenticates guest, staff, and multi-tenant WiFi against your existing identity provider — EAP-TLS, PEAP, and iPSK — with multi-region failover and a 99.9% uptime SLA. Live on your access points in under an hour.
RADIUS-as-a-Service (sometimes written RADIUSaaS or cloud RADIUS) is a fully managed RADIUS authentication service delivered as a SaaS. You point your access points at a hostname; Purple validates every join request against your identity provider and tells the access point which VLAN to drop the device onto.
The service handles EAP over RADIUS exactly the same way a FreeRADIUS cluster, Microsoft NPS farm, or Cisco ISE appliance does — so your clients (laptops, phones, IoT, BYOD) do not need reconfiguration. What you stop doing is running the servers: no OS patching, no certificate chain maintenance on the auth plane, no designing for high availability, no capacity planning for office reopening days.
Three forces have converged to make cloud the default RADIUS posture for new deployments.
Your primary identity is now Entra ID, Okta, or Google Workspace — not on-prem Active Directory. On-prem RADIUS forces an AD-sync or hybrid bridge that cloud RADIUS removes entirely. SCIM provisioning means an offboarded employee loses WiFi access at the same second they lose email.
WPA3-Enterprise and modern IT hygiene both push toward EAP-TLS with machine-issued certificates. Running your own CA on top of on-prem RADIUS is an operational burden most teams no longer want. Purple pairs RADIUS-as-a-Service with managed certificate issuance where needed.
On-prem RADIUS HA means two boxes, a replication topology, and a quarterly failover test. Cloud RADIUS gives you active-active multi-region from day one. Access points are configured with two or three endpoints; failover happens in seconds with no operator involvement.
Every join request follows the same path. The client (laptop, phone, IoT) attempts to associate to an SSID configured for 802.1X. The access point, acting as the authenticator, wraps the client's EAP traffic inside a RADIUS packet and forwards it to Purple. Purple, acting as the authentication server, validates the credential against your IdP and returns Access-Accept along with the VLAN and policy to apply. The access point enforces the decision. Total latency: tens of milliseconds.
Access-Accept with VLAN, ACL, and policy attributes.| Method | Credential | Best for |
|---|---|---|
| EAP-TLS | X.509 client certificate | Managed fleets. Gold standard — no password, no phishing surface. |
| PEAP-MSCHAPv2 | Username + password | Legacy devices and transitional deployments. |
| EAP-TTLS | Username + password inside a TLS tunnel | Non-AD directories and mixed-client venues. |
| EAP-FAST | Protected Access Credential | Cisco-heavy networks with existing EAP-FAST policy. |
| iPSK | Unique per-device pre-shared key | BYOD, IoT, and multi-tenant WiFi where certificates are impractical. |
Purple RADIUS-as-a-Service authenticates against whatever identity provider already holds the truth about your users. SCIM provisioning keeps membership in sync without a nightly batch job.
RADIUS-as-a-Service runs on any enterprise-grade access point that speaks standard RADIUS. No hardware swap, no controller upgrade.
Verified with: Cisco Meraki, Cisco Catalyst, Aruba (HPE), Ruckus (CommScope), Juniper Mist, Ubiquiti UniFi, Cambium Networks, Extreme Networks, Fortinet FortiAP, and more. If your access point can be configured with a RADIUS server IP or hostname, Purple is compatible.
| Cloud RADIUS (Purple) | On-premise (FreeRADIUS / NPS / ISE) | |
|---|---|---|
| Time to live | Under an hour | Days to weeks |
| High availability | Multi-region active-active, default | DIY — two boxes plus replication |
| OS patching | Vendor-managed | Your ops team |
| Identity integration | Native Entra ID, Okta, Google Workspace | AD-first, cloud IdP via bridges |
| Certificate management | Managed PKI option | Self-hosted PKI required |
| Scalability | Elastic, per-AP billing | Capacity planning exercise |
| Total cost of ownership | Predictable per-AP subscription | License + hardware + ops + downtime |
RADIUS-as-a-Service is a cloud-hosted RADIUS authentication service that replaces on-premise FreeRADIUS, Microsoft NPS, or Cisco ISE servers. Your access points forward authentication requests to the cloud; credentials are validated against your identity provider (Entra ID, Okta, Google Workspace) and devices are admitted to the correct VLAN. You run no servers, patch no OS, and inherit multi-region high availability by default.
On-premise RADIUS (FreeRADIUS, NPS, Cisco ISE) requires servers, patching, certificate management, and a high-availability design. Cloud RADIUS removes all of that — you point your access points at a hostname, and the provider handles uptime, scaling, and updates. The authentication flow is identical (EAP over RADIUS), so client devices do not know the difference.
EAP-TLS (certificate-based, the gold standard), PEAP-MSCHAPv2 (username/password for legacy devices), EAP-TTLS, and EAP-FAST. Most production deployments use EAP-TLS for managed devices and fall back to PEAP for a transition period. iPSK is offered alongside for BYOD and multi-tenant use cases where certificate provisioning is impractical.
Microsoft Entra ID (Azure AD), Okta, Google Workspace, OneLogin, JumpCloud, Active Directory (via LDAP bind or secure tunnel), and any SAML 2.0 or SCIM-compliant IdP. SCIM provisioning ensures an employee who leaves your company loses WiFi access at the same moment they lose email access — no orphaned credentials.
Purple operates RADIUS authentication endpoints in multiple regions with active-active failover. Access points are configured with two or three authentication targets; if the primary endpoint fails health checks, traffic moves to the next region within seconds. The service is backed by a 99.9% uptime SLA.
No. Any enterprise-grade access point that speaks RADIUS (Cisco, Aruba, Ruckus, Juniper Mist, Meraki, Ubiquiti UniFi, Cambium, Extreme) can forward authentication to Purple. You change the RADIUS server address on each SSID and the AP does the rest.
Per access point per month, with volume discounts at scale. There is no per-authentication or per-user meter, so you can enable 802.1X across your full device fleet without a surprise invoice. Pricing is published on the Purple pricing calculator.
Yes. Typical migration is a weekend for a mid-sized deployment: stand up Purple alongside the existing RADIUS, add Purple as a secondary auth target on the access points, move SSIDs across one at a time, and decommission the legacy server once traffic is drained. Purple professional services run the cutover for enterprise customers.
See Purple RADIUS-as-a-Service running alongside your existing Cisco, Aruba, Ruckus, Juniper Mist, Meraki, or Ubiquiti deployment. Live in an afternoon.
