
Personal vs. Enterprise — pick the right mode

The WPA standard has two modes. WPA-Personal (WPA2-PSK, WPA3-SAE) uses a single password shared across everyone who joins the SSID. Good enough for a home. WPA-Enterprise authenticates each user or device individually via 802.1X against a RADIUS server. Required for any venue that cares about revocation, audit, or compliance.

|                | WPA-Personal (PSK / SAE)           | WPA-Enterprise (802.1X)                                 |
|----------------|------------------------------------|---------------------------------------------------------|
| Credential     | Shared passphrase                  | Per-user certificate, password, or iPSK                 |
| Infrastructure | Just the access points             | APs + RADIUS server (or RADIUS-as-a-Service)            |
| Revocation     | Rotate the network-wide passphrase | Disable one user in the IdP                             |
| Audit trail    | None — all devices look identical  | Per-user session logs                                   |
| Right for      | Homes, tiny single-trust venues    | Offices, hotels, campuses, stadiums, anything regulated |

WPA3-Enterprise vs WPA2-Enterprise

WPA3 is not just a bigger WPA2. Four changes matter for enterprise deployments.

Mandatory server-certificate validation

Clients must verify the RADIUS server's certificate before sending credentials. Closes the evil-twin attack that plagued mis-configured WPA2-Enterprise deployments.

Protected management frames (PMF)

Deauthentication and disassociation frames are cryptographically signed, so attackers can no longer knock clients off the network with spoofed frames.

192-bit Suite B mode

Optional high-security mode for government, defence, and critical infrastructure. Suite B cryptography throughout — key exchange, encryption, and MAC.

Backwards compatibility

WPA3-Enterprise can run in transition mode on the same SSID as WPA2, so you do not need a hard cutover. Newer clients negotiate WPA3; older ones fall back to WPA2-Enterprise.

The 802.1X authentication flow

Three actors, one handshake. The sequence is the same whether you use EAP-TLS, PEAP, or EAP-TTLS.

  1. The supplicant (client laptop, phone, IoT) attempts to associate.
  2. The authenticator (access point) holds the client in an 802.1X uncontrolled port, only relaying EAP frames.
  3. The supplicant presents its credential — a certificate (EAP-TLS), a username + password (PEAP), or an iPSK.
  4. The authentication server (RADIUS) validates the credential against the identity provider.
  5. RADIUS replies Access-Accept with VLAN and policy; the AP opens the controlled port to the correct segment.
  6. The session key is derived from the 802.1X handshake — unique to this device, this session.
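As an added illustration of the sequence above (not code from the original page or from Purple), a Python model of the three actors: a constructed IdP, toy certificate fingerprints in place of real EAP-TLS, a pinned server fingerprint in place of CA validation, and an HMAC in place of the real EAP key export. It shows the controlled port staying closed until Access-Accept, a user disabled in the IdP being rejected, and a fresh session key per join.

```python
import hashlib
import hmac
import secrets

# Constructed identity provider (hypothetical): username -> credential fingerprint, VLAN, enabled flag.
IDP = {
    "alice": {"fp": hashlib.sha256(b"alice-device-cert").hexdigest(), "vlan": 10, "enabled": True},
    "bob": {"fp": hashlib.sha256(b"bob-device-cert").hexdigest(), "vlan": 20, "enabled": False},  # revoked
}
# Pinned fingerprint of the legitimate RADIUS server certificate (constructed stand-in for CA validation).
SERVER_CERT_FP = hashlib.sha256(b"purple-radius-server-cert").hexdigest()


def radius_authenticate(username, cred_fp, session_nonce):
    """Authentication server: check the credential against the IdP (step 4) and answer
    Access-Accept with policy or Access-Reject (step 5). A disabled IdP user is rejected,
    which is the per-user revocation the comparison table describes."""
    user = IDP.get(username)
    if user is None or not user["enabled"] or not hmac.compare_digest(user["fp"], cred_fp):
        return {"code": "Access-Reject"}
    # Toy stand-in for the EAP master session key: bound to this credential and this session's nonce (step 6).
    msk = hmac.new(bytes.fromhex(cred_fp), session_nonce, hashlib.sha256).digest()
    return {"code": "Access-Accept", "vlan": user["vlan"], "msk": msk}


def join(username, device_cert, server_cert):
    """Supplicant plus authenticator (steps 1-3 and 5). The AP starts with the controlled port
    closed and relays only the EAP exchange (modelled here as the radius_authenticate call)."""
    port = {"controlled_open": False, "vlan": None}
    # WPA3-Enterprise rule: validate the server before presenting any credential.
    if not hmac.compare_digest(hashlib.sha256(server_cert).hexdigest(), SERVER_CERT_FP):
        return {"joined": False, "reason": "untrusted server certificate", "port": port}
    nonce = secrets.token_bytes(16)
    reply = radius_authenticate(username, hashlib.sha256(device_cert).hexdigest(), nonce)
    if reply["code"] != "Access-Accept":
        return {"joined": False, "reason": "Access-Reject", "port": port}
    port["controlled_open"], port["vlan"] = True, reply["vlan"]  # open the port into the assigned segment
    return {"joined": True, "port": port, "session_key": reply["msk"]}


if __name__ == "__main__":
    ok = join("alice", b"alice-device-cert", b"purple-radius-server-cert")
    print(ok["joined"], ok["port"], ok["session_key"].hex())
```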

How Purple deploys WPA-Enterprise

Purple operates the RADIUS and (optionally) the certificate authority as cloud services. You keep your existing access points.

  • Day 0: Connect your IdP (Entra ID, Okta, Google Workspace). Choose an EAP method — EAP-TLS for managed fleets, PEAP for transitional deployments, iPSK for BYOD.
  • Day 1: Point the access points' RADIUS setting at Purple. Configure the SSID for WPA2 or WPA3-Enterprise. Push the onboarding profile via MDM.
  • Ongoing: Users are provisioned and de-provisioned via SCIM — no manual WiFi password rotations. Certificates auto-renew. SIEM receives the full auth log via webhook.

Coverage across Purple products

  • Staff WiFi: WPA2/3-Enterprise with EAP-TLS for managed laptops and PEAP for legacy devices.
  • Multi-Tenant WiFi: iPSK on a single SSID, with each tenant isolated in a Private Area Network.
  • Guest WiFi: OpenRoaming/Passpoint on the public SSID, with WPA3-Enhanced Open as a fallback where appropriate.
  • Passwordless WiFi: the broader hub covering EAP-TLS, iPSK, Passpoint, and SAML.
  • RADIUS-as-a-Service: the cloud RADIUS engine that authenticates every join request.

Frequently asked

What is WPA-Enterprise?

WPA-Enterprise is the IEEE 802.11 security mode designed for organisations. Instead of a single shared password (WPA-Personal), each user or device authenticates individually against a RADIUS server via 802.1X, typically with a certificate (EAP-TLS) or username and password (PEAP). Every session gets a unique encryption key, and access can be revoked per-device without disrupting the rest of the network.

What is the difference between WPA2-Enterprise and WPA3-Enterprise?

WPA3-Enterprise fixes known weaknesses in WPA2-Enterprise. The most important changes: server-certificate validation is now mandatory (closes the evil-twin attack vector that plagued WPA2), management frames are protected, and the optional 192-bit Suite B mode offers defence-grade cryptography. WPA3-Enterprise is backwards-compatible with WPA2-Enterprise in a transition mode, so you can upgrade gradually.

How does 802.1X authentication work?

Three parties are involved. The supplicant (client device) asks to join. The authenticator (access point) holds the client in a quarantine state and forwards its EAP messages to an authentication server (RADIUS). The RADIUS server validates the credential — certificate, password, or token — and tells the access point to admit or reject. Each successful session gets a unique encryption key derived from the authentication, so one compromised device cannot decrypt another device's traffic.

What is EAP-TLS and why is it the gold standard?

EAP-TLS uses a TLS handshake with mutual certificate authentication. The client proves its identity with a device certificate, the server proves its identity with a server certificate, and the session key is negotiated inside the encrypted tunnel. There is no password to phish or steal — you would have to extract the private key from the device itself. For managed fleets with an MDM, EAP-TLS is the right default.

Can I deploy WPA3-Enterprise on my existing access points?

Most enterprise-grade access points released from 2020 onwards support WPA3-Enterprise in firmware. You typically enable WPA3-Enterprise on the SSID and keep WPA2 as a fallback during the transition. Older APs may only support WPA2-Enterprise — those are still secure when paired with cloud RADIUS and EAP-TLS, so a forklift upgrade is rarely needed.

Do I need to run a RADIUS server to use WPA-Enterprise?

Yes — WPA-Enterprise is defined around an external authentication server, which in practice means RADIUS. You can run it on-premises (FreeRADIUS, Microsoft NPS, Cisco ISE) or consume it as a service. Purple RADIUS-as-a-Service is the cloud-hosted option most customers pick when they do not want to operate servers.

Is WPA2-Enterprise still safe to deploy?

Yes, when deployed correctly. The known attacks on WPA2-Enterprise all require either a mis-configured client (no server-certificate validation, which is what WPA3 makes mandatory) or physical access to a device. Enforcing server-certificate validation via MDM and using EAP-TLS closes the practical risks. WPA3-Enterprise is still preferred going forward, but there is no reason to panic-migrate a working WPA2-Enterprise deployment.

How do I handle devices that do not support 802.1X?

Two good options. First, iPSK (Identity PSK) gives each device a unique pre-shared key on a single SSID — the user experience of WPA-Personal, the per-device revocation of WPA-Enterprise. Second, MAC Authentication Bypass (MAB) admits known-good MAC addresses to a constrained VLAN. Purple supports both alongside WPA2/3-Enterprise on the same network.