Saltar al contenido principal
Español

Asistente de configuración de RADIUS y guía de 802.1X

Configure redes inalámbricas seguras WPA2 y WPA3 Enterprise integradas con proveedores de identidad en la nube.

Configura tu configuración de RADIUS

1. Select your technology stack

PEAP-MSCHAPv2 requires users to input their active email and directory password. Easy to set up, but susceptible to credential harvesting.

RADIUS Server Specifications

Configure these cloud authentication servers on your wireless access point controllers.

Primary Server185.101.99.1Host: radius1.purple.ai
Secondary Server185.101.99.2Host: radius2.purple.ai
PortsAuth: 1812 | Acct: 1813Standard UDP ports
Shared Secret KeypUrpLeReSeArCh8021x

Access point controller settings

  1. Log in to the Meraki Dashboard and navigate to Wireless > SSIDs.
  2. Rename SSID to your secure network name and set Association to WPA2-Enterprise with 802.1X or WPA3-Enterprise.
  3. Set IP assignment to Bridge mode to handle dynamic client VLANs.
  4. Under RADIUS servers, click "Add a server" and enter the Primary IP (185.101.99.1) and Secondary IP (185.101.99.2), Port 1812, and your Shared Secret.
  5. Enable RADIUS Accounting, pointing to the same server IPs with Port 1813.
  6. Set RADIUS CoA (Change of Authorization) to Enabled. This is required for session termination and security policies.

Identity directory mapping

  1. Open the Microsoft Entra admin center (Azure Portal).
  2. Navigate to App registrations and register a new enterprise app for Purple WiFi.
  3. Configure API permissions to allow User.Read.All and GroupMember.Read.All.
  4. Set up SCIM provisioning pointing to https://api.purple.ai/scim/v2 using your tenant token to sync user status.
  5. Create security groups (e.g. "WiFi-Users") and assign users to control who can authenticate to the network.

Client device onboarding profiles

Client devices need configuration parameters to trust the RADIUS server certificate silently without displaying security warnings.

Apple macOS & iOS Configuration Profile (.mobileconfig)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>Enterprise WiFi Profile</string>
      <key>PayloadIdentifier</key>
      <string>com.purple.wifi.profile</string>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key>
      <string>A5E81A22-38D4-4903-BB1A-A6C18644A152</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>SSID_STR</key>
      <string>Enterprise-Secure</string>
      <key>HIDDEN</key>
      <false/>
      <key>EncryptionType</key>
      <string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>
        <array>
          <integer>25</integer> <!-- 25 = PEAP, 13 = TLS -->
        </array>
        <key>TLSTrustedServerNames</key>
        <array>
          <string>radius.purple.ai</string>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Enterprise WiFi Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.purple.wifi</string>
  <key>PayloadUUID</key>
  <string>F2B8D432-84E3-40B1-B590-F28B020B0421</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
Windows clients (Group Policy)Create a Group Policy Object (GPO) under Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (802.11) Policies. Configure SSID properties to connect automatically to Enterprise-Secure using WPA2-Enterprise or WPA3-Enterprise, EAP-PEAP, specify trust for Root CA certificate, and lock down trusted server domains to radius.purple.ai.
Android 11+ clients (CA trust)Android 11 and later versions enforce CA certificate validation. When connecting manually to Enterprise-Secure, users cannot select "Do not validate". They must: Select Use system certificates, set Domain validation to radius.purple.ai, and configure EAP method to PEAP or TLS.

Asistente de configuración de seguridad empresarial

La implementación de la autenticación empresarial 802.1X requiere alinear los proveedores de identidad, los servidores RADIUS y los puntos de acceso inalámbricos. Este asistente proporciona las direcciones IP, los puertos y los ajustes de perfil del SO del cliente necesarios para una configuración segura.

Parámetros de configuración admitidos

  • Integraciones de proveedores de identidad en la nube con Microsoft Entra ID y Okta.
  • Detalles de configuración del servidor RADIUS para autenticación y contabilidad.
  • Parámetros de perfil de cliente para certificados seguros y onboarding silencioso.

Need a Cloud RADIUS?

Deploying 802.1X enterprise authentication doesn't require complex on-premises hardware. Purple's integrated Cloud RADIUS syncs directly with Entra ID, Okta, and Google Workspace.

Talk to a WiFi expert