Guía de integración de MikroTik RouterOS Captive Portal y Purple WiFi

Esta guía técnica proporciona instrucciones paso a paso para integrar MikroTik RouterOS con la plataforma WiFi de Purple. Cubre la configuración del Captive Portal de Guest WiFi, la autenticación 802.1X de Staff WiFi y WiFi multiinquilino mediante PSK privadas para la segmentación dinámica de VLAN.

📖 4 min de lectura📝 872 palabras🔧 2 ejemplos resueltos❓ 3 preguntas de práctica📚 8 definiciones clave

Escucha esta guía

Ver transcripción del podcast

MikroTik RouterOS Captive Portal and Purple WiFi Integration Guide - Podcast Script

[INTRO - approximately 1 minute]

Welcome. If you're managing WiFi infrastructure at a hotel, a retail chain, a stadium, or a conference centre, and you're running MikroTik RouterOS, this episode is for you.

I'm going to walk you through exactly how to integrate MikroTik's Hotspot Gateway with Purple's guest WiFi platform - covering three distinct use cases: guest WiFi with a captive portal and walled garden, secure staff WiFi using 802.1X, and multi-tenant network segregation using MikroTik's Private Pre-Shared Key feature.

This isn't a theoretical overview. By the end of this, you'll have the specific CLI commands, RADIUS attributes, and configuration logic you need to deploy or audit these setups yourself.

Let's get into it.

[TECHNICAL DEEP-DIVE - approximately 5 minutes]

Part one: Guest WiFi and the MikroTik captive portal.

MikroTik's Hotspot Gateway is the engine behind guest WiFi redirection on RouterOS. When a visitor connects to your guest SSID, the Hotspot Gateway intercepts their HTTP traffic and redirects them to a splash page - that's your captive portal. Purple hosts that splash page. Your MikroTik router acts as the Hotspot Gateway and RADIUS client. Purple's platform acts as the RADIUS server.

Here's how you set it up. First, run the Hotspot Setup wizard from the IP menu in Winbox or via the CLI. You'll assign it to your guest-facing interface - typically a VLAN interface or a bridge port. Set your local address pool, configure your DNS servers, and give the hotspot a DNS name. That DNS name is what guests see in their browser before they authenticate.

Once the wizard completes, you need to point the hotspot profile at Purple's RADIUS server. In the CLI, that looks like this:

/radius add service=hotspot address=YOUR-PURPLE-RADIUS-IP secret=YOUR-SHARED-SECRET authentication-port=1812 accounting-port=1813

Then enable RADIUS on the hotspot profile:

/ip hotspot profile set default use-radius=yes

Purple will provide you with the RADIUS IP address, the shared secret, and the splash page URL when you set up your venue in the Purple dashboard.

Now, the walled garden. This is critical. Before a guest authenticates, their device needs to be able to reach Purple's splash page and any OAuth providers you're using - Google, Facebook, and so on. Without walled garden entries, the redirect loop breaks and guests can't log in.

In RouterOS, you add walled garden entries under IP, Hotspot, Walled Garden. You need to add Purple's splash page domain, any social login domains, and any CDN hosts that serve the login page assets. Purple's documentation lists the exact domains for your region. Add them as IP entries or hostname entries - hostname entries are more resilient when IP addresses change.

The key RADIUS attributes Purple returns on a successful authentication include the session timeout, which controls how long a guest stays connected before being prompted again, and optionally a bandwidth rate limit using the Mikrotik-Rate-Limit vendor-specific attribute. This lets you enforce fair-use policies per guest session directly from the Purple dashboard without touching the router config.

Part two: Secure Staff WiFi with 802.1X.

This is where you move away from shared passwords entirely. IEEE 802.1X is the standard for port-based network access control. On a MikroTik wireless interface, you enable WPA2-Enterprise or WPA3-Enterprise authentication, which means the access point becomes an authenticator - it passes EAP credentials from the staff device to a RADIUS server, which validates them and returns an Access-Accept or Access-Reject.

Purple's Staff WiFi product integrates with Microsoft Entra ID, Okta, and Google Workspace as identity providers. When a staff member's device connects, it presents a certificate or username and password via PEAP-MSCHAPv2. Purple's RADIUS server validates that credential against your identity provider in real time.

On the MikroTik side, you configure the wireless security profile with authentication-types set to wpa2-eap, and you point the RADIUS client at Purple's server with service=wireless. In CAPsMAN - that's MikroTik's centralised access point management system - you set this at the security configuration level so it applies across all your managed access points consistently.

The RADIUS server can return the Mikrotik-Wireless-VLANID attribute to place authenticated staff on a specific VLAN. This is how you enforce network segmentation - finance staff land on VLAN 10, operations on VLAN 20, and so on - all from a single SSID, all driven by identity.

For automatic revocation - when a staff member leaves - Purple's integration with your identity provider means that when you disable the account in Entra ID or Okta, the next re-authentication attempt fails and the device is disconnected. No manual router config changes required.

Part three: Multi-Tenant WiFi with Private Pre-Shared Keys.

This is the most architecturally interesting of the three. Private PSK - sometimes called PPSK or iPSK - lets you run a single SSID where each tenant, resident, or device group connects with a unique passphrase, and each passphrase maps to a different VLAN.

On MikroTik, this works through MAC-based RADIUS authentication on the wireless interface. When a device connects, the access point sends the device's MAC address to the RADIUS server as the username. The RADIUS server - either MikroTik's own User Manager in RouterOS 7, or FreeRADIUS - looks up that MAC address and returns two vendor-specific attributes: Mikrotik-Wireless-Psk, which is the per-device passphrase, and Mikrotik-Wireless-VLANID, which places the device on the correct VLAN.

The wireless security profile needs radius-mac-authentication set to yes, and the RADIUS client needs service=wireless.

In practice, for a build-to-rent property with 200 apartments, you'd pre-register each resident's device MAC addresses in Purple's platform when they move in. Purple maps each MAC to a unique PSK and a VLAN corresponding to that apartment's network segment. The resident connects using their apartment passphrase. Their devices land on an isolated VLAN. Their neighbour's devices are on a completely separate VLAN. Neither can see the other's traffic.

For devices that don't support 802.1X - smart TVs, games consoles, IoT devices - this approach is the practical alternative. The device just needs to support WPA2-PSK, which everything does.

[IMPLEMENTATION RECOMMENDATIONS AND PITFALLS - approximately 2 minutes]

Let me give you the four things that most commonly go wrong in these deployments.

First: walled garden gaps. If Purple's splash page fails to load, check your walled garden entries. The most common culprit is a missing CDN domain or a social login redirect that isn't whitelisted. Use the MikroTik torch tool or packet sniffer to watch what DNS queries are being blocked before authentication.

Second: RADIUS timeout mismatches. MikroTik's default RADIUS timeout is 1,100 milliseconds. If Purple's RADIUS server is geographically distant or the network path has latency, you'll see intermittent authentication failures. Increase the timeout to 3,000 milliseconds and configure a backup RADIUS server for resilience.

Third: VLAN filtering not enabled on the bridge. Dynamic VLAN assignment via RADIUS only works if bridge VLAN filtering is enabled. This is a RouterOS requirement. If you're seeing all clients land on the default VLAN regardless of what RADIUS returns, check that vlan-filtering=yes is set on your bridge interface.

Fourth: CAPsMAN version mismatch. If you're running a mix of CAPsMAN version 2 and version 3 managed access points, VLAN tagging behaviour can differ. Standardise on RouterOS 7 with CAPsMAN version 3 across your AP estate before deploying dynamic VLAN features.

One architectural recommendation: run your guest, staff, and management traffic on separate VLANs from day one, even if you're not using all three Purple use cases immediately. Retrofitting VLAN segmentation onto a flat network is significantly more disruptive than building it in from the start.

[RAPID-FIRE Q AND A - approximately 1 minute]

Can I use MikroTik's built-in User Manager instead of an external RADIUS server?

Yes, for smaller deployments. User Manager in RouterOS 7 supports PEAP-MSCHAPv2 for wireless 802.1X and can return the Mikrotik-Wireless-VLANID attribute. For production deployments with Purple, you'll use Purple's hosted RADIUS infrastructure, which handles the identity provider integration and session management for you.

Does Purple support MikroTik CAPsMAN?

Yes. Purple is hardware-agnostic. The integration works at the RADIUS and hotspot redirect level, so it's compatible with standalone MikroTik access points and CAPsMAN-managed deployments equally.

What RouterOS version do I need?

RouterOS 7.x is recommended for all three use cases covered in this guide. Dynamic VLAN assignment via wireless RADIUS and the updated User Manager are RouterOS 7 features. RouterOS 6.x supports hotspot and basic RADIUS authentication but lacks some of the wireless VLAN capabilities.

[SUMMARY AND NEXT STEPS - approximately 1 minute]

To summarise: MikroTik RouterOS gives you three distinct integration points with Purple. The Hotspot Gateway handles guest WiFi redirection and captive portal authentication. The wireless 802.1X configuration with RADIUS handles secure staff WiFi with identity-based access. And MAC-based RADIUS authentication with Private PSK handles multi-tenant network segregation for residential and mixed-use properties.

The common thread across all three is RADIUS. Get your RADIUS client configuration right - correct IP, correct shared secret, correct service type, correct timeout - and the rest follows.

Your next steps: log into your Purple dashboard, navigate to the venue configuration, and grab your RADIUS credentials. Then follow the CLI commands in the written guide to configure your hotspot profile, your wireless security profile, and your walled garden entries. Test with a single access point before rolling out to your full estate.

If you're deploying this at scale - multiple sites, hundreds of access points - Purple's Professional Services team can support the rollout. Purple runs across 80,000 live venues globally, with 99.999% uptime, and is certified to ISO 27001, GDPR, and Cyber Essentials.

Thanks for listening. The full written guide with all CLI commands, RADIUS attribute tables, and worked examples is linked in the show notes.

Resumen ejecutivo

La integración de MikroTik RouterOS con Purple crea una red unificada e impulsada por la identidad en entornos de invitados, personal y multiinquilino. Esta guía ofrece la lógica de configuración específica requerida para implementar la superposición en la nube de Purple en el hardware de MikroTik. Aprenderá a configurar el Hotspot Gateway de RouterOS para la redirección de Guest WiFi , implementar IEEE 802.1X para un Staff WiFi seguro y desplegar claves precompartidas privadas (PPSK) para aislar el tráfico de WiFi multiinquilino.

Al seguir estos modelos de implementación, segmentará su red de forma segura mientras recopila datos de primera mano para WiFi Analytics . Purple procesó 440 millones de inicios de sesión en 2024 con un tiempo de actividad del 99.999%, lo que hace que esta arquitectura sea adecuada para entornos de alta densidad en Retail , Hospitalidad y Transporte .

Análisis técnico detallado

Guest WiFi: Captive Portal y Walled Garden

El Hotspot Gateway de MikroTik intercepta el tráfico HTTP no autenticado y lo redirige al Captive Portal alojado de Purple. Purple actúa como el servidor RADIUS, gestionando la autenticación y la administración de sesiones.

Para garantizar que el Captive Portal se cargue correctamente, debe configurar un Walled Garden. Esto permite el acceso previo a la autenticación a los dominios de la página de inicio de Purple, redes de distribución de contenido (CDN) y proveedores de OAuth (como Google Workspace y Microsoft Entra ID). Sin estas entradas, el bucle de redirección se rompe.

Tras una autenticación exitosa, el servidor RADIUS de Purple devuelve atributos estándar, incluido Session-Timeout para aplicar límites de conexión y, opcionalmente, Mikrotik-Rate-Limit para aplicar restricciones de ancho de banda directamente desde el panel de control de Purple.

Staff WiFi: Autenticación 802.1X

Para Staff WiFi, se eliminan las contraseñas compartidas al implementar IEEE 802.1X. El punto de acceso de MikroTik actúa como el autenticador, pasando las credenciales EAP al servidor RADIUS de Purple. Purple se integra de forma nativa con Microsoft Entra ID, Okta y Google Workspace, validando las credenciales a través de PEAP-MSCHAPv2 o EAP-TLS.

Cuando un miembro del personal se conecta, el servidor RADIUS de Purple puede devolver el atributo Mikrotik-Wireless-VLANID. Esto le indica al router MikroTik que coloque el dispositivo autenticado en una VLAN específica, lo que permite la segmentación de red basada en roles desde un único SSID. Para obtener una visión más amplia de los estándares de seguridad, consulte Seguridad WiFi empresarial: Una guía completa para 2026 .

WiFi multiinquilino: PSK privada (PPSK)

Los entornos multiinquilino requieren un aislamiento seguro sin la complejidad de 802.1X, ya que muchos dispositivos de consumo (como Smart TV y consolas de videojuegos) no lo admiten. MikroTik admite PSK privada (PPSK) a través de la autenticación RADIUS basada en MAC.

Cuando un dispositivo se conecta al SSID, el router MikroTik envía la dirección MAC del dispositivo a Purple. Purple devuelve el atributo Mikrotik-Wireless-Psk (la frase de contraseña única para ese inquilino) y el atributo Mikrotik-Wireless-VLANID. Esta arquitectura permite que cientos de inquilinos compartan un único SSID mientras permanecen en burbujas de red completamente aisladas.

Guía de implementación

1. Configuración del cliente RADIUS

Primero, defina a Purple como el servidor RADIUS en RouterOS. Esto se aplica a los tres casos de uso.

/radius
add address=YOUR-PURPLE-RADIUS-IP secret=YOUR-SHARED-SECRET service=hotspot,wireless authentication-port=1812 accounting-port=1813 timeout=3000ms

2. Configuración del Hotspot de Guest WiFi

Ejecute el asistente de configuración de Hotspot en su interfaz VLAN de invitados, luego habilite la autenticación RADIUS en el perfil resultante.

/ip hotspot profile
set [ find default=yes ] use-radius=yes radius-accounting=yes

Configure el Walled Garden para permitir el acceso a la infraestructura de Purple.

/ip hotspot walled-garden
add action=allow dst-host=*purple.ai
add action=allow dst-host=*purpleportal.net

3. Configuración de Staff WiFi 802.1X

Configure el perfil de seguridad inalámbrica para usar WPA2-Enterprise y apúntelo al servidor RADIUS.

/interface wireless security-profiles
add authentication-types=wpa2-eap eap-methods=passthrough mode=dynamic-keys name=staff-8021x radius-mac-authentication=no

Asegúrese de que el filtrado de VLAN de puente esté habilitado para admitir la asignación dinámica de VLAN.

/interface bridge
set bridge1 vlan-filtering=yes

4. Configuración de PPSK multiinquilino

Para PPSK, habilite la autenticación MAC en el perfil de seguridad inalámbrica y configure el formato de la dirección MAC.

/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys name=multi-tenant-ppsk radius-mac-authentication=yes radius-mac-format=XX:XX:XX:XX:XX:XX

Mejores prácticas

Estandarice en RouterOS 7: La asignación dinámica de VLAN a través de RADIUS inalámbrico es significativamente más sólida en RouterOS 7 en comparación con RouterOS 6.
Aumente los tiempos de espera de RADIUS: El tiempo de espera predeterminado de RADIUS en MikroTik es de 1100 ms. Auméntelo a 3000 ms para evitar fallas de autenticación intermitentes causadas por la latencia de la red.
Use entradas de Walled Garden por nombre de host: Utilice siempre dst-host en lugar de dst-address para las entradas de Walled Garden, ya que las direcciones IP de la infraestructura en la nube cambcon frecuencia.
Habilitar Bridge VLAN Filtering: La asignación dinámica de VLAN a través de RADIUS (Mikrotik-Wireless-VLANID) requiere vlan-filtering=yes en la interfaz bridge.

Resolución de problemas y mitigación de riesgos

Si el Captive Portal no se carga, es casi seguro que el walled garden esté incompleto. Utilice la herramienta MikroTik Torch para monitorear las consultas DNS descartadas de clientes no autenticados en la VLAN de invitados. Agregue los dominios faltantes al walled garden.

Si los clientes 802.1X no se autentican, verifique el secreto compartido y asegúrese de que el cliente RADIUS esté configurado con service=wireless. Revise los registros del panel de control de Purple para confirmar si el Access-Reject se origina en Purple o en su proveedor de identidad.

Si los clientes se autentican pero reciben la dirección IP incorrecta, confirme que el filtrado de VLAN en el puente (bridge VLAN filtering) esté habilitado y que el servidor DHCP esté correctamente vinculado a la interfaz VLAN asignada dinámicamente.

ROI e impacto comercial

Implementar Purple en su infraestructura MikroTik transforma un centro de costos en un generador de ingresos. Al capturar datos de primera mano, los establecimientos pueden crear perfiles digitales detallados y automatizar campañas de marketing. Por ejemplo, Avanti West Coast obtuvo un retorno de inversión del 463% al capitalizar en viajeros recurrentes y oportunidades de venta adicional.

Además, las redes basadas en la identidad reducen los costos operativos de TI. Automatizar el onboarding y offboarding para el WiFi del personal a través de Entra ID elimina la gestión manual de contraseñas, mientras que PPSK para WiFi multiinquilino permite a los administradores de propiedades aprovisionar redes aisladas sin necesidad de implementar hardware dedicado por unidad.

Definiciones clave

Hotspot Gateway

A RouterOS feature that intercepts unauthenticated HTTP traffic and redirects it to a captive portal splash page.

Used to capture guest data and enforce terms of service before granting internet access.

Walled Garden

A list of allowed destinations that unauthenticated users can access.

Critical for allowing guests to reach the Purple splash page, CDNs, and OAuth providers (like Google) to complete the login process.

802.1X

An IEEE standard for port-based network access control that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

Used for secure Staff WiFi, allowing authentication via Entra ID or Okta instead of a shared password.

Private PSK (PPSK)

A security architecture where multiple unique Pre-Shared Keys are used on a single SSID, often tied to specific MAC addresses and VLANs.

Ideal for Multi-Tenant WiFi, providing isolated network bubbles for residents and their consumer devices.

RADIUS

Remote Authentication Dial-In User Service. A networking protocol that provides centralised Authentication, Authorization, and Accounting (AAA) management.

The core protocol linking MikroTik hardware to Purple's cloud platform for identity validation.

VLAN Filtering

A RouterOS bridge setting that enforces VLAN tagging and untagging rules on bridge ports.

Must be enabled for dynamic VLAN assignment via RADIUS to function correctly.

CAPsMAN

Controlled Access Point system Manager. MikroTik's centralised wireless management system.

Used to deploy consistent wireless security profiles and RADIUS settings across multiple access points.

EAP-TLS

Extensible Authentication Protocol - Transport Layer Security. A highly secure authentication method requiring client-side certificates.

Supported by Purple for zero-trust Staff WiFi deployments where passwordless authentication is required.

Ejemplos resueltos

A 200-room hotel needs to deploy secure Staff WiFi across their MikroTik access points. They want finance staff on VLAN 10 and operations staff on VLAN 20, using their existing Microsoft Entra ID credentials.

Integrate Purple with Microsoft Entra ID in the Purple dashboard.
Configure the MikroTik RADIUS client to point to Purple with service=wireless.
Create a MikroTik wireless security profile with authentication-types=wpa2-eap.
Enable vlan-filtering=yes on the MikroTik bridge.
In Purple, map the Entra ID 'Finance' group to return Mikrotik-Wireless-VLANID=10 and the 'Operations' group to return Mikrotik-Wireless-VLANID=20.

Comentario del examinador: This approach uses IEEE 802.1X for secure, passwordless authentication. By relying on Entra ID groups and RADIUS attributes, the network dynamically segments traffic at the edge, reducing the attack surface and eliminating manual VLAN configuration on the router.

A build-to-rent property manager needs to provide isolated WiFi networks for 50 apartments using a single SSID broadcast from MikroTik CAPsMAN.

Configure the MikroTik wireless security profile for the SSID with authentication-types=wpa2-psk and radius-mac-authentication=yes.
Ensure the RADIUS client is configured with service=wireless pointing to Purple.
In the Purple dashboard, register the MAC addresses of the residents' devices.
Assign a unique PSK and VLAN ID to each apartment in Purple.
When a device connects, Purple returns the Mikrotik-Wireless-Psk and Mikrotik-Wireless-VLANID attributes, placing the device in its isolated network bubble.

Comentario del examinador: This Private PSK (PPSK) architecture provides enterprise-grade isolation while supporting consumer devices that lack 802.1X capabilities. It scales efficiently and allows centralised management via Purple.

Preguntas de práctica

Q1. You have configured the MikroTik Hotspot Gateway and pointed it to Purple's RADIUS server. Guests connect to the SSID, but their browsers display a timeout error instead of the Purple splash page. What is the most likely configuration error?

Sugerencia: Consider what must happen before the guest authenticates.

Ver respuesta modelo

The walled garden is misconfigured or missing entries. Without allowing access to Purple's splash page domains and associated CDNs in the /ip hotspot walled-garden, the unauthenticated guest cannot load the login page, resulting in a timeout.

Q2. A retail chain wants to deploy Staff WiFi using 802.1X and Entra ID. They configure `authentication-types=wpa2-eap` and set up the RADIUS client. However, authentication fails. You check the RADIUS client configuration and see `service=hotspot`. How do you resolve this?

Sugerencia: Different wireless authentication methods require different RADIUS service types in RouterOS.

Ver respuesta modelo

Change the RADIUS client configuration to include service=wireless. The hotspot service type is only used for captive portal authentication. 802.1X and MAC authentication require the wireless service type.

Q3. You are deploying Multi-Tenant WiFi using Private PSKs. Purple successfully returns the `Mikrotik-Wireless-Psk` and `Mikrotik-Wireless-VLANID` attributes, and the device connects. However, the device receives an IP address from the default management subnet, not the isolated tenant subnet. What RouterOS setting is missing?

Sugerencia: Dynamic VLAN assignment requires the bridge to process VLAN tags.

Ver respuesta modelo

Bridge VLAN filtering is disabled. You must set vlan-filtering=yes on the bridge interface. Without this, the bridge ignores the dynamic VLAN tag assigned by RADIUS, and the traffic falls back to the default untagged PVID.

Continúe leyendo esta serie

Integración de Zyxel Nebula Cloud y USG con Purple WiFi

Esta guía de referencia técnica cubre la integración de extremo a extremo de Zyxel Nebula Cloud y los firewalls USG Flex con la plataforma Purple WiFi. Proporciona instrucciones de configuración paso a paso para la redirección del Captive Portal de invitados, autenticación RADIUS, configuración de Walled Garden, WiFi seguro para el personal mediante 802.1X y segmentación de red multiinquilino utilizando claves precompartidas privadas (PPSK) de Zyxel con asignación dinámica de VLAN. Los gerentes de TI, MSP y arquitectos de red que implementan WiFi en entornos de hospitalidad, retail y complejos multiinquilino encontrarán orientación práctica basada en estándares de la industria, incluidos PCI DSS, IEEE 802.1X y GDPR.

Integración de NETGEAR Insight y puntos de acceso empresariales con Purple WiFi

Esta guía proporciona a los gerentes de TI una hoja de ruta técnica definitiva para integrar NETGEAR Insight y los puntos de acceso empresariales WAX con Purple WiFi. Cubre configuraciones esenciales, incluidos Captive Portals para invitados, redes de personal 802.1X y segmentación multiinquilino mediante PPSK y asignación dinámica de VLAN.

Integración de Alcatel-Lucent Enterprise (ALE) OmniAccess con Purple WiFi

Esta guía detalla la integración técnica entre los puntos de acceso Alcatel-Lucent Enterprise (ALE) OmniAccess Stellar y Purple WiFi. Cubre la redirección de Captive Portal, la autenticación RADIUS, la configuración de Walled Garden, WiFi seguro para el personal mediante 802.1X y la segmentación de WiFi multiinquilino mediante claves precompartidas privadas (PPSK) con direccionamiento dinámico de VLAN, lo que brinda a los administradores de TI y arquitectos de redes una referencia completa y práctica para implementar redes basadas en identidad en hardware de ALE.