Grandstream GWN Access Points Integration with Purple WiFi

Esta guía de referencia técnica autorizada detalla cómo integrar los puntos de acceso Grandstream GWN con la plataforma de análisis y Guest WiFi de Purple. Cubre la configuración del Captive Portal de Grandstream, los ajustes de RADIUS AAA, la configuración de walled garden, la autenticación segura 802.1X para el personal con direccionamiento dinámico de VLAN y la segmentación PPSK multi-tenant, proporcionando orientación práctica paso a paso para MSP y equipos de TI que implementan WiFi para invitados y personal a escala.

📖 9 min de lectura📝 2,079 palabras🔧 2 ejemplos resueltos❓ 4 preguntas de práctica📚 10 definiciones clave

Escucha esta guía

Ver transcripción del podcast

Welcome to the Purple Technical Briefing Series. I'm your host, and today we're covering a deployment pattern that's becoming increasingly common across hospitality, retail, and multi-tenant properties: integrating Grandstream GWN access points with Purple's guest WiFi platform.

If you're an MSP, an in-house IT team, or a network architect who's been handed a Grandstream GWN deployment and asked to bolt on a branded captive portal with analytics, this episode is for you. We'll cover the full stack: guest splash page redirection, walled garden configuration, secure staff WiFi using 802.1X, and multi-tenant segmentation using Grandstream's Private Pre-Shared Key feature. Let's get into it.

---

First, some context. Grandstream's GWN series is a solid mid-market access point range. You've got the GWN7600 and GWN7630 for indoor deployments, the GWN7660 and GWN7664 for Wi-Fi 6 environments, and the GWN7610 as a ceiling-mount option for higher-density spaces. They're managed either through GWN Manager, which is an on-premise controller you install on a Linux or Windows server, or through GWN dot Cloud, which is Grandstream's cloud-hosted management platform, now rebranded as GDMS Networking.

The good news for MSPs is that both management platforms support captive portal configuration natively. You can build the portal policy, customise the splash page, and associate it with an SSID entirely within GWN Manager or GWN dot Cloud. But for enterprise deployments where you need GDPR-compliant data capture, marketing automation, and real-time analytics, you're going to replace that native portal with an external platform. That's where Purple comes in.

Purple operates as a cloud overlay. It sits above your hardware and provides the captive portal, the RADIUS authentication layer, the analytics engine, and the marketing tools. Purple supports 80,000 live venues and has processed 440 million logins in 2024 alone, so the platform is well-proven at scale. The integration with Grandstream GWN follows the same standards-based approach Purple uses across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, and Ubiquiti UniFi.

---

Let's get into the technical architecture. The guest WiFi flow on Grandstream GWN with Purple works like this.

A guest connects to your guest SSID. Their device sends an HTTP request to any website. The GWN access point intercepts that request and issues an HTTP 302 redirect to the Purple portal URL. The guest lands on your branded splash page, hosted by Purple. They authenticate, whether that's via email, social login, SMS verification, or a custom form. Purple's platform validates that authentication, records the consent and data in line with GDPR, and then sends a RADIUS Access-Accept back to the GWN access point. The AP grants internet access. The whole flow takes around three to five seconds from connection to internet access.

Now, the key configuration components on the Grandstream side are: the captive portal policy, the splash page settings, the walled garden, and the SSID association. Let me walk through each one.

---

Step one: configure the captive portal policy in GWN Manager or GWN dot Cloud.

Navigate to Captive Portal, then Policy List, and create a new policy. Give it a descriptive name, something like "Purple-Guest-Portal". Set the Authentication Type to RADIUS Server. You'll then see fields for RADIUS Server Address, RADIUS Server Port, and RADIUS Server Secret. Enter Purple's RADIUS server IP address and port 1812 for authentication. Your shared secret comes from the Purple portal admin console, under the venue's hardware configuration section. Set the RADIUS Authentication Method to PAP, which is what Purple's captive portal flow uses.

Under Landing Page, set this to Redirect to External Page, and enter your Purple portal redirect URL. This is the URL that guests will be sent to when they first connect. Again, this comes from your Purple admin console.

Set the Expiration time to match your venue's session policy. For a hotel, 24 hours is typical. For a conference venue, you might set this to the duration of the event. For a retail environment, two to four hours is common.

Enable Failsafe Mode. This is important. If the GWN access point can't reach Purple's RADIUS server, failsafe mode grants internet access anyway rather than blocking all guests. For most hospitality and retail deployments, a brief RADIUS outage should not result in all guests losing connectivity.

---

Step two: configure the walled garden.

The walled garden is the list of domains and IP addresses that guests can access before they've authenticated through the portal. If you get this wrong, guests will see a blank page or a broken portal, and they'll blame the WiFi.

In GWN Manager, the walled garden is configured under the captive portal policy as Pre-Authentication Rules. Add the following domains as allow rules: the Purple portal domain, which is portal dot purple dot ai; any CDN domains that Purple's splash page loads assets from, including cloudfront dot net using a wildcard entry; Apple's captive portal detection endpoint, captive dot apple dot com; and Google's connectivity check endpoint, connectivitycheck dot gstatic dot com.

Purple's support portal has a dynamic walled garden generator at support dot purple dot ai. Select Grandstream from the hardware list, choose your authentication methods, and it generates the exact domain list you need. Use that list. Don't try to build it manually from scratch.

One decision you need to make: do you include captive dot apple dot com in the walled garden or not? If you include it, iOS devices will not show the Captive Network Assistant mini-browser automatically. Guests will need to open a browser manually to reach the portal. If you exclude it, iOS fires the mini-browser automatically when the device connects. For most hospitality deployments, you want the mini-browser to appear, so leave captive dot apple dot com out of the walled garden.

---

Step three: configure the SSID.

In GWN Manager, navigate to SSID and edit your guest SSID. Enable Captive Portal and select the policy you just created. Set the SSID to WPA2-Personal with a simple open password, or configure it as an open SSID if your venue prefers that approach. The security in this flow comes from the portal authentication, not the WiFi password.

Enable Client Isolation. This prevents guests from seeing each other's devices on the network. It's a basic security requirement and a PCI DSS consideration if your venue processes card payments on the same infrastructure.

Assign the SSID to your guest VLAN. VLAN 10 is a common convention for guest traffic. Make sure your upstream switch and router are configured to route that VLAN to the internet with appropriate firewall rules.

---

Now let's talk about Staff WiFi using 802.1X.

IEEE 802.1X is the standard for port-based network access control. For staff WiFi, it replaces the shared pre-shared key with per-user credentials, validated against an identity provider. When a staff member connects, the GWN access point acts as the authenticator, their device is the supplicant, and Purple's RADIUS server is the authentication server.

In GWN Manager, create a separate SSID for staff. Set the Security Mode to WPA2-Enterprise, which enables 802.1X. Configure the RADIUS server settings with Purple's RADIUS IP, port 1812, and your shared secret. Enable RADIUS Accounting on port 1813 so you get a full audit trail of who connected, when, and for how long. This audit trail is what you need for GDPR compliance and for responding to any security incidents.

For the EAP method, you have two main options. EAP-TLS uses digital certificates on both the server and the client device. It's the most secure option, but it requires a Mobile Device Management platform to push certificates to staff devices. If you have Microsoft Intune or Jamf, EAP-TLS is the right choice.

PEAP, which stands for Protected EAP, uses a username and password inside an encrypted TLS tunnel. It's easier to deploy, particularly for BYOD environments, but you must ensure staff are trained not to accept certificate warnings. A rogue access point can harvest PEAP credentials if users click through certificate errors.

Enable Dynamic VLAN assignment in the SSID settings. When this is on, the RADIUS server can return a VLAN ID in the Access-Accept packet, and the GWN AP will place the connecting device on that VLAN. This means you can have a single staff SSID but automatically segment IT staff onto VLAN 20, management onto VLAN 21, and point-of-sale devices onto VLAN 40, all based on the user's identity in Purple's directory.

The RADIUS attributes for dynamic VLAN are: Tunnel-Type set to VLAN, which is attribute value 13; Tunnel-Medium-Type set to IEEE-802, which is attribute value 6; and Tunnel-Private-Group-ID set to the VLAN number as a string. These three attributes in the Access-Accept packet are all the GWN AP needs to steer the device to the correct VLAN.

---

Now for the feature that's particularly relevant for multi-tenant properties: Grandstream Private Pre-Shared Keys, or PPSK.

PPSK is a mechanism that allows a single SSID to support multiple unique passwords, each mapped to a different VLAN or network policy. Think of a build-to-rent apartment block, a co-working space, or a serviced office building. You want one SSID visible to everyone, but each tenant gets their own password that puts them on their own isolated network segment.

In GWN Manager, PPSK is configured under the SSID settings. Set the Security Mode to WPA2-Personal, then enable PPSK. You can then create individual PSK entries, each with a unique password and an associated VLAN ID. When a device connects using Tenant A's password, the AP places it on VLAN 31. When a device uses Tenant B's password, it lands on VLAN 32. The tenants share the same SSID but are completely isolated from each other at the network layer.

For larger deployments, Grandstream also supports PPSK with RADIUS backend. In this mode, the AP sends the PSK as a RADIUS attribute to the authentication server, which validates it and returns the appropriate VLAN assignment. This is where Purple's Identity-Based Networks feature integrates directly. Purple can manage the PPSK database, validate keys against its directory, and return dynamic VLAN assignments, giving you centralised management of hundreds of tenant credentials from a single platform.

The RADIUS attribute used for PPSK validation is typically the Tunnel-Password attribute, or a vendor-specific attribute depending on firmware version. Check Grandstream's release notes for your specific firmware, as the attribute mapping has evolved across GWN Manager versions.

---

Let me cover the two most common failure modes I see in Grandstream deployments with external portals.

The first is the redirect not firing. A guest connects to the SSID, opens a browser, and gets a "site can't be reached" error instead of the portal page. The most likely cause is a walled garden misconfiguration. The portal page itself is being blocked pre-authentication. Open your browser developer tools on a test device connected to the guest SSID, look at the network tab, and identify which requests are failing. Add those domains to your pre-authentication rules.

The second failure mode is RADIUS timeout. The AP sends an Access-Request to Purple's RADIUS server and gets no response. This usually means a firewall is blocking UDP port 1812 outbound from the AP's management VLAN to Purple's RADIUS IP range. Check your firewall rules. Purple's RADIUS IP addresses are documented in the Purple admin console under venue settings. Make sure both the primary and secondary RADIUS IPs are permitted.

A third one worth mentioning: Dynamic VLAN not working. Staff connect and land on the wrong VLAN. The most common cause is that Enable Dynamic VLAN is not checked in the SSID settings in GWN Manager. It's a single checkbox that's easy to miss. The second cause is a shared secret mismatch. If the shared secret on the AP doesn't match the one configured in Purple, the AP silently drops the RADIUS response and falls back to the default VLAN.

---

Let me give you two real-world scenarios to make this concrete.

Scenario one: a 120-room hotel. The hotel runs GWN7660 access points managed through GWN dot Cloud. They need a branded guest portal for guests, a secure staff network for front desk and housekeeping, and a separate management VLAN for the property management system.

The configuration uses three SSIDs: Guest WiFi on VLAN 10 with the Purple captive portal policy; Staff WiFi on VLAN 20 with WPA2-Enterprise and PEAP authentication against Purple's RADIUS; and a hidden Management SSID on VLAN 30 for PMS terminals. Dynamic VLAN assignment on the staff SSID means housekeeping devices land on VLAN 21 with restricted internet access, while front desk devices land on VLAN 20 with full access. Purple's analytics dashboard shows the hotel operator daily guest counts, session durations, and opt-in rates for marketing, giving the marketing team the data they need to run targeted campaigns.

Scenario two: a 40-unit build-to-rent apartment block. The operator runs GWN7630 access points with GWN Manager on-premise. Each apartment needs its own isolated network. The operator uses PPSK with RADIUS backend. Purple manages 40 unique tenant credentials, each mapped to a dedicated VLAN. Residents connect to the single "BuildingConnect" SSID using their unit's password. Purple's portal handles the initial onboarding flow, captures resident consent, and provides the operator with occupancy analytics and engagement data. When a resident moves out, the operator revokes their PPSK credential in Purple's admin console, and access is immediately terminated. No need to change the SSID password or reconfigure the APs.

---

Rapid fire. Three questions I get asked constantly on Grandstream deployments.

Question one: Can I use GWN dot Cloud instead of GWN Manager for the Purple integration? Yes. The captive portal configuration in GWN dot Cloud is functionally identical to GWN Manager. The menu paths are the same. The RADIUS and walled garden settings are in the same locations. GWN dot Cloud is the better choice for MSPs managing multiple sites, since you get a single pane of glass across all deployments.

Question two: Does Purple support Grandstream's native analytics alongside its own? Purple replaces the native captive portal analytics with its own, more detailed dataset. You get session counts, dwell times, opt-in rates, demographic data from form fields, and integration with marketing platforms. The native GWN analytics for RF performance, AP health, and client counts remain available in GWN Manager or GWN dot Cloud alongside Purple's portal analytics.

Question three: What firmware version do I need on the GWN APs for PPSK with RADIUS? PPSK with RADIUS backend requires GWN firmware 1.0.19 or higher on the GWN76xx series. Check Grandstream's release notes before deployment. Running outdated firmware is the single most common cause of unexpected behaviour in PPSK deployments.

---

To wrap up. Integrating Grandstream GWN access points with Purple is a straightforward deployment when you follow the right sequence. Configure your RADIUS server settings in the captive portal policy first. Build your walled garden using Purple's domain generator tool. Associate the policy with your guest SSID and enable client isolation. For staff WiFi, enable WPA2-Enterprise with dynamic VLAN assignment. For multi-tenant properties, use PPSK with RADIUS backend and manage credentials centrally through Purple.

The five things to get right: RADIUS on UDP 1812 with a matching shared secret; the walled garden covering all portal asset domains; client isolation enabled on the guest SSID; dynamic VLAN enabled in the SSID settings; and PPSK firmware at version 1.0.19 or higher.

Get those five right, and you have a solid, scalable deployment that will serve your venue for years. Purple's onboarding team can validate your configuration before go-live, and the platform's 99.999% uptime means you're not going to be explaining portal outages to hotel guests at two in the morning.

Thanks for listening. For more technical guides on enterprise WiFi integrations, visit purple dot ai. Next episode, we'll be covering dynamic VLAN assignment with Microsoft Entra ID and Purple's SecurePass feature. Until then.

Puntos clave

✓Grandstream GWN access points integrate with Purple via RADIUS (UDP 1812/1813) and HTTP 302 redirection to deliver secure, branded captive portals for guest WiFi.
✓The walled garden (Pre-Authentication Rules) must include all Purple portal domains and CDN assets; use Purple's dynamic generator tool at support.purple.ai rather than building the list manually.
✓Always copy and paste the RADIUS shared secret directly from the Purple admin console - a single character mismatch causes silent packet drops that present as timeouts, not authentication errors.
✓Enable Dynamic VLAN in the SSID settings to allow Purple's RADIUS server to steer authenticated staff to the correct network segment using Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes.
✓Grandstream PPSK with RADIUS backend enables multi-tenant isolation from a single SSID; requires GWN firmware 1.0.19 or higher and centralised credential management through Purple.
✓Always enable Client Isolation on guest SSIDs to prevent lateral movement between devices and meet PCI DSS requirements for venues processing card payments.
✓Purple's 99.999% uptime and ISO 27001, GDPR, CCPA, and Cyber Essentials certifications make it a compliant choice for enterprise and public-sector deployments on Grandstream hardware.

Resumen ejecutivo

Implementar una red inalámbrica de alto rendimiento en entornos empresariales requiere un equilibrio entre una experiencia de usuario fluida y una seguridad técnica sólida. Para las organizaciones que utilizan arquitecturas Grandstream GWN, que van desde la hotelería y el comercio minorista hasta propiedades multi-tenant, el Captive Portal de Grandstream sirve como la puerta de enlace principal para la interacción del usuario y el control de acceso. Esta guía ofrece un manual paso a paso para integrar los puntos de acceso Grandstream GWN con la plataforma de Guest WiFi y WiFi Analytics de Purple.

Al ir más allá de las Pre-Shared Keys básicas hacia la autenticación respaldada por RADIUS y las redes basadas en la identidad (Identity-Based Networks), puede ofrecer un acceso seguro y segmentado para invitados, personal e inquilinos. Esta guía cubre los componentes críticos de configuración: ajustes de RADIUS AAA, redirección HTTP 302, excepciones de walled garden, direccionamiento dinámico de VLAN y aislamiento multi-tenant de clave precompartida privada (PPSK). Purple opera en más de 80,000 establecimientos activos y procesó 440 millones de inicios de sesión en 2024 (datos internos de Purple), lo que demuestra la solidez de la plataforma a escala.

Análisis técnico detallado

La arquitectura de integración

La integración entre el hardware Grandstream GWN y Purple se basa en los protocolos de redirección HTTP y RADIUS estándar de la industria. Cuando un usuario se conecta al SSID de invitados, el punto de acceso GWN intercepta su solicitud HTTP inicial y emite una redirección HTTP 302 a la URL del Captive Portal alojado por Purple. Después de que el usuario se autentica (a través de correo electrónico, inicio de sesión social, SMS o un formulario personalizado), Purple valida la sesión y envía un paquete RADIUS Access-Accept de vuelta al punto de acceso en el puerto UDP 1812, otorgando acceso a la red. RADIUS Accounting se ejecuta en el puerto UDP 1813, lo que proporciona un registro de auditoría de sesión completo para el cumplimiento de GDPR y PCI DSS.

Los puntos de acceso Grandstream GWN se gestionan a través de una de dos plataformas. GWN Manager es un controlador local (on-premise) instalado en un servidor Linux o Windows, adecuado para implementaciones en un solo sitio y organizaciones con requisitos de soberanía de datos. GDMS Networking (anteriormente GWN.Cloud) es la plataforma de gestión alojada en la nube de Grandstream, preferida por los MSP que gestionan múltiples sitios desde un único panel de control. Ambas plataformas exponen opciones idénticas de configuración de SSID y Captive Portal.

Para las redes del personal y de los inquilinos, la arquitectura cambia a IEEE 802.1X y PPSK. En una implementación 802.1X, el punto de acceso actúa como el autenticador, realizando el proxy de los mensajes del Protocolo de Autenticación Extensible (EAP) entre el dispositivo de conexión y el servidor RADIUS de Purple. Purple valida las credenciales contra su directorio y puede devolver atributos específicos del proveedor (VSA) para direccionar dinámicamente el dispositivo a una VLAN específica. Esto es la red basada en la identidad (Identity-Based Networking) en la práctica: un SSID, múltiples segmentos de red, todo impulsado por quién es el usuario.

Para entornos multi-tenant, la función PPSK de Grandstream permite que un solo SSID admita múltiples contraseñas únicas. Cuando se integra con un backend de RADIUS, el punto de acceso envía la PSK ingresada a Purple para su validación, lo que permite la gestión centralizada de credenciales y la segmentación dinámica de la red sin transmitir docenas de SSIDs. PPSK con backend de RADIUS requiere la versión de firmware GWN 1.0.19 o superior en la serie GWN76xx.

Atributos de RADIUS para el direccionamiento dinámico de VLAN

La asignación dinámica de VLAN se controla mediante tres atributos RADIUS estándar de la IETF que se devuelven en el paquete Access-Accept. Estos deben configurarse en los perfiles de usuario RADIUS de Purple para cada rol o inquilino:

Atributo	Valor	Descripción
Tunnel-Type (64)	13 (VLAN)	Especifica el tipo de túnel como VLAN
Tunnel-Medium-Type (65)	6 (IEEE-802)	Especifica el medio como IEEE 802
Tunnel-Private-Group-ID (81)	ej., "20"	El ID de la VLAN de destino como una cadena de texto

Los tres atributos deben estar presentes en la respuesta Access-Accept. Si falta alguno de ellos, el punto de acceso GWN ignorará la instrucción de direccionamiento de VLAN y colocará el dispositivo en la VLAN predeterminada.

Guía de implementación

Paso 1: Configurar la política del Captive Portal

Ya sea que utilice GWN Manager o GDMS Networking, navegue a Captive Portal > Policy List y cree una nueva política. La siguiente tabla resume los ajustes requeridos para una integración con Purple:

Campo	Valor	Notas
Policy Name	Purple-Guest-Portal	Use un nombre descriptivo
Authentication Type	RADIUS Server	Habilita el flujo de autenticación RADIUS
RADIUS Server Address	[Desde la consola de administración de Purple]	IP primaria de RADIUS
RADIUS Server Port	1812	Puerto de autenticación RADIUS estándar
RADIUS Server Secret	[Desde la consola de administración de Purple]	Copiar y pegar exactamente
RADIUS Auth Method	PAP	Requerido para el Captive Portal de Purple
Landing Page	Redirect to External Page	Habilita la redirección a un portal externo
Redirect URL	[Desde la consola de administración de Purple]	Su URL única del portal
Expiration	24h (hotelería) / 4h (comercio minorista)	Debe coincidir con su política de sesión
Failsafe Mode	Enabled	Otorga acceso si RADIUS no está disponible

Habilite el Failsafe Mode. Si el punto de acceso GWN no puede comunicarse con el servidor RADIUS de Purple, el modo a prueba de fallas (failsafe) otorga acceso a Internet en lugar de bloquear a todos los invitados. Para implementaciones en hotelería y comercio minorista, una breve interrupción de RADIUS deno debería provocar que todos los invitados pierdan la conectividad.

Paso 2: Configurar el walled garden

El walled garden define a qué dominios puede acceder un dispositivo antes de autenticarse. Un walled garden incompleto es la causa más común de fallas en la carga del portal. En GWN Manager, el walled garden se configura bajo la política de Captive Portal como Pre-Authentication Rules.

Como mínimo, debe incluir: el dominio del portal de Purple (portal.purple.ai), los dominios de recursos de CDN (*.cloudfront.net) y el endpoint de verificación de conectividad de Google (connectivitycheck.gstatic.com). Para el inicio de sesión con redes sociales, agregue los dominios de las plataformas sociales correspondientes.

La decisión sobre captive.apple.com es deliberada. Exclúyalo para activar automáticamente el mini-navegador Captive Network Assistant (CNA) de iOS cuando un dispositivo se conecte. Inclúyalo si prefiere que los invitados abran un navegador manualmente. Para la mayoría de las implementaciones en el sector de hospitalidad , excluirlo ofrece una mejor experiencia para los invitados.

Utilice el generador dinámico de walled garden de Purple en support.purple.ai. Seleccione Grandstream de la lista de hardware, elija sus métodos de autenticación y la herramienta generará la lista exacta de dominios que necesita. No cree la lista manualmente.

Paso 3: Asociar el Captive Portal con el SSID de invitados

Vaya a la configuración de SSID y edite su red de invitados. Habilite la función Captive Portal y seleccione la política que creó. Asigne el SSID a su VLAN de invitados designada (la VLAN 10 es la convención común). Habilite Client Isolation para evitar que los dispositivos de los invitados se comuniquen entre sí; este es un requisito de seguridad básico y una consideración de PCI DSS para cualquier establecimiento que procese pagos con tarjeta.

Paso 4: Configurar WiFi seguro para el personal con 802.1X

Cree un SSID independiente para el personal. Establezca el Modo de seguridad en WPA2-Enterprise para habilitar IEEE 802.1X. Configure el servidor RADIUS para que apunte a Purple en el puerto 1812 y habilite RADIUS Accounting en el puerto 1813. Estos datos de contabilidad proporcionan la pista de auditoría requerida para el cumplimiento de GDPR y la respuesta a incidentes de seguridad.

Para el método EAP, elija según su capacidad de gestión de dispositivos. EAP-TLS utiliza autenticación de certificado mutuo, la opción más segura, que elimina por completo el robo de credenciales, pero requiere una plataforma de gestión de dispositivos móviles (Mobile Device Management, como Microsoft Intune o Jamf) para enviar los certificados a los dispositivos. PEAP utiliza un nombre de usuario y contraseña dentro de un túnel TLS cifrado, lo que es más fácil de implementar para entornos BYOD, pero requiere capacitar al personal sobre las advertencias de certificados.

Habilite Dynamic VLAN en la configuración de SSID. El servidor RADIUS de Purple devolverá los tres atributos de túnel para dirigir cada dispositivo autenticado a su VLAN designada. El personal de TI se asigna a la VLAN 20, la administración a la VLAN 21 y las terminales de punto de venta a la VLAN 40; todo desde un solo SSID, todo impulsado por la identidad.

Para obtener más orientación sobre las políticas de red del personal, consulte Términos y condiciones de WiFi para el personal: Aspectos legales y de cumplimiento esenciales .

Paso 5: Configurar PPSK multiinquilino

Para entornos multiinquilino, cree un SSID con seguridad WPA2-Personal y habilite PPSK. Para utilizar Purple como backend de RADIUS para la validación de PPSK, configure los ajustes del servidor RADIUS en la sección PPSK del SSID. Purple gestiona la base de datos de PSK, valida cada clave y devuelve la asignación de VLAN correspondiente.

Cada inquilino recibe una contraseña única. Cuando se conectan, el AP envía la PSK a Purple, que devuelve el ID de VLAN correcto. El inquilino A se asigna a la VLAN 31, el inquilino B a la VLAN 32. Comparten el mismo SSID pero están completamente aislados en la capa de red. Cuando un inquilino se mude, revoque su credencial en la consola de administración de Purple. El acceso se interrumpe de inmediato. No se requiere reconfigurar el AP.

Para comprender mejor la arquitectura de seguridad WiFi empresarial, consulte Seguridad WiFi empresarial: Una guía completa para 2026 .

Mejores prácticas

Configure siempre RADIUS Accounting. Habilite la contabilidad en el puerto 1813 tanto para el SSID de invitados como para el del personal. Los datos de contabilidad alimentan el panel de analíticas de Purple con la duración de las sesiones y la frecuencia de las visitas, y proporcionan la pista de auditoría requerida por el GDPR. Sin la contabilidad, tendrá registros de autenticación pero no registros de sesión.

Copie y pegue el secreto compartido. Un secreto compartido de RADIUS que no coincida hace que el punto de acceso descarte los paquetes de forma silenciosa. El AP detecta un tiempo de espera agotado en lugar de una falla de autenticación. Esta es la configuración incorrecta más común en las nuevas implementaciones. Copie el secreto directamente desde la consola de administración de Purple.

Utilice el generador de walled garden de Purple. Las páginas de portal modernas cargan recursos de múltiples dominios de CDN, SDK de inicio de sesión social y scripts de analíticas. Crear el walled garden de forma manual no es confiable. El generador en support.purple.ai tiene en cuenta todos los dominios requeridos según sus métodos de autenticación.

Aísle el tráfico de invitados en el punto de acceso. Client Isolation es una línea base no negociable para cualquier SSID de invitados. Evita el movimiento lateral entre los dispositivos de los invitados y es un requisito de PCI DSS para los establecimientos que procesan pagos con tarjeta en la misma infraestructura de red.

Valide el firmware antes de implementar PPSK con RADIUS. PPSK con backend de RADIUS requiere el firmware GWN 1.0.19 o superior. Ejecutar un firmware desactualizado es la causa más común de comportamientos inesperados en las implementaciones de PPSK. Verifique la versión del firmware antes de la implementación, no después.

Para implementaciones en el sector de comercio minorista , asegúrese de que la VLAN del SSID de invitados esté protegida por un firewall de cualquier segmento de red de pago. Para entornos de atención médica , asegúrese de que el WiFi de pacientes o visitantes esté aislado de los sistemas clínicos. Para centros de transporte , considere políticas de vencimiento de sesión alineadas con los tiempos de permanencia promedio.

Resolución de problemas y mitigación de riesgos

Síntoma: La página de inicio (splash page) no se carga y devuelve el error 'no se puede acceder al sitio'. El walled garden está bloqueando los recursos de la página del portal. Conecte un dispositivo de prueba, abra las herramientas de desarrollo del navegador, inspeccione la pestaña de red e identifique las solicitudes bloqueadas. Agregue los dominios con fallas a las Reglas de Preautenticación en la política de captive portal.

Síntoma: Los invitados se autentican pero el punto de acceso agota el tiempo de espera y deniega el acceso a internet. O bien un firewall está bloqueando la salida de UDP 1812 desde la VLAN de administración del AP hacia el rango de IP de RADIUS de Purple, o el secreto compartido no coincide. Primero verifique las reglas del firewall. Luego, verifique que el secreto compartido coincida exactamente en ambos lados.

Síntoma: Los dispositivos del personal terminan en la VLAN predeterminada en lugar de su VLAN asignada. La casilla de verificación Habilitar VLAN dinámica (Enable Dynamic VLAN) no está marcada en la configuración de SSID. Es una sola casilla de verificación y es fácil de pasar por alto. La segunda causa es una discrepancia en el secreto compartido que hace que el AP ignore silenciosamente la respuesta de RADIUS.

Síntoma: Los dispositivos iOS no muestran el mini-navegador del captive portal. El dominio captive.apple.com está en el walled garden. iOS sondea este dominio al conectarse. Si recibe una respuesta 200, asume que el acceso a internet está disponible y no activa el CNA. Elimínelo del walled garden para restaurar el comportamiento automático del CNA.

Síntoma: Los inquilinos de PPSK terminan en la VLAN incorrecta. Verifique que el firmware de GWN esté en la versión 1.0.19 o superior. Confirme que el backend de RADIUS de PPSK esté habilitado y que el secreto compartido coincida. Verifique que el perfil de usuario de RADIUS de Purple para la PSK esté devolviendo el atributo Tunnel-Private-Group-ID correcto.

ROI e impacto comercial

La integración del hardware Grandstream GWN con Purple transforma el WiFi de un costo hundido en un activo comercial medible. Al reemplazar las redes abiertas genéricas con captive portals autenticados, los establecimientos capturan datos de primera mano e impulsan el crecimiento de los programas de fidelización. Purple ha recopilado 29 mil millones de puntos de datos en toda su red (datos internos de Purple), lo que brinda a los operadores los puntos de referencia para medir su propio rendimiento.

En entornos de hotelería , los análisis de Purple brindan visibilidad sobre la frecuencia de visitas de los huéspedes, los tiempos de permanencia y las tasas de suscripción. Un operador de hotel que utiliza el plan Engage de Purple puede segmentar a los huéspedes recurrentes para campañas dirigidas, lo que impulsa las reservas directas y reduce la dependencia de las OTA. En entornos de comercio minorista , los análisis de afluencia a partir de los datos de WiFi permiten a los gerentes de tienda correlacionar los patrones de tráfico con el rendimiento de las ventas.

La implementación de 802.1X y PPSK reduce la carga de trabajo del soporte técnico de TI al automatizar el control de acceso a la red. Eliminar las contraseñas compartidas elimina el costo operativo de la rotación de contraseñas y el riesgo de seguridad de compartir credenciales. Para los operadores multi-inquilino, PPSK con la gestión centralizada de Purple significa que incorporar a un nuevo inquilino toma minutos, no horas.

El tiempo de actividad del 99.999% de Purple (datos internos de Purple) y las certificaciones ISO 27001, GDPR, CCPA y Cyber Essentials significan que la plataforma cumple con los requisitos de cumplimiento de los operadores empresariales y del sector público más exigentes. Para obtener una visión completa de las capacidades de análisis de WiFi para invitados, consulte Análisis de WiFi .

Definiciones clave

Captive portal

A web page that intercepts unauthenticated HTTP traffic from a connected device, forcing the user to interact or authenticate before granting internet access. The Grandstream captive portal uses HTTP 302 redirection to send users to an external portal URL.

The primary mechanism for guest data capture, terms of service acceptance, and access control in public venues.

RADIUS

Remote Authentication Dial-In User Service; a networking protocol operating over UDP that provides centralised Authentication, Authorization, and Accounting (AAA) management. Authentication runs on port 1812, accounting on port 1813.

The backend engine that validates credentials for both captive portals and 802.1X enterprise networks. Purple operates RADIUS servers that GWN access points communicate with directly.

Walled garden

A predefined list of IP addresses and domains that a device can access before completing the captive portal authentication process. Configured as Pre-Authentication Rules in GWN Manager.

Essential for allowing devices to load the portal page assets, CDN resources, social login endpoints, and OS captive portal detection probes.

IEEE 802.1X

An IEEE standard for port-based network access control that provides an authentication mechanism for devices connecting to a LAN or WLAN. Uses EAP to exchange credentials between the device (supplicant) and the RADIUS server (authentication server) via the access point (authenticator).

Replaces shared passwords with per-user credentials for secure staff and corporate WiFi access. Required for GDPR and PCI DSS compliant staff networks.

PPSK

Private Pre-Shared Key; a feature that allows a single SSID to support multiple unique passwords, each tied to specific network policies or VLANs. Grandstream GWN supports PPSK with local storage or RADIUS backend validation.

Used in multi-tenant environments like apartments, coworking spaces, and serviced offices to isolate users without broadcasting multiple SSIDs.

Dynamic VLAN assignment

The process where a RADIUS server returns three specific attributes in the Access-Accept packet (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) to steer an authenticated device to a designated VLAN. Must be explicitly enabled in GWN SSID settings.

Allows IT teams to consolidate SSIDs while maintaining strict network segmentation for different user groups, departments, or tenants.

Client isolation

A wireless security feature that prevents devices connected to the same access point from communicating directly with each other at Layer 2.

A mandatory configuration for guest networks to protect users from peer-to-peer attacks and meet PCI DSS requirements for venues processing card payments.

EAP-PEAP

Protected Extensible Authentication Protocol; an 802.1X EAP method that encapsulates the authentication exchange within an encrypted TLS tunnel using a username and password. The outer TLS tunnel protects the inner credentials from interception.

Commonly used for BYOD staff networks where deploying client certificates (EAP-TLS) is not operationally feasible. Requires staff training on certificate validation to prevent rogue AP attacks.

Failsafe mode

A GWN captive portal setting that grants internet access to connecting devices if the access point cannot reach the configured RADIUS server. Prevents a RADIUS outage from blocking all guest access.

Recommended for hospitality and retail deployments where guest connectivity is business-critical and a brief RADIUS interruption should not result in a complete service outage.

GWN Manager

Grandstream's on-premise, enterprise-grade management platform for GWN series access points. Installed on a local Linux or Windows server, it provides full captive portal, SSID, RADIUS, and PPSK configuration.

Preferred for single-site deployments and organisations with data sovereignty requirements. GDMS Networking is the cloud-hosted equivalent for multi-site MSP deployments.

Ejemplos resueltos

A 120-room hotel needs to deploy a branded guest portal for guests, a secure staff network with department-level VLAN segmentation for housekeeping and front desk, and a separate management VLAN for the property management system. The hotel runs Grandstream GWN7660 access points managed through GDMS Networking.

Configure three SSIDs in GDMS Networking. First, create 'Guest WiFi' assigned to VLAN 10. Create a captive portal policy with Authentication Type set to RADIUS Server, pointing to Purple's RADIUS IP on port 1812 with the shared secret from the Purple admin console. Set the Landing Page to Redirect to External Page with the Purple portal URL. Enable Failsafe Mode and Client Isolation. Second, create 'Staff WiFi' with WPA2-Enterprise (802.1X) security. Configure RADIUS on port 1812 and Accounting on port 1813. Enable Dynamic VLAN. In Purple's directory, configure housekeeping accounts to return Tunnel-Private-Group-ID = 21 and front desk accounts to return VLAN 20. Third, create a hidden 'Management' SSID on VLAN 30 with WPA2-Personal for PMS terminals. Build the walled garden using Purple's generator tool, excluding captive.apple.com to trigger the iOS CNA.

Comentario del examinador: This architecture effectively segments three distinct user groups while minimising SSID overhead. Using dynamic VLAN steering for staff eliminates the need to broadcast separate SSIDs for each department, reducing RF interference and simplifying the wireless environment. Purple's analytics dashboard provides the hotel operator with daily guest counts, session durations, and marketing opt-in rates, giving the marketing team actionable data without any additional infrastructure.

A 40-unit build-to-rent apartment block requires isolated network access for each tenant, with the ability to instantly revoke access when a tenant moves out. The operator runs GWN7630 access points with GWN Manager on-premise and wants to minimise the number of visible SSIDs in the building.

Deploy a single SSID named 'BuildingConnect' with WPA2-Personal security and enable PPSK with RADIUS backend. Ensure GWN firmware is at version 1.0.19 or higher. Configure the RADIUS server settings in the PPSK section to point to Purple. In Purple's admin console, create 40 unique PSK credentials, each mapped to a VLAN (e.g., VLAN 101 for Unit 101, VLAN 102 for Unit 102). When a resident connects using their unit's password, the GWN AP sends the PSK to Purple, which validates it and returns Tunnel-Private-Group-ID = 101. The resident lands on their isolated VLAN. When a resident moves out, revoke the credential in Purple's admin console. Access terminates immediately without any AP reconfiguration.

Comentario del examinador: PPSK with a RADIUS backend is the optimal solution for multi-tenant environments. It provides the simplicity of a standard WiFi password for residents while delivering enterprise-grade isolation. Centralised credential management in Purple means the operator can scale to hundreds of units without managing individual SSID configurations. The instant revocation capability is a significant operational advantage over traditional PSK deployments, where changing a shared password would disrupt all connected residents.

Preguntas de práctica

Q1. You have configured the captive portal policy in GWN Manager with the correct Purple RADIUS IP and shared secret, but guests are reporting a 'site cannot be reached' error when their browser opens after connecting to the SSID. What is the most likely cause and how do you diagnose it?

Sugerencia: Consider what controls which domains a device can access before it has authenticated through the portal.

Ver respuesta modelo

The walled garden (Pre-Authentication Rules) is incomplete or misconfigured. The access point is blocking the device from reaching the Purple portal domain or the CDN assets the portal page loads. To diagnose: connect a test device to the guest SSID, open browser developer tools, navigate to the network tab, and attempt to load the portal URL. Identify which requests return connection errors. Add those domains to the Pre-Authentication Rules. Use Purple's walled garden generator at support.purple.ai to generate the complete domain list for Grandstream hardware.

Q2. Your hotel wants iOS guests to automatically see the captive portal mini-browser as soon as they connect to the guest WiFi, without needing to open a browser manually. How do you configure the walled garden to achieve this?

Sugerencia: Consider how iOS determines whether a network has internet access when it first connects.

Ver respuesta modelo

You must exclude captive.apple.com from the walled garden. When an iOS device connects to a network, it probes captive.apple.com. If the probe receives a 200 OK response (meaning the domain is accessible), iOS assumes the network has internet access and does not trigger the Captive Network Assistant mini-browser. If the probe is blocked or redirected, iOS recognises the network as captive and automatically opens the CNA. By keeping captive.apple.com out of the walled garden, the probe is intercepted and redirected, triggering the CNA automatically.

Q3. A staff member connects to the 802.1X SSID using their credentials. Purple's authentication logs show a successful Access-Accept response with the correct VLAN 20 attributes. However, the staff member is placed on VLAN 1 (the default). What GWN Manager setting needs to be checked?

Sugerencia: The RADIUS server is correctly authorising the user and returning the VLAN attributes. The issue is on the access point side.

Ver respuesta modelo

The 'Enable Dynamic VLAN' checkbox in the SSID settings within GWN Manager is not ticked. Even when Purple returns the correct Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-ID attributes in the Access-Accept packet, the GWN access point will ignore them unless Dynamic VLAN is explicitly enabled. Navigate to the SSID configuration, locate the Dynamic VLAN setting, enable it, and save. The staff member should then be placed on the correct VLAN on their next connection.

Q4. A build-to-rent operator wants to deploy PPSK with Purple as the RADIUS backend on their Grandstream GWN7630 access points running firmware 1.0.17. A tenant reports they can connect to the SSID but are placed on the wrong VLAN. What should you check first?

Sugerencia: There are two potential causes here: one is a firmware version issue, the other is a configuration issue.

Ver respuesta modelo

The first thing to check is the firmware version. PPSK with RADIUS backend requires GWN firmware 1.0.19 or higher on the GWN76xx series. Firmware 1.0.17 may not correctly support the RADIUS-backed PPSK VLAN assignment. Upgrade the firmware to 1.0.19 or higher before further troubleshooting. If the firmware is correct, verify that the PPSK RADIUS backend is enabled in the SSID settings, the shared secret matches Purple's configuration, and that Purple's RADIUS user profile for the specific PSK is returning the correct Tunnel-Private-Group-ID attribute.

Continúe leyendo esta serie

Integración de CommScope Ruckus con Purple WiFi: Guía de instalación y configuración

Esta guía de referencia técnica proporciona un manual de configuración definitivo para integrar arquitecturas de CommScope Ruckus con Purple WiFi. Detalla implementaciones paso a paso para Captive Portals de Guest WiFi, WiFi seguro para el personal a través de 802.1X y aislamiento de red multi-inquilino mediante Dynamic PSK de Ruckus.

Allied Telesis Access Points Integration with Purple WiFi

Esta guía proporciona un manual de configuración completo para integrar los puntos de acceso de la serie TQ de Allied Telesis con Purple WiFi. Cubre la redirección externa de Captive Portal, la autenticación RADIUS 802.1X y el direccionamiento dinámico de VLAN mediante claves precompartidas privadas (PPSK) para implementaciones multiinquilino seguras.

Integración de firmware personalizado OpenWrt con Purple WiFi

Esta guía proporciona el manual de integración completo para implementar el firmware personalizado OpenWrt con Purple WiFi. Cubre la configuración del Captive Portal CoovaChilli, la gestión de walled garden con iptables, WiFi seguro para el personal con 802.1X mediante hostapd y la segmentación PPSK multiinquilino con asignación dinámica de VLAN, lo que brinda a los equipos de TI los pasos de configuración exactos necesarios para crear una red basada en la identidad en cualquier hardware compatible con OpenWrt.