Captive Portal for Ruckus

This technical reference guide provides an authoritative integration playbook for deploying external captive portals on CommScope Ruckus SmartZone and Unleashed architectures. It guides network engineers through step-by-step configurations for Guest WLANs, WISPr redirection, RADIUS AAA server settings, and Walled Garden exceptions to deliver a secure, high-density guest WiFi solution.

Podcast transcript
Welcome to the Purple Technical Briefing Series. I'm your host, and today we're covering something that comes up on almost every enterprise WiFi deployment we see — setting up a captive portal on Ruckus SmartZone and Ruckus Unleashed controllers. Whether you're an MSP deploying guest WiFi across a hotel chain, a hospitality IT lead rolling out a new property, or a wireless engineer integrating Purple's platform with a Ruckus infrastructure, this episode is for you. Let's get into it. --- So, first — why does the Ruckus captive portal integration matter? Ruckus, now under CommScope, is one of the dominant enterprise WiFi platforms globally. SmartZone in particular is the controller of choice for high-density environments — stadiums, convention centres, large hotels, and retail chains. When you're deploying guest WiFi at that scale, you need more than just an open SSID. You need a structured authentication flow, GDPR-compliant data capture, and the ability to push that guest data into your marketing stack. That's exactly where an external captive portal platform like Purple comes in. The architecture here is a WISPr-based hotspot flow. WISPr stands for Wireless Internet Service Provider roaming — it's an industry standard that defines how a wireless controller intercepts unauthenticated HTTP traffic and redirects it to an external portal. The guest connects to your SSID, their device sends an HTTP request, the SmartZone controller intercepts it and issues an HTTP 302 redirect to your external portal URL. The guest authenticates — whether that's via social login, email, SMS, or a custom form — and then the portal communicates back to the controller via the Northbound Interface, or NBI, to grant access. Clean, standards-based, and highly reliable when configured correctly. --- Now let's get into the technical configuration. I'll walk through SmartZone first, then cover the differences for Unleashed. 
On SmartZone — and this applies to both physical SZ300 and virtual vSZ deployments — the configuration has four main components: the RADIUS authentication server profile, the RADIUS accounting server profile, the Hotspot WISPr portal profile, and the WLAN itself. Start with your RADIUS servers. Navigate to Services and Profiles, then Authentication. Create a new AAA server profile. Set the Service Protocol to RADIUS. Your primary server IP and shared secret will be provided by your portal vendor — in Purple's case, these are documented in the Purple portal admin console. Port 1812 for authentication. Always configure a backup RADIUS server for resilience — port 1812 on the secondary as well. Then do the same for accounting under Services and Profiles, Accounting — port 1813, same shared secret. Next, the Hotspot WISPr profile. Go to Services and Profiles, Hotspots and Portals, and select the Hotspot WISPr tab. Create a new profile. Set the Login URL to External, and enter your portal redirect URL — this is the URL your guests will be sent to before they authenticate. Set the Start Page to redirect to a post-authentication URL, typically a success page or your venue's homepage. Now, the Walled Garden. This is where a lot of engineers trip up. The Walled Garden defines which domains and IP addresses a guest can reach before they've authenticated. You need to include your portal domain, any CDN or asset domains your portal loads from, and standard OS captive portal detection endpoints. In SmartZone, wildcards are supported using the asterisk-dot format — so for example, star-dot-purple-dot-ai. That single entry covers all subdomains. You also need to include Apple's captive portal detection domains — captive.apple.com — and Google's connectivity check endpoints to prevent the CNA mini-browser from misbehaving on iOS and Android devices. 
One critical step that's easy to miss: by default, SmartZone encrypts the MAC address and IP address it passes to the external portal in the redirect URL. Your portal vendor needs to see the actual client MAC address to perform MAC-based session management. You must disable this via the CLI. SSH into your SmartZone, enter config mode, and run: no encrypt-mac-ip. That's it — one command, but it's a blocker if you skip it. The Northbound Interface is the other piece. This is the API that allows your portal platform to communicate back to the SmartZone to grant or deny access after authentication. Enable it under Administration, External Services, WISPr Northbound Interface. Set a username and password, and provide those credentials to your portal vendor. The NBI runs on TCP port 9080 for HTTP and 9443 for HTTPS — make sure your firewall allows inbound connections from your portal platform's IP range to these ports. Finally, create your WLAN. Set the Authentication Type to Hotspot WISPr, select your portal profile, and assign your RADIUS authentication and accounting services. Set the NAS ID to User-defined if your portal vendor requires a specific value, set Called Station ID to AP MAC, and enable Single Session ID. That last setting ensures that a guest's session is tied to a single controller session record, which matters for accurate accounting. --- Now for Unleashed. The architecture is fundamentally different — Unleashed is a distributed, controller-less model where one AP acts as the master. The configuration lives at Admin and Services, Services, Hotspot Services. The steps are broadly similar — create a Hotspot service, configure your external portal URL, set up your AAA authentication server, add your Walled Garden entries — but there are key differences. First, there's no Northbound Interface requirement in Unleashed. The portal communication model is simpler. 
Second, MAC address encryption is not applied by default in Unleashed, so you don't need the CLI command. Third, Unleashed's walled garden accepts domain-level entries rather than the full wildcard syntax — so you'd enter purple.ai rather than star-dot-purple.ai. Check your vendor's documentation for the exact format they require. Unleashed scales to around 50 access points, making it appropriate for mid-size hotels, retail branches, and SMB deployments. For anything larger — multi-property hotel groups, stadiums, large retail estates — SmartZone is the right platform. --- Let me cover the two most common failure modes I see in the field. The first is walled garden misconfiguration. If your portal page fails to load after redirect, the first thing to check is whether all the domains your portal page references are in the walled garden. Modern portal pages load assets from multiple CDN domains, analytics scripts, social login SDKs. If any of those are blocked pre-authentication, the page will either fail to load or load broken. Use your browser's developer tools on a test device connected to the guest SSID to identify which requests are being blocked. The second is the NBI connectivity issue. If guests can see the portal and authenticate, but never get internet access, the likely cause is that the SmartZone can't receive the NBI callback from your portal platform. Check that ports 9080 and 9443 are open inbound to the SmartZone's management IP from your portal vendor's IP range. Also verify that the NBI credentials you've configured match what your portal vendor has on file. A third one worth mentioning — Apple CNA, the Captive Network Assistant. On iOS, when a device connects to a network, it fires a probe to captive.apple.com. If that probe gets a non-200 response, iOS pops the mini-browser. If captive.apple.com is in your walled garden, the probe succeeds, iOS thinks there's internet, and the CNA doesn't appear. 
That sounds like a good thing, but it means your guests won't automatically see the portal. You need to decide: do you want the CNA to appear, or do you want guests to open a browser manually? Most hospitality deployments keep captive.apple.com out of the walled garden to trigger the CNA. --- Rapid fire. Three questions I get asked constantly. Do I need a VLAN for my guest WLAN? Yes. Always isolate guest traffic on a dedicated VLAN. This is both a security requirement and a PCI DSS compliance consideration if your venue processes card payments on the same network. Can I use Purple with Ruckus Cloud instead of SmartZone? Yes, but the configuration path is different — it's under WiFi Networks, Guest Access settings. The walled garden and RADIUS configuration principles are the same. Does Purple support SmartZone multi-zone deployments? Yes. Purple's integration handles multi-zone SmartZone environments, and you can scope portal configurations to individual zones for different venues or floors. --- To wrap up. The Ruckus SmartZone captive portal integration with Purple is a mature, well-documented deployment pattern that delivers reliable guest authentication at scale. The key configuration points are: RADIUS on ports 1812 and 1813 with a backup server, the Hotspot WISPr profile with an external login URL, a correctly scoped walled garden using wildcard entries, the no encrypt-mac-ip CLI command, and the Northbound Interface enabled with the correct credentials. Get those five things right, and you have a solid foundation. For Unleashed deployments, the same principles apply with a simpler configuration model and no NBI requirement. If you're deploying Purple on Ruckus and want to validate your configuration before go-live, Purple's technical onboarding team can walk you through a pre-launch checklist. 
The Purple platform also provides real-time analytics on portal load times, authentication success rates, and session data — giving you the visibility to catch issues before your guests do. Thanks for listening. Next episode we'll be covering 802.1X authentication with Cloud RADIUS — another integration that pairs well with Ruckus SmartZone for corporate guest access. Until then.

Executive Summary

Deploying a high-performance guest wireless network in enterprise venues requires a delicate balance between seamless user experience and robust technical security. For organizations utilizing CommScope Ruckus architectures—ranging from high-density stadiums and convention centres to expansive retail estates and hospitality groups—the captive portal serves as the primary gateway for user onboarding, compliance enforcement, and first-party data capture.

This guide delivers an authoritative, step-by-step playbook for integrating external captive portals with Ruckus SmartZone and Ruckus Unleashed controllers. By leveraging industry-standard Wireless Internet Service Provider roaming (WISPr) protocols, network engineers can implement reliable redirection, secure Remote Authentication Dial-In User Service (RADIUS) authentication, and granular Walled Garden configurations.

When paired with Purple's Guest WiFi and WiFi Analytics platform, this integration allows venue operators to capture critical visitor demographics, comply with international data regulations (such as GDPR and PCI DSS), and unlock powerful marketing automation. Whether deploying centralized Virtual SmartZone (vSZ) architectures in Hospitality and Transport hubs, or distributed AP-based Unleashed networks in Retail environments, this technical reference ensures a resilient, high-throughput deployment.

Technical Deep-Dive

To deploy a highly scalable guest network, engineers must understand the underlying communication standards that govern the captive portal flow. Ruckus architectures utilize the WISPr 2.0 standard to negotiate client redirection and authentication. WISPr defines how a wireless access point (AP) or controller intercepts unauthenticated HTTP/HTTPS traffic and redirects the client browser to an external portal web server.

The WISPr Authentication Flow

The external captive portal redirection process follows a strict sequence of network transactions. Understanding this flow is essential for troubleshooting and configuring upstream firewall policies:

  1. Association: The guest client associates with the open, unencrypted Guest SSID. The AP assigns an IP address to the client via DHCP.
  2. HTTP Probe: The client operating system fires an HTTP probe (e.g., Apple's Captive Network Assistant probe to captive.apple.com or Android's connectivity check to connectivitycheck.gstatic.com) to verify internet access.
  3. HTTP 302 Redirect: The Ruckus AP or SmartZone controller intercepts this unauthenticated HTTP request. It responds with an HTTP 302 Redirect, forwarding the client's browser to the external portal URL (e.g., Purple's login page). This redirect URL is appended with critical query parameters, including the client's MAC address (client_mac), IP address (client_ip), AP MAC address (ap_mac), and the controller's Northbound Interface IP (nbiIP).
  4. Portal Rendering: The client browser loads the external portal page. Unauthenticated traffic to the portal domain and its associated assets is permitted by the controller's Walled Garden policy.
  5. User Authentication: The user completes the login requirements (e.g., social sign-on, SMS registration, form submission) on the portal.
  6. RADIUS Access-Request: The external portal platform, acting as a RADIUS client, sends an Access-Request to the configured RADIUS Authentication Server (such as Purple's Cloud RADIUS infrastructure).
  7. RADIUS Access-Accept: The RADIUS server validates the credentials and returns an Access-Accept packet containing session parameters (e.g., session timeout, bandwidth limits) to the Ruckus controller.
  8. NBI Callback: The external portal makes an API call to the Ruckus controller's Northbound Interface (NBI) using WISPr credentials, instructing the controller to authorize the client's MAC address.
  9. Internet Access: The controller transitions the client's state to "Authenticated", permitting full internet access subject to configured session policies.

Core Architecture Comparison

Depending on the scale of the venue, organizations deploy either CommScope Ruckus SmartZone (enterprise-scale, controller-based) or Ruckus Unleashed (distributed, controller-less) architectures. While both support WISPr-based external captive portals, their underlying configuration paths and capabilities differ significantly:

| Technical Feature | Ruckus SmartZone (vSZ / SZ144 / SZ300) | Ruckus Unleashed (Distributed AP) |
|---|---|---|
| Controller Architecture | Centralized physical or virtual appliance managing up to 10,000 APs. | Distributed master-member AP architecture managing up to 50 APs. |
| Configuration Path | Services > Hotspots & Portals > Hotspot (WISPr) | Admin & Services > Services > Hotspot Services |
| API Callback Method | Northbound Interface (NBI) via TCP Ports 9080/9443. | Direct RADIUS/Local authentication without external API callbacks. |
| MAC Address Encryption | Enabled by default; must be disabled via CLI (no encrypt-mac-ip). | Disabled by default; MAC addresses are passed in plain text. |
| Walled Garden Wildcards | Supports full wildcard formatting (e.g., *.purple.ai). | Supports domain-level entries (e.g., purple.ai). |
| RADIUS Proxy Support | Supported via "Proxy (SZ Authenticator)" or direct AAA. | Supported via direct AAA Server configuration. |
| Target Deployments | Stadiums, large hotels, Transport hubs, Healthcare campuses. | Mid-market hotels, Retail stores, Schools. |

Implementation Guide

This step-by-step implementation guide walks network engineers through configuring an external captive portal on Ruckus SmartZone and Ruckus Unleashed controllers.

Part A: Ruckus SmartZone Configuration

Step 1: Configure RADIUS AAA Servers

To authenticate guest users against an external database, you must first define the RADIUS Authentication and Accounting servers.

  1. Navigate to Services & Profiles > Authentication and select the Proxy (SZ Authenticator) tab.
  2. Select your target Zone and click Create.
  3. Configure the following parameters:
    • Name: Purple_RADIUS_Auth
    • Service Protocol: RADIUS
    • Primary Server IP: Enter the IP address provided in your Purple Admin Console.
    • Port: 1812
    • Shared Secret: Enter your Purple RADIUS Shared Secret.
    • Backup RADIUS: Enabled (Configure the secondary IP, Port 1812, and the same shared secret for high availability).
  4. Click OK to save.
  5. Navigate to Services & Profiles > Accounting and click Create under the Proxy (SZ Authenticator) tab.
  6. Configure the following parameters:
    • Name: Purple_RADIUS_Acct
    • Service Protocol: RADIUS Accounting
    • Primary Server IP: Enter the IP address provided in your Purple Admin Console.
    • Port: 1813
    • Shared Secret: Enter your Purple RADIUS Shared Secret.
    • Backup RADIUS: Enabled (Configure the secondary IP, Port 1813, and the same shared secret).
  7. Click OK to save.

Step 2: Configure the Hotspot WISPr Portal Profile

The Hotspot WISPr profile defines the redirection behavior and Walled Garden rules.

  1. Navigate to Services & Profiles > Hotspots & Portals > Hotspot (WISPr).
  2. Select your target Zone and click Create.
  3. In the General Options section, configure:
    • Portal Name: Purple_WISPr_Portal
    • WISPr Smart Client Support: None
    • Login URL: Select External and enter the primary redirect URL provided by Purple (e.g., https://login.purple.ai/start).
    • Redirect MAC Format: AA:BB:CC:DD:EE:FF (This format is critical for Purple's database parsing).
  4. In the Start Page section, configure:
    • Select Redirect to the following URL and enter: https://login.purple.ai/success.php
  5. In the Session Options section, configure:
    • Session Timeout: 1440 minutes (24 hours, or match your corporate policy).
    • Grace Period: 60 minutes (allows users to reconnect within 1 hour without re-authenticating).
  6. Click OK to save the profile.

Step 3: Define Walled Garden Exceptions

The Walled Garden allows unauthenticated clients to resolve DNS and download assets from specific domains required to load the splash page and authenticate.

  1. Edit your newly created Purple_WISPr_Portal profile.
  2. Scroll down and click the + sign to expand the Walled Garden section.
  3. Add the following mandatory domains. Note that Ruckus SmartZone requires the wildcard format *.domain.com:
    • *.purple.ai (Core portal and redirection domain)
    • *.cloudfront.net (CDN for loading stylesheet and JavaScript assets)
    • *.apple.com and captive.apple.com (To manage Apple Captive Network Assistant behavior)
    • *.googleapis.com and *.gstatic.com (For Google API and asset delivery)
  4. Add any social media domains if you enable social login (e.g., *.facebook.com, *.facebook.net for Facebook login).
  5. Click OK to save.

Step 4: Configure the Guest Wireless LAN (WLAN)

Now, bind the RADIUS servers and Hotspot profile to a new SSID.

  1. Navigate to Wireless LANs and select your target Zone.
  2. Click Create to build a new WLAN.
  3. Configure the General Options:
    • Name: Guest_WiFi
    • SSID: !Free_Venue_WiFi
  4. Configure the Security Options:
    • Authentication Type: Hotspot (WISPr)
    • Method: Open
    • Encryption Options: None
  5. Expand the Hotspot Portal section:
    • Hotspot (WISPr) Portal: Select Purple_WISPr_Portal.
    • Authentication Service: Select Purple_RADIUS_Auth.
    • Accounting Service: Select Purple_RADIUS_Acct.
    • Send Interim Update: Set to 5 minutes (essential for real-time session tracking).
  6. Expand the RADIUS Options:
    • NAS ID: Set to User-defined and enter your Purple-assigned venue ID.
    • Called Station ID: Select AP MAC.
    • Single Session ID: ON (Prevents session duplication across APs).
  7. Click OK to deploy the WLAN.

Step 5: Enable WISPr Northbound Interface (NBI)

The NBI allows Purple to communicate back to the SmartZone to authorize clients.

  1. Navigate to Administration > External Services > WISPr Northbound Interface.
  2. Check the box to Enable Northbound Interface support.
  3. Define a Username and Password (e.g., purple_nbi / SecureNbiPassword123!).
  4. Enter these credentials into the Purple Admin Console under Integrations > Ruckus SmartZone.

Step 6: Disable MAC/IP Encryption (CRITICAL CLI STEP)

By default, SmartZone encrypts MAC addresses in the redirect URL. You must disable this so Purple can read client MACs.

  1. Open an SSH session to your SmartZone controller management IP.
  2. Log in with your administrator credentials.
  3. Execute the following commands:
    ruckus> enable
    ruckus# config
    ruckus(config)# no encrypt-mac-ip
    ruckus(config)# end
    ruckus# write memory
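
The redirect parameters listed in step 3 of the WISPr flow reach the portal through the guest's browser, so the portal side validates them before acting on them. The sketch below is an added example, not Purple's or Ruckus's code: it checks the Redirect MAC Format chosen in Step 2, reports values that are not plain MAC/IP addresses (the symptom of skipping `no encrypt-mac-ip`), and accepts `nbiIP` only from an allowlist. `KNOWN_NBI_IPS`, the problem codes and the sample URLs are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Format selected as "Redirect MAC Format" in the Hotspot (WISPr) profile.
MAC_RE = re.compile(r"^[0-9A-F]{2}(?::[0-9A-F]{2}){5}$")
HEX12_RE = re.compile(r"^[0-9A-F]{12}$")
# Parameter names as listed in the guide's description of the 302 redirect.
REQUIRED = ("client_mac", "client_ip", "ap_mac", "nbiIP")
# Assumption: the operator records the NBI address of each controller it serves.
KNOWN_NBI_IPS = frozenset({"198.51.100.10"})


def check_mac(value):
    """Return (normalised_mac, problem_code); exactly one of them is None."""
    upper = value.upper()
    if MAC_RE.match(upper):
        return upper, None
    if HEX12_RE.match(re.sub(r"[-:.]", "", upper)):
        # A real MAC, but not in the format the portal profile should emit.
        return None, "mac-format"
    # Not a MAC at all: MAC/IP encryption is probably still enabled.
    return None, "encrypted"


def check_ip(value):
    """Return (canonical_ip, problem_code); exactly one of them is None."""
    try:
        return str(ipaddress.ip_address(value)), None
    except ValueError:
        return None, "not-an-ip"


def validate_redirect(url, known_nbi=KNOWN_NBI_IPS):
    """Return (params, problems). Use params only when problems is empty."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params, problems = {}, []
    for name in REQUIRED:
        values = query.get(name, [])
        if len(values) != 1 or not values[0]:
            problems.append((name, "missing-or-repeated"))
            continue
        checker = check_mac if name.endswith("_mac") else check_ip
        clean, problem = checker(values[0])
        if problem:
            problems.append((name, problem))
        else:
            params[name] = clean
    # The NBI callback carries credentials, so it only goes to known controllers.
    nbi = params.get("nbiIP")
    if nbi is not None and nbi not in known_nbi:
        problems.append(("nbiIP", "unknown-controller"))
        del params["nbiIP"]
    return params, problems


# Constructed sample redirects (documentation address ranges, made-up MACs).
BASE = "https://login.purple.ai/start?"
GOOD = (BASE + "client_mac=AA%3ABB%3ACC%3A11%3A22%3A33&client_ip=10.100.0.57"
        "&ap_mac=11:22:33:44:55:66&nbiIP=198.51.100.10")
# Opaque strings stand in for whatever the controller sends while encryption is on.
ENCRYPTED = (BASE + "client_mac=ENC4f9a1c7be2d05836&client_ip=ENC91b3e0a7c5d2f684"
             "&ap_mac=11:22:33:44:55:66&nbiIP=198.51.100.10")
WRONG_FORMAT = (BASE + "client_mac=aa-bb-cc-11-22-33&client_ip=10.100.0.57"
                "&ap_mac=11:22:33:44:55:66&nbiIP=198.51.100.10")
UNKNOWN_NBI = (BASE + "client_mac=AA:BB:CC:11:22:33&client_ip=10.100.0.57"
               "&ap_mac=11:22:33:44:55:66&nbiIP=203.0.113.77")

if __name__ == "__main__":
    for label, url in [("good", GOOD), ("encrypted", ENCRYPTED),
                       ("wrong format", WRONG_FORMAT), ("unknown NBI", UNKNOWN_NBI)]:
        params, problems = validate_redirect(url)
        print(f"{label:13} problems={problems}")
```
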
    

Part B: Ruckus Unleashed Configuration

For smaller venues utilizing a controller-less Unleashed architecture, configure the captive portal via the master AP web interface.

Step 1: Define AAA Servers

  1. Navigate to Admin & Services > Services > AAA Servers.
  2. Click Create New to add the RADIUS Authentication Server:
    • Name: Purple_Auth
    • Type: RADIUS
    • IP Address: Enter Purple's RADIUS IP.
    • Port: 1812
    • Shared Secret: Enter your Purple RADIUS Shared Secret.
  3. Click OK.
  4. Click Create New to add the RADIUS Accounting Server:
    • Name: Purple_Acct
    • Type: RADIUS Accounting
    • IP Address: Enter Purple's RADIUS IP.
    • Port: 1813
    • Shared Secret: Enter your Purple RADIUS Shared Secret.
  5. Click OK.

Step 2: Configure Hotspot Service

  1. Navigate to Admin & Services > Services > Hotspot Services.
  2. Click Create New.
  3. Under the General tab:
    • Name: Purple_Hotspot
    • Login URL: Enter your Purple redirect URL.
    • Start Page: Select Redirect to the following URL and enter https://login.purple.ai/success.php.
  4. Under the Authentication tab:
    • Authentication Server: Select Purple_Auth.
    • Accounting Server: Select Purple_Acct.
    • Interim Update: Set to 5 minutes.
  5. Under the Walled Garden tab:
    • Add domain-level entries (e.g., purple.ai, cloudfront.net, gstatic.com). Note that Unleashed does not require the asterisk wildcard prefix; standard domain-level matching is applied automatically.
  6. Click OK to save.

Step 3: Assign Hotspot Service to WLAN

  1. Navigate to Wi-Fi Networks and click Create.
  2. Set Name and SSID to your guest network name.
  3. Set Usage Type to Hotspot Service.
  4. Select Purple_Hotspot from the list of services.
  5. Click OK to publish the SSID across all Unleashed APs.

Best Practices

To ensure maximum performance, security, and regulatory compliance, network architects should implement the following industry-standard best practices:

1. Granular Guest VLAN Segmentation

Never map guest traffic to the native or management VLAN. Always isolate guest clients on a dedicated, non-routable VLAN (e.g., VLAN 100). Implement strict Access Control Lists (ACLs) on the upstream switch or firewall to block guest traffic from reaching corporate subnets, point-of-sale (POS) systems, and IoT infrastructure. This segmentation is a core requirement for PCI DSS compliance.

2. High-Density RF Optimization

In high-density environments like stadiums, conference centres, and large retail hubs, RF tuning is critical. Disable lower legacy data rates (e.g., disable 802.11b rates below 12 Mbps) to force clients onto faster rates, reducing airtime contention. Enable Band Steering to direct dual-band client devices to the 5 GHz and 6 GHz spectrum, preserving the highly congested 2.4 GHz band for legacy devices.

3. Dynamic Walled Garden Management

Keep your Walled Garden as lean as possible. Overly permissive walled gardens (such as adding large IP subnets like 172.217.0.0/16) can allow unauthenticated users to bypass the captive portal and access external services (like Google Search or YouTube) without logging in. Regularly audit your walled garden domains, especially after enabling new social login providers.
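
One way to run the audit recommended above, as an added example that is not part of the original guide or of any Ruckus tooling. It flags broad IP subnets, wildcard-prefixed entries on Unleashed, and entries that also admit the OS captive-portal probe hosts (the CNA behaviour described under Issue 3 in the troubleshooting section). The /24 and /64 thresholds, the finding codes and the exact-host treatment of bare SmartZone entries are assumptions.

```python
import ipaddress

# OS captive-portal detection hosts named in this guide.
CNA_PROBES = ("captive.apple.com", "connectivitycheck.gstatic.com")
# Assumption: subnets broader than these prefix lengths need a justification.
MIN_PREFIX = {4: 24, 6: 64}


def parse_network(entry):
    """Return an ip_network for IP/CIDR entries, or None for domain entries."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def covers(entry, host, platform):
    """True if a domain entry would admit `host` before authentication."""
    entry, host = entry.lower().rstrip("."), host.lower()
    if entry.startswith("*."):
        return host.endswith(entry[1:])      # "*.apple.com" -> ".apple.com"
    if platform == "unleashed":
        # Guide: Unleashed applies domain-level matching to bare entries.
        return host == entry or host.endswith("." + entry)
    return host == entry                     # assumed: SmartZone bare entry = one host


def audit(entries, platform, want_cna=True):
    """Return (entry, code, detail) findings for one walled-garden list.

    want_cna=True means the venue wants the CNA mini-browser to pop up, so any
    entry that lets the OS probe succeed before login is reported.
    """
    if platform not in ("smartzone", "unleashed"):
        raise ValueError("platform must be 'smartzone' or 'unleashed'")
    findings = []
    for raw in entries:
        entry = raw.strip()
        net = parse_network(entry)
        if net is not None:
            if net.prefixlen < MIN_PREFIX[net.version]:
                findings.append((entry, "broad-subnet", f"/{net.prefixlen}"))
            continue
        if platform == "unleashed" and entry.startswith("*."):
            findings.append((entry, "wildcard-prefix", "use " + entry[2:]))
        if want_cna:
            for probe in CNA_PROBES:
                if covers(entry, probe, platform):
                    findings.append((entry, "matches-cna-probe", probe))
    return findings


# The SmartZone list from Step 3 of the implementation guide.
STEP3_SMARTZONE = ["*.purple.ai", "*.cloudfront.net", "*.apple.com",
                   "captive.apple.com", "*.googleapis.com", "*.gstatic.com"]
# Constructed Unleashed list containing the mistakes the guide warns about.
SAMPLE_UNLEASHED = ["purple.ai", "cloudfront.net", "gstatic.com",
                    "*.facebook.com", "172.217.0.0/16"]

if __name__ == "__main__":
    for name, entries, platform in [("SmartZone", STEP3_SMARTZONE, "smartzone"),
                                    ("Unleashed", SAMPLE_UNLEASHED, "unleashed")]:
        print(name)
        for entry, code, detail in audit(entries, platform):
            print(f"  {entry:20} {code:18} {detail}")
```

Run against the Step 3 list with `want_cna=True`, it reports `*.apple.com`, `captive.apple.com` and `*.gstatic.com`, which is the decision point the troubleshooting section describes for iOS devices.
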

4. Secure Session Management

Set reasonable session timeouts (e.g., 1440 minutes / 24 hours) and grace periods (e.g., 60 minutes). A well-configured grace period prevents "portal fatigue" by allowing users who temporarily lose WiFi coverage (e.g., stepping outside a hotel lobby) to reconnect seamlessly without being forced to re-authenticate.

5. Regulatory Compliance and Security

Deploying public guest WiFi exposes venues to legal risks. Ensure your captive portal integration complies with local regulations:

  • GDPR / CCPA: Ensure the splash page displays clear terms of service and privacy policies, requiring active opt-in consent for marketing communications.
  • WPA3-Transition Mode: While guest networks are typically open, consider enabling WPA3-Transition mode with Opportunistic Wireless Encryption (OWE) to encrypt wireless traffic between the client and the AP without requiring a pre-shared key, protecting guests from passive eavesdropping.
  • Web Content Filtering: Upstream DNS servers (such as Cisco Umbrella or Cloudflare Families) should be configured to block malicious domains, adult content, and illegal file-sharing traffic on the guest VLAN.

Troubleshooting & Risk Mitigation

When deploying external captive portals on Ruckus hardware, engineers commonly encounter a predictable set of configuration and network path issues. Use this structured troubleshooting framework to resolve deployment bottlenecks.

Common Failure Modes and Resolution Paths

Issue 1: Guest devices are not redirected to the captive portal page.

  • Root Cause A: DNS Resolution Failure. Unauthenticated clients must be able to resolve DNS queries before redirection. If the client cannot resolve login.purple.ai, the redirect will fail.
    • Resolution: Verify that the DHCP scope assigned to the guest VLAN provides valid, public DNS servers (e.g., 1.1.1.1 or 8.8.8.8). Ensure the upstream firewall permits UDP port 53 traffic from the guest subnet to the internet pre-authentication.
  • Root Cause B: Firewall blocking Port 9080/9443. SmartZone requires specific ports open to load the splash page.
    • Resolution: Ensure that TCP port 9080 (HTTP) or 9443 (HTTPS) is permitted from the guest subnet to the SmartZone controller through any local firewalls.
  • Root Cause C: Walled Garden misconfiguration. The redirect URL itself might be blocked.
    • Resolution: Ensure *.purple.ai is explicitly defined in the Hotspot WISPr Walled Garden.

Issue 2: Guests can view and complete the login page, but cannot access the internet after clicking "Connect".

  • Root Cause A: NBI Communication Failure. The external portal cannot send the authorization API call back to the SmartZone controller.
    • Resolution: Verify that the SmartZone's Northbound Interface (NBI) is enabled and that the credentials entered in the Purple Admin Console match the controller configuration. Ensure your edge firewall permits inbound TCP port 9080 (or 9443) traffic from Purple's public IP range to the SmartZone management IP.
  • Root Cause B: RADIUS Authentication Failure. The controller is rejecting the RADIUS Access-Accept or has not received it.
    • Resolution: Navigate to Services & Profiles > Authentication on the SmartZone, select your RADIUS server, and click Test AAA. Enter test credentials to verify connectivity. If the test fails, verify the RADIUS IP, port 1812, and the Shared Secret. Ensure UDP ports 1812 and 1813 are permitted outbound on your edge firewall.

Issue 3: Apple iOS devices do not display the Captive Network Assistant (CNA) mini-browser automatically.

  • Root Cause: Apple CNA Bypass Enabled or Walled Garden too permissive. If Apple's test domain is allowed in the walled garden, iOS assumes it has direct internet access and suppresses the CNA.
    • Resolution: Ensure that captive.apple.com is NOT fully bypassed in your walled garden if you want to force the CNA to appear. Conversely, if your policy is to bypass the CNA and force users to open a standard browser, ensure Bypass CNA is turned ON in the WLAN configuration.

Network Port and Protocol Requirements

To ensure seamless communication between the Ruckus controller, client devices, and the external portal, verify that the following ports are permitted on your network firewalls:

| Source | Destination | Protocol | Port | Purpose |
|---|---|---|---|---|
| Guest Subnet | Public DNS | UDP | 53 | Pre-authentication DNS resolution. |
| Guest Subnet | SmartZone Controller | TCP | 9080 / 9443 | Captive portal redirection and WISPr web auth. |
| SmartZone Controller | Purple RADIUS Servers | UDP | 1812 | RADIUS Authentication traffic. |
| SmartZone Controller | Purple RADIUS Servers | UDP | 1813 | RADIUS Accounting / Session tracking. |
| Purple Portal Cloud | SmartZone Controller | TCP | 9080 / 9443 | Inbound Northbound Interface (NBI) API callbacks. |

ROI & Business Impact

While network engineers focus on packet flows and port configurations, IT directors and CTOs must justify the investment in enterprise guest WiFi. Integrating Ruckus high-density hardware with Purple's WiFi Analytics platform transforms a cost-centre network into a high-value business asset, delivering measurable return on investment (ROI).

1. First-Party Data Capture at Scale

In industries like Retail and Hospitality, understanding customer demographics is a primary driver of business growth. A standard open SSID captures zero visitor data. By implementing Purple's captive portal, venues achieve average login completion rates of 25% to 40%. This allows operators to legally capture verified email addresses, phone numbers, and social profiles.

2. Hyper-Localized Marketing and Engagement

By pairing Ruckus's precise location services with Purple's marketing engine, venues can trigger automated, real-time campaigns based on physical presence. For example, a retail brand can trigger a targeted SMS coupon to a guest who has been browsing a specific department for more than 15 minutes, or a hotel can send a welcome email with a link to book spa services immediately after the guest connects to the lobby WiFi.

3. Operational Efficiency and Venue Insights

Integrating captive portals with location analytics delivers powerful operational intelligence. Venue directors can monitor:

  • Footfall and Dwell Time: Measure the exact number of visitors, how long they stay, and their pathing through the physical space.
  • Loyalty and Return Rates: Identify new vs. returning visitors to evaluate the impact of marketing campaigns and operational changes.
  • Staff Optimization: Align staffing levels with real-time visitor density maps, reducing overhead during off-peak hours and improving customer service during peak times.

Business Impact Matrix

The table below outlines typical business outcomes across core verticals following the deployment of a Ruckus and Purple integrated guest WiFi network:

| Venue Vertical | Primary Business Challenge | Ruckus + Purple Solution | Measurable Business Impact |
|---|---|---|---|
| Hospitality (Hotels, Resorts) | High guest onboarding friction; low direct booking rates; poor review volume. | Seamless WISPr onboarding; automated post-stay email triggers linked to TripAdvisor. | 20% increase in direct bookings; 35% increase in positive online review volume. |
| Retail (Malls, Flagship Stores) | Inability to track physical visitor journeys; low loyalty program enrollment. | Capture demographic data via splash page; track physical pathing and dwell times. | 15% growth in loyalty database; 10% increase in average basket size via targeted SMS. |
| Transport (Airports, Train Stations) | High congestion; complex multi-language passenger onboarding. | High-density Ruckus AP performance; multi-language captive portal with flight tracking. | 40% reduction in connection-related support tickets; 25% increase in retail concession spend. |
| Healthcare (Hospitals, Clinics) | Strict security compliance; high administrative overhead for guest access. | Isolated Guest VLAN; secure self-registration portal; integration with NAC solutions. | 100% compliance with HIPAA and PCI DSS; 30% reduction in IT helpdesk ticket volume. |

By aligning technical excellence in wireless engineering with strategic business goals, the Ruckus and Purple integration delivers a secure, compliant, and highly profitable enterprise network infrastructure.


Key Definitions

WISPr (Wireless Internet Service Provider roaming)

A draft protocol developed by the Wi-Fi Alliance that enables smart clients and web browsers to automatically authenticate against a wireless hotspot using standardized XML or HTTP 302 redirection.

Used as the core redirection protocol in Ruckus controllers to forward unauthenticated guest devices to external captive portal platforms.

Northbound Interface (NBI)

An API exposed by the Ruckus SmartZone controller that allows external web portals to send authorization callbacks, instructing the controller to grant internet access to a specific client MAC address.

Must be enabled on TCP port 9080 (HTTP) or 9443 (HTTPS) to allow Purple to authorize guest sessions after successful login.

Walled Garden

A list of IP addresses, subnets, or domain names that unauthenticated guest clients are permitted to access pre-authentication.

Must be configured with the portal's domain, CDNs, and operating system captive portal detection endpoints to ensure the splash page loads correctly.

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol operating on UDP ports 1812 (Authentication) and 1813 (Accounting) that provides centralized Authentication, Authorization, and Accounting (AAA) management for users.

Ruckus controllers forward client session data to Purple's RADIUS servers to validate credentials and track session durations.

CNA (Captive Network Assistant)

A lightweight, limited browser built into operating systems (like Apple iOS/macOS and Android) that automatically launches when an open network with an active captive portal is detected.

Can be bypassed in the WLAN settings if engineers want to force guests to open a full browser manually to complete authentication.

Interim Accounting Update

A periodic RADIUS message sent by the wireless controller to the RADIUS server to update the active session status, bandwidth consumption, and connection time.

Must be set to 5 minutes in the Ruckus WLAN configuration to ensure Purple's dashboard displays accurate, real-time analytics.

Client Isolation

A security feature configured on the wireless controller that prevents wireless clients connected to the same AP or WLAN from communicating directly with each other.

Essential for guest WiFi networks to protect users from local ARP spoofing, man-in-the-middle attacks, and unauthorized device scanning.

WPA3-Transition Mode

A security configuration that allows older WPA2-compatible devices and newer WPA3-compatible devices to connect to the same SSID simultaneously.

Can be deployed on guest networks with Opportunistic Wireless Encryption (OWE) to provide over-the-air encryption for open SSIDs without requiring a password.

Worked Examples

A high-density conference centre deploying Ruckus SmartZone (vSZ) needs to implement a guest WiFi network using Purple's captive portal. The network must handle up to 5,000 concurrent sessions, isolate guest traffic from corporate subnets, and support social login authentication.

  1. Configure dedicated Guest VLAN 200 on core switches and map it to the Ruckus AP Zone. Define a DHCP scope with public DNS servers (e.g., 1.1.1.1, 8.8.8.8) and a short lease time (2 hours) to accommodate high rotation.
  2. In SmartZone, navigate to Services & Profiles > Authentication > Proxy (SZ Authenticator) and create primary/backup RADIUS servers pointing to Purple's Cloud RADIUS IPs on Port 1812 with the provided shared secret.
  3. Create RADIUS Accounting servers pointing to Purple's Accounting IPs on Port 1813. Set the interim update interval to 5 minutes to track active sessions accurately.
  4. Create a Hotspot WISPr Portal Profile. Set Login URL to 'External' with the Purple redirection URL. Add walled garden wildcard exceptions for '*.purple.ai', '*.cloudfront.net', and social media domains (e.g., '*.facebook.com').
  5. Create the Guest WLAN. Set Authentication Type to Hotspot (WISPr), select the newly created Hotspot profile, and bind the RADIUS authentication and accounting services. Set Called Station ID to 'AP MAC' and enable 'Single Session ID'.
  6. Access the SmartZone CLI via SSH and execute 'no encrypt-mac-ip' to pass raw MAC addresses to the portal. Enable the WISPr Northbound Interface (NBI) on the controller and input the credentials in the Purple portal admin console to enable NBI authorization callbacks.
Examiner's Commentary: This architecture is highly resilient and compliant. Using a dedicated VLAN 200 satisfies PCI DSS segmentation requirements. The short DHCP lease time of 2 hours prevents IP address exhaustion in high-density scenarios. Enabling RADIUS accounting with a 5-minute interim update ensures that the venue has real-time session tracking, allowing Purple to accurately monitor bandwidth usage. Disabling MAC address encryption via CLI is a critical step; without it, the portal would receive hashed MACs and fail to correlate sessions. The NBI callback configuration is the only secure way to authorize clients on Ruckus SmartZone without creating local authentication loops.
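Steps 2, 3 and 5 depend on the controller and the RADIUS server sharing one secret. The sketch below is an added example, not Ruckus or Purple code: it builds an RFC 2866 interim accounting update and shows how the receiving side detects a wrong secret or a modified packet. The secret, MAC addresses and session ID are constructed placeholders.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4          # RADIUS packet code (RFC 2866)
INTERIM_UPDATE = 3              # Acct-Status-Type value for an interim update
ATTR = {"Called-Station-Id": 30, "Calling-Station-Id": 31, "Acct-Status-Type": 40,
        "Acct-Session-Id": 44, "Acct-Session-Time": 46}

def attr(name: str, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    return bytes([ATTR[name], len(value) + 2]) + value

def authenticator(header: bytes, attrs: bytes, secret: bytes) -> bytes:
    # RFC 2866: MD5(code + id + length + 16 zero octets + attributes + secret)
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_interim_update(secret: bytes, ident: int, session_id: bytes,
                         ap_mac: bytes, client_mac: bytes, seconds: int) -> bytes:
    attrs = (attr("Acct-Status-Type", struct.pack("!I", INTERIM_UPDATE))
             + attr("Acct-Session-Id", session_id)
             + attr("Called-Station-Id", ap_mac)        # 'AP MAC' in the WLAN settings
             + attr("Calling-Station-Id", client_mac)
             + attr("Acct-Session-Time", struct.pack("!I", seconds)))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + authenticator(header, attrs, secret) + attrs

def verify_and_parse(packet: bytes, secret: bytes):
    """Return {attribute name: raw value}, or None if the packet must be dropped."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:]
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return None
    if not hmac.compare_digest(authenticator(packet[:4], attrs, secret), packet[4:20]):
        return None                      # wrong shared secret or modified packet
    names, parsed, i = {v: k for k, v in ATTR.items()}, {}, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            return None                  # malformed attribute length
        parsed[names.get(attrs[i], attrs[i])] = attrs[i + 2:i + attrs[i + 1]]
        i += attrs[i + 1]
    return parsed

if __name__ == "__main__":
    # Constructed values: secret, MAC addresses and session id are placeholders.
    pkt = build_interim_update(b"constructed-secret", 7, b"sess-0001",
                               b"AA-BB-CC-00-00-01", b"02-00-00-00-00-10", 300)
    print(verify_and_parse(pkt, b"constructed-secret"))
    print(verify_and_parse(pkt, b"mistyped-secret"))   # None
```

A secret mistyped on either side makes every accounting update fail this check, so the packets are discarded and no session data is recorded.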

A mid-sized boutique hotel with 45 rooms wants to deploy guest WiFi with an external splash page using Ruckus Unleashed APs. They require a lightweight, controller-less setup that does not require CLI management or a public-facing NBI API port.

  1. Log in to the master Unleashed AP web interface. Go to Admin & Services > Services > AAA Servers and create RADIUS Authentication (Port 1812) and Accounting (Port 1813) server entries pointing to Purple's Cloud RADIUS infrastructure.
  2. Navigate to Admin & Services > Services > Hotspot Services and click Create New. Name the service 'Purple_Hotel_Hotspot'.
  3. Under the General tab, set the Login URL to the Purple portal redirection URL. Set the Start Page to redirect to 'https://login.purple.ai/success.php'.
  4. Under the Authentication tab, select the newly created RADIUS servers. Set the interim accounting update interval to 5 minutes.
  5. Under the Walled Garden tab, add the required domains as domain-level entries (e.g., 'purple.ai', 'cloudfront.net', 'gstatic.com'). Note that Unleashed does not require or support the asterisk wildcard prefix (*.domain.com).
  6. Go to Wi-Fi Networks, click Create, and set the SSID name (e.g., 'Hotel_Guest_WiFi'). Set the Usage Type to 'Hotspot Service' and select 'Purple_Hotel_Hotspot' from the drop-down list. Save the configuration to automatically sync the SSID across all 45 Unleashed APs.
Examiner's Commentary: For SMB and mid-market deployments under 50 APs, Ruckus Unleashed offers a highly cost-effective distributed architecture. Because Unleashed does not apply MAC address encryption by default, the CLI step required in SmartZone is bypassed. Furthermore, Unleashed does not require a Northbound Interface (NBI) callback for authorization; instead, client authorization is negotiated directly via standard RADIUS transactions between the master AP and the RADIUS server. This simplifies the firewall configuration as no inbound ports (like 9080/9443) need to be opened to the controller from the internet.

Practice Questions

Q1. An engineer has configured a Ruckus SmartZone captive portal integration. When users connect to the guest WiFi, they are redirected to the login page. However, after entering their credentials and clicking 'Connect', they are immediately redirected back to the login page in an infinite loop. What is the most likely cause of this issue, and how should it be resolved?

Hint: Focus on the communication between the portal cloud and the SmartZone controller after authentication is completed.

Model answer:

The most likely cause is a failure in the WISPr Northbound Interface (NBI) callback or a RADIUS authentication mismatch. When the user clicks 'Connect', the portal authenticates the user and attempts to send an NBI callback to the SmartZone controller on TCP port 9080 or 9443 to authorize the client's MAC address. If the edge firewall blocks this inbound port, or if the NBI credentials entered in the portal console do not match the controller's settings, the controller never authorizes the client. Consequently, when the client attempts to access the internet again, the controller intercepts the traffic and redirects them back to the portal. To resolve this: 1) Verify that TCP port 9443 (or 9080) is open inbound on the edge firewall from the portal's IP range to the SmartZone's management IP. 2) Check the SmartZone's NBI configuration under Administration > WISPr Northbound Interface and confirm that the username and password match what is configured in the portal admin console. 3) Test RADIUS connectivity on the SmartZone under Services & Profiles > Authentication > Test AAA to ensure the shared secret is correct.

Q2. During the deployment of a guest WiFi network on a Ruckus Unleashed cluster, several guests report that the splash page loads with broken images and styling, and the social login options fail to function. Other guests on different devices cannot load the splash page at all. What is the most likely configuration error?

Hint: Analyze the difference between the domains that load successfully and those that fail pre-authentication.

Model answer:

The most likely cause is a misconfigured or incomplete Walled Garden. Unauthenticated clients are blocked from accessing any internet destinations except those explicitly defined in the Walled Garden. If the splash page loads with broken styling and images, it means the browser is blocked from downloading those assets from external CDNs. If social login options fail, it means the social provider's authentication endpoints (e.g., Facebook or Google OAuth URLs) are blocked. To resolve this: 1) Audit the Walled Garden entries in the Unleashed Hotspot Service configuration. 2) Ensure that all CDN domains used by the portal (such as '.cloudfront.net') and core portal domains (such as 'purple.ai') are added. 3) If social login is enabled, add the specific social provider domains (e.g., '.facebook.com', '.facebook.net', '.google.com'). 4) Note that Unleashed uses domain-level matching, so do not include the asterisk wildcard prefix (e.g., use 'purple.ai' instead of '*.purple.ai').

Q3. A wireless engineer is migrating a guest WiFi network from Ruckus Unleashed to a centralized Virtual SmartZone (vSZ) controller. They copy the Walled Garden list exactly as it was configured in Unleashed: 'purple.ai', 'cloudfront.net', 'apple.com'. However, after the migration, clients on the vSZ network cannot load the splash page. What is the syntax difference that caused this failure?

Hint: Review the specific wildcard formatting rules for Ruckus SmartZone compared to Ruckus Unleashed.

Model answer:

The failure is caused by a syntax difference in how the two platforms parse Walled Garden entries. Ruckus Unleashed applies automatic domain-level matching, meaning that entering 'purple.ai' automatically covers all subdomains (such as 'login.purple.ai' or 'assets.purple.ai'). However, Ruckus SmartZone does not apply automatic subdomain matching; it requires explicit wildcard formatting using the asterisk prefix (e.g., '*.purple.ai'). If the engineer entered 'purple.ai' in SmartZone, the controller would permit traffic only to the root domain, blocking the client from loading the actual login page at 'login.purple.ai'. To resolve this, the engineer must edit the Hotspot WISPr profile in SmartZone and update the Walled Garden entries to use the correct format: '*.purple.ai', '*.cloudfront.net', and '*.apple.com'.
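The migration failure in Q3 can be caught before cut-over by checking a Walled Garden list against the hostnames the splash page needs. This is an added example, not Ruckus or Purple tooling: the matching rules are modelled only on this guide's description of the two platforms, and the CloudFront and Apple hostnames in the sample list are constructed for illustration.

```python
def normalize(name: str) -> str:
    return name.strip().lower().rstrip(".")

def entry_allows(entry: str, host: str, platform: str) -> bool:
    """Apply the matching rule this guide describes for each platform."""
    entry, host = normalize(entry), normalize(host)
    if platform == "unleashed":
        if "*" in entry:
            return False                     # asterisk prefix is not supported
        # Domain-level matching: the entry covers itself and every subdomain.
        return host == entry or host.endswith("." + entry)
    if platform == "smartzone":
        if entry.startswith("*."):
            # Assumption: '*.purple.ai' covers subdomains, not the bare root.
            return host.endswith(entry[1:])
        return host == entry                 # bare entry matches the root only
    raise ValueError(f"unknown platform: {platform}")

def blocked_hosts(entries, required, platform):
    """Required pre-authentication hostnames that no entry permits."""
    return [h for h in required
            if not any(entry_allows(e, h, platform) for e in entries)]

def to_smartzone(entries):
    """Rewrite Unleashed-style entries with the asterisk prefix."""
    return [e if e.startswith("*.") else "*." + normalize(e) for e in entries]

def to_unleashed(entries):
    """Strip the asterisk prefix for an Unleashed Hotspot Service."""
    return [normalize(e)[2:] if e.startswith("*.") else normalize(e) for e in entries]

# Entries copied from the Unleashed cluster in Q3.
UNLEASHED_LIST = ["purple.ai", "cloudfront.net", "apple.com"]
# Hosts the splash page must reach; the last two are constructed examples.
REQUIRED = ["login.purple.ai", "assets.purple.ai",
            "d111example.cloudfront.net", "captive.apple.com"]

if __name__ == "__main__":
    print("Unleashed, as configured:", blocked_hosts(UNLEASHED_LIST, REQUIRED, "unleashed"))
    print("SmartZone, copied as-is: ", blocked_hosts(UNLEASHED_LIST, REQUIRED, "smartzone"))
    fixed = to_smartzone(UNLEASHED_LIST)
    print("SmartZone, converted:    ", fixed, blocked_hosts(fixed, REQUIRED, "smartzone"))
```

Running the same check with the hostnames seen failing in a browser's network tab also narrows down the incomplete Walled Garden described in Q2.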