Passer au contenu principal
Français

Assistant de configuration RADIUS et guide 802.1X

Configurez des réseaux sans fil sécurisés WPA2 et WPA3 Enterprise intégrés aux fournisseurs d'identité cloud.

Configurez votre configuration RADIUS

1. Select your technology stack

PEAP-MSCHAPv2 requires users to input their active email and directory password. Easy to set up, but susceptible to credential harvesting.

RADIUS Server Specifications

Configure these cloud authentication servers on your wireless access point controllers.

Primary Server185.101.99.1Host: radius1.purple.ai
Secondary Server185.101.99.2Host: radius2.purple.ai
PortsAuth: 1812 | Acct: 1813Standard UDP ports
Shared Secret KeypUrpLeReSeArCh8021x

Access point controller settings

  1. Log in to the Meraki Dashboard and navigate to Wireless > SSIDs.
  2. Rename SSID to your secure network name and set Association to WPA2-Enterprise with 802.1X or WPA3-Enterprise.
  3. Set IP assignment to Bridge mode to handle dynamic client VLANs.
  4. Under RADIUS servers, click "Add a server" and enter the Primary IP (185.101.99.1) and Secondary IP (185.101.99.2), Port 1812, and your Shared Secret.
  5. Enable RADIUS Accounting, pointing to the same server IPs with Port 1813.
  6. Set RADIUS CoA (Change of Authorization) to Enabled. This is required for session termination and security policies.

Identity directory mapping

  1. Open the Microsoft Entra admin center (Azure Portal).
  2. Navigate to App registrations and register a new enterprise app for Purple WiFi.
  3. Configure API permissions to allow User.Read.All and GroupMember.Read.All.
  4. Set up SCIM provisioning pointing to https://api.purple.ai/scim/v2 using your tenant token to sync user status.
  5. Create security groups (e.g. "WiFi-Users") and assign users to control who can authenticate to the network.

Client device onboarding profiles

Client devices need configuration parameters to trust the RADIUS server certificate silently without displaying security warnings.

Apple macOS & iOS Configuration Profile (.mobileconfig)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>Enterprise WiFi Profile</string>
      <key>PayloadIdentifier</key>
      <string>com.purple.wifi.profile</string>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key>
      <string>A5E81A22-38D4-4903-BB1A-A6C18644A152</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>SSID_STR</key>
      <string>Enterprise-Secure</string>
      <key>HIDDEN</key>
      <false/>
      <key>EncryptionType</key>
      <string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>
        <array>
          <integer>25</integer> <!-- 25 = PEAP, 13 = TLS -->
        </array>
        <key>TLSTrustedServerNames</key>
        <array>
          <string>radius.purple.ai</string>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Enterprise WiFi Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.purple.wifi</string>
  <key>PayloadUUID</key>
  <string>F2B8D432-84E3-40B1-B590-F28B020B0421</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
Windows clients (Group Policy)Create a Group Policy Object (GPO) under Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (802.11) Policies. Configure SSID properties to connect automatically to Enterprise-Secure using WPA2-Enterprise or WPA3-Enterprise, EAP-PEAP, specify trust for Root CA certificate, and lock down trusted server domains to radius.purple.ai.
Android 11+ clients (CA trust)Android 11 and later versions enforce CA certificate validation. When connecting manually to Enterprise-Secure, users cannot select "Do not validate". They must: Select Use system certificates, set Domain validation to radius.purple.ai, and configure EAP method to PEAP or TLS.

Assistant de configuration de la sécurité d'entreprise

Le déploiement de l'authentification d'entreprise 802.1X nécessite d'aligner les fournisseurs d'identité, les serveurs RADIUS et les points d'accès sans fil. Cet assistant fournit les adresses IP, les ports et les paramètres de profil d'OS client requis pour une configuration sécurisée.

Paramètres de configuration pris en charge

  • Intégrations des fournisseurs d'identité cloud avec Microsoft Entra ID et Okta.
  • Détails de configuration du serveur RADIUS pour l'authentification et la comptabilisation.
  • Paramètres de profil client pour les certificats sécurisés et l'onboarding silencieux.

Need a Cloud RADIUS?

Deploying 802.1X enterprise authentication doesn't require complex on-premises hardware. Purple's integrated Cloud RADIUS syncs directly with Entra ID, Okta, and Google Workspace.

Talk to a WiFi expert