Step-by-Step Guide: Configuring Ruijie Wireless Controllers for Guest WiFi Captive Portals
This guide provides a complete technical walkthrough for configuring Ruijie wireless controllers and gateways to deploy enterprise-grade guest WiFi captive portals. It covers VLAN segmentation, external RADIUS authentication via WISPr protocol, walled garden configuration, and seamless integration with Purple's Identity-Based Networks platform to capture first-party data and drive measurable business value across hospitality, retail, and public-sector environments.
- Executive summary
- Technical architecture and prerequisites
- Network segmentation
- Required components
- Authentication protocol overview
- Step-by-step implementation guide
- Step 1: Configure the guest SSID
- Step 2: Define the captive portal policy
- Step 3: Configure the walled garden (allowlist)
- Step 4: Configure RADIUS authentication
- Step 5: Apply QoS policies
- Step 6: Test the deployment
- Best practices for enterprise deployment
- Security and compliance
- Portal Escape: a deliberate decision
- Multi-site consistency
- Firmware management
- Troubleshooting and risk mitigation
- Portal page fails to load
- Authentication timeouts
- Social login hangs
- Dynamic VLAN assignment failures
- ROI and business impact

Executive summary
Deploying guest WiFi across a distributed enterprise requires more than an open SSID. For IT managers and network architects, the challenge is balancing seamless access with strict security, GDPR compliance, and data capture requirements. This guide details the exact configuration steps for deploying a secure, scalable captive portal using Ruijie wireless controllers and gateways - and shows how integrating that infrastructure with Purple's Guest WiFi platform transforms a basic wireless connection into a compliant, revenue-generating asset.
We cover the technical prerequisites, VLAN segmentation strategies, external RADIUS authentication via the WISPr protocol, walled garden configuration, and the specific QoS settings required for a production-grade deployment. Whether you manage a 200-room hotel, a 50-site retail chain, or a stadium with 40,000 attendees, this guide provides the authoritative blueprint for a secure Ruijie captive portal setup. Purple operates across 80,000+ live venues and processed 440 million logins in 2024 (Purple internal data), so the integration patterns described here are proven at scale.

Technical architecture and prerequisites
Before modifying your Ruijie controller, establish the correct network architecture. A secure guest network demands complete isolation from corporate traffic at Layer 2 - the switch level.
Network segmentation
The foundation of secure guest WiFi is VLAN isolation. You must create a dedicated guest VLAN on your Ruijie gateway or core switch. This ensures guest traffic never intersects with internal systems, payment terminals, or staff devices. A standard enterprise VLAN scheme for a Ruijie deployment looks like this:
| VLAN ID | Purpose | Notes |
|---|---|---|
| 10 | Corporate | Staff devices, internal servers |
| 20 | Voice | VoIP handsets |
| 30 | Guest | Captive portal, internet-only |
| 40 | IoT | Printers, smart TVs, sensors |
| 99 | Management | Controller, switch management |
For more on why consumer-grade approaches fail here, read Why Consumer WiFi Gear Doesn't Belong on Your Guest Network.
Required components
To complete this deployment, you need:
- A Ruijie Cloud account or a local Ruijie RG-WS Series Wireless Controller (e.g., RG-WS6008 or RG-WS7110).
- A Ruijie RG-EG Series Gateway - required for external portal authentication via WISPr.
- Ruijie RG-AP Series Access Points (e.g., RG-AP820-I, RG-AP850-AR).
- A Purple Connect, Capture, or Engage licence.
- Outbound UDP access on ports 1812 (RADIUS authentication) and 1813 (RADIUS accounting) from the gateway to Purple's servers.
Authentication protocol overview
Ruijie supports several authentication methods. Enterprise deployments should use external RADIUS authentication. This approach uses the WISPr (Wireless Internet Service Provider roaming) protocol to securely redirect unauthenticated users to Purple's splash page, process their credentials, and return a RADIUS Accept or Reject message to the Ruijie controller.

The table above summarises the five authentication methods available on Ruijie platforms. Email registration and social login are the most common choices for hospitality and retail environments because they capture structured, GDPR-compliant first-party data. Voucher codes suit conference rooms and paid access tiers. RADIUS with 802.1X is reserved for staff networks where directory-backed identity is required.
Step-by-step implementation guide
Follow these steps within the Ruijie Cloud or local controller interface. The UI paths below apply to the Ruijie Cloud new interface (post-2024) and the Ruijie JaCS platform.
Step 1: Configure the guest SSID
Establish the wireless broadcast network.
- Log in to Ruijie Cloud or the local controller web interface.
- Navigate to Device Config and select Wi-Fi under the Wireless section.
- Click + to create a new SSID, or edit an existing one.
- Set the SSID Name (e.g., "Free Guest WiFi").
- Set Security Mode to Open - no pre-shared key.
- Assign the SSID to your dedicated guest VLAN (e.g., VLAN 30).
- Save the SSID configuration.
Step 2: Define the captive portal policy
Instruct the controller to intercept guest traffic and redirect it to Purple.
- Navigate to Auth & Account and select Captive Portal under Authentication.
- Create a new policy. Set a descriptive Policy Name (e.g., "Purple-Guest-Portal").
- Set Policy Mode to External.
- Set Authentication Device to your Ruijie gateway (RG-EG series) or access point.
- Select the guest SSID created in Step 1.
- In the Portal Server URL field, enter your specific Purple splash page URL (available in your Purple dashboard under Hardware Configuration).
- Enter the Purple RADIUS server IP addresses in the designated fields.
- Set Seamless Online duration to match your session timeout policy (e.g., 24 hours for hospitality, one hour for retail).
- Decide on Portal Escape behaviour - see the Best Practices section below.
Step 3: Configure the walled garden (allowlist)
A captive portal intercepts all traffic until the user authenticates. Certain traffic must pass through pre-authentication to allow the login page to load and process social logins. This is the most frequently misconfigured element in any captive portal deployment.
- Navigate to Auth & Account and select Allowlist.
- Add all required Purple infrastructure domains. Your Purple dashboard provides the exact list for your region.
- If you offer social login, add the OAuth domains for each provider:
  - For Microsoft Entra ID: *.microsoft.com, *.microsoftonline.com, login.live.com
  - For Google Workspace: *.google.com, accounts.google.com
  - For Okta: your specific Okta tenant domain
- Add any payment processor domains if you offer paid WiFi tiers.
- Save and apply the allowlist.
Step 4: Configure RADIUS authentication
Configure the secure communication channel between Ruijie and Purple.
- Navigate to the RADIUS server settings in your Ruijie controller or gateway.
- Add the primary Purple RADIUS server IP address and port 1812 for authentication.
- Add the secondary Purple RADIUS server IP address as a failover.
- Enter the Shared Secret from your Purple dashboard. This must match exactly.
- Add the accounting server on port 1813 and enable RADIUS accounting. This tracks session duration and data usage, feeding directly into Purple's WiFi Analytics reports.
- Set the NAS Identifier to a meaningful string (e.g., your venue name) to distinguish traffic in Purple's analytics.
Step 5: Apply QoS policies
Unrestricted guest access can saturate your internet link during peak periods.
- Navigate to the QoS or bandwidth management section of your Ruijie gateway.
- Set per-user download limits (e.g., 10 Mbps for hotel guests, 5 Mbps for retail shoppers).
- Set per-user upload limits (e.g., 2-5 Mbps).
- Disable Client Escape to ensure unauthenticated users cannot access the network if the portal server is temporarily unreachable.
- Save and push the configuration to all relevant devices.
Step 6: Test the deployment
Always test from a clean device with no cached credentials.
- Connect a mobile device to the guest SSID.
- Open a browser and navigate to a non-HTTPS URL (e.g., http://example.com). The portal should redirect.
- Verify the Purple splash page loads correctly.
- Complete the authentication flow.
- Confirm internet access is granted post-authentication.
- Check the Purple dashboard to confirm the session appears in your analytics.
Best practices for enterprise deployment
Security and compliance
Never rely on a shared PSK for guest access. Shared passwords offer no accountability and are impossible to revoke for a single user. By using Purple's captive portal with individual authentication, you enforce explicit consent for data processing, satisfying GDPR Article 7 requirements. Purple holds ISO 27001, GDPR, CCPA, and Cyber Essentials certifications, ensuring the data capture mechanism itself is auditable.
For a deeper look at the security architecture, read our Enterprise WiFi Security: A Complete Guide for 2026 and What Is Secure WiFi: Essential Guide for Business 2026.
Portal Escape: a deliberate decision
Ruijie's Portal Escape feature automatically releases user traffic if the AP and portal server become unreachable. In a hospitality environment, you may choose to enable it - a guest locked out of WiFi during a server blip generates complaints. In a retail or healthcare environment, you may choose to disable it - unauthenticated access represents a compliance and security risk. Document your decision and the rationale in your network runbook.
Multi-site consistency
Use Ruijie Cloud to manage configuration centrally across all sites. Push portal policies simultaneously to eliminate per-site configuration drift - the most common cause of inconsistent guest experiences across a distributed estate. Purple's cloud overlay operates on the same principle: one dashboard, all venues.
Firmware management
Some Ruijie captive portal features - particularly bandwidth controls and dynamic VLAN assignment - require specific firmware versions on the gateway. Ruijie's release notes document these dependencies. Ensure your RG-EG gateways run firmware RGOS11.9(6)B17T1 or above for full QoS support on cloud-managed deployments.
Troubleshooting and risk mitigation
Portal page fails to load
If the captive portal does not appear when a device connects, verify your walled garden settings first. The device must resolve DNS and reach the Purple portal URL before authentication. Check that your Ruijie allowlist includes all necessary domains and that your DNS server is accessible from the guest VLAN.
Authentication timeouts
If users see the portal but cannot log in, the issue typically lies in the RADIUS configuration. Verify the RADIUS server IP addresses, ports (1812 for authentication, 1813 for accounting), and the shared secret. Ensure your firewall allows outbound UDP traffic on these ports from the Ruijie gateway's management IP.
Social login hangs
If users click a social login button and nothing happens, the OAuth redirect is being blocked. Add the required social provider domains to your Ruijie allowlist. Test by temporarily allowing all traffic pre-authentication to confirm the portal works, then tighten the allowlist incrementally.
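One way to do that tightening offline, as an added example (not Purple's or Ruijie's code): compare the allowlist against the hostnames a test client tried to resolve before authenticating, and report which hosts are still blocked, which entries are too broad to leave in place, and which entries nothing used. The matching rule (a `*.` entry covers subdomains but not the bare domain) is an assumption to confirm against your firmware; `splash.example.net` and the observed hostnames are constructed placeholders.

```python
def covers(entry, host):
    """True if one allowlist entry admits host (assumed matching semantics)."""
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    if entry == "*":
        return True
    if entry.startswith("*."):
        # "*.google.com" admits "accounts.google.com" but not "google.com"
        # or "notgoogle.com": the match must begin at a label boundary.
        suffix = entry[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def too_broad(entry):
    """Flag entries that admit everything or a whole top-level domain.

    Heuristic only: it does not know multi-label suffixes such as "co.uk".
    """
    entry = entry.lower().rstrip(".")
    return entry == "*" or (entry.startswith("*.") and entry.count(".") < 2)


def audit(allowlist, observed_hosts):
    """Compare an allowlist with hostnames seen before authentication."""
    return {
        # Hosts the client asked for that no entry admits: candidates to add.
        "blocked": [h for h in observed_hosts
                    if not any(covers(e, h) for e in allowlist)],
        # Entries that defeat the portal if left in after testing.
        "too_broad": [e for e in allowlist if too_broad(e)],
        # Entries nothing in this capture needed: candidates to review.
        "unused": [e for e in allowlist
                   if not any(covers(e, h) for h in observed_hosts)],
    }


# Entries from Step 3 plus a placeholder for the Purple splash domain.
ALLOWLIST = ["*.microsoft.com", "*.microsoftonline.com", "login.live.com",
             "*.google.com", "accounts.google.com", "splash.example.net"]

# Constructed pre-authentication DNS log from a test client; it is not a
# list of hosts that any provider requires.
OBSERVED = ["splash.example.net", "login.microsoftonline.com",
            "accounts.google.com", "google.com", "cdn.example.org"]

if __name__ == "__main__":
    for key, values in audit(ALLOWLIST, OBSERVED).items():
        print(key, values)
```

Run it again after the temporary allow-all entry has been removed: `too_broad` should be empty before the configuration is pushed to production sites.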
Dynamic VLAN assignment failures
If you are using RADIUS to assign users to VLANs dynamically, ensure the RADIUS response includes the correct VLAN attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID). Ruijie's RG-EG310GH-E and similar gateways support dynamic VLAN assignment, but the feature requires explicit configuration on both the RADIUS server and the gateway.
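To check a captured Access-Accept against both the shared-secret requirement from Step 4 and the three VLAN attributes named above, the following added example (not Purple's or Ruijie's code) verifies the Response Authenticator and the tunnel attributes using the encodings from RFC 2865, RFC 2868 and RFC 3580. The secret, request authenticator and packet are constructed so it runs offline; VLAN 30 is this guide's guest VLAN.

```python
import hashlib
import hmac
import struct

# Attribute numbers from RFC 2868; VLAN values from RFC 3580.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
ACCESS_ACCEPT, TYPE_VLAN, MEDIUM_IEEE_802 = 2, 13, 6


def build_accept(ident, request_auth, secret, attrs):
    """Build a constructed Access-Accept so the example runs offline."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def parse_attributes(body):
    """Split the attribute area into {type: first value}; None if malformed."""
    attrs, i = {}, 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            return None
        attrs.setdefault(body[i], body[i + 2:i + body[i + 1]])
        i += body[i + 1]
    return attrs


def check_accept(packet, request_auth, secret, expected_vlan):
    """Return the problems found in a reply; an empty list means it is usable."""
    if len(packet) < 20:
        return ["shorter than the 20-byte RADIUS header"]
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return ["Length field does not fit the datagram"]
    packet = packet[:length]  # octets past Length are padding
    problems = []
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    want = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(want, packet[4:20]):
        problems.append("Response Authenticator mismatch (check the shared secret)")
    if code != ACCESS_ACCEPT:
        problems.append("not an Access-Accept")
    attrs = parse_attributes(packet[20:])
    if attrs is None:
        return problems + ["malformed attribute area"]
    checks = (("Tunnel-Type", TUNNEL_TYPE, TYPE_VLAN),
              ("Tunnel-Medium-Type", TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802))
    for name, attr_type, expected in checks:
        value = attrs.get(attr_type)
        # Both carry a 1-byte tag followed by a 3-byte integer.
        if value is None or len(value) != 4:
            problems.append(f"{name} missing or wrong length")
        elif int.from_bytes(value[1:], "big") != expected:
            problems.append(f"{name} is not {expected}")
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        problems.append("Tunnel-Private-Group-ID missing")
    else:
        if group and group[0] <= 0x1F:  # optional leading tag byte
            group = group[1:]
        if group != str(expected_vlan).encode():
            problems.append(f"Tunnel-Private-Group-ID {group!r}, expected VLAN {expected_vlan}")
    return problems


# Constructed sample values; VLAN 30 is this guide's guest VLAN.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))
GOOD = build_accept(7, REQUEST_AUTH, SECRET, [
    (TUNNEL_TYPE, b"\x00" + TYPE_VLAN.to_bytes(3, "big")),
    (TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_IEEE_802.to_bytes(3, "big")),
    (TUNNEL_PRIVATE_GROUP_ID, b"30"),
])
```

RFC 2865 has the client silently discard a reply whose Response Authenticator does not verify, so a mistyped shared secret shows up on the gateway as a timeout rather than as a rejection.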
ROI and business impact
Deploying a secure captive portal transforms guest WiFi from a cost centre into a strategic asset. Purple's WiFi Analytics platform, integrated with your Ruijie infrastructure, captures first-party data, builds high-intent contact lists, and delivers actionable insights into visitor behaviour across your estate.
Harrods used Purple's Guest WiFi to promote its loyalty programme, achieving a market-leading opt-in rate and a 57x ROI (Purple customer data). c2c Rail used Purple to encourage direct bookings, achieving a 121% return on investment and saving £76,000 in operational costs (Purple customer data). Pizza Express deployed Purple across 470+ restaurants to build richer customer profiles.
For hospitality operators, the data captured at login - email, demographic, visit frequency - feeds directly into CRM systems and loyalty programmes. For retail environments, repeat visit analytics identify your highest-value shoppers. For transport hubs, passenger flow data optimises staffing and commercial space planning.
Purple integrates with Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet - as well as Ruijie - making it the hardware-agnostic cloud overlay that works with your existing estate rather than replacing it.
Key Definitions
Captive portal
A web page that a user of a public access network must view and interact with before internet access is granted. It intercepts all HTTP traffic and redirects the user's browser to the portal page.
The core mechanism for enforcing authentication on guest WiFi networks. Used in hotels, retail, stadiums, and public-sector venues to control access and capture consent.
Walled garden
A pre-authentication allowlist that permits specific domains and IP addresses to bypass captive portal interception. Traffic to these destinations is allowed before the user authenticates.
Essential for allowing devices to load the splash page, reach social login providers, and process payment flows before the user is fully authenticated. Misconfiguration here is the leading cause of captive portal failures.
RADIUS
Remote Authentication Dial-In User Service. A networking protocol that provides centralised Authentication, Authorisation, and Accounting management for users connecting to a network service.
The secure protocol Ruijie controllers use to communicate with Purple's servers. Authentication requests go to port 1812 (UDP); accounting records go to port 1813 (UDP).
WISPr
Wireless Internet Service Provider roaming. A protocol specification that defines how a captive portal redirects unauthenticated users to a login page and how the access controller receives the authentication result.
The specific protocol framework used by Ruijie and Purple to handle the external captive portal redirection and authentication flow. Required for external portal mode on Ruijie gateways.
VLAN isolation
The practice of separating network traffic into distinct virtual local area networks at the switch level, preventing devices on different VLANs from communicating directly.
Non-negotiable for guest networks. Ensures guest devices cannot communicate with corporate servers, staff laptops, or payment terminals, even if they are connected to the same physical infrastructure.
Portal Escape
A Ruijie feature that automatically releases user traffic if the access point and portal server become unreachable, allowing unauthenticated internet access during an outage.
A deliberate trade-off between availability and security. Hospitality operators may enable it to prevent guest complaints during outages. Healthcare and retail operators typically disable it to enforce strict authentication at all times.
SSID
Service Set Identifier. The public name of a wireless network that devices display in their available networks list.
The network name guests select on their devices, which triggers the captive portal redirection. Each SSID in a Ruijie deployment is mapped to a specific VLAN and authentication policy.
QoS
Quality of Service. A set of technologies that manage data traffic to reduce packet loss, latency, and jitter, and to ensure predictable performance for specific traffic types.
Used in guest networks to cap per-user bandwidth, preventing a single device from saturating the internet link and degrading the experience for all other connected users.
802.1X
An IEEE standard for port-based network access control, providing an authentication mechanism for devices connecting to a LAN or WLAN.
Used for staff networks requiring directory-backed identity (e.g., via Microsoft Entra ID or Okta). Not typically used for guest networks, where a captive portal with RADIUS is the appropriate pattern.
Worked Examples
A 250-room hotel uses Ruijie RG-AP820-I access points and an RG-EG310GH-E gateway. They require guests to authenticate via email to build a marketing database. Management is concerned about guests bypassing the portal and about peak-hour bandwidth saturation during conference events.
The IT team creates a dedicated guest VLAN (VLAN 40) on the core switch and trunks it to the Ruijie gateway and APs. In Ruijie Cloud, they create an open SSID mapped to VLAN 40. They configure an External Captive Portal policy pointing to the Purple splash page URL, with the Portal Server URL and RADIUS credentials from the Purple dashboard. Crucially, they configure the Walled Garden to allow traffic only to Purple's domains and disable the Portal Escape feature on the Ruijie gateway, preventing unauthenticated access during any portal outage. They apply a QoS policy limiting each client to 10 Mbps down and 3 Mbps up. For conference events, they create a separate SSID on VLAN 50 with a voucher-based portal and tighter bandwidth limits of 5 Mbps per device.
A retail chain with 50 locations uses Ruijie WS6008 controllers. They implement social login (Facebook and Google Workspace) for shoppers accessing WiFi, but the portal page hangs when users click the social login buttons. The issue affects all 50 sites simultaneously.
The IT manager identifies that the Allowlist (Walled Garden) configuration on the Ruijie controllers is missing the OAuth domains required by Facebook and Google. While the Purple portal URL was correctly allowed, the social provider domains needed for the OAuth handshake were blocked by the captive portal interception. The team adds the required wildcard domains - specifically *.facebook.com, *.fbcdn.net, accounts.google.com, and *.googleapis.com - to the Ruijie Allowlist. They push the updated configuration to all 50 sites simultaneously via Ruijie Cloud, resolving the issue across the entire estate in a single operation.
Practice Questions
Q1. You have configured an external captive portal on a Ruijie RG-EG gateway. Guests connect to the SSID, but their devices report 'No Internet Connection' and the portal page never loads. What is the most likely configuration error and how do you resolve it?
Hint: Consider what network operations must succeed before the user can even see the login page.
Model answer:
The walled garden (Allowlist) is misconfigured. The Ruijie gateway is blocking DNS resolution or HTTP traffic required to reach the external Purple splash page URL. Before authentication, the device must be able to resolve the portal domain and make an HTTP connection to it. Add the specific Purple domains to the pre-authentication allowlist in the Ruijie Auth & Account section. Also verify that the guest VLAN has a valid DNS server assigned via DHCP.
Q2. A stadium IT director wants to deploy Ruijie APs for fan WiFi during events. They want to collect marketing data but are concerned that RADIUS authentication will cause delays when 10,000 fans connect simultaneously during the first 30 minutes of doors opening. How should they design the authentication flow to balance data capture with user experience?
Hint: Consider the trade-off between data richness and authentication friction at scale.
Model answer:
They should use Purple's One-Click Login for returning fans who have previously authenticated, which bypasses the form fill and reduces RADIUS load. For new fans, a minimal email capture form is preferable to social login, which requires additional OAuth round-trips. The Ruijie gateway must be sized to handle concurrent RADIUS requests - for 10,000 simultaneous connections, a high-capacity RG-EG series gateway is required. Enabling Seamless Online with a 30-day session duration means returning fans connect automatically at subsequent events. QoS limits should be strict (5 Mbps per device) to prevent early arrivals from saturating the link before the main crowd arrives.
Q3. During a security audit, a penetration tester accesses the corporate file server while connected to the 'Guest WiFi' SSID broadcast by a Ruijie AP. The guest network uses a correctly configured captive portal. How do you resolve this critical vulnerability?
Hint: Authentication and network segmentation are separate concerns. One does not imply the other.
Model answer:
The captive portal is working correctly, but VLAN isolation is missing or misconfigured. The guest SSID is dropping authenticated users onto the corporate VLAN or native VLAN, which has routing access to internal servers. You need to: (1) create a dedicated guest VLAN (e.g., VLAN 50) on the core switch; (2) assign the Guest SSID to VLAN 50 in the Ruijie controller; (3) configure the switch ports connecting the APs as 802.1Q trunks permitting VLAN 50; (4) configure the Ruijie gateway to block routing between VLAN 50 and all corporate subnets, permitting only internet-bound traffic from the guest VLAN. Authentication and network segmentation are independent controls - both must be correctly configured.
Q4. Your Ruijie deployment has Portal Escape enabled. During a planned maintenance window on the Purple RADIUS servers, you notice that guests are accessing the internet without authenticating. Is this expected behaviour, and what are the compliance implications?
Hint: Consider the purpose of Portal Escape and your GDPR obligations.
Model answer:
Yes, this is the expected behaviour of Portal Escape. When the portal server is unreachable, Ruijie automatically releases traffic to maintain connectivity. However, this creates a compliance gap: users are accessing the internet without providing consent for data processing, which may violate GDPR requirements if your terms of service or data capture are tied to the authentication event. For venues where consent capture is a legal or commercial requirement, Portal Escape should be disabled. Schedule RADIUS server maintenance during periods of minimal guest activity, and communicate the maintenance window to venue management. Consider implementing a secondary Purple RADIUS server as a failover to eliminate the scenario entirely.