EnGenius Cloud Access Points Integration with Purple WiFi

This technical reference details the step-by-step integration of EnGenius Cloud Access Points and ECS switches with Purple's guest WiFi platform. It covers guest captive portal redirection via an external splash page, Walled Garden configuration, secure staff WiFi using IEEE 802.1X, and multi-tenant network isolation using EnGenius MyPSK with dynamic VLAN assignment. IT installers and network architects will find actionable configuration sequences, real-world case studies, and a troubleshooting framework for deploying Purple across EnGenius hardware estates.

PODCAST SCRIPT: EnGenius Cloud Access Points Integration with Purple WiFi Purple WiFi Intelligence Platform - Technical Briefing Series Duration: Approximately 10 minutes Voice: UK English, senior consultant tone - confident, conversational, authoritative [INTRO - 1 MINUTE] Welcome to the Purple Technical Briefing Series. Today we are covering something that comes up regularly on enterprise deployments: integrating EnGenius Cloud access points with Purple's guest WiFi platform. If you are running an EnGenius estate, whether that is ECW series access points in a hotel, a retail chain, or a multi-tenant office building, and you want to add a branded captive portal, collect first-party visitor data, and enforce proper network segmentation, this briefing is for you. In the next ten minutes, I want to walk you through the four core configuration areas: guest captive portal redirection, walled garden setup, secure staff WiFi using 802.1X, and multi-tenant isolation using EnGenius MyPSK with dynamic VLAN assignment. By the end, you will have a clear picture of exactly what to configure, in what order, and where the common pitfalls are. Let's get into it. [TECHNICAL DEEP-DIVE - 5 MINUTES] Let's start with the guest captive portal, the most common starting point for any venue operator. EnGenius Cloud supports external splash pages natively. That means instead of hosting a basic login page on the access point itself, you redirect unauthenticated guests to Purple's cloud-hosted portal. This is where the branding, the data capture, the consent management, and the analytics all live. Here is the configuration sequence in EnGenius Cloud. Log into your EnGenius Cloud dashboard and navigate to Configure, then SSID. Select your guest SSID. Under the Wireless tab, set the security type to Open or WPA2 PSK, depending on your preference. Open is standard for most guest WiFi deployments. Then switch to the Captive Portal tab. 
Enable the captive portal and set the Authentication Type to Custom RADIUS. This is the key setting. It tells the access point to forward authentication requests to an external RADIUS server, which in this case is Purple's cloud RADIUS endpoint. Now enter Purple's RADIUS details. The primary RADIUS server IP is provided in your Purple dashboard under Hardware Configuration. The authentication port is UDP 1812. The accounting port is UDP 1813. Enter the shared secret. Purple generates this for you, and it should be at least 22 characters mixing upper and lower case, numbers, and symbols. Set the NAS identifier to match your venue name or a unique identifier you have defined in Purple. Next, switch to the Splash Page tab. Select External Splash Page URL and enter the Purple portal URL. This is the URL Purple provides for your specific venue. When a guest connects to the SSID and opens a browser, the access point intercepts the request and redirects them to this URL, passing parameters including the client MAC address, the AP MAC address, and the original URL the guest was trying to reach. Now the walled garden. This is the list of domains and IP addresses that guests can reach before they authenticate. Without it, the Purple portal itself cannot load, because the guest's browser cannot reach Purple's servers. In EnGenius Cloud, the walled garden is under Captive Portal, then Advanced Settings, then Walled Garden. You need to add the Purple portal domain, Purple's CDN endpoints, and the operating system captive portal probe endpoints. For Apple devices, that is captive.apple.com. For Android, connectivitycheck.gstatic.com. For Windows, msftconnecttest.com. Miss any of these and guests on those platforms will not see the portal at all. If you are offering social login through Google or Facebook, you also need to whitelist the OAuth endpoints for those providers. Google requires accounts.google.com, oauth2.googleapis.com, and apis.google.com at minimum. 
Facebook requires www.facebook.com, graph.facebook.com, and connect.facebook.net. Purple's support documentation provides an up-to-date walled garden list for each authentication method. Use that as your reference, because these domains do change. Now let's move to secure staff WiFi using 802.1X. This is a separate SSID. The security type here is WPA2 Enterprise or WPA3 Enterprise. In EnGenius Cloud, under the SSID Wireless tab, select WPA2 Enterprise and then choose Custom RADIUS. Enter the same RADIUS server details. Purple's RADIUS endpoint, port 1812, and the shared secret. The difference from the guest setup is that there is no captive portal here. Staff devices authenticate silently using the IEEE 802.1X protocol. The device presents a certificate or username and password to the RADIUS server, which validates it and returns an Access-Accept message along with VLAN assignment attributes. The RADIUS attributes that drive dynamic VLAN assignment are Tunnel-Type set to VLAN, Tunnel-Medium-Type set to 802, and Tunnel-Private-Group-ID set to the VLAN number. So if your staff VLAN is VLAN 20, the RADIUS server returns Tunnel-Private-Group-ID with a value of 20. The EnGenius access point reads this attribute and places the authenticated device on VLAN 20 automatically. This means you can have a single SSID serving multiple staff roles, finance, operations, IT, contractors, each landing on a different VLAN based on their directory group membership, all without any manual VLAN configuration per device. For the EAP method, PEAP-MSCHAPv2 is the most common choice for environments using Active Directory or Microsoft Entra ID. It requires a server-side certificate on the RADIUS server and username-password credentials on the client. EAP-TLS is more secure. It uses certificates on both sides. But it requires a PKI infrastructure and MDM deployment to push certificates to devices. 
For most venue operators, PEAP-MSCHAPv2 with strict certificate validation enforced via Group Policy or MDM is the practical choice. Now for the most technically interesting part: EnGenius MyPSK and multi-tenant isolation. MyPSK, also called PPSK or Private Pre-Shared Key, solves a specific problem in multi-tenant environments. In a build-to-rent development, a serviced office, or a student accommodation block, you want each tenant or resident to have their own unique WiFi password. But you do not want to create a separate SSID for each tenant. That creates radio frequency congestion and management overhead. MyPSK lets you create up to 500 unique pre-shared keys per SSID. Each key is bound to a specific VLAN. When a resident connects using their unique key, the access point places them on their designated VLAN automatically. Tenant A's traffic never touches Tenant B's network segment. The encryption is also per-user. Each key generates a unique Pairwise Master Key, so one tenant cannot decrypt another tenant's over-the-air traffic even though they share the same SSID. In EnGenius Cloud, you configure MyPSK under the SSID security settings. Select WPA2 PSK or WPA3 Personal, then enable MyPSK. You can then create PSKs individually or auto-generate batches of up to 50 at a time. For each PSK, you assign a VLAN ID and optionally set an expiration date. When a lease ends or a student graduates, you simply expire or delete their PSK. Access is revoked immediately without affecting any other tenant. For Purple integration in a MyPSK environment, the guest-facing tenants can still be directed through a captive portal on their VLAN. Staff and operational tenants bypass the portal entirely. The VLAN segmentation ensures Purple's analytics data is correctly attributed per network segment. [IMPLEMENTATION RECOMMENDATIONS AND PITFALLS - 2 MINUTES] Let me give you the implementation sequence I recommend for a clean first deployment. 
Start with your VLAN architecture before you touch the WiFi configuration. Define VLAN 10 for guests, VLAN 20 for staff, VLAN 30 for tenants, or whatever numbering fits your existing scheme. Configure these VLANs on your ECS switches first, with the appropriate trunk and access port assignments. The access points need to receive tagged traffic on the uplink port for each VLAN you plan to use. Then configure the SSIDs in EnGenius Cloud in this order: guest SSID first, because it is the most straightforward. Validate the captive portal redirect to Purple before moving on. Then configure the staff SSID with 802.1X. Test with a known device before rolling out to the full estate. Then configure MyPSK if you need multi-tenant isolation. The pitfalls. First, the walled garden. This is the number one cause of failed captive portal deployments. If guests cannot reach the portal, check the walled garden first. Second, RADIUS shared secret mismatch. The shared secret must be identical on both the EnGenius Cloud configuration and the Purple RADIUS server configuration. A single character difference causes every authentication to fail silently. Third, VLAN trunk configuration on the switch. If the ECS switch port connecting to the access point is not configured as a trunk carrying all the required VLANs, dynamic VLAN assignment will fail. Fourth, certificate validation on 802.1X clients. If staff devices are not configured to validate the RADIUS server certificate, they are vulnerable to credential theft via rogue access points. Enforce this via Group Policy for Windows and MDM profiles for everything else. [RAPID-FIRE Q&A - 1 MINUTE] A few questions I hear regularly on EnGenius and Purple deployments. Can I use EnGenius Cloud RADIUS instead of Purple's RADIUS? Yes, for internal authentication. But for guest WiFi with Purple's analytics and portal, you need to point to Purple's RADIUS endpoint. The two can coexist on different SSIDs. Does MyPSK work with WPA3? Yes. 
EnGenius supports WPA3 and WPA2/WPA3 mixed mode with MyPSK, so WPA3-capable devices get SAE authentication while older devices fall back to WPA2 PSK, all using the same per-user key. Does Purple support RADIUS accounting for session data? Yes. Enable the accounting server in EnGenius Cloud's RADIUS configuration, pointing to Purple's accounting endpoint on UDP 1813. This feeds session duration and data volume into Purple's analytics. [SUMMARY AND NEXT STEPS - 1 MINUTE] To summarise. EnGenius Cloud access points integrate cleanly with Purple's guest WiFi platform through four configuration layers. Guest captive portal redirection uses Custom RADIUS and an external splash page URL pointing to Purple. Walled garden whitelisting ensures the portal loads before authentication. Staff WiFi uses WPA2 Enterprise with 802.1X and dynamic VLAN assignment via RADIUS attributes. And multi-tenant isolation uses EnGenius MyPSK to assign unique per-user keys bound to specific VLANs, with optional expiry dates for time-limited access. Purple operates across 80,000 venues and has processed 440 million logins in 2024 alone. The platform is ISO 27001 certified, GDPR compliant, and hardware-agnostic, which is exactly why it works cleanly with EnGenius alongside Cisco Meraki, HPE Aruba, Ruckus, and the rest of the enterprise hardware ecosystem. If you are ready to deploy, start with the walled garden configuration guide in Purple's support documentation, then work through the SSID setup in EnGenius Cloud. The full step-by-step guide is available at purple.ai. Thank you for listening.

Executive summary

Relying on a shared pre-shared key for enterprise WiFi exposes venues to significant security risks and prevents the collection of valuable first-party data. This guide details the integration of EnGenius Cloud Access Points with Purple's Guest WiFi platform to deliver secure, segmented, and measurable wireless networks across hospitality, retail, and multi-tenant environments. By implementing IEEE 802.1X authentication for staff, dynamic VLAN assignment via EnGenius MyPSK for residents and tenants, and a cloud-hosted captive portal for guests, IT teams can enforce strict access controls while turning wireless infrastructure into a business intelligence asset.

Purple processes 440 million logins annually across 80,000+ live venues (Purple internal data, 2024). The platform is ISO 27001 certified, GDPR and CCPA compliant, and hardware-agnostic - which is precisely why it integrates cleanly with EnGenius alongside Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, and Ubiquiti UniFi. This guide covers the four configuration layers required to deploy Purple on EnGenius Cloud hardware: guest captive portal redirection, Walled Garden setup, secure Staff WiFi, and multi-tenant isolation using EnGenius MyPSK.


Technical deep-dive

Architecture overview

The integration between EnGenius Cloud and Purple relies on standard RADIUS protocols and HTTP redirection. When a guest connects to an EnGenius ECW access point on a captive portal-enabled SSID, the AP intercepts the first HTTP request and redirects the browser to Purple's cloud-hosted splash page. This redirection passes several parameters to the portal - including client_mac, ap_mac, and userurl - which Purple uses to track the session and return an authentication decision.

For staff and operational devices, the architecture shifts from captive portal redirection to IEEE 802.1X port-based network access control. The EnGenius access point acts as the authenticator, forwarding Extensible Authentication Protocol (EAP) messages to Purple's RADIUS server via UDP port 1812. Upon successful authentication, the RADIUS server returns an Access-Accept message containing VLAN assignment attributes, instructing the AP to place the device on the correct network segment.

Layer        | SSID Type                | Authentication Method                   | VLAN Assignment
Guest WiFi   | Open or WPA2 PSK         | Purple captive portal via Custom RADIUS | Static (e.g., VLAN 10)
Staff WiFi   | WPA2/WPA3 Enterprise     | 802.1X (PEAP or EAP-TLS)                | Dynamic via RADIUS attributes
Multi-Tenant | WPA2/WPA3 PSK with MyPSK | Per-user PSK                            | Per-key VLAN binding

EnGenius Cloud platform

EnGenius Cloud is a cloud-managed networking platform supporting the ECW series access points (including the ECW220, ECW230, and ECW520 WiFi 7 models) and ECS series managed switches. The platform provides a centralised dashboard for SSID management, RADIUS configuration, VLAN tagging, and captive portal settings across all devices in an organisation. EnGenius Cloud supports three RADIUS-based captive portal authentication types: EnGenius Authentication (using the built-in Cloud RADIUS), Custom RADIUS (pointing to an external server such as Purple), and Voucher Service.

For enterprise deployments, Custom RADIUS is the correct authentication type when integrating with Purple. This mode instructs the access point to proxy authentication requests to Purple's RADIUS endpoint, enabling Purple's portal, analytics, and data capture capabilities.

EnGenius MyPSK and multi-tenant isolation

In environments such as build-to-rent properties, student accommodation, serviced offices, or coworking spaces, broadcasting a separate SSID for every tenant degrades radio frequency performance. Each additional SSID generates beacon frames that consume airtime and reduce the capacity available for data traffic. EnGenius MyPSK (also referred to as PPSK, or Private Pre-Shared Key) resolves this by allowing up to 500 unique PSKs on a single SSID.

Each key is bound to a specific VLAN. When a resident connects using their unique key, the access point places them on their designated network segment automatically. The encryption is per-user: each key generates a unique Pairwise Master Key (PMK), so one tenant cannot decrypt another tenant's over-the-air traffic even though they share the same SSID. This is a fundamental security advantage over a single shared PSK, where any user who knows the password can decrypt all traffic on the network.

MyPSK keys support expiration dates, making them well-suited to time-limited access scenarios: a student's key expires at the end of the academic year, a contractor's key expires when their engagement ends, and a conference attendee's key expires at midnight on the final day of the event.


Implementation guide

Step 1: Define your VLAN architecture

Before configuring any SSID, define the VLAN structure on your ECS switches. A typical deployment uses three VLANs:

VLAN ID | Purpose              | Access Policy
VLAN 10 | Guest WiFi           | Internet-only, isolated from corporate LAN
VLAN 20 | Staff WiFi           | Full corporate LAN access
VLAN 30 | Tenant/Resident WiFi | Isolated per-tenant segments

Configure the ECS switch port connecting to each ECW access point as a trunk port, allowing all three VLANs. The native VLAN on the trunk should be the management VLAN. If the trunk is not configured correctly, dynamic VLAN assignment will fail silently.

Step 2: Configure the guest captive portal (EnGenius captive portal setup)

This is the primary configuration for deploying the EnGenius splash page with Purple.

  1. Log into your EnGenius Cloud dashboard at cloud.engenius.ai.
  2. Navigate to Configure > SSID and select your guest network (e.g., "VenueGuest").
  3. Under the Wireless tab, set Security Type to Open. This is standard for guest WiFi; guests are identified and authenticated at the portal layer, not the association layer.
  4. Switch to the Captive Portal tab and enable the portal.
  5. Set Authentication Type to Custom RADIUS.
  6. Enter the Purple RADIUS server details:

     Field               | Value
     RADIUS Server IP    | Provided in Purple dashboard under Hardware Configuration
     Authentication Port | UDP 1812
     Accounting Port     | UDP 1813
     Shared Secret       | 22+ character string generated by Purple
     NAS Identifier      | Your venue name or Purple venue ID

  7. Switch to the Splash Page tab.
  8. Select External Splash Page URL.
  9. Enter the Purple portal URL for your venue (format: https://portal.purple.ai/[venue-id]).
  10. Click Apply.

Step 3: Configure the Walled Garden

The Walled Garden (EnGenius guest WiFi whitelist) must be configured to allow pre-authentication access to the domains required for the portal to load. Navigate to Captive Portal > Advanced Settings > Walled Garden and add the following entries:

Purple infrastructure:

  • *.purple.ai
  • *.purpleportal.net

OS captive portal probes (mandatory):

  • captive.apple.com (iOS and macOS)
  • connectivitycheck.gstatic.com (Android)
  • msftconnecttest.com (Windows)

Social login (if enabled):

  • Google: accounts.google.com, oauth2.googleapis.com, apis.google.com, *.gstatic.com
  • Facebook: www.facebook.com, graph.facebook.com, connect.facebook.net, *.fbcdn.net
  • Microsoft Entra ID: login.microsoftonline.com, login.live.com

Always use domain names rather than static IP addresses. Social login providers use dynamic IP ranges and anycast routing; a static IP whitelist will degrade over time as CDN addresses change.
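
A pre-deployment check for the list above, as an added example (not Purple's or EnGenius's own tooling): it audits an exported Walled Garden against the entries this step requires and flags static IP entries. The wildcard semantics (`*.domain` matches subdomains only, not the bare domain) and the sample configuration are assumptions; confirm how your EnGenius Cloud version treats wildcards.

```python
"""Audit a captive-portal Walled Garden against the entries this guide requires."""
import ipaddress

# Required entries copied from the guide's Walled Garden step.
ALWAYS = {
    "purple": ["*.purple.ai", "*.purpleportal.net"],
    "os_probes": ["captive.apple.com", "connectivitycheck.gstatic.com",
                  "msftconnecttest.com"],
}
SOCIAL = {
    "google": ["accounts.google.com", "oauth2.googleapis.com",
               "apis.google.com", "*.gstatic.com"],
    "facebook": ["www.facebook.com", "graph.facebook.com",
                 "connect.facebook.net", "*.fbcdn.net"],
    "entra": ["login.microsoftonline.com", "login.live.com"],
}


def normalize(entry: str) -> str:
    return entry.strip().lower().rstrip(".")


def is_ip(entry: str) -> bool:
    """True for a literal IP address or CIDR range."""
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def covers(configured: str, required: str) -> bool:
    """Does one configured entry satisfy one required entry?

    Assumption: '*.example.com' matches any subdomain but not 'example.com'.
    """
    c, r = normalize(configured), normalize(required)
    if c == r:
        return True
    if not c.startswith("*."):
        return False
    suffix = c[1:]                                  # ".example.com"
    base = r[2:] if r.startswith("*.") else r       # compare on the domain part
    return base.endswith(suffix)


def audit(configured, social_methods=()):
    """Return missing required entries per group, plus any static IP entries."""
    entries = [normalize(e) for e in configured if e.strip()]
    ip_entries = [e for e in entries if is_ip(e)]
    names = [e for e in entries if not is_ip(e)]

    groups = dict(ALWAYS)
    for method in social_methods:
        groups[method] = SOCIAL[method]

    missing = {}
    for group, required in groups.items():
        gaps = [r for r in required if not any(covers(c, r) for c in names)]
        if gaps:
            missing[group] = gaps
    return {"missing": missing, "ip_entries": ip_entries}


# Constructed sample export: Google login enabled, Android probe forgotten,
# and one static IP (documentation range) that the guide says to avoid.
SAMPLE_CONFIG = [
    "*.purple.ai", "*.purpleportal.net",
    "captive.apple.com", "msftconnecttest.com",
    "accounts.google.com", "oauth2.googleapis.com", "apis.google.com",
    "203.0.113.10",
]

if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG, social_methods={"google"})
    for group, gaps in report["missing"].items():
        print(f"[{group}] missing: {', '.join(gaps)}")
    for ip in report["ip_entries"]:
        print(f"[warning] static IP entry: {ip}")
```

In the sample, adding `*.gstatic.com` closes both gaps at once, because the wildcard also covers the Android probe host.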

Step 4: Configure secure staff WiFi (802.1X)

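The EnGenius RADIUS setup for staff WiFi uses WPA2 Enterprise, so each staff device authenticates individually via 802.1X instead of a shared password. Authentication is certificate-backed, and passwordless when EAP-TLS is used (see EAP method selection below).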

  1. Create a new SSID (e.g., "VenueStaff").
  2. Under the Wireless tab, set Security Type to WPA2 Enterprise.
  3. Select Custom RADIUS and enter the RADIUS server IP, port 1812, and the shared secret.
  4. No captive portal is required. Staff devices authenticate silently via 802.1X.
  5. Configure your RADIUS server to return the following attributes on Access-Accept:

     RADIUS Attribute        | Value
     Tunnel-Type             | 13 (VLAN)
     Tunnel-Medium-Type      | 6 (802)
     Tunnel-Private-Group-ID | 20 (or your staff VLAN ID)

For EAP method selection: PEAP-MSCHAPv2 is the practical choice for environments using Microsoft Entra ID or Active Directory. EAP-TLS provides stronger security by eliminating passwords entirely, but requires a Public Key Infrastructure and MDM solution to deploy client certificates. Enforce strict server certificate validation on all client devices via Group Policy (Windows) or MDM profiles (macOS, iOS, Android) to prevent credential theft from rogue access points.
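
To confirm that the RADIUS server really returns the three attributes above, the following added example (not code from Purple or EnGenius) decodes an Access-Accept packet taken from a capture and reports the VLAN it assigns. The attribute numbers 64, 65 and 81 and the tag handling follow RFC 2868; requiring all three attributes to share one tag is a strict choice made here, and the sample packet is constructed.

```python
"""Decode the VLAN attributes in a RADIUS Access-Accept (RFC 2865 / RFC 2868)."""
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_802 = 13, 6           # values given in this guide


def parse_attributes(packet: bytes):
    """Return (code, [(attr_type, value_bytes), ...]) with bounds checks."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20                 # bytes 4..19 hold the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def split_tag(value: bytes):
    """Tunnel-Private-Group-ID: a first byte <= 0x1F is a tag, else it is text."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:].decode("ascii")
    return 0, value.decode("ascii")


def vlan_assignment(packet: bytes) -> int:
    """Return the VLAN ID carried by an Access-Accept, or raise ValueError.

    The Response Authenticator is not verified here; that needs the shared
    secret and the matching Access-Request.
    """
    code, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError(f"code {code} is not Access-Accept")
    tunnels = {}                        # tag -> {"type", "medium", "group"}
    for atype, value in attrs:
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            if len(value) != 4:
                raise ValueError(f"attribute {atype} must be tag + 3-byte value")
            key = "type" if atype == TUNNEL_TYPE else "medium"
            tunnels.setdefault(value[0], {})[key] = int.from_bytes(value[1:], "big")
        elif atype == TUNNEL_PRIVATE_GROUP_ID:
            tag, text = split_tag(value)
            tunnels.setdefault(tag, {})["group"] = text
    for _tag, t in sorted(tunnels.items()):
        if (t.get("type") == TYPE_VLAN and t.get("medium") == MEDIUM_802
                and "group" in t):
            group = t["group"]
            if not group.isdigit() or not 1 <= int(group) <= 4094:
                raise ValueError(f"Tunnel-Private-Group-ID {group!r} is not a VLAN ID")
            return int(group)
    raise ValueError("no tag carries Tunnel-Type=13, Tunnel-Medium-Type=6 "
                     "and Tunnel-Private-Group-ID together")


def build_attr(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value


def sample_accept(vlan: str = "20", include_medium: bool = True) -> bytes:
    """Constructed Access-Accept with a zeroed authenticator (sample data only)."""
    attrs = build_attr(TUNNEL_TYPE, b"\x00" + TYPE_VLAN.to_bytes(3, "big"))
    if include_medium:
        attrs += build_attr(TUNNEL_MEDIUM_TYPE, b"\x00" + MEDIUM_802.to_bytes(3, "big"))
    attrs += build_attr(TUNNEL_PRIVATE_GROUP_ID, vlan.encode("ascii"))
    header = struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attrs))
    return header + bytes(16) + attrs


if __name__ == "__main__":
    print("assigned VLAN:", vlan_assignment(sample_accept("20")))
    try:
        vlan_assignment(sample_accept("20", include_medium=False))
    except ValueError as exc:
        print("rejected:", exc)
```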

Step 5: Configure EnGenius MyPSK for multi-tenant isolation

EnGenius MyPSK setup for a multi-tenant environment:

  1. Create a new SSID (e.g., "VenueResident").
  2. Under the Wireless tab, set Security Type to WPA2 PSK or WPA3 Personal.
  3. Enable MyPSK (Private PSK).
  4. Click Add PSK to create individual keys, or use Auto-Generate to create batches of up to 50 at a time.
  5. For each PSK, assign a VLAN ID and optionally set a Start Date and Expiration Date.
  6. Distribute each unique PSK to the corresponding tenant or resident.

When a tenant's lease ends, delete or expire their PSK. Access is revoked immediately without affecting any other tenant on the network.
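
The per-key isolation described under "EnGenius MyPSK and multi-tenant isolation" and the key creation in this step can be checked offline before keys are issued. This added example (not EnGenius code or an EnGenius API) derives the WPA2-Personal PMK for each key with the standard PBKDF2-HMAC-SHA1 derivation and flags inventory mistakes that would undermine isolation. The inventory layout, tenant names and passphrases are constructed, and WPA3-SAE does not derive its PMK this way.

```python
"""Pre-issue check of a per-tenant PSK inventory for one SSID (WPA2-Personal)."""
import hashlib
from datetime import date

MAX_KEYS_PER_SSID = 500                 # limit stated in this guide


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def validate_inventory(ssid: str, keys: list, today: date) -> list:
    """Return a list of (problem, detail) tuples; an empty list means clean.

    Each key is a dict: tenant, psk, vlan, expires (date or None). This layout
    is hypothetical, not an EnGenius export format.
    """
    problems = []
    if len(keys) > MAX_KEYS_PER_SSID:
        problems.append(("too_many_keys", str(len(keys))))
    pmk_owner, vlan_owner = {}, {}
    for key in keys:
        tenant, psk, vlan = key["tenant"], key["psk"], key["vlan"]
        expires = key.get("expires")
        # WPA2 passphrases are 8 to 63 ASCII characters.
        if not (psk.isascii() and 8 <= len(psk) <= 63):
            problems.append(("bad_passphrase", tenant))
            continue
        if not 1 <= vlan <= 4094:
            problems.append(("bad_vlan", tenant))
        # Two tenants with the same passphrase share a PMK on this SSID, so
        # neither the per-user encryption nor the VLAN binding separates them.
        pmk = derive_pmk(psk, ssid)
        if pmk in pmk_owner:
            problems.append(("duplicate_psk", f"{pmk_owner[pmk]}+{tenant}"))
        pmk_owner.setdefault(pmk, tenant)
        # Distinct keys bound to one VLAN still share a Layer 2 segment.
        if vlan in vlan_owner and vlan_owner[vlan] != tenant:
            problems.append(("shared_vlan", f"{vlan_owner[vlan]}+{tenant}"))
        vlan_owner.setdefault(vlan, tenant)
        # A key past its expiration date should be removed, not left listed.
        if expires is not None and expires < today:
            problems.append(("expired", tenant))
    return problems


# Constructed sample inventory for the "VenueResident" SSID from this step.
SAMPLE_TODAY = date(2025, 6, 1)
SAMPLE_KEYS = [
    {"tenant": "unit-11", "psk": "corral-violet-47-lamp", "vlan": 31,
     "expires": date(2026, 8, 31)},
    {"tenant": "unit-12", "psk": "harbor-maple-92-stone", "vlan": 32,
     "expires": None},
    {"tenant": "unit-13", "psk": "short7", "vlan": 33, "expires": None},
    {"tenant": "unit-14", "psk": "harbor-maple-92-stone", "vlan": 34,
     "expires": date(2025, 1, 31)},
    {"tenant": "unit-15", "psk": "tundra-pixel-08-reef", "vlan": 31,
     "expires": None},
]

if __name__ == "__main__":
    for problem, detail in validate_inventory("VenueResident", SAMPLE_KEYS,
                                              SAMPLE_TODAY):
        print(f"{problem}: {detail}")
```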


Best practices

Enforce strict certificate validation on 802.1X clients. PEAP-MSCHAPv2 is only secure when clients are configured to validate the RADIUS server's certificate against a trusted CA. Without this, a rogue access point can present a fraudulent certificate and harvest credentials. Deploy validation settings via Group Policy Objects for Windows and MDM configuration profiles for all other platforms. This is non-negotiable for any deployment in a regulated environment.

Use dynamic DNS resolution in the Walled Garden. Google, Apple, and Meta use dynamic IP ranges for their OAuth and CDN endpoints. Configure Walled Garden entries as domain names and ensure your EnGenius Cloud controller resolves them dynamically. A static IP whitelist will cause authentication failures as CDN IPs rotate.

Segment IoT devices with MAC Authentication Bypass. Headless devices such as printers, displays, and IoT sensors cannot authenticate via 802.1X. Use MAC Authentication Bypass (MAB) to identify them and place them on a restricted VLAN with firewall rules preventing lateral movement. MAB is not a security control - it is a device identification mechanism. Treat MAB-authenticated devices as untrusted.

Implement RADIUS accounting. Enable the accounting server in EnGenius Cloud's RADIUS configuration, pointing to Purple's accounting endpoint on UDP 1813. This feeds session duration, data volume, and device information into Purple's WiFi Analytics platform, providing the venue utilisation data that justifies the infrastructure investment.

Review the Walled Garden quarterly. OAuth providers and CDNs change their domain structures. Apple updated its Sign In domains twice in 2023. Build a quarterly review of the Walled Garden into your operational calendar. For further guidance on enterprise WiFi security practices, see our Enterprise WiFi Security guide.


Troubleshooting and risk mitigation

Symptom: Captive portal fails to load on iOS devices. Cause: captive.apple.com is not in the Walled Garden. iOS uses this endpoint to detect the presence of a captive portal and trigger the Captive Network Assistant. Without it, the device reports "No Internet Connection" and never opens the portal browser. Fix: Add captive.apple.com to the Walled Garden in EnGenius Cloud under Captive Portal > Advanced Settings.

Symptom: Authentication fails silently - RADIUS returns no response. Cause: Shared secret mismatch between EnGenius Cloud and the Purple RADIUS server configuration. A single character difference causes every authentication request to be discarded. Fix: Re-enter the shared secret in both systems. Copy-paste from a plain text source to avoid invisible character substitution.

Symptom: 802.1X client authenticates but receives no IP address. Cause: The ECS switch uplink port is not configured as a trunk, or the VLAN returned by the RADIUS server is not permitted on the trunk. Fix: Verify the switch port configuration. The port must be a trunk carrying all VLANs referenced in RADIUS responses.

Symptom: MyPSK client connects but can reach other tenants' devices. Cause: Client isolation is not enabled on the SSID, or the VLAN configuration on the switch is not correctly isolating the segments. Fix: Enable client isolation on the SSID in EnGenius Cloud. Verify that each VLAN is configured with appropriate inter-VLAN routing rules on the upstream router or firewall.

Symptom: Social login button loads but authentication fails. Cause: One or more OAuth provider subdomains are missing from the Walled Garden. Google and Meta use multiple subdomains for their authentication flows. Fix: Capture browser console output from an unauthenticated device to identify which domain is being blocked. Add the missing domain to the Walled Garden. Refer to Purple's Walled Garden Domain Whitelist documentation for the current list.


ROI and business impact

Deploying Purple with EnGenius Cloud transforms wireless infrastructure from a cost centre into a data asset. Venue operators capture fully compliant, first-party demographic data from guests through conscious-choice opt-ins, enabling targeted marketing campaigns and measurable engagement. For IT teams, the shift to 802.1X and MyPSK eliminates the operational overhead of managing shared passwords, reduces support tickets related to access issues, and provides granular visibility into network utilisation.

For hospitality operators, Premier Inn - a named Purple customer - uses guest WiFi data to drive loyalty programme engagement and personalise post-visit communications. For retail environments, the combination of footfall analytics from Purple's WiFi Analytics platform and dwell-time data provides merchandising insights that justify the infrastructure investment independently of the security benefits.

In multi-tenant environments, MyPSK eliminates the need for separate physical network infrastructure per tenant. A single EnGenius ECW access point can serve 500 isolated tenants on one SSID, reducing hardware costs and simplifying ongoing management. When a tenant moves out, their PSK is deleted in seconds - no password change required, no impact on other residents.

Purple's platform is hardware-agnostic, meaning the same Purple configuration, analytics, and data capture layer works across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet hardware. If your estate includes a mix of EnGenius and other vendors, Purple provides a single pane of glass for guest WiFi management across all of them. For related deployment guidance, see our DrayTek Vigor integration guide.

Key Definitions

Captive portal

A web page that intercepts a user's first HTTP request after connecting to a WiFi network and requires them to authenticate or accept terms before granting internet access.

The primary mechanism for guest onboarding, data capture, and GDPR-compliant consent management in Purple deployments. EnGenius Cloud supports both internal and external captive portal pages.

Walled Garden

The explicit whitelist of domains and IP addresses a client device can communicate with before successfully authenticating through the captive portal.

Required to allow devices to reach the Purple portal servers, OS probe endpoints, and third-party identity providers such as Google or Microsoft Entra ID before authentication completes.

EnGenius MyPSK

A feature that allows network administrators to create multiple unique Pre-Shared Keys on a single SSID, each bound to a specific VLAN for network isolation.

Used in multi-tenant environments to provide secure, isolated network segments without broadcasting multiple SSIDs. Supports up to 500 unique keys per SSID with optional expiration dates.

Dynamic VLAN assignment

The process where a RADIUS server instructs an access point to place an authenticated device onto a specific VLAN based on directory group membership, using the Tunnel-Private-Group-ID attribute.

Allows a single 802.1X SSID to securely segment traffic for different staff roles automatically, without manual VLAN configuration per device.

IEEE 802.1X

An IEEE standard for port-based Network Access Control that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN, using EAP to carry credentials to a RADIUS server.

The foundation of enterprise WiFi security for staff networks, replacing vulnerable shared passwords with individualised credential or certificate validation.

RADIUS

Remote Authentication Dial-In User Service; a networking protocol providing centralised Authentication, Authorization, and Accounting management for network access.

The protocol used by EnGenius access points to communicate with Purple's authentication servers. Authentication uses UDP port 1812; accounting uses UDP port 1813.

PEAP-MSCHAPv2

Protected Extensible Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol version 2; an 802.1X method that creates a TLS tunnel using a server-side certificate, inside which username-password credentials are exchanged.

The most common 802.1X deployment method for environments using Active Directory or Microsoft Entra ID. Requires strict server certificate validation on clients to prevent credential theft.

EAP-TLS

Extensible Authentication Protocol - Transport Layer Security; an 802.1X authentication method requiring digital certificates on both the RADIUS server and every client device, eliminating passwords entirely.

The most secure 802.1X method, recommended for high-security environments. Requires a Public Key Infrastructure and MDM solution to deploy client certificates.

NAS Identifier

Network Access Server Identifier; a string attribute included in RADIUS requests to identify the access point or controller originating the authentication request.

Configured in EnGenius Cloud to match the venue identifier in the Purple platform, ensuring analytics and session data are attributed to the correct location.

PMK

Pairwise Master Key; the cryptographic key derived from a PSK and the SSID name, used to encrypt the wireless session between a specific client and access point.

In MyPSK deployments, each unique PSK generates a distinct PMK, preventing one tenant from decrypting another's traffic even on the same SSID.

Worked Examples

A 200-room hotel needs to provide seamless WiFi access to guests, secure access to hotel staff, and isolated networks for three retail concessions in the lobby, all using the same EnGenius ECW access points and ECS switches.

Deploy three SSIDs on the same hardware:

  • SSID 1 (VenueGuest): Open security with Custom RADIUS pointing to Purple's RADIUS endpoint. External splash page URL configured to the Purple portal. Walled Garden populated with OS probes, Purple CDN domains, and Google OAuth endpoints. VLAN 10 assigned statically.
  • SSID 2 (VenueStaff): WPA2 Enterprise with Custom RADIUS. No captive portal. RADIUS server returns Tunnel-Private-Group-ID of 20 for all staff, with sub-groups (finance, operations, maintenance) mapped to VLANs 21, 22, and 23 respectively.
  • SSID 3 (VenueRetail): WPA2 PSK with MyPSK enabled. Three unique PSKs created, each bound to VLANs 31, 32, and 33. Expiration dates set to match each concession's lease term.

The ECS switch uplink port is configured as a trunk carrying VLANs 10, 20-23, and 31-33.

Examiner's Commentary: This approach minimises SSID overhead to three broadcasts, reducing co-channel interference, while enforcing strict Layer 2 isolation between guests, staff, and third-party tenants. The dynamic VLAN assignment for staff eliminates manual reconfiguration when staff change roles. The MyPSK expiration dates automate access revocation for the retail concessions without requiring IT intervention.

A university campus deploying EnGenius Cloud reports that students attempting to log into the Purple guest portal using their Google Workspace accounts are receiving a browser error after clicking the Google login button. The portal page itself loads correctly.

The portal page loading confirms the Purple CDN domains are correctly whitelisted. The failure at the Google login step indicates one or more Google OAuth domains are missing from the Walled Garden. Navigate to EnGenius Cloud > Captive Portal > Advanced Settings > Walled Garden and add: accounts.google.com, oauth2.googleapis.com, apis.google.com, and *.gstatic.com. The gstatic.com wildcard is required because Google serves its client-side JavaScript libraries from this CDN. After updating the Walled Garden, test with an unauthenticated device and capture browser console output to confirm no further domains are blocked.

Examiner's Commentary: OAuth failures at the provider step (rather than the portal loading step) are almost universally caused by incomplete Walled Garden configurations. The captive portal intercepts the HTTPS call to the identity provider unless the domain is explicitly bypassed. Using wildcard entries (*.gstatic.com) is the pragmatic approach for providers that use multiple CDN subdomains, provided your EnGenius Cloud version supports wildcard Walled Garden entries.

Practice Questions

Q1. You deploy a Purple captive portal on EnGenius ECW access points. Android guests report their devices show 'Connected, no internet' and the portal never appears. iOS guests on the same SSID see the portal correctly. What is the most likely configuration error and how do you fix it?

Hint: Android and iOS use different captive portal probe endpoints.

Model answer:

Android uses connectivitycheck.gstatic.com as its captive portal probe endpoint. iOS uses captive.apple.com. If iOS guests see the portal but Android guests do not, connectivitycheck.gstatic.com is missing from the Walled Garden. Add it in EnGenius Cloud under Captive Portal > Advanced Settings > Walled Garden. Also add connectivitycheck.android.com and www.google.com, because Android uses multiple probe URLs depending on the device version.
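The Walled Garden gaps described in the university worked example and in Q1 can be caught before deployment by auditing the configured list against the hostnames this guide names. This is an added example, not Purple or EnGenius code; the sample lists, the `portal.example.invalid` placeholder, and the wildcard semantics (`*.` matches subdomains only) are assumptions.

```python
# Hostnames are the ones this guide names, grouped by what breaks without them.
REQUIRED = {
    "iOS captive portal probe": ["captive.apple.com"],
    "Android captive portal probe": [
        "connectivitycheck.gstatic.com",
        "connectivitycheck.android.com",
        "www.google.com",
    ],
    "Google OAuth login": [
        "accounts.google.com",
        "oauth2.googleapis.com",
        "apis.google.com",
        "*.gstatic.com",
    ],
}


def covers(entry: str, name: str) -> bool:
    """True if one Walled Garden entry permits the required name."""
    entry, name = entry.lower().rstrip("."), name.lower().rstrip(".")
    if entry == name:
        return True
    # Assumption: "*.example.com" matches any subdomain but not the bare apex.
    return entry.startswith("*.") and name.endswith(entry[1:])


def audit(walled_garden: list[str]) -> dict[str, list[str]]:
    """Return {purpose: [uncovered names]} for every purpose with a gap."""
    gaps = {}
    for purpose, names in REQUIRED.items():
        missing = [n for n in names
                   if not any(covers(e, n) for e in walled_garden)]
        if missing:
            gaps[purpose] = missing
    return gaps


# Constructed sample lists; portal.example.invalid is a placeholder for the
# Purple portal/CDN hostnames, which are not reproduced here.
BEFORE = ["portal.example.invalid", "captive.apple.com", "accounts.google.com"]
OAUTH_FIX = BEFORE + ["oauth2.googleapis.com", "apis.google.com", "*.gstatic.com"]
COMPLETE = OAUTH_FIX + ["connectivitycheck.android.com", "www.google.com"]

if __name__ == "__main__":
    for label, entries in [("before", BEFORE), ("oauth fix", OAUTH_FIX),
                           ("complete", COMPLETE)]:
        print(label, audit(entries) or "no gaps")
```

Applying only the OAuth fix still leaves two Android probe hostnames uncovered, although the `*.gstatic.com` wildcard happens to cover `connectivitycheck.gstatic.com`.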

Q2. A venue configures 802.1X on an EnGenius SSID. Staff devices authenticate successfully (the RADIUS server logs show Access-Accept), but devices receive a 169.x.x.x APIPA address rather than a corporate IP. What is the most likely cause?

Hint: The RADIUS server is accepting the authentication, so the issue is downstream of authentication.

Model answer:

The RADIUS server is returning a Tunnel-Private-Group-ID attribute specifying a VLAN ID. The EnGenius access point is attempting to tag the client's traffic with that VLAN, but the uplink port on the ECS switch is not configured as a trunk port carrying that VLAN. The device is placed on a VLAN with no DHCP server reachable. Fix: configure the ECS switch uplink port as a trunk, explicitly permitting the VLAN ID returned by the RADIUS server.
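The trunk mismatch behind Q2 can be checked against the hotel worked example's VLAN plan: every VLAN that an SSID, the RADIUS server, or MyPSK can assign must appear in the uplink trunk's allow-list. This is an added example, not vendor code; the function names and the allow-list string format are assumptions.

```python
def parse_vlans(spec: str) -> set[int]:
    """Expand a trunk allow-list such as '10, 20-23, 31-33' into VLAN IDs."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        first, last = int(lo), int(hi or lo)
        if not 1 <= first <= last <= 4094:
            raise ValueError(f"invalid VLAN range: {part!r}")
        vlans.update(range(first, last + 1))
    return vlans


# VLAN plan from the hotel worked example, keyed by what assigns the VLAN.
ASSIGNED = {
    "VenueGuest (static)": [10],
    "VenueStaff (RADIUS Tunnel-Private-Group-ID)": [20, 21, 22, 23],
    "VenueRetail (MyPSK)": [31, 32, 33],
}


def untrunked(assigned: dict[str, list[int]], trunk_spec: str) -> dict[str, list[int]]:
    """Return {source: [VLANs not carried on the trunk]} for each source with a gap."""
    allowed = parse_vlans(trunk_spec)
    gaps = {}
    for source, vlan_ids in assigned.items():
        missing = [v for v in vlan_ids if v not in allowed]
        if missing:
            gaps[source] = missing
    return gaps


if __name__ == "__main__":
    # Trunk as specified in the worked example: no gaps.
    print(untrunked(ASSIGNED, "10, 20-23, 31-33") or "all VLANs trunked")
    # Constructed misconfiguration: staff sub-group VLANs left off the trunk,
    # so those clients authenticate but never reach a DHCP server.
    print(untrunked(ASSIGNED, "10, 20, 31-33"))
```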

Q3. A build-to-rent property manager asks why you are recommending EnGenius MyPSK rather than creating a separate SSID for each of the 80 residential units. Provide a technical justification.

Hint: Consider the impact of SSID beacons on WiFi performance.

Model answer:

Each SSID broadcasts beacon frames at regular intervals (typically every 100ms). In a dense environment, 80 SSIDs would generate constant beacon overhead consuming significant airtime, reducing the capacity available for actual data traffic and degrading performance for all users. Most enterprise access points also impose a practical limit of 8-16 SSIDs per radio. MyPSK delivers the same isolation (each resident on a unique VLAN with a unique encryption key) using a single SSID, eliminating the beacon overhead entirely. The per-user PMK also prevents residents from decrypting each other's traffic, which a single shared PSK cannot achieve.
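The per-PSK PMK referred to in the PMK definition and in the Q3 answer follows from the standard WPA2-Personal derivation: PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 256-bit output. This is an added example, not EnGenius code; the tenant names and passphrases are constructed.

```python
import hashlib


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit WPA2-Personal PMK from a passphrase and SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSIDs are 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def tenant_pmks(ssid: str, psks: dict[str, str]) -> dict[str, str]:
    """Map each tenant to the hex PMK its PSK yields on the shared SSID."""
    return {tenant: derive_pmk(psk, ssid).hex() for tenant, psk in psks.items()}


# Constructed MyPSK entries for the three retail concessions on one SSID.
RETAIL_PSKS = {
    "concession-a": "constructed-pass-a1",
    "concession-b": "constructed-pass-b2",
    "concession-c": "constructed-pass-c3",
}

if __name__ == "__main__":
    for tenant, pmk in tenant_pmks("VenueRetail", RETAIL_PSKS).items():
        print(f"{tenant}: {pmk}")
```

Because the SSID is the salt, the same passphrase on a different SSID also yields a different PMK.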