
Captive Portal for Aruba

An authoritative technical reference guide for configuring Aruba Instant (IAP) and Aruba Central managed access points to redirect guest users to Purple's high-converting, secure external captive portal. This guide covers step-by-step guest SSID setup, external captive portal redirection, RADIUS server authentication and accounting parameters, walled garden exception lists, and WISPr support.



Podcast transcript

CAPTIVE PORTAL FOR ARUBA: INTEGRATING PURPLE FOR ENTERPRISE GUEST WIFI
A Purple Technical Briefing — Approximately 10 Minutes

[INTRODUCTION & CONTEXT — approx. 1 minute]

Welcome to the Purple Technical Briefing series. I'm your host, and today we're covering something that comes up in almost every enterprise wireless deployment conversation we have: how to configure a captive portal on Aruba infrastructure, and specifically, how to connect that portal to Purple's guest WiFi intelligence platform.

If you're running Aruba Instant APs, or you're managing a fleet of access points through Aruba Central, this episode is for you. We're going to move quickly — this is a practitioner briefing, not a lecture — so I'll assume you know your way around a WLAN configuration screen and you understand the basics of RADIUS authentication.

The core problem we're solving is this: Aruba's built-in guest portal is functional, but it's limited. It doesn't give you the marketing data capture, GDPR-compliant consent flows, or the real-time analytics that enterprise venues need. Replacing it with Purple's external captive portal is the right architectural decision, and today I'll walk you through exactly how to do it.

[TECHNICAL DEEP-DIVE — approx. 5 minutes]

Let's start with the architecture. When a guest connects to your Aruba SSID and opens a browser, the AP intercepts that HTTP request on TCP port 80 and redirects it to the external portal URL — in this case, Purple's cloud-hosted splash page. The guest authenticates through Purple's portal, which then sends a RADIUS Access-Request to Purple's RADIUS servers on UDP port 1812. On success, the RADIUS server returns an Access-Accept message, and the AP grants the client full internet access. Accounting records are sent on UDP port 1813 throughout the session. That's the fundamental flow.

Now let's get into the configuration. There are two management planes you might be working with: Aruba Instant, which is the on-premises virtual controller model running ArubaOS 8.x, and Aruba Central, which is HPE's cloud management platform. The configuration steps are similar in concept but differ in where you find the settings.

Starting with Aruba Instant on ArubaOS 8. First, you'll configure your RADIUS server. Navigate to Security, then Authentication Server, and click New. You'll need four pieces of information from Purple's platform: the primary server IP address, the authentication port — typically 1812 — the accounting port — typically 1813 — and the shared secret. Purple provides these in your venue configuration dashboard. Add a secondary server for resilience; Purple operates a multi-region RADIUS infrastructure, so you'll have a geographically appropriate backup.

Next, create the External Captive Portal profile. Go to Security, then Captive Portal, click New, and set the Type to External. Enter the splash page URL from your Purple venue configuration — this will be a Purple-hosted HTTPS endpoint. Set the port to 443, enable Use HTTPS, and critically, set the WISPr field to Enabled. WISPr — that's Wireless Internet Service Provider roaming — is the protocol that allows devices to auto-detect the captive portal and present it correctly, particularly on iOS and Android devices that use background captive portal detection. Without WISPr enabled, some devices will fail to trigger the portal automatically.

Now, the Guest SSID. Create a new WLAN, set Primary Usage to Guest, and in the Security tab, set Splash Page Type to External — RADIUS Server. Assign the captive portal profile and RADIUS server you just created. Set the Reauth Interval to something sensible — 1440 minutes, which is 24 hours, is a common choice for hospitality environments. Enable MAC authentication if you want returning guests to bypass the portal on subsequent visits within that window.

For Aruba Central on AOS-8, the flow is essentially the same but accessed through the WLAN wizard under Devices, Config, WLANs. Set Security Level to Visitors, Type to External Captive Portal, and create a new captive portal profile with the Purple splash URL. Add your primary and secondary RADIUS servers, enable accounting, and set an accounting interval of five minutes. This interval is important — it ensures Purple's analytics platform receives regular session updates for accurate dwell time and engagement reporting.

On AOS-10, which is the cloud-first architecture, there's one important difference: the walled garden is no longer configured in the WLAN Security tab. Instead, you configure it through Access Rules. You create a pre-authentication role — call it Guest Logon — and add allow rules for each domain in the walled garden whitelist. Then you assign that role as the Pre-Authentication Role on the SSID.

Speaking of the walled garden — this is where most deployments go wrong. The walled garden is the list of domains that unauthenticated guests can reach before they've completed the portal flow. Without these entries, the portal itself won't load, because the guest's device can't reach the Purple CDN to download the splash page assets.

The mandatory Purple entries are: star dot purple dot ai, star dot cloudfront dot net, and star dot venuewifi dot com. If you're using social login — Google, Facebook, Apple, Microsoft — you'll need to add the relevant OAuth domains for each provider. Google requires star dot google dot com, star dot googleapis dot com, and star dot gstatic dot com. Facebook requires star dot facebook dot com, star dot fbcdn dot net, and connect dot facebook dot net. Apple Sign-In needs star dot apple dot com and appleid dot apple dot com. Microsoft Entra ID requires star dot microsoft dot com and star dot microsoftonline dot com.

One thing worth calling out: on Aruba, you can enable Automatic URL Whitelisting in the captive portal profile. This feature dynamically whitelists URLs that the portal page references. It's useful as a fallback, but I'd recommend explicitly configuring the walled garden rather than relying on automatic whitelisting in production — it's more predictable and easier to audit.

Let's talk about RADIUS parameters specifically. The key attributes Purple uses are: NAS-IP-Address, which identifies your AP or controller; Called-Station-Id, which carries the BSSID and SSID in the format MAC-address:SSID-name — Purple uses this to map sessions to specific venues and access points; and Calling-Station-Id, which is the client MAC address. On the accounting side, Acct-Session-Id provides the unique session identifier, and Acct-Status-Type carries Start, Interim-Update, and Stop events. Make sure your Aruba configuration is sending all three accounting event types — some deployments only send Start and Stop, which means Purple's analytics miss the interim session data needed for accurate dwell time calculations.

[IMPLEMENTATION RECOMMENDATIONS & PITFALLS — approx. 2 minutes]

Let me give you the practical recommendations I'd give any client deploying this.

First: always test with a dedicated test device before going live. Connect to the guest SSID, open a browser to an HTTP URL — not HTTPS — and verify the redirect fires. If you go straight to HTTPS, the redirect won't work because the AP can't intercept encrypted traffic. This is the number one support call we see.

Second: firewall rules. Your AP management VLAN or controller needs outbound UDP access to Purple's RADIUS server IPs on ports 1812 and 1813. If you have a stateful firewall between your APs and the internet, make sure it allows these UDP flows. RADIUS is connectionless, so some firewalls need explicit rules rather than relying on stateful inspection.

Third: certificate trust. When you configure the splash page URL as HTTPS, the AP needs to trust the certificate presented by Purple's portal server. On Aruba Central, you may need to import a trusted CA certificate into the global settings before the portal redirect works correctly over HTTPS. Purple uses certificates from a widely trusted CA, but it's worth verifying this in your environment.

Fourth: VLAN segmentation. Your guest SSID should be on a dedicated VLAN that is isolated from your corporate network. This is both a security requirement — PCI DSS 3.2.1 requires network segmentation for cardholder data environments — and a practical necessity for captive portal functionality. The guest VLAN should have internet access but no route to internal resources.

Fifth: the WISPr setting. I mentioned this earlier but it bears repeating. Enable WISPr. Without it, iOS devices in particular will not automatically detect the captive portal, and guests will see a confusing experience where they appear to be connected but have no internet access.

[RAPID-FIRE Q&A — approx. 1 minute]

Let me run through the questions I get most often.

Can I use Aruba Instant On — the small-business product — with Purple? Yes, with some limitations. Instant On supports external captive portals, but the configuration interface is more limited than full Aruba Central. Purple has a dedicated Instant On integration guide.

Does Purple support RadSec for encrypted RADIUS? Yes. Purple supports RADIUS over TLS — RadSec — for deployments where RADIUS traffic traverses untrusted networks. This is increasingly relevant for cloud-managed deployments where the RADIUS exchange crosses the public internet.

What happens if the Purple portal is unreachable? You can configure the Captive Portal Failure setting to either Deny Internet — which is the secure default — or Allow Internet, which provides a fallback open access mode. For most enterprise venues, Deny Internet is the right choice.

Can I run multiple SSIDs with different Purple venues on the same Aruba infrastructure? Absolutely. Each SSID gets its own captive portal profile pointing to a different Purple venue URL. The Called-Station-Id RADIUS attribute carries the SSID name, which Purple uses to route the session to the correct venue configuration.

[SUMMARY & NEXT STEPS — approx. 1 minute]

Let me bring this together. Deploying Purple as an external captive portal on Aruba infrastructure is a well-trodden integration path. The key steps are: configure your RADIUS servers with Purple's credentials, create an external captive portal profile pointing to your Purple splash URL with WISPr enabled, build your guest SSID with the External RADIUS Server splash type, and configure your walled garden with the Purple core domains plus any social login provider domains you're enabling.

The AOS-10 difference to remember is that walled garden configuration moves to Access Rules rather than the WLAN Security tab.

From a business perspective, replacing Aruba's basic local portal with Purple gives you GDPR-compliant data capture, real-time location analytics, demographic reporting, and marketing automation — all from the same WiFi infrastructure you already own.

For your next steps: pull your Purple venue RADIUS credentials from the Purple dashboard, run through the configuration checklist in the accompanying written guide, and test with a dedicated device before rolling out to production. If you're deploying across multiple sites, Purple's multi-site management console lets you manage captive portal configurations, branding, and analytics across your entire estate from a single interface.

Thanks for listening. The full written guide, configuration tables, and walled garden reference lists are available at purple dot ai. Until next time.

[END OF SCRIPT]

📚 Part of our core series: Multi-Tenant WiFi


Executive Summary

For enterprise wireless engineers, network architects, and venue operations directors, deploying a robust guest wireless infrastructure is no longer just about providing basic internet access. Modern venues require a solution that balances strict network security, regulatory compliance, and a high-converting guest experience. While HPE Aruba's native captive portal capabilities are highly reliable, they lack the sophisticated marketing data capture, global multi-site scalability, and real-time location and demographic analytics required by enterprise venues in hospitality, retail, and public sectors.

By integrating Purple directly with Aruba Instant (IAP) or Aruba Central managed access points, organizations can replace basic local splash pages with a secure, highly-scalable, global guest portal. This integration leverages standard network protocols, including Remote Authentication Dial-In User Service (RADIUS) and Wireless Internet Service Provider roaming (WISPr), to deliver seamless, secure, and brand-consistent onboarding. This technical reference guide provides the exact configuration parameters, architectural diagrams, and troubleshooting workflows required to successfully deploy Purple on Aruba infrastructure.


Technical Deep-Dive

The integration of Purple with Aruba wireless infrastructure relies on a standard external captive portal redirect and RADIUS authentication flow. This architecture ensures that user authentication and traffic accounting are handled securely in the cloud, while local access points enforce access control and quality of service (QoS) policies.

The Captive Portal Redirect Flow

When an unauthenticated client associates with the guest Service Set Identifier (SSID), the Aruba access point intercepts the client's initial HTTP request (typically TCP port 80) and performs an HTTP 302 redirect to Purple's cloud-hosted splash page.

+--------------+             +-----------------+             +------------------+             +------------------+
| Guest Device |             |  Aruba AP / AP  |             |  Purple Captive  |             |  Purple RADIUS   |
|   (Client)   |             |  (Central/IAP)  |             |  Portal (Cloud)  |             |  Server (Cloud)  |
+--------------+             +-----------------+             +------------------+             +------------------+
       |                              |                               |                                |
       |-- 1. Associates to SSID ---->|                               |                                |
       |                              |                               |                                |
       |-- 2. HTTP Request (TCP 80) ->|                               |                                |
       |                              |-- 3. HTTP 302 Redirect ------>|                                |
       |<-- 4. Presents Splash Page ----------------------------------|                                |
       |                              |                               |                                |
       |-- 5. Submits Login Form ------------------------------------>|                                |
       |                              |                               |-- 6. RADIUS Access-Request --->|
       |                              |<-- 7. RADIUS Access-Accept ------------------------------------|
       |                              |      (with Session Timeout)   |                                |
       |<-- 8. Internet Granted ------|                               |                                |
       |                              |                               |                                |
       |                              |-- 9. RADIUS Accounting Start --------------------------------->|
       |                              |-- 10. RADIUS Accounting Interim (every 5 min) ---------------->|


RADIUS Authentication and Accounting Parameters

Once the guest submits their credentials or completes a social login on the Purple splash page, the Purple portal backend communicates with the local Aruba access point or controller to initiate RADIUS authentication. The Aruba AP acts as the Network Access Server (NAS) and sends a RADIUS Access-Request to Purple's cloud RADIUS servers on UDP port 1812.

To ensure accurate session tracking, policy enforcement, and reporting, the following RADIUS attributes must be exchanged:

| Attribute Name | Attribute ID | Description | Practical Context |
|---|---|---|---|
| NAS-IP-Address | 4 | The management IP address of the Aruba virtual controller or AP. | Identifies the physical hardware originating the authentication request. |
| Calling-Station-Id | 31 | The MAC address of the client device (typically formatted as XX-XX-XX-XX-XX-XX). | Used by Purple to track unique devices and enforce MAC caching for returning guests. |
| Called-Station-Id | 30 | The MAC address of the AP radio (BSSID) combined with the SSID name (formatted as MAC:SSID). | Crucial for Purple to identify the exact physical venue and specific SSID the user is connecting to. |
| Acct-Session-Id | 44 | A unique identifier generated by the AP for each client session. | Links authentication events with subsequent accounting start, interim, and stop records. |
| Acct-Status-Type | 40 | Indicates the type of accounting record: Start (1), Stop (2), or Interim-Update (3). | Enables real-time tracking of active sessions and accurate dwell-time calculations. |
| Acct-Interim-Interval | 85 | Specifies the frequency (in seconds) of interim accounting updates sent by the AP. | Must be set to 300 seconds (5 minutes) to ensure Purple's analytics dashboard displays accurate real-time data. |
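The attribute table above, turned into a check that can be run over captured accounting packets. This is an added example, not Purple or Aruba code: it parses the standard RADIUS wire format, verifies the RFC 2866 request authenticator against the shared secret, and reports missing or malformed attributes. The sample packet, its addresses, MACs, session ID and secret are constructed for the demo.

```python
import hashlib
import hmac
import ipaddress
import re
import struct

# Attribute IDs from the table above (RFC 2865/2866/2869).
ATTRS = {4: "NAS-IP-Address", 30: "Called-Station-Id", 31: "Calling-Station-Id",
         40: "Acct-Status-Type", 44: "Acct-Session-Id", 85: "Acct-Interim-Interval"}
INTEGER_ATTRS = {"Acct-Status-Type", "Acct-Interim-Interval"}
STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update"}
REQUIRED = ("NAS-IP-Address", "Called-Station-Id", "Calling-Station-Id",
            "Acct-Session-Id", "Acct-Status-Type")
ACCOUNTING_REQUEST = 4
MAC = r"[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5}"


def parse_radius(packet: bytes) -> dict:
    """Decode the 20-byte RADIUS header and the attributes named in ATTRS."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length on attribute {a_type}")
        value, name = packet[pos + 2:pos + a_len], ATTRS.get(a_type)
        if name == "NAS-IP-Address" or name in INTEGER_ATTRS:
            if len(value) != 4:
                raise ValueError(f"{name} must be 4 octets")
            attrs[name] = (str(ipaddress.IPv4Address(value)) if a_type == 4
                           else struct.unpack("!I", value)[0])
        elif name:
            attrs[name] = value.decode("utf-8", "replace")
        pos += a_len
    return {"code": code, "id": ident, "attrs": attrs}


def authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """RFC 2866 check: MD5(code+id+length + 16 zero octets + attributes + secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    digest = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret).digest()
    return hmac.compare_digest(digest, packet[4:20])


def audit_accounting(packet: bytes, secret: bytes) -> list:
    """Findings for one Accounting-Request; an empty list means it passes."""
    msg, findings = parse_radius(packet), []
    attrs = msg["attrs"]
    if msg["code"] != ACCOUNTING_REQUEST:
        findings.append(f"code {msg['code']} is not Accounting-Request")
    if not authenticator_ok(packet, secret):
        findings.append("authenticator mismatch (shared secret differs?)")
    findings += [f"missing {name}" for name in REQUIRED if name not in attrs]
    called = attrs.get("Called-Station-Id")
    if called is not None and not re.fullmatch(MAC + ":.+", called):
        findings.append("Called-Station-Id is not in MAC:SSID form")
    calling = attrs.get("Calling-Station-Id")
    if calling is not None and not re.fullmatch(MAC, calling):
        findings.append("Calling-Station-Id is not a MAC address")
    status = attrs.get("Acct-Status-Type")
    if status is not None and status not in STATUS:
        findings.append(f"unexpected Acct-Status-Type {status}")
    return findings


def missing_events(packets) -> dict:
    """Per Acct-Session-Id, which of Start / Stop / Interim-Update never arrived."""
    seen = {}
    for packet in packets:
        attrs = parse_radius(packet)["attrs"]
        if "Acct-Session-Id" in attrs:
            seen.setdefault(attrs["Acct-Session-Id"], set()).add(attrs.get("Acct-Status-Type"))
    return {sid: [STATUS[s] for s in sorted(STATUS) if s not in got]
            for sid, got in seen.items() if not set(STATUS) <= got}


def build_sample(status: int, secret: bytes, called: str = "AA-BB-CC-00-11-22:Guest-WiFi",
                 session: str = "S-0001") -> bytes:
    """Constructed Accounting-Request (documentation address, made-up MACs)."""
    def tlv(a_type, value):
        return bytes([a_type, len(value) + 2]) + value
    body = (tlv(4, ipaddress.IPv4Address("192.0.2.10").packed) + tlv(30, called.encode())
            + tlv(31, b"11-22-33-44-55-66") + tlv(40, struct.pack("!I", status))
            + tlv(44, session.encode()))
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(body))
    return header + hashlib.md5(header + bytes(16) + body + secret).digest() + body


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret"
    print(audit_accounting(build_sample(1, SECRET), SECRET))          # clean record
    print(audit_accounting(build_sample(1, SECRET), b"typo-secret"))  # secret mismatch
    print(audit_accounting(build_sample(1, SECRET, called="Guest-WiFi"), SECRET))
    print(missing_events([build_sample(1, SECRET), build_sample(2, SECRET)]))
```

An authenticator mismatch on every record points to a shared secret that differs between the AP and the RADIUS server, while a session that reports only Start and Stop indicates interim accounting is not being sent.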

The Walled Garden (Exception List) Architecture

Before a user is authenticated, the Aruba AP restricts all traffic except for destinations explicitly defined in the Walled Garden (or exception list). Because Purple's portal is cloud-hosted and relies on external identity providers (such as Google, Facebook, and Apple) for social authentication, the AP must allow unauthenticated clients to resolve DNS and communicate with these external domains.

If any required domain is omitted from the walled garden, the guest will experience a blank page, broken CSS, missing images, or a complete timeout during the login flow.
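One way to audit a walled garden before go-live, as an added example that is not part of Purple's or Aruba's tooling: it extracts every external hostname a splash page references and lists those the exception list does not cover. The splash HTML and its hostnames are constructed, and the matching rule (`*.example.com` covers subdomains but not the bare apex) is an assumption to confirm against your AP's behaviour.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "action"}

# Core entries from this guide.
CORE_WALLED_GARDEN = ["*.purple.ai", "*.cloudfront.net", "*.venuewifi.com"]

# Constructed splash page: hostnames are illustrative, not Purple's real asset hosts.
SAMPLE_SPLASH = """
<html><head>
  <link rel="stylesheet" href="https://assets.purple.ai/splash.css">
  <script src="//d111111abcdef8.cloudfront.net/portal.js"></script>
  <script src="https://connect.facebook.net/en_US/sdk.js"></script>
</head><body>
  <img src="/local/logo.png">
  <a href="https://accounts.google.com/o/oauth2/v2/auth">Sign in with Google</a>
  <form action="https://portal.venuewifi.com/login" method="post"></form>
</body></html>
"""


class HostCollector(HTMLParser):
    """Collect hostnames of absolute URLs found in src/href/action attributes."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                host = urlsplit(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host.lower())


def entry_matches(entry: str, host: str) -> bool:
    """Assumed semantics: '*.x.y' matches any subdomain of x.y; other entries match exactly."""
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]  # ".x.y", the leading dot prevents "notx.y" from matching
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def uncovered_hosts(splash_html: str, walled_garden: list) -> list:
    """Hostnames the page needs that no walled garden entry allows pre-authentication."""
    collector = HostCollector()
    collector.feed(splash_html)
    return sorted(host for host in collector.hosts
                  if not any(entry_matches(entry, host) for entry in walled_garden))


if __name__ == "__main__":
    print(uncovered_hosts(SAMPLE_SPLASH, CORE_WALLED_GARDEN))
    social = CORE_WALLED_GARDEN + ["*.google.com", "*.facebook.com", "*.apple.com"]
    print(uncovered_hosts(SAMPLE_SPLASH, social))  # facebook.net is a different domain
```

The second call shows why social-login lists need checking entry by entry: `*.facebook.com` does not cover `connect.facebook.net`, so the login button would fail until that host is added explicitly.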



Implementation Guide

Deploying Purple on Aruba wireless infrastructure can be achieved via Aruba Instant (IAP) running ArubaOS 8.x (on-premises virtual-controller mode) or Aruba Central (cloud-managed AOS-8 or AOS-10).

Aruba Instant (IAP) Configuration (ArubaOS 8.x)

Step 1: Configure RADIUS Servers

  1. Log in to the Aruba Instant AP virtual controller web interface.
  2. Navigate to Security > Authentication Server and click New.
  3. Configure the Primary RADIUS Server with the following parameters:
    • Name: Purple_Primary
    • IP Address: 34.94.146.135
    • Auth Port: 1812
    • Acct Port: 1813
    • Shared Key: [Provided in your Purple Venue Dashboard]
  4. Click OK to save.
  5. Click New again to configure the Secondary RADIUS Server:
    • Name: Purple_Secondary
    • IP Address: 34.94.183.201
    • Auth Port: 1812
    • Acct Port: 1813
    • Shared Key: [Provided in your Purple Venue Dashboard]
  6. Click OK to save.

Step 2: Create the Captive Portal Profile

  1. Navigate to Security > Captive Portal and click New.
  2. Configure the profile with the following settings:
    • Name: Purple_Portal
    • Type: External
    • IP or Hostname: portal.venuewifi.com
    • URL: /
    • Port: 443
    • Use HTTPS: Enabled
    • Redirect URL: https://portal.venuewifi.com
    • WISPr: Enabled (Crucial for auto-triggering the portal on iOS and Android devices)
  3. Click OK to save.

Step 3: Configure the Walled Garden Whitelist

  1. In the Security > Captive Portal menu, select your newly created Purple_Portal profile.
  2. Under the Walled Garden section, click the link to open the whitelist configuration.
  3. Add the following core Purple domains:
    • *.purple.ai
    • *.cloudfront.net
    • *.venuewifi.com
  4. If social login is enabled, add the respective domains (e.g., *.google.com, *.facebook.com, *.apple.com).
  5. Click Save.

Step 4: Create and Configure the Guest SSID

  1. Navigate to Network > New to start the WLAN wizard.
  2. On the WLAN Settings tab:
    • Name (SSID): Guest-WiFi
    • Primary Usage: Guest
    • Click Next.
  3. On the VLAN tab, configure IP and VLAN assignment according to your network architecture (typically Client IP assignment: Network Assigned on a dedicated guest VLAN). Click Next.
  4. On the Security tab:
    • Splash Page Type: External
    • Captive Portal Profile: Select Purple_Portal
    • Auth Server 1: Select Purple_Primary
    • Auth Server 2: Select Purple_Secondary
    • Reauth Interval: 1440 (24 hours, or as per venue policy)
    • Accounting: Enabled
    • Accounting Interval: 5 minutes
  5. Click Next to proceed to the Access tab. Ensure the default guest rule allows DHCP and DNS pre-authentication, then click Finish.

Aruba Central Configuration (AOS-8 and AOS-10)

Aruba Central AOS-8

  1. Navigate to Devices under the Manage section of your group in Aruba Central.
  2. Click Config (gear icon) on the top right, then go to the WLANs tab and click + Add SSID.
  3. In Step 1: General, enter the SSID name (e.g., Guest-WiFi) and click Next.
  4. In Step 2: VLANs, configure your guest VLAN mapping and click Next.
  5. In Step 3: Security:
    • Set Security Level to Visitors.
    • Set Type to External Captive Portal.
    • Ensure Key Management is set to Open (do not use Enhanced Open/OWE for standard guest portals as it can cause client compatibility issues).
    • Click the + icon next to Captive Portal Profile to add a new profile:
      • Name: Purple_Central_Portal
      • IP or Hostname: portal.venuewifi.com
      • URL: /
      • Port: 443
      • Redirect URL: https://portal.venuewifi.com
      • Use HTTPS: True
      • Captive Portal Failure: Deny Internet (Recommended for security compliance)
    • Click Save.
    • Click the + icon next to Primary Server and Secondary Server to add the Purple RADIUS servers using the IPs 34.94.146.135 and 34.94.183.201 respectively, with ports 1812 (Auth) and 1813 (Acct).
    • Expand Advanced Settings, scroll to Accounting, select Use authentication servers, and set Accounting Interval to 5 minutes.
  6. Scroll down to the Walled Garden section, click + Add, and input the required Purple and social login domains.
  7. Click Save Settings.

Aruba Central AOS-10

In AOS-10, the walled garden configuration moves from the WLAN Security tab to Access Rules.

  1. Follow the same SSID and RADIUS configuration steps as AOS-8 above.
  2. In the SSID wizard, navigate to the Access tab.
  3. Click + Add Role and create a pre-authentication role named Purple_Pre_Auth.
  4. In the rules editor for this role, configure explicit Allow rules for DNS, DHCP, and the required walled garden domains (e.g., *.purple.ai, *.venuewifi.com).
  5. Scroll down to Assign Pre-Authentication Role, enable the option, and select Purple_Pre_Auth from the dropdown.
  6. The post-authorization role (typically matching the SSID name) should remain configured with Allow any to all destinations or your specific corporate access policies.
  7. Click Save Settings.

Best Practices

To ensure maximum performance, security, and compliance, network architects must adhere to the following industry standards and vendor-neutral best practices when deploying captive portals on Aruba and Purple.

1. Secure Certificate Management

Aruba access points must present a valid, trusted SSL/TLS certificate during the captive portal redirect flow.

  • Avoid Self-Signed Certificates: If the AP presents a self-signed certificate, modern browsers will display a highly visible "Your connection is not private" warning, severely damaging guest trust and reducing conversion rates.
  • Deploy a Trusted CA Certificate: Upload a wildcard certificate from a globally recognized Certificate Authority (CA) to your Aruba Central global settings or Instant virtual controllers. Ensure that the intermediate and root certificates are combined into a single file to complete the trust chain.

2. Network Segmentation and Compliance

Guest traffic must be kept entirely separate from corporate and administrative traffic to mitigate security risks and ensure compliance with industry standards.

  • VLAN Isolation: Map the guest SSID to a dedicated, non-routable VLAN. Use Access Control Lists (ACLs) on the upstream core switch or firewall to prevent any routing between the guest VLAN and internal corporate subnets.
  • PCI DSS Compliance: If your venue processes card payments (e.g., retail point-of-sale), network segmentation is a mandatory requirement under PCI DSS Requirement 1.2 [3]. Guest WiFi must be physically or logically isolated from the Cardholder Data Environment (CDE).
  • GDPR and Data Privacy: Ensure that the Purple portal is configured to display explicit, un-ticked consent checkboxes for marketing opt-ins, meeting the strict requirements of the General Data Protection Regulation (GDPR) [4].

3. Optimizing WISPr and Captive Portal Detection

Modern mobile operating systems use active probing to detect captive portals immediately upon association.

  • Enable WISPr: Always ensure that WISPr support is enabled in your Aruba captive portal profile. This protocol passes XML-formatted metadata to the client operating system, allowing iOS (Captive Network Assistant) and Android (Captive Portal Login) to gracefully launch the login screen in a dedicated browser window.
  • Prevent "Enhanced Open" (OWE) Issues: While Opportunistic Wireless Encryption (OWE) provides encryption on open networks, many legacy client devices do not support it. For public guest networks, stick to standard Open key management to maximize device compatibility.

Troubleshooting & Risk Mitigation

Even with meticulous planning, captive portal deployments can encounter common failure modes. The following troubleshooting matrix provides immediate, actionable steps for wireless engineers.

Captive Portal Troubleshooting Matrix

| Symptom | Probable Cause | Diagnostic Steps | Actionable Solution |
|---|---|---|---|
| Guest associates but the splash page does not load (Timeout/Blank Page). | Missing or incomplete Walled Garden configuration. | Attempt to ping portal.venuewifi.com from a wired device on the same VLAN. Check if the device is trying to load external resources (e.g., social login scripts) that are blocked. | Explicitly add *.purple.ai, *.venuewifi.com, and *.cloudfront.net to the Aruba walled garden. Verify that DNS resolution is allowed in the pre-auth role. |
| Guest is redirected but browser displays an SSL/TLS Certificate Warning. | The Aruba AP is presenting an untrusted or self-signed certificate for the local redirect page. | Inspect the browser certificate details to see which certificate is being presented. | Upload a valid, trusted SSL certificate signed by a public CA to the Aruba virtual controller or Central global settings. |
| Guest completes the login form but is not granted internet access (Redirect Loop). | RADIUS communication failure between the Aruba AP and Purple servers. | Check the Aruba virtual controller logs for RADIUS timeouts or access-rejects. Run show auth-survivability or check firewall logs. | Verify that outbound UDP ports 1812 (Auth) and 1813 (Acct) are open on your perimeter firewall. Ensure the RADIUS shared secret matches exactly on both Purple and Aruba. |
| The captive portal does not auto-popup on iOS or Android devices. | WISPr is disabled, or the AP is blocking the operating system's captive portal detection URLs. | Verify if the device can access the internet without logging in, or if it remains connected with "No Internet" and no popup. | Enable WISPr in the Aruba captive portal profile. Ensure that captive portal detection URLs (e.g., captive.apple.com, connectivitycheck.gstatic.com) are not blocked by custom pre-auth ACLs. |
| Real-time dwell-time analytics are inaccurate or missing in Purple. | RADIUS Accounting is disabled or the accounting interval is set too high. | Check the AP configuration to see if accounting is enabled and inspect the interval. | Enable RADIUS Accounting on the Aruba SSID. Set the Accounting Interval to exactly 5 minutes (300 seconds) to ensure regular session updates. |

ROI & Business Impact

Transitioning from a basic, local captive portal to an enterprise-grade WiFi intelligence platform like Purple delivers measurable business outcomes across operations, marketing, and network management.

Operational Efficiency and Scalability

Managing individual local captive portals across hundreds of retail stores, hotels, or public venues is an administrative bottleneck. Purple provides a centralized, cloud-managed console that allows IT teams to deploy, update, and audit captive portal configurations globally with a single click. This reduces configuration drift, ensures consistent branding, and slashes administrative overhead by up to 60%.

Data Monetization and Marketing ROI

For industries like Retail and Hospitality, guest WiFi is a powerful channel for customer acquisition and engagement. Purple replaces anonymous connections with rich demographic profiles.

  • Direct Integration: Purple integrates with CRM and marketing automation platforms to trigger real-time, context-aware campaigns. For example, a retail venue can trigger a personalized discount SMS the moment a loyalty customer connects to the guest WiFi.
  • Measurable Footfall Analytics: By analyzing RADIUS accounting data and BSSID associations, Purple provides highly accurate dwell-time, return-rate, and path-analysis reporting. This data enables venue operations directors to optimize staffing levels, evaluate window display effectiveness, and measure the direct ROI of marketing campaigns.

Cost-Benefit Analysis: Native Aruba vs. Purple Integration

| Feature / Metric | Native Aruba Local Portal | Aruba + Purple Integration | Business Impact |
|---|---|---|---|
| Centralized Multi-Site Management | Limited. Requires individual configuration per virtual controller or complex Central group mapping. | Fully Centralized. Manage thousands of venues and SSIDs from a single cloud dashboard. | Reduces IT overhead and eliminates configuration drift across distributed estates. |
| Data Capture & Compliance | Basic form capture. No built-in GDPR/CCPA consent validation workflows. | Enterprise-grade. Automated, legally-compliant consent tracking with real-time API sync to CRMs. | Mitigates legal risk and ensures compliance with global privacy regulations [4]. |
| Social Authentication | Requires custom external web development and manual API maintenance. | Out-of-the-box support for Google, Facebook, Apple, Microsoft, LinkedIn, and SMS. | Increases conversion rates by up to 40% through friction-free login options. |
| Analytics & Reporting | Basic session logs (IP, MAC, connect time). No demographic or behavior tracking. | Rich analytics: age, gender, dwell-time, return rates, heatmaps, and cross-venue roaming. | Drives marketing ROI and provides actionable business intelligence for operations. |

Key Definitions

Captive Portal

A web page that is displayed to newly connected users of a Wi-Fi network before they are granted broader access to network resources.

Used to capture guest data, enforce terms of service, and present branded marketing content.

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for users who connect and use a network service.

Purple acts as the external RADIUS server, authenticating guests and tracking their session duration.

WISPr (Wireless Internet Service Provider roaming)

A draft protocol that enables independent wireless internet service providers to allow users to roam onto each other's networks using a common login portal.

Enabling WISPr on Aruba APs allows modern smartphones to automatically detect the captive portal and display the splash page in a system-native window.

Walled Garden

A restricted set of web sites or domains that an unauthenticated user is allowed to access before they complete the captive portal login process.

Crucial for allowing guests to load the splash page assets (CSS, JS, images) and access social login providers (Google, Facebook) before being authenticated.

BSSID (Basic Service Set Identifier)

The MAC address of the wireless access point's radio interface for a specific SSID.

Sent in the RADIUS Called-Station-Id attribute, allowing Purple to map the user's physical location to a specific AP.

NAS-IP-Address

The IP address of the Network Access Server (the Aruba AP or controller) originating the RADIUS request.

Used in RADIUS packets to identify which physical hardware is requesting authentication.

RadSec

A protocol that secures RADIUS transactions using Transport Layer Security (TLS) over TCP.

Used to encrypt RADIUS authentication and accounting traffic when traversing untrusted public networks between the local AP and Purple's cloud.

Enhanced Open (OWE)

An extension to Wi-Fi Certified Easy Connect that provides encryption of wireless transmissions on open networks without requiring a password.

Can cause compatibility issues with older guest devices; standard Open security is recommended for public captive portals.

Worked Examples

An enterprise wireless engineer is deploying guest WiFi across a national retail chain with 150 stores. Each store has 3-5 Aruba Instant APs managed via Aruba Central. The marketing team requires a branded captive portal with Facebook and Google social login options, and the compliance team mandates that guest traffic must be completely isolated from the store's Point-of-Sale (PoS) network. How should this be architected and configured?

  1. Network Segmentation: Map the Guest SSID to VLAN 100 on the Aruba APs. Configure the local switch ports as trunk ports, allowing VLAN 100. On the store's gateway firewall, configure VLAN 100 with a DHCP scope and an outbound-only NAT policy. Apply an ACL on the firewall to drop all traffic from VLAN 100 to the PoS VLAN (VLAN 10).
  2. RADIUS & Portal Configuration in Aruba Central: Create a new SSID named 'Store-Guest' on VLAN 100. Set Security to 'Visitors' and Splash Page to 'External Captive Portal'. Add Purple's primary RADIUS server (34.94.146.135) and secondary server (34.94.183.201) with ports 1812/1813. Enable RADIUS Accounting with a 5-minute interval.
  3. Walled Garden: Configure the walled garden in Aruba Central to include: *.purple.ai, *.venuewifi.com, *.cloudfront.net (for Purple core), and the social login domains: *.google.com, *.googleapis.com, *.gstatic.com (for Google) and *.facebook.com, *.fbcdn.net, connect.facebook.net (for Facebook).
  4. Testing: Connect a test device to 'Store-Guest', verify DHCP assigns an IP on VLAN 100, confirm the browser redirects to the Purple portal over HTTPS, complete the Facebook login, and verify that internet access is granted while internal PoS resources remain completely unreachable.
Examiner's Commentary: This approach is highly effective because it addresses both security and user experience. Using VLAN isolation at the physical switch and gateway firewall ensures robust PCI DSS compliance, preventing guest devices from ever reaching the cardholder data environment (CDE). Explicitly defining the social login domains in the walled garden is critical; relying on 'Automatic URL Whitelisting' can cause intermittent failures if the social provider dynamically changes its CDN subdomains. Setting the RADIUS accounting interval to 5 minutes ensures the marketing team gets high-fidelity dwell-time analytics without overloading the AP's CPU.

A stadium venue with 50,000 seats is running Aruba Central on AOS-10 with high-density AP-555 access points. During peak event hours, thousands of users attempt to connect to the guest WiFi simultaneously. The IT director is concerned about the performance impact of captive portal redirects on the virtual controller and wants to ensure the authentication process is as fast and resilient as possible. What advanced configurations should be applied?

  1. Pre-Authentication Role (AOS-10): In AOS-10, configure a dedicated pre-authentication role named 'Stadium-Pre-Auth'. Apply an ACL that permits DHCP (UDP 67-68), DNS (UDP 53), and outbound traffic to the Purple walled garden domains. Assign this role as the 'Pre-Authentication Role' in the SSID settings. This offloads the packet filtering from the central controller to the individual APs, distributing the load.
  2. RADIUS Load Balancing: In Aruba Central, enable RADIUS Load Balancing across the primary and secondary Purple RADIUS servers. This distributes the authentication load evenly during peak ingress windows.
  3. Server Offload: Enable 'Server Offload' in the Captive Portal Profile settings. This prevents non-browser client applications (like background mobile apps, system updates, or IoT devices) from being repeatedly redirected to the external captive portal, preserving AP CPU cycles and WAN bandwidth.
  4. Captive Portal Failure Policy: Set 'Captive Portal Failure' to 'Deny Internet'. While 'Allow Internet' seems customer-friendly, during an extreme network event it could lead to uncontrolled open access, bypassing security controls and exhausting DHCP pools.
Examiner's Commentary: High-density environments like stadiums require a distributed processing model. Configuring the walled garden via Access Rules in AOS-10 ensures that the access control lists are compiled and executed locally in the AP's hardware-accelerated data path, rather than being tunneled back to a gateway. Enabling Server Offload is an industry-standard best practice for stadium deployments; it mitigates the 'captive portal storm' caused by background apps on thousands of locked phones attempting to reach their respective cloud servers simultaneously.

Practice Questions

Q1. A network engineer configures a new guest SSID on an Aruba Instant AP cluster. When testing, they connect to the SSID, but instead of the branded Purple splash page, they see a browser timeout error. What is the most likely cause of this issue, and what troubleshooting steps should be taken?

Hint: Think about what is required for the client device to reach the cloud-hosted splash page before authentication.

Model answer

The most likely cause is a missing or incomplete Walled Garden configuration, or a DNS resolution issue. Before authentication, the AP blocks all traffic except for whitelisted domains. If the Purple domains (*.purple.ai, *.venuewifi.com, *.cloudfront.net) are not in the walled garden, the client cannot load the splash page. Troubleshooting steps:

  1. Verify the client device has received a valid IP address and DNS server via DHCP.
  2. Attempt to resolve 'portal.venuewifi.com' from a wired device on the same VLAN to confirm DNS is working.
  3. Check the Aruba AP configuration to ensure the Walled Garden whitelist is active and contains all required Purple domains.
  4. Verify that the pre-authentication role allows DNS traffic (UDP port 53) to the DNS server.
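The walled-garden check from the retail worked example and from troubleshooting step 3 above, as an added example that is not Purple's or Aruba's code: it tests a list of hostnames against the configured entries and reports which ones would be blocked before authentication. The wildcard semantics (subdomains only, not the apex) and every hostname in SAMPLE_HOSTS except portal.venuewifi.com are assumptions.

```python
# Added example (not Purple or Aruba code): audit a walled-garden list offline.
# Assumption: "*.example.com" covers any subdomain but not the bare apex.

# Entries from the retail worked example on this page.
WALLED_GARDEN = [
    "*.purple.ai", "*.venuewifi.com", "*.cloudfront.net",
    "*.google.com", "*.googleapis.com", "*.gstatic.com",
    "*.facebook.com", "*.fbcdn.net", "connect.facebook.net",
]

# Constructed sample: hostnames a splash-page load might request, for example
# copied from a browser's network tab during a test login.
SAMPLE_HOSTS = [
    "portal.venuewifi.com", "cdn.purple.ai", "Accounts.Google.com.",
    "connect.facebook.net", "static.example.fbcdn.net",
    "appleid.apple.com", "venuewifi.com", "notpurple.ai",
]

def normalise(name):
    """Lower-case and drop the trailing dot of a fully qualified name."""
    return name.strip().lower().rstrip(".")

def entry_matches(entry, host):
    """True if one walled-garden entry covers host (label-boundary aware)."""
    entry, host = normalise(entry), normalise(host)
    if entry.startswith("*."):
        suffix = entry[1:]                      # "*.purple.ai" -> ".purple.ai"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry

def audit(required_hosts, walled_garden=WALLED_GARDEN):
    """Return (covered, missing, unused): host -> allowing entry, hosts blocked
    pre-authentication, and entries no host needed (review before trimming)."""
    covered, missing = {}, []
    for host in map(normalise, required_hosts):
        hit = next((e for e in walled_garden if entry_matches(e, host)), None)
        if hit is None:
            missing.append(host)
        else:
            covered[host] = hit
    unused = [e for e in walled_garden if e not in covered.values()]
    return covered, missing, unused

if __name__ == "__main__":
    covered, missing, unused = audit(SAMPLE_HOSTS)
    print("missing:", missing)
    print("unused: ", unused)
```

An entry reported as unused is only a candidate for review: the host list has to come from a complete login flow for each enabled provider before anything is trimmed.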

Q2. During a rollout of Purple guest WiFi at a large convention center, the IT team reports that guest devices connect successfully, but they are prompted to log in again every 15 minutes. The desired behavior is for guests to remain logged in for 24 hours. Which Aruba and Purple configuration parameters should be inspected to resolve this?

Hint: Look at parameters controlling session lifetime and re-authentication intervals.

Model answer

This issue is caused by a mismatch in session timeout or re-authentication interval settings. To resolve this:

  1. Inspect the 'Reauth Interval' on the Aruba SSID security tab; it should be set to 1440 minutes (24 hours) rather than 15 minutes.
  2. Check the 'Session Timeout' attribute returned by the Purple RADIUS server in the Access-Accept message. If Purple is configured with a short session lifetime, it will force re-authentication.
  3. Ensure that MAC Authentication is enabled on the Aruba SSID. This allows the AP to automatically authenticate returning guests via their MAC address against Purple's database without prompting them with the splash page again during the 24-hour window.
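To tell the two timers in steps 1 and 2 apart, this added example (not Purple's or Aruba's code) parses a captured Access-Accept and lists every timer shorter than the 24-hour target. The packet is constructed, its authenticator is zeroed and not verified, and the packet code and attribute number are taken from RFC 2865.

```python
# Added example (not Purple or Aruba code): read session timers from a RADIUS
# Access-Accept. Packet code and attribute number are from RFC 2865.
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code
SESSION_TIMEOUT = 27     # attribute type; value is a 4-byte count of seconds

def parse_radius(packet):
    """Return (code, {attr_type: [raw values]}) after bounds-checking the TLVs."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field disagrees with captured bytes")
    attrs, pos = {}, 20                  # attributes follow the authenticator
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute length")
        attrs.setdefault(a_type, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs

def short_timers(packet, reauth_minutes, target_seconds=24 * 3600):
    """List every timer that ends a session before the target lifetime."""
    code, attrs = parse_radius(packet)
    if code != ACCESS_ACCEPT:
        raise ValueError("not an Access-Accept")
    findings = []
    if reauth_minutes * 60 < target_seconds:
        findings.append(f"SSID Reauth Interval: {reauth_minutes} min")
    for raw in attrs.get(SESSION_TIMEOUT, []):
        if len(raw) != 4:
            raise ValueError("Session-Timeout must be 4 bytes")
        seconds = struct.unpack("!I", raw)[0]
        if seconds < target_seconds:
            findings.append(f"RADIUS Session-Timeout: {seconds} s")
    return findings

def sample_accept(session_timeout):
    """Constructed Access-Accept: zeroed authenticator, one Session-Timeout."""
    attr = struct.pack("!BBI", SESSION_TIMEOUT, 6, session_timeout)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(attr)) + bytes(16) + attr

if __name__ == "__main__":
    print(short_timers(sample_accept(900), reauth_minutes=1440))
```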

Q3. A public-sector organization is deploying guest WiFi across multiple libraries using Aruba Central on AOS-10. The security policy mandates that all guest traffic must be encrypted over the air, but the library directors want a seamless, friction-free login experience. How can the wireless architect achieve both requirements using Aruba and Purple?

Hint: Consider the differences between Open, OWE (Enhanced Open), and WPA2/WPA3-Enterprise, and how they interact with captive portals.

Model answer

To achieve both over-the-air encryption and a seamless captive portal experience, the architect should deploy 'Enhanced Open' (Opportunistic Wireless Encryption - OWE) with a transition mode if legacy device compatibility is required. Enhanced Open encrypts the wireless connection between the client and the AP without requiring a pre-shared key, protecting guests from passive eavesdropping.

  1. Configure the guest SSID in Aruba Central with Security Level set to 'Visitors' and Key Management set to 'Enhanced Open'.
  2. Enable 'OWE Transition Mode' and associate it with a standard Open guest SSID to support older devices that do not support WPA3 OWE.
  3. Configure the External Captive Portal profile pointing to Purple as usual.

This combination ensures that modern devices get encrypted wireless transport automatically, while still redirecting to the Purple splash page for data capture and compliance.