
Cisco WLC and Catalyst Integration with Purple WiFi: Step-by-Step Guest Access Guide

This guide details the step-by-step integration of Cisco WLC and Catalyst 9800 Wireless with Purple, covering Guest WiFi captive portal redirection via Central Web Authentication, Secure Staff WiFi using 802.1X EAP-TLS, and Multi-Tenant segmentation using Cisco Identity Pre-Shared Keys (iPSK) with dynamic VLAN assignment. It is written for enterprise network architects and IT security directors deploying Cisco infrastructure in hospitality, retail, and large public venues.


Podcast transcript
Welcome to the Purple Technical Briefing. I'm your host, and today we're covering a definitive deployment scenario for enterprise network architects: integrating Cisco Wireless LAN Controllers and Catalyst 9800 hardware with the Purple WiFi platform. If you manage IT for a hotel chain, a retail network, or a large public venue, you know that relying on basic Pre-Shared Keys is an unacceptable security risk. Today, we'll outline the step-by-step architecture to segment your network, secure your staff, and turn your guest WiFi into a data-driven asset. Let's establish the context. An enterprise wireless environment must handle three distinct profiles: Guests, Staff, and Headless or Tenant devices. You cannot treat them the same, and you cannot broadcast twenty different SSIDs to accommodate them. The solution is a unified hardware footprint leveraging different authentication mechanisms on a single Cisco Catalyst 9800 Wireless LAN Controller. Now let's dive into the technical architecture. The first tier is Guest WiFi. The goal here is low-friction access combined with data capture. We achieve this using an open SSID and Central Web Authentication, or CWA. When a guest connects, the Cisco WLC applies a pre-authentication Access Control List. This is your walled garden. It blocks general internet access but permits traffic to Purple's domains and essential services. When the guest tries to browse, the WLC intercepts the HTTP request and redirects them to the Purple captive portal splash page. Once they authenticate, perhaps via a registration form, a social login, or a one-time code, Purple acts as the RADIUS server. It sends a Change of Authorization message, known as a CoA, to the WLC. This moves the client to an isolated guest VLAN and grants internet access. The entire flow is automated, and every login is recorded in Purple's analytics platform. The second tier is Staff WiFi. For corporate devices, we mandate 802.1X authentication. 
Specifically, EAP-TLS, which stands for Extensible Authentication Protocol Transport Layer Security. This method uses digital certificates installed on corporate devices via your Mobile Device Management platform, whether that's Microsoft Intune, Jamf, or another solution. The WLC acts as the authenticator, passing EAP messages to the RADIUS server. Because we use certificates, there are no passwords to steal. If a device is lost or an employee leaves, you revoke the certificate. Access is terminated instantly, without changing a global password or disrupting anyone else. EAP-TLS is the gold standard for enterprise security. The third tier is Multi-Tenant or IoT WiFi. Think of retail mall tenants, coworking space members, or smart building sensors that do not support 802.1X. For this, we deploy Cisco Identity PSK, or iPSK. Everyone connects to the same SSID, but the RADIUS server assigns a unique password and a unique VLAN to each tenant based on their MAC address. When a tenant's device connects, the WLC sends a MAC authentication request to the RADIUS server. The server returns the specific PSK for that tenant as a Cisco AV-Pair attribute, along with three standard IETF RADIUS attributes to dynamically assign the client to the correct VLAN. Those attributes are: Tunnel-Type, set to VLAN; Tunnel-Medium-Type, set to 802; and Tunnel-Private-Group-ID, set to the target VLAN ID. The WLC processes these attributes and places the device on the correct isolated network segment. iPSK delivers enterprise segmentation with consumer simplicity. Now let's discuss implementation recommendations and the pitfalls we see most frequently in production deployments. The most common point of failure in guest deployments is the walled garden ACL. If guests connect but the splash page does not appear, check your DNS configuration first. If your pre-authentication ACL blocks UDP port 53, the client cannot resolve domain names. 
The operating system will not trigger the captive portal mini-browser, and the guest will see a No Internet error. Always explicitly permit DNS traffic in your walled garden ACL. This is the single most common support issue we encounter. The second pitfall is in staff deployments. If you choose to deploy PEAP-MSCHAPv2 instead of EAP-TLS, because you do not yet have an MDM solution to distribute certificates, you must configure your client devices to explicitly validate the RADIUS server certificate. This means specifying the exact Certificate Authority to trust and the expected server name in the WiFi profile. If you leave this to the end user to configure manually, an attacker can spin up a rogue access point, present a fraudulent certificate, and capture corporate credentials. This is not a theoretical attack. It is a well-documented real-world threat. Enforce certificate validation via Group Policy for Windows devices and via MDM profiles for macOS and mobile devices. The third pitfall is in iPSK deployments. If a client connects but receives the wrong VLAN, or fails to connect entirely, the most likely cause is that the target VLAN ID specified in the Tunnel-Private-Group-ID attribute does not exist on the WLC. The VLAN must be created and active on the controller before the RADIUS server can steer clients into it. Use the debug radius command on the WLC to verify that the attributes are being received correctly from the RADIUS server. Now let's do a rapid-fire question and answer session on the questions we hear most often. Question one: Can I use MAC Authentication Bypass instead of iPSK for IoT devices? You can, but you should not. MAC addresses are broadcast in plaintext and are trivial to spoof. MAC Authentication Bypass provides device identification, not security. iPSK provides actual cryptographic security for headless devices. If the device supports any form of PSK, use iPSK. Question two: Does Purple support Cisco Catalyst 9800 IOS-XE controllers? 
Yes. Purple fully supports modern Catalyst 9800 IOS-XE controllers as well as legacy AireOS WLCs. The RADIUS and Change of Authorization integration is fully validated for both platforms. Question three: How do I handle RADIUS server redundancy? Always configure both a primary and secondary RADIUS server in your WLC AAA method lists. The WLC will automatically fail over to the secondary server if the primary does not respond within the configured timeout. Purple provides two RADIUS server IP addresses for exactly this purpose. Never deploy a single RADIUS server in a production environment. Question four: What RADIUS port numbers does Purple use? Purple uses UDP port 1812 for authentication and UDP port 1813 for accounting. These are the IANA-registered standard ports for RADIUS, as defined in RFC 2865 and RFC 2866. To summarise the key takeaways from today's briefing. Audit your current wireless architecture. If you are using shared passwords for staff, plan a migration to 802.1X. If you are broadcasting multiple SSIDs for different tenants, consolidate them using Cisco iPSK. If your guest WiFi is simply an open network with no data capture, integrate it with Purple to collect first-party data, drive marketing return on investment, and ensure compliance with GDPR and PCI DSS requirements. By combining Cisco's enterprise-grade infrastructure with Purple's cloud overlay, you deliver secure, segmented, and intelligent connectivity across your venue. Purple operates across more than 80,000 live venues and recorded 440 million logins in 2024. The platform is hardware-agnostic, ISO 27001 certified, and built for enterprise scale. Your next step is clear. Review the full step-by-step configuration guide on the Purple website, obtain your RADIUS server credentials from the Purple portal, and begin the integration with your Cisco WLC today. For detailed configuration guides and hardware-specific documentation, visit the Purple support portal at support dot purple dot ai. 
Thank you for listening to this Purple Technical Briefing. Until next time, stay secure.


Executive summary

Enterprise wireless networks must serve distinct user groups simultaneously: guests who need frictionless internet access, staff who require secure access to corporate resources, and headless or tenant devices that need isolation from one another. Relying on a single shared Pre-Shared Key for any of these groups is a security liability. A single compromised credential exposes the entire segment, and revoking access requires changing a global password that disrupts every device on the network.

This guide details the integration of Cisco Wireless LAN Controllers (WLC) and Catalyst 9800 series hardware with Purple's cloud overlay. We provide the step-by-step configuration for three distinct authentication tiers: an open Guest WiFi network with captive portal redirection powered by Purple, a Secure Staff WiFi network using 802.1X EAP-TLS certificate authentication, and a Multi-Tenant WiFi environment using Cisco Identity Pre-Shared Keys (iPSK) with dynamic VLAN assignment. By deploying this architecture, you isolate corporate resources from visitor traffic, automate identity-based access control, and capture first-party data through Purple's WiFi Analytics platform. Purple operates across 80,000+ live venues and recorded 440 million logins in 2024 (Purple internal data), making it a proven cloud overlay for Cisco infrastructure at scale.

Technical deep-dive: the three-tier architecture

A modern enterprise wireless deployment on Cisco hardware must cater to distinct user profiles with differing security and access requirements. The integration between Cisco WLC and Purple enables a unified hardware footprint to serve these profiles through distinct authentication mechanisms, all managed from a single Catalyst 9800 controller.

[Figure: architecture overview of the three authentication tiers on one Catalyst 9800 controller]

Tier 1: Guest WiFi - Central Web Authentication (CWA)

For visitors in Hospitality and Retail environments, the objective is low-friction onboarding combined with compliant data capture. This is achieved using an open SSID coupled with Central Web Authentication (CWA). When a guest connects, the Cisco WLC applies a pre-authentication Access Control List (ACL) - the walled garden. This ACL blocks general internet traffic while permitting traffic to Purple's captive portal domains, DNS, and social login endpoints.

When the guest attempts to browse, the WLC intercepts the HTTP request and issues a redirect to the Purple splash page. The guest authenticates via their chosen method (social login, email registration, or voucher code). Purple then acts as the RADIUS server, sending a RADIUS Change of Authorization (CoA) message back to the WLC. The CoA instructs the WLC to move the client from the pre-authentication state to a post-authentication state on an isolated guest VLAN, granting internet access. Every login is recorded in Purple's analytics platform, capturing first-party data in compliance with GDPR and CCPA.

Tier 2: Staff WiFi - 802.1X EAP-TLS

Corporate devices require the highest level of security. IEEE 802.1X defines port-based Network Access Control (PNAC), and when combined with EAP-TLS (Extensible Authentication Protocol - Transport Layer Security), it delivers certificate-based authentication that eliminates passwords entirely. Digital certificates are deployed to corporate devices via Mobile Device Management (MDM) - Microsoft Intune, Jamf, or equivalent. The Cisco WLC acts as the Authenticator, passing EAP messages between the supplicant (device) and the RADIUS server. The RADIUS server validates the certificate and returns an Access-Accept with optional VLAN assignment attributes.

Because authentication relies on certificates rather than passwords, there are no credentials to steal. If a device is lost or an employee leaves, you revoke the certificate. Access terminates instantly without disrupting any other user. For a comprehensive treatment of enterprise security standards including WPA3 and Zero Trust, see our guide on Enterprise WiFi Security: A Complete Guide for 2026.

Tier 3: Multi-Tenant WiFi - Cisco iPSK and dynamic VLAN assignment

In environments like student accommodation, coworking spaces, or retail malls, you need private, segmented networks for different tenants without broadcasting dozens of SSIDs. Cisco Identity PSK (iPSK) solves this. All tenants connect to a single SSID. The WLC sends a MAC authentication request to the RADIUS server for each connecting device. The RADIUS server returns the specific PSK for that tenant as a cisco-av-pair attribute, along with standard IETF RADIUS attributes to dynamically assign the client to the correct VLAN.

[Figure: iPSK flow, with the per-tenant PSK and VLAN returned by RADIUS]

The three IETF RADIUS attributes that drive dynamic VLAN assignment are:

RADIUS Attribute          ID   Value
Tunnel-Type               64   VLAN (integer value 13)
Tunnel-Medium-Type        65   IEEE-802 (integer value 6)
Tunnel-Private-Group-ID   81   Target VLAN ID (e.g., 31)

Tunnel-Type and Tunnel-Medium-Type are tagged integers, and Tunnel-Private-Group-ID is encoded as a tagged string, as defined in RFC 2868: the VLAN ID travels as text ("31"), not as a number, and the WLC parses it. The VLAN ID must already exist on the WLC for the assignment to succeed, and all three attributes must be present; the controller ignores a Tunnel-Private-Group-ID that arrives without the VLAN type and IEEE-802 medium.

Implementation guide: Cisco Catalyst 9800 WLC configuration

The following steps detail the configuration for a Cisco Catalyst 9800 WLC running IOS-XE to integrate with Purple for Guest WiFi redirection. For legacy AireOS WLC deployments, the equivalent settings are available in the Purple support portal.

Step 1: Configure RADIUS authentication and accounting

You must point the WLC to Purple's RADIUS servers to handle guest authentication and session accounting.

  1. Navigate to Configuration > Security > AAA > Servers/Groups > RADIUS > Servers > + Add.
  2. Enter the primary Purple RADIUS server IP address, set auth-port to 1812, acct-port to 1813, and enter the shared secret from the Purple portal.
  3. Enable Support for CoA - this is mandatory for captive portal redirection.
  4. Repeat for the secondary Purple RADIUS server.
  5. Navigate to RADIUS > Server Groups > + Add and create a group containing both servers.
  6. Navigate to AAA Method List > Authentication > + Add, set Type to login, and point it to the RADIUS server group. The guest WLAN's web authentication uses this list.
  7. Navigate to AAA Method List > Authorization > + Add, set Type to network, and point it to the same group. MAC filtering on the iPSK WLAN (Step 5) uses this list.
  8. Navigate to AAA Method List > Accounting > + Add, set Type to identity, and point it to the same group.

The equivalent CLI commands on IOS-XE are:

aaa new-model
!
radius server Purple-Primary
 address ipv4 <purple-primary-ip> auth-port 1812 acct-port 1813
 key 0 <shared-secret>
!
radius server Purple-Secondary
 address ipv4 <purple-secondary-ip> auth-port 1812 acct-port 1813
 key 0 <shared-secret>
!
aaa group server radius Purple-RADIUS-Group
 server name Purple-Primary
 server name Purple-Secondary
!
! CoA listener (the GUI "Support for CoA" setting). IOS-XE listens on UDP 1700 by default;
! the server-key is separate from the RADIUS secret and must match the CoA key in the Purple portal.
aaa server radius dynamic-author
 client <purple-primary-ip> server-key <coa-key>
 client <purple-secondary-ip> server-key <coa-key>
 auth-type any
!
aaa authentication login Purple-Auth group Purple-RADIUS-Group
aaa authorization network Purple-Authz group Purple-RADIUS-Group
aaa accounting identity Purple-Acct start-stop group Purple-RADIUS-Group

Step 2: Define the pre-authentication ACL (walled garden)

The pre-authentication ACL defines what a client in the Webauth Pending state may reach before it authenticates: the Purple splash page, DNS, and any social login endpoints. This is the walled garden. On a Local Web Authentication WLAN the 9800 reads the ACL as follows: traffic matching a permit entry passes before authentication, and everything that falls to the implicit deny is dropped, except HTTP, which the controller intercepts and answers with the redirect. (A CWA redirect ACL returned by RADIUS uses the opposite convention: permit marks traffic for redirection and deny lets it through. Do not mix the two.)

  1. Navigate to Configuration > Security > ACL > + Add.
  2. Create an IPv4 Extended ACL named Purple_Guest_Walled_Garden.
  3. Add explicit deny entries for the WLC management IP and the RADIUS server IPs ahead of the permits, so a guest can never reach them even if a broad permit is added later.
  4. Add rules to permit DNS (UDP port 53) to your DNS servers. Without this the client cannot resolve anything and the operating system never raises the captive portal browser.
  5. Add rules to permit traffic to Purple's walled garden IP ranges (obtain the current list from the Purple support portal for your specific hardware type). An IP ACL cannot match hostnames; for domain-based entries such as social login providers, the 9800 provides URL filters (Configuration > Security > URL Filters) that are referenced from the Policy Profile as the pre-auth URL filter.
  6. Do not end the ACL with permit ip any any. On a pre-authentication ACL that entry lets every flow pass without authentication, so the redirect is never triggered and the guest network is effectively open. Leave the implicit deny in place.
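
The ACL semantics from Step 2 are easy to get backwards, so the following model, written for this guide and not taken from Purple or Cisco, evaluates constructed sample flows against three versions of the walled garden: the correct one, one that forgot the DNS permit (the page's most common support issue), and one with a trailing permit ip any any. Addresses are RFC 5737 documentation values standing in for the real DNS server and Purple ranges; the redirect rule models the default, where only HTTP to port 80 is intercepted.

```python
"""Walled-garden ACL semantics on a Catalyst 9800 Local Web Authentication WLAN.
Added illustration for this guide (not Purple's or Cisco's code). A matching
'permit' lets the unauthenticated client's flow through; anything that falls to
the implicit deny is dropped, except HTTP to port 80, which the controller
intercepts for the portal redirect. All addresses are constructed values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

REDIRECT_PORTS = {80}  # HTTPS interception is a separate opt-in on the WLC and causes certificate warnings


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    protocol: str          # "ip" (any protocol), "udp" or "tcp"
    dst: str               # destination CIDR, or "any"
    dport: Optional[int]   # destination port, None = any port


@dataclass(frozen=True)
class Flow:
    protocol: str
    dst_ip: str
    dport: int


def entry_matches(entry: AclEntry, flow: Flow) -> bool:
    if entry.protocol != "ip" and entry.protocol != flow.protocol:
        return False
    if entry.dst != "any" and ip_address(flow.dst_ip) not in ip_network(entry.dst):
        return False
    return entry.dport is None or entry.dport == flow.dport


def deny_outcome(flow: Flow) -> str:
    # Denied traffic is dropped, except that intercepted HTTP becomes the redirect
    return "redirect" if flow.protocol == "tcp" and flow.dport in REDIRECT_PORTS else "drop"


def lwa_preauth_decision(acl: List[AclEntry], flow: Flow) -> str:
    """Return 'allow', 'redirect' or 'drop' for one flow of a Webauth Pending client."""
    for entry in acl:
        if entry_matches(entry, flow):
            return "allow" if entry.action == "permit" else deny_outcome(flow)
    return deny_outcome(flow)  # every IOS-XE ACL ends with an implicit deny


# Constructed sample values (RFC 5737 ranges)
DNS_SERVER = "198.51.100.53"
PURPLE_RANGE = "203.0.113.0/24"   # stand-in for the ranges published in the Purple support portal

CORRECT_ACL = [
    AclEntry("permit", "udp", f"{DNS_SERVER}/32", 53),
    AclEntry("permit", "tcp", PURPLE_RANGE, 443),
    AclEntry("permit", "tcp", PURPLE_RANGE, 80),
]
ACL_WITHOUT_DNS = CORRECT_ACL[1:]                                            # pitfall: DNS falls to the implicit deny
ACL_WITH_PERMIT_ANY = CORRECT_ACL + [AclEntry("permit", "ip", "any", None)]  # pitfall: walled garden wide open

SAMPLE_FLOWS = {
    "dns": Flow("udp", DNS_SERVER, 53),
    "portal_probe": Flow("tcp", "192.0.2.10", 80),      # OS captive-portal probe to a resolved public host
    "splash_https": Flow("tcp", "203.0.113.5", 443),    # the Purple splash page itself
    "smtp": Flow("tcp", "192.0.2.25", 25),              # unrelated traffic that must not leak out
}


def evaluate(acl: List[AclEntry]) -> Dict[str, str]:
    return {name: lwa_preauth_decision(acl, flow) for name, flow in SAMPLE_FLOWS.items()}


def portal_will_appear(acl: List[AclEntry]) -> bool:
    """The splash page can only appear if the probe's DNS lookup passes, the probe
    itself is redirected, and the splash host is reachable before authentication."""
    d = evaluate(acl)
    return d["dns"] == "allow" and d["portal_probe"] == "redirect" and d["splash_https"] == "allow"


if __name__ == "__main__":
    for label, acl in [("correct", CORRECT_ACL), ("no DNS permit", ACL_WITHOUT_DNS),
                       ("trailing permit any", ACL_WITH_PERMIT_ANY)]:
        print(f"{label:20} {evaluate(acl)} -> portal appears: {portal_will_appear(acl)}")
```

The two broken variants fail for opposite reasons: without the DNS permit the probe never leaves the client, and with permit ip any any the probe is answered by the real internet host, so the OS sees full connectivity and never opens the portal while every other flow, SMTP included, leaves the venue unauthenticated.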

Step 3: Configure the guest WLAN

  1. Navigate to Configuration > Tags & Profiles > WLANs > + Add.
  2. Create a WLAN named Guest-WiFi with your chosen SSID.
  3. Under Security > Layer 2, set security to None (Open).
  4. Under Security > Layer 3, enable Web Policy, set Web Auth type to External, and select the login authentication method list created in Step 1. (On the 9800 this is Local Web Authentication with an external redirect page; in Cisco's strict CWA variant the redirect URL and ACL are instead returned by RADIUS as cisco-av-pair url-redirect and url-redirect-acl after MAC filtering. The steps in this guide use the external-redirect form.)
  5. Enter your Purple access URL in the redirect field.
  6. Apply the Purple_Guest_Walled_Garden ACL.
  7. Under Security > AAA Servers, assign the Purple RADIUS servers to both Authentication and Accounting.

Step 4: Configure the Policy Profile

  1. Navigate to Configuration > Tags & Profiles > Policy > + Add.
  2. Under Access Policies, assign VLAN 20 (or your designated guest VLAN).
  3. Under Advanced, enable Allow AAA Override and NAC State.
  4. Assign the Purple accounting method list.

The CLI equivalent:

wireless profile policy Guest-Policy
 aaa-override
 nac
 vlan 20
 accounting-list Purple-Acct
 no shutdown
!
wireless tag policy Guest-Policy-Tag
 wlan Guest-WiFi policy Guest-Policy

Step 5: Configure iPSK for multi-tenant or IoT deployments

For iPSK, the WLAN configuration differs from the guest setup. The WLAN uses WPA2-PSK with MAC filtering enabled (pointing at the network authorization list from Step 1), and the Policy Profile has AAA Override active so that the per-client PSK and VLAN returned by RADIUS replace the WLAN defaults. The key set on the WLAN itself is the fallback used whenever RADIUS returns no psk attribute, so treat it as a live credential: use a long random value rather than a placeholder like the DefaultKey123 shown below, and check that no tenant is silently relying on it.

wlan Tenant-WiFi 2 Tenant-WiFi
 mac-filtering Purple-Authz
 security wpa psk set-key ascii 0 DefaultKey123
 no security wpa akm dot1x
 security wpa akm psk
 peer-blocking allow-private-group
 no shutdown
!
wireless profile policy Tenant-Policy
 aaa-override
 accounting-list Purple-Acct
 vlan 30
 no shutdown

The RADIUS server (configured in Purple or your RADIUS platform) returns the following attributes per tenant group (placeholders in angle brackets take the tenant's own values):

cisco-av-pair = psk-mode=ascii
cisco-av-pair = psk=<tenant-psk>
Tunnel-Type = VLAN (13)
Tunnel-Medium-Type = IEEE-802 (6)
Tunnel-Private-Group-ID = <vlan-id>
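
To make the attribute table in Tier 3 and the per-tenant list above concrete, here is how those five attributes actually sit on the wire inside an Access-Accept. This is an added example written for this guide, not Purple's or Cisco's code: it encodes the two cisco-av-pair VSAs (Vendor-Specific type 26, vendor 9, vendor-type 1) and the three RFC 2868 tunnel attributes, computes the RFC 2865 Response Authenticator, then decodes the packet the way a controller would and applies the check from the troubleshooting section (the VLAN must exist on the WLC, and the type/medium pair must be VLAN and IEEE-802). Shared secret, request authenticator, identifier and VLAN list are constructed values.

```python
"""iPSK / dynamic-VLAN authorization attributes inside a RADIUS Access-Accept.
Added example for this guide (not Purple's or Cisco's code); all secrets and IDs are constructed."""
import hashlib
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN" (RFC 3580)
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802" (RFC 2868)
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1             # vendor-type of cisco-av-pair inside the VSA


def avp(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one attribute; Length counts the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tagged_integer(attr_type: int, value: int, tag: int = 1) -> bytes:
    # RFC 2868 tagged integer: one tag octet (0x01-0x1F) followed by a 3-octet value
    return avp(attr_type, bytes([tag]) + struct.pack("!I", value)[1:])


def tagged_string(attr_type: int, value: str, tag: int = 1) -> bytes:
    # RFC 2868 tagged string: the VLAN ID travels as text, not as an integer
    return avp(attr_type, bytes([tag]) + value.encode())


def cisco_avpair(pair: str) -> bytes:
    """Vendor-Specific (26) carrying Cisco vendor ID 9 and vendor-type 1 = cisco-av-pair."""
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + avp(CISCO_AVPAIR, pair.encode()))


def ipsk_authorization(psk: str, vlan_id: int) -> bytes:
    """The per-tenant attribute set from Step 5: PSK via cisco-av-pair, VLAN via the tunnel triplet."""
    return b"".join([
        cisco_avpair("psk-mode=ascii"),
        cisco_avpair(f"psk={psk}"),
        tagged_integer(ATTR_TUNNEL_TYPE, TUNNEL_TYPE_VLAN),
        tagged_integer(ATTR_TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802),
        tagged_string(ATTR_TUNNEL_PRIVATE_GROUP_ID, str(vlan_id)),
    ])


def access_accept(identifier: int, request_authenticator: bytes, attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def parse_attributes(blob: bytes):
    """Yield (type, value) pairs; a Length under 2 would loop forever, so it is rejected."""
    pos = 0
    while pos < len(blob):
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            raise ValueError("malformed RADIUS attribute")
        yield attr_type, blob[pos + 2:pos + length]
        pos += length


def decode_ipsk_authorization(attributes: bytes) -> dict:
    """What the controller extracts: tunnel type and medium, the VLAN string, and the psk av-pair."""
    out = {"tunnel_type": None, "medium": None, "vlan": None, "psk": None}
    for attr_type, value in parse_attributes(attributes):
        if attr_type == ATTR_TUNNEL_TYPE:
            out["tunnel_type"] = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_MEDIUM_TYPE:
            out["medium"] = int.from_bytes(value[1:], "big")
        elif attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            # a leading octet of 0x00-0x1F is a tag; anything larger is already part of the string
            out["vlan"] = (value[1:] if value[0] <= 0x1F else value).decode()
        elif attr_type == ATTR_VENDOR_SPECIFIC and int.from_bytes(value[:4], "big") == CISCO_VENDOR_ID:
            sub_type, sub_len = value[4], value[5]
            pair = value[6:4 + sub_len].decode()
            if sub_type == CISCO_AVPAIR and pair.startswith("psk="):
                out["psk"] = pair[4:]
    return out


def vlan_assignment_is_valid(decoded: dict, wlc_vlans: set) -> bool:
    """The WLC only steers the client when the triplet is complete and the VLAN exists on the controller."""
    vlan = decoded["vlan"]
    return (decoded["tunnel_type"] == TUNNEL_TYPE_VLAN and decoded["medium"] == TUNNEL_MEDIUM_IEEE_802
            and vlan is not None and vlan.isdigit() and int(vlan) in wlc_vlans)


# Constructed demo values
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))
WLC_VLANS = {20, 30, 31, 32}   # VLANs that exist on the controller

if __name__ == "__main__":
    pkt = access_accept(7, REQUEST_AUTHENTICATOR, ipsk_authorization("Tenant31-Passphrase", 31), SHARED_SECRET)
    decoded = decode_ipsk_authorization(pkt[20:])
    print(decoded, "steerable:", vlan_assignment_is_valid(decoded, WLC_VLANS))
```

Run against a tenant whose group is mapped to VLAN 99, which is not in WLC_VLANS, the decode succeeds but vlan_assignment_is_valid returns False: that is exactly the "wrong VLAN or no connection" case from the troubleshooting section, and it is invisible in the RADIUS server's own logs, which only show the Access-Accept leaving.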

Best practices

Adherence to established standards ensures stability, security, and regulatory compliance across your deployment.

Enforce strict certificate validation. When deploying 802.1X, configure client devices via MDM to explicitly trust your RADIUS server's certificate authority and specify the expected server name. Failure to enforce this leaves clients vulnerable to rogue access point attacks, where an attacker presents a fraudulent certificate to capture credentials. This is a hard requirement, not a recommendation.

Isolate guest traffic at the network layer. Guest WiFi must terminate on a dedicated VLAN that is firewalled from all corporate resources. PCI DSS 4.0 requires that cardholder data environments are isolated from public networks. A guest on VLAN 20 must have no route to the corporate network on VLAN 10.

Use iPSK for IoT devices, not MAC Authentication Bypass. MAC addresses are broadcast in plaintext and are trivial to spoof. iPSK provides cryptographic security for headless devices. For guidance on how display and IoT devices interact with wireless protocols, see What Is Wireless Display: Protocols & Best Practices 2026.

Define clear terms of use. Your captive portal must present a terms of use agreement before granting access. This is a GDPR requirement for data collection and a legal necessity for network usage policies. For internal staff networks, consult Staff WiFi Terms and Conditions: Legal and Compliance Essentials.

Deploy RADIUS redundancy. Always configure a primary and secondary RADIUS server. Purple provides two server IP addresses for this purpose. A single RADIUS server failure will prevent all guest logins.

Troubleshooting and risk mitigation

Even with careful configuration, integration issues arise. Address the most common failure modes systematically before escalating.

Issue: Guests connect but the splash page does not appear.

This is the most common issue. The pre-authentication ACL is blocking DNS. Without DNS, the client cannot resolve the initial HTTP request, and the operating system will not trigger the captive portal mini-browser. Verify that UDP port 53 is permitted to your DNS servers in the walled garden ACL. On the WLC, run show wireless client summary to confirm the client is in a Webauth Pending state rather than Run.

Issue: iPSK clients fail to connect or land on the wrong VLAN.

The VLAN specified in Tunnel-Private-Group-ID does not exist on the WLC, the Tunnel-Type and Tunnel-Medium-Type pair is missing or wrong (they must be VLAN (13) and IEEE-802 (6)), or the cisco-av-pair attributes are malformed. Run debug radius on the WLC to inspect the raw RADIUS response; on the 9800 the supported approach is the radioactive trace, started with debug wireless mac <client-mac> and read back with show logging profile wireless filter mac <client-mac>. Verify the VLAN is created under Configuration > Layer2 > VLAN > VLAN, and confirm that AAA Override is enabled on the Policy Profile, without which the returned attributes are ignored and the client lands on the profile's default VLAN.

Issue: 802.1X staff clients fail to authenticate intermittently.

This is typically a RADIUS server timeout or a certificate trust issue on the client. Check the RADIUS server logs for Access-Reject messages. On Windows clients, verify the WiFi profile is configured to validate the server certificate and specifies the correct trusted CA.

Issue: CoA from Purple is not processed by the WLC.

On IOS-XE the CoA key is configured separately from the RADIUS shared secret: under aaa server radius dynamic-author, each client <ip> entry carries its own server-key. If that key differs from the CoA key in the Purple portal, RFC 5176 requires the WLC to discard the request silently, so the client stays in Webauth Pending and no CoA-NAK is returned. Verify that both the RADIUS secret and the CoA key match the portal values, that every Purple RADIUS address is listed as a dynamic-author client, that the controller is reachable on its CoA port (IOS-XE defaults to UDP 1700; RFC 5176 registers 3799), and that the Policy Profile has NAC State enabled.
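
The silent discard above is what makes this issue hard to diagnose, so the following model, added for this guide and not taken from Purple or Cisco, shows both sides of a CoA exchange: the server builds a CoA-Request with the RFC 5176 Request Authenticator (MD5 over the header, sixteen zero octets, the attributes and the key), and the controller recomputes it with its own dynamic-author key, answering CoA-ACK, CoA-NAK with Error-Cause 503 (Session Context Not Found), or nothing at all when the key is wrong. Keys, MAC address and identifiers are constructed values; session lookup by Calling-Station-Id is a simplification of the real controller's matching.

```python
"""RFC 5176 CoA-Request handling from both ends. Added example for this guide
(not Purple's or Cisco's code); keys, MACs and identifiers are constructed."""
import hashlib
import hmac
import struct
from typing import Optional, Set

COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
ATTR_CALLING_STATION_ID = 31           # client MAC, used here to identify the session
ATTR_ERROR_CAUSE = 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503  # RFC 5176 Error-Cause value


def avp(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def coa_request(identifier: int, client_mac: str, secret: bytes) -> bytes:
    """Server side. Request Authenticator = MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    attributes = avp(ATTR_CALLING_STATION_ID, client_mac.encode())
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attributes))
    request_auth = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + request_auth + attributes


def request_is_authentic(packet: bytes, secret: bytes) -> bool:
    """NAS side: the same MD5 with the local key must reproduce the received authenticator."""
    if len(packet) < 20 or packet[0] != COA_REQUEST or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def coa_response(code: int, identifier: int, request_auth: bytes, attributes: bytes, secret: bytes) -> bytes:
    """CoA-ACK / CoA-NAK. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return header + hashlib.md5(header + request_auth + attributes + secret).digest() + attributes


def calling_station_id(packet: bytes) -> Optional[str]:
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            return None
        if attr_type == ATTR_CALLING_STATION_ID:
            return packet[pos + 2:pos + length].decode()
        pos += length
    return None


def wlc_handle_coa(packet: bytes, wlc_coa_key: bytes, active_sessions: Set[str]) -> Optional[bytes]:
    """Toy controller: None means silently discarded, otherwise a CoA-ACK or CoA-NAK packet."""
    if not request_is_authentic(packet, wlc_coa_key):
        return None                      # RFC 5176: no response at all, which is what the operator observes
    identifier, request_auth = packet[1], packet[4:20]
    if calling_station_id(packet) not in active_sessions:
        error = avp(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND))
        return coa_response(COA_NAK, identifier, request_auth, error, wlc_coa_key)
    return coa_response(COA_ACK, identifier, request_auth, b"", wlc_coa_key)


# Constructed demo values
SERVER_KEY = b"purple-portal-coa-key"
WLC_MATCHING_KEY = SERVER_KEY
WLC_MISMATCHED_KEY = b"radius-shared-secret-typed-here-by-mistake"
SESSIONS = {"aa-bb-cc-11-22-33"}

if __name__ == "__main__":
    req = coa_request(5, "aa-bb-cc-11-22-33", SERVER_KEY)
    print("matching key  :", wlc_handle_coa(req, WLC_MATCHING_KEY, SESSIONS)[0])   # 44 = CoA-ACK
    print("mismatched key:", wlc_handle_coa(req, WLC_MISMATCHED_KEY, SESSIONS))    # None
```

The practical consequence: a CoA-NAK in a packet capture means the key is right and the problem is the session (client already gone, or identified by attributes the controller does not match), while no reply at all points at the key, the dynamic-author client list, or the CoA port.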

ROI and business impact

Transitioning from basic PSK networks to a structured, identity-based architecture with Purple delivers measurable business outcomes across Hospitality, Retail, Healthcare, and Transport verticals.

First, the architecture eliminates the operational cost of managing shared passwords. When staff leave, you revoke their certificate. You do not change a global password and update every device on the estate. Second, the integration with Purple's captive portal turns an IT cost centre into a revenue driver. Purple's platform captures compliant first-party data at every login, enabling automated marketing campaigns and visitor analytics. With 29 billion data points collected across the Purple network (Purple internal data), the platform provides actionable insight into visitor behaviour, dwell time, and return rates.

For venue operators running surveys to understand visitor satisfaction, the Purple platform integrates directly with research workflows. See Design of a Survey: A Practical Guide for Venues for guidance on structuring effective venue surveys delivered via the captive portal.

By integrating Cisco's enterprise-grade hardware with Purple's cloud overlay, you achieve a secure, scalable network that actively contributes to the venue's commercial objectives. Purple is ISO 27001 certified, GDPR and CCPA compliant, Cyber Essentials certified, and B Corp certified - meeting the compliance requirements of enterprise procurement teams.

Key Definitions

RADIUS

Remote Authentication Dial-In User Service. A networking protocol that provides centralised Authentication, Authorization, and Accounting (AAA) management for network access. Defined in RFC 2865 and RFC 2866.

IT teams configure the Cisco WLC to forward client credentials to the RADIUS server, which checks them against a directory and returns an Access-Accept or Access-Reject response along with policy attributes.

Captive portal

A web page that a user of a public-access network must view and interact with before internet access is granted. Implemented via HTTP redirection by the network access device.

Used in Guest WiFi deployments to capture visitor data, present terms of use, or display branded content before allowing internet access. Purple provides the hosted captive portal infrastructure.

iPSK (Identity Pre-Shared Key)

A Cisco feature that allows unique Pre-Shared Keys to be assigned to different users or device groups on the same SSID, with the PSK delivered per-client by a RADIUS server.

Essential for IoT devices or multi-tenant environments where 802.1X is not feasible but network segmentation is required. Eliminates the need to broadcast multiple SSIDs.

IEEE 802.1X

An IEEE standard for port-based Network Access Control (PNAC). It provides an authentication mechanism that blocks all data traffic from a device until the RADIUS server has confirmed authorisation.

The foundation of enterprise Staff WiFi, ensuring only authorised corporate devices with valid credentials or certificates can access internal resources.

EAP-TLS

Extensible Authentication Protocol - Transport Layer Security. A certificate-based authentication method that requires digital certificates on both the RADIUS server and the client device, eliminating passwords entirely.

The most secure method for authenticating corporate devices. Certificates are deployed via MDM. Access is revoked by invalidating the certificate, not by changing a shared password.

Walled garden

A limited network environment that controls the user's access to web content before they have fully authenticated. Implemented as a pre-authentication ACL on the WLC.

Configured on the Cisco WLC to allow access to the Purple splash page, DNS, and social login providers before the guest is granted full internet access.

Dynamic VLAN assignment

The process of automatically placing a connected device on a specific Virtual LAN based on RADIUS authorization attributes returned at authentication time.

Ensures that staff, guests, and IoT devices are placed on isolated network segments automatically upon connection, without manual configuration per device.

Change of Authorization (CoA)

A RADIUS extension (RFC 5176) that allows the RADIUS server to dynamically modify the session authorization attributes of an already-connected client.

Required for captive portals. Once the guest authenticates on the Purple splash page, Purple sends a CoA message to the WLC to transition the client from the pre-authentication walled garden state to full internet access.

Central Web Authentication (CWA)

A Cisco authentication method in which the RADIUS server drives the redirect: the WLC performs MAC filtering, the server returns the portal URL and the redirect ACL name (cisco-av-pair url-redirect and url-redirect-acl), and once the user authenticates on the portal the server issues a CoA to change the session. Unlike Local Web Authentication, the WLC itself never hosts or relays the login form. This enables cloud-hosted captive portal solutions.

Used to integrate the Cisco WLC with Purple's cloud-hosted captive portal, allowing Purple to manage the guest authentication experience and data capture.

Worked Examples

A large shopping centre needs to provide secure, private WiFi to 50 retail tenants using a single Cisco Catalyst 9800 WLC and a single broadcast SSID. Each tenant must be isolated from every other tenant's devices. How do they achieve this without broadcasting 50 separate SSIDs?

The IT team deploys Cisco iPSK. They configure a single SSID named 'Mall-Tenant-WiFi' with WPA2-PSK and MAC filtering enabled. In the RADIUS server, they create 50 endpoint identity groups, one per tenant. Each group is assigned a unique PSK via the cisco-av-pair psk= attribute and a unique VLAN ID via the IETF Tunnel-Private-Group-ID attribute. When a retail tenant's point-of-sale device connects using their specific password, the WLC sends a MAC authentication request to the RADIUS server. The server matches the MAC address to the tenant's group and returns the PSK and VLAN assignment. The WLC processes the attributes, validates the PSK, and places the device on the tenant's isolated VLAN. The peer-blocking allow-private-group setting ensures devices sharing the same PSK can communicate with each other, while devices on different PSKs are blocked from cross-tenant communication.

Examiner's Commentary: This approach scales efficiently. Broadcasting 50 separate SSIDs would cause severe co-channel interference in a dense environment and degrade performance for every user. Each additional SSID consumes airtime with management frames. iPSK delivers the security and segmentation of 50 separate networks with the RF efficiency of one. The trade-off is that the RADIUS server becomes a critical dependency - ensure it is highly available.

A 300-room Premier Inn property is migrating from local WLC guest accounts to Purple's cloud captive portal. After the configuration is applied, guests report they connect to the WiFi SSID, receive an IP address, but their devices show 'No Internet' and the splash page never appears. What is the diagnostic process?

Step 1: Verify the client state on the WLC using show wireless client mac-address <mac-address> detail. The client should be in 'Webauth Pending' state. If it shows 'Run', the pre-authentication ACL is not applied correctly or permits all traffic. Step 2: Check the pre-authentication ACL. The most common cause of this symptom is that the ACL blocks DNS (UDP port 53). Without DNS, the client cannot resolve any domain, and the OS captive portal detection mechanism fails silently. Add an explicit permit rule for UDP port 53 to the venue's DNS server IPs. Step 3: Verify the Purple walled garden ranges are permitted in the ACL. The client must be able to reach the Purple splash page URL before authentication. Step 4: Confirm the WLC virtual IP address has been changed from the default 1.1.1.1 to a non-routable address such as 192.0.2.1, as the default address is now a public DNS resolver and conflicts with legitimate internet traffic.

Examiner's Commentary: The 'No Internet' symptom with no redirect is almost always a DNS or walled garden ACL issue. Modern operating systems (iOS, Android, Windows, macOS) use captive portal detection by making HTTP requests to known URLs. If DNS fails, these requests cannot be made, and the OS never triggers the captive portal browser. Always permit DNS in the pre-authentication ACL - this is the single most common deployment error we see.

Practice Questions

Q1. You are deploying Staff WiFi across 40 retail branches using Cisco Catalyst 9800 WLCs. You want to use 802.1X, but the company does not yet have an MDM solution to distribute certificates to employee smartphones. What is the most secure viable approach, and what risk mitigation must you implement?

Hint: Consider the balance between credential security and deployment feasibility when certificates are not yet an option. Focus on the specific risk that arises from the alternative method.

View model answer

Deploy PEAP-MSCHAPv2 as an interim measure. While not as secure as EAP-TLS, it provides encrypted password authentication within a TLS tunnel. The critical risk mitigation is enforcing server certificate validation on every client device. For Windows laptops, deploy a Group Policy Object that specifies the exact trusted Certificate Authority and the expected RADIUS server name in the WiFi profile. For iOS and Android devices, distribute a WiFi configuration profile via email or a lightweight MDM-free tool that enforces certificate validation. Without this, an attacker can deploy a rogue access point with a fraudulent certificate and capture credentials. Plan the migration to EAP-TLS as soon as MDM is available.

Q2. A stadium IT director needs to segment media broadcasters, ticketing terminals, and HVAC IoT sensors onto separate isolated networks. The IoT sensors do not support 802.1X. All three groups must use WiFi. How should the WLC be configured?

Hint: Look for a solution that provides unique credentials and VLAN assignment per device group without requiring enterprise supplicants on headless devices.

View model answer

Implement Cisco iPSK with a single SSID for venue operations. Create three endpoint identity groups in the RADIUS server: Broadcasters, Ticketing, and HVAC. Assign each group a unique PSK via cisco-av-pair and a unique VLAN ID via Tunnel-Private-Group-ID. Configure the WLC WLAN with WPA2-PSK, MAC filtering enabled, and AAA Override active. Broadcasters receive PSK-A and VLAN 31, ticketing receives PSK-B and VLAN 32, and HVAC sensors receive PSK-C and VLAN 33. Set peer-blocking to allow-private-group so devices within the same group can communicate (e.g., ticketing terminals to their server), while cross-group communication is blocked. This avoids MAC Authentication Bypass, which would be trivially spoofed.

Q3. During a Guest WiFi deployment at a conference centre, clients connect to the SSID and receive an IP address, but the captive portal redirect never occurs. The walled garden ACL permits traffic to all Purple IP ranges. What is the most likely missing configuration element, and how do you verify it?

Hint: Think about the protocols required before an HTTP request can be made by the client device.

View model answer

The most likely cause is that the pre-authentication ACL blocks DNS traffic (UDP port 53). Before a client device can make the HTTP request that the WLC intercepts to trigger the redirect, it must resolve the domain name via DNS. Modern OS captive portal detection mechanisms (Apple's captive.apple.com, Microsoft's www.msftconnecttest.com, Google's connectivitycheck.gstatic.com) all require DNS resolution. To verify: run show wireless client mac-address <mac-address> detail on the WLC and confirm the client is in 'Webauth Pending' state. Then review the ACL hit counters (show ip access-lists Purple_Guest_Walled_Garden) to see whether DNS traffic is falling through to the implicit deny. Fix by adding an explicit permit rule for UDP port 53 to the venue's DNS server IPs in the walled garden ACL.

Continue reading in this series

Grandstream GWN Access Points Integration with Purple WiFi

This authoritative technical reference guide details how to integrate Grandstream GWN access points with Purple's Guest WiFi and analytics platform. It covers Grandstream captive portal configuration, RADIUS AAA settings, walled garden setup, secure staff 802.1X authentication with dynamic VLAN steering, and multi-tenant PPSK segmentation - providing actionable, step-by-step guidance for MSPs and IT teams deploying guest and staff WiFi at scale.

Read the guide →

OpenWrt Custom Firmware Integration with Purple WiFi

This guide provides the complete integration playbook for deploying OpenWrt custom firmware with Purple WiFi. It covers CoovaChilli captive portal configuration, iptables walled garden management, 802.1X secure staff WiFi with hostapd, and multi-tenant PPSK segmentation with dynamic VLAN assignment - giving IT teams the exact configuration steps needed to build an Identity-Based Network on any OpenWrt-capable hardware.

Read the guide →
