跳至主要内容
ISO 27001
Purple certified since 2017
99.999%
authentication uptime SLA
WPA3
enterprise-ready across the platform
< 50ms
cloud RADIUS auth latency

TL;DR / Key Takeaways

  • Enterprise WiFi security is identity-first. A device joining the network proves it belongs to a known user or asset, against an identity provider, before traffic is allowed.
  • The three credible authentication models in 2026: WPA3 Enterprise with EAP-TLS (managed workforce), iPSK (IoT and contractors), captive portal with RADIUS (guests). Shared pre-shared keys do not belong in any of them.
  • Cloud RADIUS replaces on-prem Windows NPS for most organisations. The exceptions are estates where authentication has to survive WAN failure - distributed retail, remote sites, ships, aircraft.
  • The identity provider is the source of truth. Entra ID, Okta, and Google Workspace integrations are first-class; SCIM-driven group sync drives VLAN, ACL, and role assignment at the access point.
  • The compliance story (UK GDPR, PCI DSS 4.0, HIPAA, ISO 27001:2022) is satisfied by the same control set. Build the stack once; pass every audit that asks about wireless.

Most enterprise WiFi networks are still running on a credential model designed when employees worked from one building and IoT meant a wired printer. A single pre-shared key, shared across the workforce, rotated at variable intervals, written on a whiteboard near reception.

That model has been obsolete for a decade. Hybrid working, BYOD, contractor density, and the long parade of IoT make a shared password an unmanaged credential by definition. The leaver risk alone is enough to retire it; PCI DSS 4.0 and ISO 27001:2022 are now explicit that wireless authentication is in scope.

This guide is the technical and operational reference for what replaces the shared password. 802.1X and EAP-TLS for managed devices, iPSK for IoT and contractors, captive portal for guests, and a cloud RADIUS layer that ties all three back to your identity provider. Aimed at IT directors, security architects, and the network engineers who run the deployments.

The four properties of secure enterprise WiFi

A wireless network qualifies as enterprise-grade if it does four things. Networks that do three of them are common; networks that do all four are rare and worth working towards.

Identity-bound authentication

Every device that joins the network is tied to a known user or known asset, authenticated against your directory. No shared credentials, no anonymous joins.

Transmission encryption

WPA3 Enterprise as a minimum. AES-256, forward secrecy, protected management frames (802.11w) on. Transitional WPA2 fallback only where unavoidable.

Authorisation past join

Authentication grants network access; authorisation decides what that access is. Dynamic VLAN, ACL, or SGT assigned from RADIUS attributes - not flat-L2 trust after the password.

Auditable revocation

When a user leaves, when a device is lost, when a contract ends, network access stops within minutes. JML automation, certificate revocation, iPSK rotation - whichever the model is.

The six authentication models

Most organisations end up running two or three of these in parallel: one for managed workforce devices, one for IoT and contractors, one for guests. Mapping the right method to the right population is the first decision.

WPA3 Enterprise

Current standard. 192-bit suite-B mode for sensitive environments. Forward secrecy by default. The destination for any new enterprise SSID.

Use for: New builds. Refresh of existing 802.1X SSIDs.

EAP-TLS

Certificate-based, passwordless. The most secure method available; the one auditors prefer; the one with the highest user-experience score once provisioning is automated.

Use for: Managed workforce devices. BYOD with MDM-issued certs.

iPSK

Per-identity pre-shared key, looked up via RADIUS. No supplicant configuration. Per-identity isolation and revocation. Right answer where 802.1X is impractical.

Use for: IoT, contractors, multi-tenant residential, headless devices.

PEAP-MSCHAPv2

Username and password tunnelled inside TLS. Widely deployed, but only safe with strict server-certificate validation on every supplicant. Plan to retire.

Use for: Legacy estates during EAP-TLS migration only.

Captive portal + RADIUS

Authenticated guest WiFi. Identity comes through a portal sign-in, RADIUS records the session for accounting and policy. The right answer for visitors, not for staff.

Use for: Guests, contractors, partners. Never for managed devices.

Passpoint / OpenRoaming

Device-level certificate trust to a federated identity provider; joining is automatic. The future of public and large-venue WiFi; complementary to the above.

Use for: Large venues, transport hubs, federated education.

RADIUS: cloud or on-prem?

Every authentication model above runs through a RADIUS layer. RADIUS is the protocol; what changes between vendors and deployment models is where the RADIUS server sits and how it talks to your identity provider.

The dominant on-prem implementations - Microsoft Network Policy Server (NPS) and FreeRADIUS - were designed for an era when authentication latency over a leased line was tolerable and the identity provider was a domain controller in the same rack. Both still run a lot of corporate WiFi. Neither is a comfortable place to be in 2026.

Cloud RADIUS replaces the server-in-the-rack model with a managed service: anycast or multi-region active-active, sub-50ms authentication latency to anywhere, native connectors into Entra ID, Okta, and Google Workspace, automated certificate handling for EAP-TLS. The trade-off is that the WAN now sits between the access point and the auth server.

For most mid-market and a growing share of large-enterprise estates, the trade-off is worth taking. The exceptions are estates where authentication has to survive WAN failure: distributed retail with poor backhaul, remote industrial sites, ships, aircraft. There, on-prem RADIUS or a hybrid local-with-cloud-failover model still has a job. See Purple RADIUS-as-a-Service.

NPS to cloud RADIUS migration

  1. Export current NPS policy set; translate to the cloud-RADIUS policy model.
  2. Stand up cloud RADIUS in parallel, bound to the same identity provider.
  3. Migrate one SSID at a time, or one site at a time. Watch the auth-latency dashboards.
  4. Switch back-up routes from NPS to local-fallback (if used) before retiring NPS.
  5. Decommission NPS once the rollback window has closed.

The first three weeks are the entire risk. Plan a long quiet-period rollback option.

Identity provider integration

The identity provider is the source of truth. Group membership, employment status, device posture, and conditional-access policy all live there. The RADIUS layer is the bridge between the access point and the IdP; the value of the integration is what the IdP can decide about each authentication attempt.

Purple integrates natively with:

Microsoft Entra ID (Azure AD)
Okta
Google Workspace
JumpCloud
Ping Identity
Active Directory
OneLogin
Auth0

SCIM provisioning is the operational layer that makes the integration useful. When HR marks a leaver, SCIM propagates the change to the IdP, the IdP propagates to RADIUS, and the user’s WiFi access is removed within minutes. This is the JML automation that ISO 27001 auditors look for; it is also what saves the helpdesk from doing it manually.

Conditional Access (Entra ID) and equivalent policy engines apply at the WiFi join moment. Device posture (compliant, healthy, managed), location, and risk score are all available signals. Used well, they let you enforce “managed corporate devices only on this SSID” without writing a single ACL.

BYOD onboarding and the zero-trust LAN

Personal devices are the second-biggest population on most enterprise WiFi networks. Getting them onto WPA2/3 Enterprise without a helpdesk ticket is the difference between a workable security policy and one that gets routed around.

The pattern that scales is self-service certificate issuance through an onboarding portal. The user signs in with their corporate credentials, the portal generates a per-device certificate, the device installs it via a provisioning profile (iOS, macOS), Group Policy / Intune (Windows, Android), or MDM (corporate-managed devices). The certificate is bound to the user and the device, has a short lifetime, and auto-renews while the user remains an employee.

The zero-trust framing applies here. The WiFi join is the first authentication moment, not the only one. Device posture, network segmentation past the SSID, and continuous verification are the rest of the model. A modern WiFi stack contributes to a zero-trust LAN without needing to be marketed as such; the principles are identity-first authentication, micro-segmentation by role, and explicit-deny defaults. See WPA2 and WPA3 Enterprise and Staff WiFi.

Compliance and audit evidence

Wireless authentication has moved from a supporting control to an explicit, in-scope requirement across every major framework. The same stack satisfies all of them; the evidence just has to be available on demand. Pizza Express, AGS Airports, and the University of Sheffield run on Purple.

UK GDPR

Consent capture, data-subject rights, and breach notification all run through the guest WiFi data path, and the ICO can act on shared-credential exposure of personal data. Identity-bound access with an auditable log is the defensible position.

Reference ›

PCI DSS 4.0

Wireless requirements: 4.2.1 (strong cryptography), 11.2 (rogue-AP detection), 8.3 (unique user IDs - no shared passwords on the CDE WLAN). 802.1X with EAP-TLS is the cleanest control.

Reference ›

HIPAA Security Rule

§164.312(a)(1) unique user identification, §164.312(b) audit controls, §164.312(d) person or entity authentication. Certificate-based WiFi maps to all three.

Reference ›

ISO 27001:2022

Annex A.5.16 identity management, A.8.5 secure authentication, A.5.18 access rights. JML-tied WiFi access with audit trail is the evidence auditors look for.

Reference ›

Cyber Essentials

The UK government security baseline, which Purple holds. Secure configuration and access control both cover wireless authentication; certificate-based join is the cleanest evidence.

Reference ›

The three pieces of evidence that auditors ask for, in order: a current access log showing who has WiFi access and on what authentication method; a sample of leaver records demonstrating that access was removed within the documented SLA; and a configuration export of the RADIUS policy showing how each population is segregated. A WiFi stack that cannot produce these in minutes is not audit-ready, regardless of how secure it actually is.

Hardware compatibility

The authentication layer should be hardware-agnostic. Purple’s enterprise security stack runs on the access points you already own.

Cisco Meraki
Cisco Catalyst
HPE Aruba
Ruckus
Juniper Mist
Ubiquiti UniFi
Cambium Networks
Extreme Networks
Fortinet

Every current-generation enterprise access point supports the relevant standards: WPA3 Enterprise, EAP-TLS (RFC 5216), RADIUS (RFC 2865), and dynamic VLAN assignment via vendor-specific attributes. Older equipment (pre-Wave 2 802.11ac) may not; check before committing to an EAP-TLS rollout on it.

How to evaluate an enterprise WiFi security platform

An eight-item checklist for procurement, security, and network teams.

IdP-native integration

Direct authentication against Entra ID, Okta, or Google Workspace - not a brittle LDAP shim. SCIM-driven group sync.

Certificate lifecycle automation

SCEP / EST / Intune for issuance. Auto-renewal at 30 days, auto-revocation on leaver event. Manual cert handling does not scale past ~200 devices.

Cloud RADIUS with regional failover

Anycast or multi-region active-active. Authentication latency under 50ms. Survives WAN events without bringing the WLAN down.

Dynamic VLAN / role assignment

RADIUS VSAs that drive VLAN, ACL, or SGT. Authorisation must do real work; identity alone is not enough.

Passpoint / OpenRoaming readiness

Even if not deployed today, the platform should be Passpoint-capable. The transition is starting.

Auditable access log

Every join attempt, every failure reason, every policy decision. ISO 27001 and SOC 2 evidence in the dashboard, not a CSV export.

Hardware independence

Works with Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet. The authentication layer should outlive the AP refresh.

Migration tooling

Parallel-run support during NPS or legacy-RADIUS replacement. Cutover by SSID or by site, not all at once.

How to secure public WiFi for a venue

Securing public WiFi for a venue requires five layers working together: network isolation, session accountability, content filtering, encryption, and activity logging. Each layer addresses a distinct threat - from lateral movement into business systems to liability from unlogged traffic.

  1. Network segmentation. Place the guest SSID on a dedicated VLAN, completely isolated from your POS terminals, CCTV system, staff network, and any system holding cardholder or personal data. A guest who can reach your internal network is not a guest - they are a security incident. Most enterprise access points support this natively; the VLAN assignment can be driven from RADIUS so it applies automatically as guests associate.
  2. Captive portal with consent logging. Require sign-on before granting internet access. This creates an auditable session record - who connected, when, and from which device - and captures GDPR-compliant consent before any personal data is processed. A session log also deters misuse: anonymous access is the single biggest liability risk on a public network.
  3. DNS filtering and content blocking. Block malware domains, command-and-control infrastructure, peer-to-peer traffic, and illegal content at the DNS resolver - before any packet reaches the open internet. Category-based controls let you allow business browsing while blocking the traffic categories that create liability or consume disproportionate bandwidth.
  4. WPA2 or WPA3 encryption on the guest SSID. WPA2 is the minimum; WPA3 is available on all current-generation access points and removes the “unsecured network” warning that damages guest trust on iOS and Android. Passpoint (OpenRoaming) goes further - guests join automatically using a device certificate, with no password prompt and no splash page friction.
  5. Activity log retention. Retain connection logs for the period required by your jurisdiction. 12 months under the UK Investigatory Powers Act. Logs are both a legal obligation and your liability protection if you are ever required to assist an investigation. Ensure the logs capture session start and end times, the authenticating identity, and the assigned IP address.

Purple handles all five layers: Purple’s captive portal provides session accountability and consent capture; Purple Shield delivers DNS filtering and content controls; Purple SecurePass provides Passpoint-based WPA3 join. All three are hardware-agnostic and work across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet.

Frequently asked questions

What is enterprise WiFi security?

+

Enterprise WiFi security is the umbrella term for the standards, protocols, and operational practices that protect a wireless network used by employees, contractors, and managed devices. The defining difference from consumer WiFi is identity: each user or device is authenticated against a directory rather than sharing a single password.

What is the difference between WPA2 Personal and WPA2 Enterprise?

+

WPA2 Personal uses a single pre-shared key (PSK) - the office WiFi password everyone shares. WPA2 Enterprise uses 802.1X to authenticate each user or device against a RADIUS server backed by your identity provider. WPA3 is the current standard; WPA3 Enterprise replaces the older PSK fallback weaknesses and adds 192-bit suite-B mode for sensitive environments.

What is 802.1X?

+

802.1X is the IEEE port-based network access control standard. A supplicant (the device) authenticates to an authenticator (the access point) which passes credentials to an authentication server (RADIUS). It works the same way on wired and wireless, but enterprise WiFi is where most organisations meet it. EAP-TLS, PEAP, and EAP-TTLS are the methods that run inside the 802.1X envelope.

Is EAP-TLS the same as passwordless WiFi?

+

In practice, yes. EAP-TLS uses a per-user or per-device certificate instead of a password. The user never types a credential; the device presents its certificate to the network and is authenticated against the issuing CA. Most "passwordless WiFi" products are EAP-TLS with managed certificate issuance bolted on top.

Should we still use PEAP?

+

Only with caveats. PEAP-MSCHAPv2 is still widely deployed but has known weaknesses: if the supplicant skips server-certificate validation (a common misconfiguration), a rogue AP can capture credentials and brute-force them offline. PEAP is acceptable as a stopgap during EAP-TLS migration; it should not be a long-term destination for a security-conscious organisation.

What is cloud RADIUS?

+

A managed RADIUS authentication service hosted by a vendor, with the access points connecting over the public internet (TLS-protected, hardened). It replaces the operational burden of running Windows NPS or FreeRADIUS on-premises. The right answer for most mid-market and a growing share of large-enterprise estates; the wrong answer where you need authentication to survive WAN failure.

How do I integrate WiFi with Entra ID, Okta, or Google Workspace?

+

Through a RADIUS layer that speaks to the IdP. For Entra ID, that's typically a cloud RADIUS service authenticating against Entra ID via the OpenID Connect or modern Microsoft Graph integration, plus Intune-issued certificates for EAP-TLS. Okta and Google Workspace follow the same pattern with their respective directory APIs.

What is iPSK and how is it different from 802.1X?

+

iPSK (Identity Pre-Shared Key) issues a unique pre-shared key per user or device, looked up at the access point through RADIUS. It's simpler to deploy than 802.1X (no supplicant configuration on every device) but provides per-identity isolation. iPSK is the right authentication for IoT devices, contractor BYOD, and multi-tenant residential WiFi; 802.1X with EAP-TLS is the right authentication for managed workforce devices.

Does WiFi security have to be part of a zero-trust programme?

+

WiFi authentication is the LAN equivalent of the identity-first principle in zero trust. A modern WiFi stack contributes: identity verification at network join, device posture as a continuous signal, micro-segmentation past the SSID via dynamic VLAN assignment, and revocation tied to the JML process. Calling it 'zero trust' isn't necessary; getting these four right is.

How does this satisfy HIPAA, PCI DSS, and ISO 27001?

+

HIPAA technical safeguards require unique user identification and audit controls; certificate-based WiFi gives you both natively. PCI DSS 4.0 requires authentication for any wireless access to the cardholder data environment and prohibits shared accounts; 802.1X with EAP-TLS is the cleanest path. ISO 27001:2022 Annex A.5.16 (identity management) and A.8.5 (secure authentication) are both addressable with the same stack. We have a full control-mapping cluster post linked from this pillar.

How do I secure public WiFi for a venue?

+

Secure public WiFi for a venue with five layers: (1) Network segmentation - put the guest SSID on its own VLAN, isolated from your point-of-sale, CCTV, and corporate systems. (2) Captive portal - require sign-on to create an accountable session log and collect GDPR-compliant consent. (3) DNS filtering and content blocking - stop malware domains and peer-to-peer traffic at the resolver. (4) WPA2 or WPA3 encryption on the guest SSID; Passpoint removes the "unsecured network" warning on modern devices. (5) Activity log retention for your jurisdiction - 12 months under the UK Investigatory Powers Act. Purple Shield handles DNS and content filtering; Purple Connect provides the captive portal and consent flow; Purple SecurePass delivers Passpoint and WPA3.

Cluster guides in this series

Deep-dive guides that support this pillar. Each goes further on one part of the enterprise WiFi authentication stack.

WPA2 Personal 与 Enterprise:有什么区别以及您应该使用哪一个?

本技术参考指南对 WPA2 Personal 和 WPA2 Enterprise 无线安全标准进行了权威对比。它详细介绍了 IT 决策者保护企业网络安全所需的底层加密握手、架构要求和部署方法。读者将学习如何从共享密码过渡到个性化的、基于证书的身份验证,以符合合规性框架并减轻内部威胁。

Read guide →

三大 SSID 统领全局:访客、Passpoint 与 IoT WiFi 设置指南

本技术指南为企业级场馆实施三 SSID WiFi 设计提供了权威蓝图。它详细介绍了开放式访客 Captive Portal 的配置、自动化 Passpoint 引导以及单设备 xPSK 身份验证,以实现完全的 VLAN 隔离和零信任网络访问。

Read guide →

Server RADIUS:面向企业的全面指南

本指南为 IT 经理、网络架构师和 CTO 提供关于企业 WiFi 的 server RADIUS 身份验证的权威技术参考。它涵盖了 AAA 框架、802.1X 架构、EAP 方法选择、云端与本地部署的权衡以及动态 VLAN 分配。酒店、零售、活动和公共部门的场所运营商将获得可行的实施指导、真实案例研究以及从不安全的预共享密钥迁移到安全的、身份驱动的网络访问控制架构所需的决策框架。

Read guide →

Aruba ClearPass 对比 Purple WiFi:功能与协同部署比较

一份全面的技术指南,详细介绍了 Aruba ClearPass 和 Purple WiFi 的协同部署架构。内容涵盖 RADIUS 代理配置、动态 VLAN 分配,以及在企业级网络准入控制(NAC)旁部署安全且由分析驱动的访客网络的最佳实践。

Read guide →

Cisco ISE 对比 Purple WiFi:如何进行对比与协同工作

本指南阐述了 Cisco ISE 和 Purple WiFi 在企业网络中如何承担不同但互补的角色。它详细介绍了如何使用 Cisco ISE 进行安全的 802.1X 企业级访问控制,同时利用 Purple 实现符合 GDPR 的访客 WiFi、营销分析以及 CRM 集成。

Read guide →

EAP-TLS 对比 EAP-TTLS:您应该选择哪种基于证书的 WiFi 协议?

本指南针对 IEEE 802.1X 下的企业 WiFi 身份验证,对 EAP-TLS 和 EAP-TTLS 进行了权威的直接对比。它解释了双向证书身份验证与仅服务器证书隧道之间的架构差异,并根据设备管理能力和合规性要求,为 IT 经理、网络架构师和 CISO 提供了清晰的决策框架。Purple 支持员工 WiFi 的 EAP-TLS 和 EAP-TTLS 身份验证路径,本指南可帮助企业在致力于任何一种方法之前了解基础设施的权衡。

Read guide →

什么是 802.1X Supplicant(客户端)?客户端类型与设备配置

本指南阐述了 802.1X supplicant 在企业 WiFi 身份验证中的作用。内容涵盖技术架构、原生操作系统 supplicant 与第三方客户端的对比,并为部署 EAP-TLS 和 PEAP 的 IT 团队提供实用的配置指导。

Read guide →

管理用于 EAP-TLS WiFi 身份验证的数字证书

本技术参考指南详细介绍了 EAP-TLS WiFi 身份验证数字证书的生命周期管理。它提供了利用 SCEP 和 MDM 集成在企业网络中大规模部署、更新和吊销证书的可行策略。

Read guide →

无需 Active Directory 或本地服务器的企业级 WiFi 身份验证

本指南阐述如何在没有本地 Active Directory、Windows NPS 或 RADIUS 服务器的情况下部署安全的 WPA2/3-Enterprise WiFi 身份验证。内容涵盖云身份提供商与 802.1X 之间的协议不匹配问题、选择 EAP-TLS 而非 PEAP-MSCHAPv2 的理由,以及如何针对 Microsoft Entra ID、Okta 或 Google Workspace 部署结合 MDM 颁发证书的云 RADIUS。本指南专门面向准备淘汰本地基础设施、采用云优先架构以及重度使用 Mac/Chromebook 的组织中的 IT 负责人。

Read guide →

员工离职时如何撤销其 WiFi 访问权限

本指南详细介绍了如何在员工离职时撤销其 WiFi 访问权限,将不安全的共享密码替换为每个用户的 802.1X 证书或 iPSK。它涵盖了通过 SCIM 进行的自动停用,以满足 ISO 27001 和 SOC 2 的审计要求。

Read guide →

EAP 方法对比:PEAP、EAP-TLS、EAP-TTLS 与 EAP-FAST

这份权威的技术参考指南对 PEAP、EAP-TLS、EAP-TTLS 和 EAP-FAST 进行了全面的同类对比,用于企业 WiFi 认证。它提供关于安全态势、部署复杂性和设备兼容性的可行指导,帮助 IT 经理和网络架构师选择最佳的 802.1X 部署策略。

Read guide →

通过 SCEP 和 PKCS 的 Microsoft Intune WiFi 证书部署

本指南为通过 Microsoft Intune 使用 SCEP 和 PKCS 部署 WiFi 身份验证证书提供了分步技术参考。它专为实施无密码 802.1X WiFi 的 IT 经理和网络架构师而设计,以确保在企业环境中实现无缝、安全的连接。

Read guide →