跳至主要内容
简体中文

Alta Labs 与 Purple WiFi 的集成:设置与 Captive Portal 配置

本技术参考指南涵盖了 Alta Labs AP6 和 AP6 Pro 接入点与 Purple 云托管 Captive Portal 的端到端集成。它详细介绍了外部重定向配置、RADIUS 身份验证、围墙花园(walled garden)要求,以及使用 AltaPass 私有预共享密钥(Private Pre-Shared Keys)的多租户细分。场所运营商和 IT 团队将获得一份适用于酒店、零售和智能办公环境的可重复部署指南。

📖 8 分钟阅读📝 1,844 🔧 2 应用实例3 练习题📚 9 关键定义

收听本指南

查看播客转录
PODCAST SCRIPT: Alta Labs Integration with Purple WiFi: Setup and Captive Portal Configuration Purple WiFi Intelligence Platform - Technical Briefing Series Duration: Approximately 10 minutes Voice: UK English, senior consultant tone - confident, conversational, authoritative --- [INTRO - 1 MINUTE] Welcome to the Purple Technical Briefing Series. I'm your host, and today we are breaking down the integration between Alta Labs access points and the Purple WiFi intelligence platform. If you are an IT manager, network architect, or venue operations director looking to deploy a robust, scalable guest WiFi solution, this briefing is for you. We are going to cover the specific setup for the Alta Labs AP6 and AP6 Pro, how to configure the external captive portal redirection, and the critical walled garden settings required to make social logins actually work in the real world. We will also dive into AltaPass - Alta Labs' implementation of Private Pre-Shared Keys, or PPSK - and how you can use it to segment multi-tenant environments without destroying your RF performance with SSID bloat. Let's get into it. --- [TECHNICAL DEEP-DIVE - 5 MINUTES] The integration between Alta Labs and Purple relies on two fundamental networking concepts: HTTP redirection for the captive portal, and RADIUS for authentication and accounting. When a guest walks into your venue - say, a retail store or a hotel lobby - and connects to your open or WPA3-OWE guest network, the Alta Labs AP acts as the gatekeeper. It intercepts the client's initial HTTP requests and redirects them to your branded Purple splash page. To configure this in the Alta Labs Cloud Management platform, you navigate to your WiFi settings, select your guest SSID, and under the Advanced Settings, set the network type to Guest. This is crucial because it automatically applies client isolation, preventing devices from communicating laterally across the network. Next, under the Hotspot section, you select External and drop in the Purple redirect URL provided in your venue settings, along with your Authorisation Secret. But here is where most deployments hit a snag: the walled garden. The walled garden is the list of domains and IP addresses that a device is allowed to access before it has authenticated. If you want guests to log in using Google, Facebook, or Apple, their devices need to reach those OAuth servers while they are still in the pre-authenticated state. You must explicitly whitelist the Purple infrastructure domains - like region1.purpleportal.net and cloudfront.net. Then, you need to add the OS captive portal probes: captive.apple.com for iOS, and connectivitycheck.gstatic.com for Android. If you block these, the phone doesn't know it's behind a captive portal, and the splash page never pops up. Finally, you add the social login domains. For Google, that's accounts.google.com, oauth2.googleapis.com, and gstatic.com. For Facebook, it's facebook.com, graph.facebook.com, and the fbcdn.net domains. A static IP whitelist will not work here because these providers use dynamic content delivery networks. You must use domain names and ensure your controller performs dynamic DNS resolution. Once the user completes the login on the Purple splash page, Purple's RADIUS server sends an Access-Accept message back to the Alta Labs AP. The AP then removes the walled garden restriction and grants the device full internet access. It's a clean, secure flow that captures first-party data while maintaining network integrity. Now, let's talk about multi-tenant segmentation. In environments like smart offices, student accommodation, or multi-dwelling units, you often need to provide secure, isolated networks for different groups. Historically, IT teams would broadcast a separate SSID for every tenant. That is a terrible practice. It causes massive management overhead and destroys your wireless performance due to beacon frame overhead. Alta Labs solves this with AltaPass, their version of Private Pre-Shared Keys. With AltaPass, you broadcast one single SSID - let's call it BuildingWiFi. But, you generate unique passwords for different users or devices. When Tenant A enters their specific password, the AP dynamically assigns them to VLAN 101 with a 100 Megabit bandwidth limit. When the management team enters their password on the same SSID, they are dropped onto VLAN 200 with unlimited bandwidth. You can even create a password for IoT devices, like smart thermostats, that assigns them to an isolated VLAN and bypasses the captive portal entirely. One SSID. Unlimited passwords. Complete isolation. This is Identity-Based Networking at the edge, and it is a genuinely elegant solution to a problem that has plagued multi-tenant deployments for years. Let me give you a concrete example of how this works in practice. Consider a 72-unit apartment complex - a real-world deployment type that Alta Labs has been used for extensively. Instead of broadcasting 72 separate SSIDs, the network administrator creates a single SSID and generates a unique password for each unit. Each password maps to a dedicated VLAN and subnet. Residents on the basic tier get 100 Megabits. Residents who have paid for the premium tier get 300 Megabits. The building management team gets unrestricted access. The building automation system - door locks, HVAC, lifts - gets its own isolated VLAN with deep packet inspection enabled. All from one SSID. The RF environment is cleaner, performance is higher, and management is dramatically simpler. Now, let's move on to the 802.1X configuration for secure staff WiFi. For your staff network, you should not be using a pre-shared key at all. You should be using WPA2 or WPA3 Enterprise with 802.1X authentication. In the Alta Labs platform, you configure this by selecting your staff SSID, setting the security mode to WPA2-Enterprise or WPA3-Enterprise, and pointing the AP to your RADIUS server. If you are integrating with Purple's SecurePass product, Purple acts as the RADIUS intermediary, connecting to your identity provider - whether that is Microsoft Entra ID, Okta, or Google Workspace - and returning the appropriate VLAN assignment in the Access-Accept message. The Alta Labs AP reads the Tunnel-Private-Group-Id attribute from the RADIUS response and places the device on the correct VLAN automatically. One important note on dynamic VLAN assignment with Alta Labs: when configuring RADIUS-assigned VLANs, set the default VLAN on the SSID to VLAN 1 or leave it untagged. There is a known behaviour where if the default VLAN is set to a specific value, the AP may override the RADIUS-assigned VLAN with the configured default. Setting the default to VLAN 1 ensures the RADIUS assignment takes precedence. --- [IMPLEMENTATION RECOMMENDATIONS AND PITFALLS - 2 MINUTES] When you are rolling this out, there are a few key recommendations I want to highlight. First, always test your captive portal flow with a fresh device. Do not use your own phone if you have already connected to the network during testing. Your device remembers the MAC address authorisation or has cached DNS entries, which will mask walled garden failures. Grab a tablet that has never seen the network, connect it, and verify that the OS captive portal assistant launches automatically. Second, watch out for over-whitelisting. I see engineers get frustrated with social login errors and just whitelist entire wildcard domains or massive IP blocks. This creates a security vulnerability where savvy users can bypass your captive portal entirely. Stick to the specific domains required for the OAuth flow. Third, when deploying AltaPass PPSK with dynamic VLANs, ensure your entire switching infrastructure is configured correctly. The switch ports connecting to your Alta Labs APs must be configured as trunks, allowing all the tagged VLANs to pass through to the gateway. If the AP tags the traffic for VLAN 101, but the switch port is set to access mode on VLAN 1, the traffic drops, and the client gets no IP address. Fourth, implement a quarterly review of your walled garden configuration. OAuth providers and content delivery networks change their domain structures. Apple updated its Sign In domains twice in 2023. A walled garden that was correct at deployment will drift out of alignment without active maintenance. --- [RAPID-FIRE Q&A - 1 MINUTE] Let's run through a couple of quick questions we hear from the field. Question one: Can I use WPA3 with the Purple captive portal on Alta Labs hardware? Yes. You should use WPA3-OWE, which stands for Opportunistic Wireless Encryption. This encrypts the data over the air, protecting guest privacy, while still functioning as an open network that triggers the captive portal redirect. It is the right choice for any new guest WiFi deployment in 2026. Question two: What ports do I need to open on my firewall for the RADIUS traffic? Purple's RADIUS servers communicate over UDP port 1812 for authentication and UDP port 1813 for accounting. Ensure your edge firewall allows outbound traffic on these ports from the Alta Labs APs to the Purple infrastructure. Question three: Can I use AltaPass PPSK alongside the Purple captive portal on the same SSID? Yes, and this is actually a very useful configuration. You can create an AltaPass password that bypasses the captive portal for known devices - like your point-of-sale terminals or digital signage - while standard connections to the same SSID still go through the Purple splash page. This gives you a single, clean SSID that handles both authenticated devices and guest users. --- [SUMMARY AND NEXT STEPS - 1 MINUTE] To wrap up: Integrating Alta Labs with Purple WiFi gives you a secure, scalable platform for capturing first-party data and delivering a branded guest experience. Remember the three pillars of a successful deployment. First, configure the external hotspot redirect and RADIUS settings accurately in the Alta Labs Cloud Management platform. Second, meticulously define your walled garden domains to ensure OS probes and social logins function correctly. And third, leverage AltaPass PPSK to implement Identity-Based Networking, segmenting your traffic without polluting your airspace with unnecessary SSIDs. Purple operates across 80,000 live venues and has processed 440 million logins in 2024. The platform is ISO 27001 certified, GDPR compliant, and built to scale from a single boutique hotel to a national retail estate. When you pair that with the performance and flexibility of Alta Labs hardware, you have a compelling enterprise WiFi stack. If you follow this playbook, you will deliver a seamless, compliant WiFi experience that your marketing team and your security team will both be happy with. Thank you for listening to the Purple Technical Briefing Series. Until next time, keep your networks secure and your data actionable.

header_image.png

执行摘要

Alta Labs AP6 和 AP6 Pro 接入点通过标准的 RADIUS 身份验证和 HTTP 重定向与 Purple 的云端 Captive Portal 进行集成。AP 会拦截未授权的访客流量,将其重定向到您的 Purple 欢迎页面(splash page),并在 Purple 的 RADIUS 服务器返回 Access-Accept 后授予访问权限。对于多租户环境,Alta Labs 的 AltaPass 技术可根据所使用的密码将每个连接的设备分配到唯一的 VLAN 和带宽策略中,无需额外的 SSID。本指南为您提供了从零开始部署该集成所需的精确配置步骤、围墙花园域名列表和 RADIUS 参数。Purple 在全球 80,000 多个真实场所中运行,并在 2024 年处理了 4.4 亿次登录(Purple 内部数据)。对于需要以极具竞争力的价格实现企业级细分的 MSP 和智能办公室安装商而言,Alta Labs 硬件是一个非常理想的选择。

技术架构

该集成横跨三个层级:Alta Labs 云管理平台、边缘侧的 AP6 或 AP6 Pro 硬件,以及处理身份验证和分析的 Purple 云基础设施。

当访客连接到开放式或 WPA3-OWE SSID 时,AP 会将设备置于受限的预身份验证状态。所有出站 HTTP 流量都会被拦截并重定向到 Purple 欢迎页面 URL。在身份验证完成之前,设备只能访问围墙花园中明确列出的域名。一旦访客在 Purple 欢迎页面上提交其凭据,Purple 的 RADIUS 服务器就会向 AP 发送 Access-Accept,AP 随后会解除限制并授予完整的互联网访问权限。Purple 会记录会话数据(设备类型、停留时间、登录方式),并将其呈现在 WiFi Analytics 仪表板中。

architecture_overview.png

对于员工和后勤网络,相同的 AP 硬件可处理 WPA2/WPA3-Enterprise (IEEE 802.1X) 身份验证。AP 作为 RADIUS 客户端,将身份验证请求转发到 Purple 的 SecurePass 基础设施,后者进而针对 Microsoft Entra ID、Okta 或 Google Workspace 验证凭据。RADIUS Access-Accept 响应包含 Tunnel-Private-Group-Id 属性,AP 使用该属性动态地将设备分配到正确的 VLAN。

实施指南

步骤 1:在 Purple 中添加场所和硬件

在操作 Alta Labs 控制器之前,请先在 Purple 中注册该部署。

  1. 登录 Purple 管理门户,并导航至 Management > Locations(管理 > 位置)。
  2. 选择场所和组 > 添加场所 (Venues and Groups > Add venue),并完成场所设置向导。
  3. 在您的场所中,选择硬件 > 添加硬件 > 添加新硬件 (Hardware > Add hardware > Add new hardware)
  4. 将硬件类型设置为 WiFi AP,并选择相应的 AP 类型。
  5. 输入每个 Alta Labs AP6 或 AP6 Pro 设备的 MAC 地址。
  6. 单击在线查看手册 (View Manual Online),以获取该场所的 RADIUS 服务器 IP 地址、端口和共享密钥。记录这些值——您将在步骤 3 中用到它们。

步骤 2:在 Alta Labs 中配置访客 SSID

登录 Alta Labs 云管理平台 manage.alta.inc。

  1. 导航至设置 > WiFi (Settings > WiFi),然后选择用于访客访问的 SSID。
  2. 高级设置 (Advanced Settings)中,将网络类型设置为访客 (Guest)。这将自动强制执行客户端隔离。
  3. 滚动到热点 (Hotspot)部分,然后选择外部 (External)
  4. 在**重定向 URL (Redirect URL)**字段中,粘贴您的 Purple 场所硬件设置中提供的 Purple 欢迎页面 URL(例如 https://region1.purpleportal.net/access/)。
  5. 输入您的 Purple 场所设置中的授权密钥 (Authorisation Secret)(RADIUS 共享密钥)。
  6. 单击保存 (Save)

步骤 3:配置 RADIUS 身份验证

配置好外部重定向后,配置 RADIUS 设置,以便 AP 可以与 Purple 的身份验证基础设施进行通信。

参数
主认证服务器 IP 由 Purple 场所设置提供
身份验证端口 UDP 1812
主计费服务器 IP 由 Purple 场所设置提供
计费端口 UDP 1813
共享密钥 由 Purple 场所设置提供

对于高可用性部署,请使用 Purple 提供的备用 IP 地址配置次级 RADIUS 服务器。

步骤 4:定义围墙花园

围墙花园允许在身份验证完成之前访问特定的域名。遗漏条目会导致 Captive Portal 流程中断或无法加载社交登录。请在 Alta Labs 热点配置的**其他授权主机/IP (Additional Authorised Hosts / IPs)**字段中输入以下域名。

Purple 基础设施(必填)

域名 用途
region1.purpleportal.net 欢迎页面托管
venuewifi.com Purple 重定向基础设施
cloudfront.net 门户资源的 CDN

操作系统 Captive Portal 探测(必填)

域名 操作系统
captive.apple.com iOS / macOS
connectivitycheck.gstatic.com Android
msftconnecttest.com Windows

社交登录(根据启用的提供商添加)

提供商 域名
Google accounts.google.com, oauth2.googleapis.com, apis.google.com, gstatic.com
Facebook facebook.com, graph.facebook.com, connect.facebook.net, *.fbcdn.net
Apple appleid.apple.com, idmsa.apple.com, *.apple.com

captive_portal_flow.png

AltaPass PPSK 与多租户细分

AltaPass 是 Alta Labs 正在申请专利的私有预共享密钥(PPSK)实现方式。它允许单个 SSID 携带多个唯一的密码,,每个密码都映射到独立的 VLAN、带宽限制、日程表和热点绕过规则。这消除了为每个租户、员工组或设备类别广播单独 SSID 的需要。

在 Alta Labs 控制面板中配置 AltaPass

  1. 选择您的 SSID 并导航至密码管理部分。
  2. 点击每个密码条目左侧的紫色网络类型按钮
  3. 为密码分配 VLAN ID。使用此密码连接的客户端将被分配到指定的 VLAN 子网中。
  4. 根据需要设置每个密码的带宽限制(上传和下载)。
  5. 启用或禁用每个密码的热点绕过。IoT 设备和 POS 终端通常会绕过 Captive Portal。
  6. 如果需要,应用日程限制(例如,限制某些设备在营业时间以外访问互联网)。

altapass_ppsk_segmentation.png

对于拥有 72 个单元的住宅楼,这意味着一个 SSID 和 72 个以上的唯一密码——每个单元一个,管理人员一个,楼宇自动化系统一个。每个密码都映射到一个隔离的 VLAN 和子网。标准档的居民获得 100 Mbps。高级档的居民获得 300 Mbps。楼宇管理团队不受限制。IoT 设备被隔离在启用了深度包检测的专用 VLAN 上。这就是将 SSID 数量从 72 个减少到 1 个的部署模式。

通过 RADIUS 进行动态 VLAN 分配

对于 802.1X 员工网络,VLAN 分配是通过 RADIUS 属性而不是 PPSK 进行的。RADIUS Access-Accept 响应必须包含:

属性
Tunnel-Type 13 (VLAN)
Tunnel-Medium-Type 6 (IEEE-802)
Tunnel-Private-Group-Id 目标 VLAN ID(例如 "20")

重要提示:使用 RADIUS 分配的 VLAN 时,请将 SSID 上的默认 VLAN 设置为 VLAN 1(或保持未标记状态)。如果默认 VLAN 设置为特定值,AP 可能会使用配置的默认值覆盖 RADIUS 分配。这是当前 Alta Labs 固件中的已知行为。

最佳实践

以下建议适用于任何结合 Purple 的 Alta Labs 部署,无论场所类型如何。

对围墙花园(walled garden)条目使用动态 DNS 解析。 OAuth 提供商和 CDN 经常轮换 IP 地址。静态 IP 白名单会随着时间的推移而失效。配置 Alta Labs 控制器以动态解析围墙花园域名,并将 DNS TTL 设置为不低于 30 秒,以避免过多的查询负载。

精确界定围墙花园的范围。 仅将身份验证流程所需的域名加入白名单。过度加入白名单(特别是为大型域名添加通配符条目)会创建绕过向量,从而破坏 Captive Portal 的目的。

在上线前使用未认证的设备进行测试。 使用从未连接过该网络的设备。先前已认证的设备可能会缓存 MAC 授权或 DNS 条目,从而掩盖围墙花园的故障。逐一测试您打算提供的每种登录方式。

每季度审查一次围墙花园域名。 Apple、Google 和 Meta 会定期更新其 OAuth 域名结构。将季度审查纳入您的运营日程中,以便在影响用户之前发现偏差。

从一开始就对 IoT 设备进行隔离。 使用 AltaPass 将 IoT 设备分配到启用了热点绕过的专用 VLAN。将 IoT 流量与访客或员工流量混合会带来不必要的风险,并使事件响应复杂化。

有关企业 WiFi 安全架构的更广泛视图,请参阅我们的指南: 企业 WiFi 安全:2026 年完整指南

故障排除与风险缓解

iOS 上未显示 Splash 页面。 最常见的原因是围墙花园中缺少 captive.apple.com 条目。iOS 使用此域名来检测 Captive Portal。如果该探测被阻止,Captive Network Assistant 将永远不会启动,用户会看到通用的连接错误。

社交登录返回空白屏幕或 CORS 错误。 检查围墙花园中是否缺少 CDN 或 API 子域名。Facebook 的 *.fbcdn.net 和 Google 的 gstatic.com 是最常被遗漏的条目。在未认证的会话中使用浏览器开发者工具来确定哪些域名请求失败。

使用 AltaPass 时 VLAN 分配失败。 验证连接到 AP 的上行交换机端口是否配置为 Trunk 端口并允许标记的 VLAN。接入模式(Access-mode)的交换机端口会静默丢弃标记的帧,导致客户端无法获取 IP 地址。

RADIUS 身份验证超时。 确认边缘防火墙上已向外开放 UDP 端口 1812 和 1813。检查 Alta Labs 配置中的共享密钥是否与 Purple 场所设置中的值完全匹配——单个字符不匹配都会导致所有身份验证请求失败。

动态 VLAN 分配将用户置于错误的 VLAN 中。 将 802.1X SSID 上的默认 VLAN 设置为 VLAN 1。如果默认 VLAN 设置为特定值,AP 可能会覆盖 RADIUS 分配的 VLAN。这是在 Alta Labs 社区论坛中确认的固件级行为。

投资回报率(ROI)与业务影响

部署带有 Purple 访客 WiFi 的 Alta Labs 硬件可在三个维度上带来可衡量的回报:运营效率、数据捕获和安全态势。

在运营方面,将多个 SSID 合并为一个由 AltaPass 管理的单一网络可减少管理开销并提高无线性能。更少的 SSID 意味着更少的信标帧(beacon frame)开销,这直接转化为所有连接设备的更高吞吐量。

在数据方面,Purple 的 Captive Portal 在每次登录时都会捕获经过验证的第一方数据。与未管理的访客 WiFi 相比,使用 Purple 的 Capture 和 Engage 计划的场所报告营销数据库选择加入(opt-in)人数增加了 40%(Purple 内部数据)。这些数据直接导入到 WiFi 分析 ,为营销团队提供关于客流量模式、停留时间和重复访问率的直观洞察。

在安全方面,动态 VLAN 分配在边缘隔离了访客、员工和物联网 (IoT) 流量。结合 Purple 获得 ISO 27001 认证的基础设施和符合 GDPR 合规要求的数据处理,该架构满足了处理刷卡支付的场所对 PCI DSS 网络分段的要求。

特别是对于 酒店餐饮 部署,品牌展示页面、会员计划集成以及单设备带宽控制的结合,在不增加网络运营团队复杂性的情况下,创造了差异化的访客体验。

对于 零售 环境,利用 AltaPass 旁路规则在同一物理基础设施上将 POS 终端与访客 WiFi 进行隔离的能力,无需单独布线或硬件,从而降低了资本支出和运营支出。

相关指南: Arista 认知 Wi-Fi 与 Purple WiFi 集成 | 访客 WiFi 的 Walled Garden 配置

关键定义

Captive portal

A web page that intercepts unauthenticated network traffic and requires the user to interact - log in, accept terms, or pay - before granting internet access. Purple hosts the splash page in the cloud; the Alta Labs AP handles the redirect.

The primary mechanism for guest data capture in hospitality, retail, and public-sector WiFi deployments.

Walled garden

A defined list of domains and IP addresses that a client device can access before completing captive portal authentication. Everything outside the list is blocked until the user logs in.

Critical for allowing social login APIs, OS detection probes, and portal CDN assets to function before authentication completes.

PPSK (Private Pre-Shared Key)

A security method where multiple unique passwords can be used on a single SSID, with each password assigning the connecting device to a specific VLAN, bandwidth policy, and access schedule.

Alta Labs implements this as AltaPass. Used in MDUs, smart offices, and stadiums to provide isolated access without SSID proliferation.

RADIUS

Remote Authentication Dial-In User Service. A networking protocol that provides centralised authentication, authorisation, and accounting (AAA) management. Purple acts as the RADIUS server; the Alta Labs AP acts as the RADIUS client.

The mechanism that tells the AP a guest has successfully authenticated and should be granted internet access.

Identity-Based Networking

A network architecture where access rights, VLANs, and bandwidth limits are applied based on the authenticated identity of the user or device, rather than the physical port or SSID they connect to.

Purple's term for the combination of RADIUS, PPSK, and VLAN assignment that enables consistent policies across a distributed estate.

Dynamic VLAN assignment

The process of placing a client device onto a specific Virtual Local Area Network based on authentication credentials returned by a RADIUS server, rather than a static SSID-to-VLAN mapping.

Essential for isolating staff, guest, and IoT traffic on shared wireless infrastructure. Requires correct RADIUS attributes: Tunnel-Type, Tunnel-Medium-Type, and Tunnel-Private-Group-Id.

Captive Network Assistant (CNA)

The built-in OS mechanism on iOS, Android, and Windows that detects a captive portal by probing a known URL. If the probe is redirected, the OS launches a pseudo-browser for the user to log in.

If the CNA probe domains are blocked in the walled garden, the user never sees the splash page. This is the most common captive portal failure mode.

WPA3-OWE

Wi-Fi Protected Access 3 - Opportunistic Wireless Encryption. A standard that encrypts data in transit on open networks without requiring a password, protecting guest privacy while still allowing captive portal redirection.

The recommended security mode for guest SSIDs in 2026. Provides encryption without the friction of a pre-shared key.

AltaPass

Alta Labs' patent-pending implementation of multi-password SSID technology. Allows a single SSID to carry unlimited unique passwords, each with its own VLAN, bandwidth limit, schedule, and hotspot bypass setting.

The primary tool for multi-tenant segmentation on Alta Labs hardware. Replaces the need for multiple SSIDs in residential, hospitality, and smart office deployments.

应用实例

A 200-room hotel needs to provide tiered WiFi access: a free basic tier (10 Mbps) for standard guests, a premium paid tier (50 Mbps) for loyalty members, and a secure network for housekeeping staff. They want to avoid broadcasting multiple SSIDs to maintain RF performance across 40 Alta Labs AP6 Pro units.

Deploy a single SSID named 'Hotel Guest WiFi' with AltaPass enabled. Create three password profiles in the Alta Labs dashboard: (1) a standard guest password assigned to VLAN 10 with a 10 Mbps download limit and external hotspot redirect to the Purple splash page; (2) a loyalty member password assigned to VLAN 20 with a 50 Mbps limit - Purple can distribute this password post-authentication via its marketing automation; (3) a housekeeping staff password assigned to VLAN 30 with no bandwidth limit, hotspot bypass enabled, and client isolation disabled so staff devices can communicate with back-of-house systems. Configure the switch uplinks as trunks allowing VLANs 10, 20, and 30. The guest and loyalty VLANs route to the internet via NAT. The staff VLAN routes to the property management system subnet.

考官评语: This approach uses AltaPass to achieve Identity-Based Networking without SSID proliferation. The key insight is that hotspot bypass is a per-password setting, not a per-SSID setting. This allows the same SSID to serve both captive-portal guests and bypass-enabled staff simultaneously. The loyalty tier distribution via Purple's post-authentication flow is a common pattern in hospitality - the guest logs in on the standard tier, and Purple's marketing engine sends them a premium access code if they match the loyalty criteria.

A retail chain is deploying Purple Guest WiFi across 50 stores using Alta Labs hardware. During testing, the splash page loads correctly on Android devices, but Apple iOS devices show a generic 'No Internet Connection' error and do not display the login screen. The walled garden includes the Purple portal domain and Google OAuth entries.

Add captive.apple.com to the walled garden in the Alta Labs Hotspot configuration. iOS uses this domain as its Captive Network Assistant probe. When the device connects to a new network, iOS sends an HTTP request to captive.apple.com. If it receives the expected response, it assumes the network is open. If it receives a redirect, it launches the pseudo-browser. If the domain is blocked entirely, iOS cannot detect the captive portal and displays a connectivity error. Once the domain is whitelisted, iOS devices will detect the redirect and launch the login screen automatically.

考官评语: This is the single most common captive portal failure mode in the field. Android uses connectivitycheck.gstatic.com and Windows uses msftconnecttest.com for the same purpose. All three must be in the walled garden for a cross-platform deployment. The failure is particularly confusing because it presents as a network connectivity error rather than a portal error, leading engineers to investigate DHCP and DNS before checking the walled garden.

练习题

Q1. You are deploying Alta Labs AP6 Pro access points in a conference centre. The client requires a captive portal for attendees, but also needs point-of-sale terminals to connect securely to the same access points without seeing the splash page. Both device types should use the same SSID to simplify signage. How do you configure this?

提示:AltaPass allows per-password hotspot bypass settings on the same SSID.

查看标准答案

Enable AltaPass on the single SSID. Create one password for POS terminals that assigns them to a secure VLAN (e.g., VLAN 50) with hotspot bypass enabled - these devices connect directly to the network without seeing the captive portal. Create a separate password (or use an open connection) for attendees that triggers the external redirect to the Purple splash page on VLAN 10. Both device types connect to the same SSID but receive different network policies based on their password.

Q2. After configuring the Purple captive portal on an Alta Labs network, Android devices successfully display the splash page, but Apple iOS devices show a generic 'No Internet Connection' error and do not open the login screen. The walled garden includes the Purple portal domain and Google OAuth entries. What is the most likely cause and fix?

提示:iOS uses a specific domain to detect captive portals. If it cannot reach that domain, it assumes the network has no internet access.

查看标准答案

The walled garden is missing captive.apple.com. iOS sends an HTTP probe to this domain when connecting to a new network. If the probe is blocked, iOS cannot detect the captive portal and displays a connectivity error instead of launching the Captive Network Assistant. Add captive.apple.com to the walled garden in the Alta Labs Hotspot configuration. Also add connectivitycheck.gstatic.com for Android and msftconnecttest.com for Windows to ensure cross-platform compatibility.

Q3. A stadium IT director has configured RADIUS-assigned VLANs on an Alta Labs 802.1X staff network. The RADIUS server is sending the correct Tunnel-Private-Group-Id attribute (VLAN 20), but all staff devices are landing on VLAN 5, which is the default VLAN configured on the SSID. What is causing this and how do you resolve it?

提示:There is a known behaviour in Alta Labs firmware related to the interaction between the SSID default VLAN and RADIUS-assigned VLANs.

查看标准答案

The Alta Labs AP is overriding the RADIUS-assigned VLAN with the SSID default VLAN value. This is a known firmware behaviour: when the default VLAN on the SSID is set to a specific value (VLAN 5 in this case), the AP uses that value instead of the RADIUS-returned VLAN. The fix is to set the default VLAN on the 802.1X SSID to VLAN 1 (or leave it untagged). With the default set to VLAN 1, the AP correctly defers to the RADIUS-assigned VLAN for each authenticated user.

继续阅读本系列

MikroTik RouterOS Captive Portal 与 Purple WiFi 集成指南

本技术指南提供了将 MikroTik RouterOS 与 Purple 的 WiFi 平台集成的分步说明。内容涵盖访客 WiFi Captive Portal 配置、员工 WiFi 802.1X 认证,以及使用私有 PSK 进行动态 VLAN 隔离的多租户 WiFi。

阅读指南 →

NETGEAR Insight 和企业级接入点与 Purple WiFi 的集成

本指南为 IT 经理提供了将 NETGEAR Insight 和 WAX 企业级接入点与 Purple WiFi 进行集成的权威技术路线图。内容涵盖了关键配置,包括访客 Captive Portal、802.1X 员工网络,以及使用 PPSK 和动态 VLAN 分配的多租户隔离。

阅读指南 →

WatchGuard Firebox 与 Purple WiFi 集成:安装与配置指南

本指南是为部署 WatchGuard Firebox 和接入点与 Purple 的 IT 经理和网络架构师提供的分步集成手册。它涵盖了用于 Guest WiFi 的外部 Captive Portal 重定向、用于 Staff WiFi 的安全 802.1X 认证,以及使用 WatchGuard 私有预共享密钥 (PPSK) 配合动态 VLAN 引导的多租户细分——为您在所有访问层级提供单一、统一的架构。

阅读指南 →