
Zyxel Nebula Cloud and USG Integration with Purple WiFi

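This technical reference guide covers the end-to-end integration of Zyxel Nebula Cloud and USG Flex firewalls with the Purple WiFi platform. It provides step-by-step configuration instructions for guest captive portal redirection, RADIUS authentication, Walled Garden setup, secure staff WiFi using 802.1X, and multi-tenant network segmentation using Zyxel Private Pre-Shared Keys (PPSK) with dynamic VLAN assignment. IT managers, MSPs, and network architects deploying WiFi in hospitality, retail, and multi-tenant venues will get actionable guidance grounded in industry standards, including PCI DSS, IEEE 802.1X, and GDPR.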



Podcast transcript
Welcome to the Purple Technical Briefing Series. I am your host, and today we are covering a crucial deployment scenario for IT managers and network architects: integrating Zyxel Nebula Cloud and USG Flex Firewalls with Purple WiFi. If you are deploying guest WiFi across a hotel chain, a retail estate, or a multi-tenant environment, this episode is for you. Let us get straight into the architecture. First, why this integration? Zyxel provides robust hardware, and Nebula offers centralised cloud management. But when you deploy WiFi at scale - say, across 50 retail branches or a 200-room hotel - you need more than basic connectivity. You need a structured authentication flow, compliant data capture, and dynamic network segmentation. That is where Purple comes in. We integrate with Zyxel via RADIUS and external captive portal redirection to deliver Identity-Based Networks. Let us walk through the core configuration on Zyxel Nebula. The process starts with your SSID settings. You navigate to Site-wide, Configure, Access points, and then SSID advanced settings. Here, you enable the external captive portal URL. You will input the specific Purple redirect URL provided in your Purple portal. But redirection alone is not enough; you must configure the Walled Garden. The Walled Garden defines which domains a guest device can reach before authentication. This is a common pitfall. You must whitelist the Purple portal domains, any asset CDNs, and the standard OS captive portal detection endpoints. In Nebula, you add these domains line by line. If you miss a domain, the splash page will fail to load properly, and your guests will be stuck. Next, we configure the RADIUS server. In the SSID advanced settings, you select WPA2-Enterprise with My RADIUS server, or configure MAC-based authentication depending on your flow. You enter the Purple RADIUS IP address, set the authentication port to 1812, the accounting port to 1813, and input the shared secret. 
Always configure the backup RADIUS server to ensure high availability. Now, let us discuss a more advanced scenario: Multi-Tenant segmentation using Zyxel Private Pre-Shared Keys, or PPSK. In environments like student accommodation or coworking spaces, you want a single SSID, but you need to isolate traffic per tenant. Zyxel PPSK allows you to issue a unique WiFi password to each user. When they connect, the Nebula controller dynamically assigns them to a specific VLAN based on that password. You configure this under Cloud Authentication by selecting DPPSK and assigning the corresponding VLAN ID. It reduces SSID overhead and significantly improves security. What about the USG Flex firewall? If you are running the gateway on-premise, you must ensure your firewall rules and zone policies align with your wireless segments. You typically create dedicated zones for Guest, Staff, and Multi-Tenant traffic. The Guest zone must only have outbound internet access, with strict rules blocking access to the LAN or DMZ zones. Let us move to implementation recommendations and common pitfalls. The most frequent issue we see is walled garden misconfiguration. If a guest connects and sees a blank page, check your whitelist. Use browser developer tools to identify blocked CDN requests. The second issue is RADIUS timeouts. Ensure your upstream firewalls allow UDP ports 1812 and 1813 outbound to the Purple cloud platform. Time for a rapid-fire Q and A. Question one: Do I need a dedicated VLAN for Guest WiFi? Answer: Yes. Always isolate guest traffic on a dedicated VLAN. This is mandatory for PCI DSS compliance if your venue processes payments on the same physical infrastructure. Question two: Can I use Purple with Zyxel standalone APs without Nebula? Answer: Yes, but managing the RADIUS and portal settings per AP is inefficient. We strongly recommend using Nebula Control Center for centralised management. Question three: How does Purple handle MAC address randomisation? 
Answer: Purple relies on the MAC address provided by the Zyxel controller via RADIUS accounting. While devices randomise MACs per network, they keep the same MAC for your specific SSID, allowing session persistence during their visit. To summarise: Integrating Zyxel Nebula with Purple requires precise configuration of the external captive portal URL, a comprehensive Walled Garden, and accurate RADIUS settings. For multi-tenant venues, leverage Zyxel PPSK for dynamic VLAN steering. Get these elements right, and you deliver a secure, scalable WiFi experience that captures valuable first-party data. If you are planning a deployment, review the full technical guide for step-by-step instructions and architecture diagrams. Thank you for listening, and we will see you on the next technical briefing.


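Executive Summary

Zyxel Nebula Cloud and USG Flex firewalls are deployed in thousands of enterprise venues, from hotel chains to retail estates. When you integrate this hardware with Purple, you add a compliant, data-capturing guest authentication layer that turns a standard wireless network into a first-party data asset. This guide covers four deployment scenarios: guest captive portal redirection via an external splash page, RADIUS-based authentication and accounting, secure staff WiFi using IEEE 802.1X, and multi-tenant network segmentation using Zyxel Dynamic Personal Pre-Shared Keys (DPPSK). Purple operates in more than 80,000 live venues and processed 440 million logins in 2024 (Purple internal data). It holds ISO 27001, GDPR, CCPA, and Cyber Essentials certifications. The integration architecture described here is hardware-agnostic at the platform level, but the specific configuration paths and parameters in this guide apply to Zyxel Nebula Control Center (NCC) and USG Flex firewalls running current firmware.

For a broader view of enterprise WiFi security architecture, see our Enterprise WiFi Security: The Complete Guide for 2026.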


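Technical Deep-Dive

Integration Architecture

The Zyxel and Purple integration relies on three standard protocols that run in sequence: HTTP redirection (captive portal detection), RADIUS authentication (UDP 1812), and RADIUS accounting (UDP 1813). When a guest device connects to the guest WiFi SSID, the Zyxel access point intercepts the first HTTP request and issues an HTTP 302 redirect to the Purple external captive portal URL. The guest authenticates on the Purple splash page (via email, social login, or SMS), and Purple then sends a RADIUS Access-Accept message back to the Zyxel controller. The controller grants internet access and begins sending RADIUS Accounting Start packets to log session data.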


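The Zyxel USG Flex firewall sits between the wireless segments and the WAN. It enforces zone-based security policies that isolate the guest, staff, and multi-tenant VLANs from each other and from the corporate LAN. Nebula Control Center centrally manages access point and SSID configuration over HTTPS on port 443 to the Nebula cloud.

RADIUS Parameters

The table below summarises the RADIUS configuration parameters you need to obtain from the Purple admin console.

Parameter | Value
Primary RADIUS IP | Provided in the Purple admin console
Secondary RADIUS IP | Provided in the Purple admin console
Authentication port | UDP 1812
Accounting port | UDP 1813
Shared secret | Provided in the Purple admin console
NAS identifier | Set to the AP MAC address or the site name
Called Station ID | AP MAC address

Always configure both the primary and the secondary RADIUS server. A single RADIUS endpoint is a single point of failure, and guests will be unable to log in if that server is unreachable.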

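Walled Garden Configuration

The Walled Garden (also called a whitelist) defines the domains and IP ranges a device can reach before it completes authentication. In Zyxel Nebula, you configure it under Site-wide > Configure > Access points > Captive portal customisation > Captive portal advance setting.

You must include entries in the following categories:

  • The Purple portal domain and all subdomains (use the wildcard format: *.purple.ai)
  • CDN domains that serve the portal's CSS, JavaScript, and image assets
  • Social login provider domains, if you have enabled Facebook, Google, or Microsoft login
  • Apple captive portal detection: captive.apple.com
  • Google connectivity check: connectivitycheck.gstatic.com
  • Microsoft NCSI: www.msftconnecttest.com

A missing entry in any of these categories will cause the splash page to fail to render on specific device types. In particular, iOS devices will show a blank mini-browser if the Apple CNA endpoint is not handled correctly.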

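Secure Staff WiFi with IEEE 802.1X

For staff networks, you should not use a shared PSK. IEEE 802.1X (defined in the IEEE 802.1X-2020 standard) provides port-based network access control using individual credentials for each user. In Nebula, you configure it by setting the SSID security to WPA2-Enterprise and pointing authentication at either the Nebula Cloud Authentication Server (NCAS) or, via a RADIUS proxy, an external RADIUS server (for example Microsoft Entra ID or Okta).

For WPA3-Enterprise deployments, the configuration path is identical, but you select WPA3 in the security options. WPA3 enforces Protected Management Frames (PMF) and uses Simultaneous Authentication of Equals (SAE) to improve resistance to offline dictionary attacks.

PPSK and Dynamic VLAN Assignment for Multi-Tenant Venues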


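Zyxel DPPSK (Dynamic Personal Pre-Shared Key) lets a single SSID serve multiple isolated network segments. Each user or device receives a unique passphrase. When they authenticate, the Nebula controller maps that passphrase to the VLAN ID defined in the DPPSK database. This is the right approach for coworking spaces, student accommodation, Build-to-Rent (BTR) developments, and multi-dwelling units (MDUs), where tenants must be isolated without broadcasting dozens of SSIDs.

DPPSK requires a Nebula Pro Pack licence and access point firmware version 6.00 or later. You configure the DPPSK database in Nebula Control Center under Configure > Cloud authentication > DPPSK. Each entry includes a passphrase, an optional expiry date, a recipient email address, and the target VLAN ID.

The maximum number of simultaneously authorised DPPSK entries is 2,048. For deployments with more than 2,048 concurrent users, you need to manage expiry dates carefully to keep active credentials within this limit.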


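Implementation Guide

Step 1: Prepare the Network Infrastructure

Before working in Nebula Control Center, configure your VLANs on the USG Flex firewall and the downstream switches.

  1. Create a guest VLAN (for example VLAN 10) and assign it a dedicated subnet (for example 192.168.10.0/24). Configure a DHCP server on this interface.
  2. Create a staff VLAN (for example VLAN 20) and assign it a dedicated subnet (for example 192.168.20.0/24).
  3. For multi-tenant deployments, create an additional VLAN for each tenant (for example VLAN 30, 40, 50).
  4. On the USG Flex, create a Guest Zone mapped to VLAN 10. Create a security policy that allows traffic from the Guest Zone to the WAN zone. Create a deny-all policy that blocks traffic from the Guest Zone to the LAN zone.
  5. Make sure the switch ports connecting the Zyxel APs are configured as 802.1Q trunk ports carrying all required VLAN tags.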

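Step 2: Configure the Guest SSID in Nebula Control Center

  1. Log in to Nebula Control Center: ncc.nebula.zyxel.com
  2. Navigate to Site-wide > Configure > Access points > SSID settings.
  3. Enable the guest SSID and switch to Advanced mode.
  4. Enable Guest network to activate Layer 2 client isolation. This prevents guest devices on the same SSID from communicating directly with each other.
  5. Save.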

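Step 3: Configure the External Captive Portal

  1. Navigate to Site-wide > Configure > Access points > SSID advanced settings.
  2. Select your guest SSID from the drop-down menu.
  3. Under Sign-in method, select Click-to-continue for the initial redirect, or select My RADIUS server if you are using Purple's RADIUS-based MAC authentication.
  4. Navigate to Site-wide > Configure > Access points > Captive portal customisation.
  5. Under External captive portal URL, enter the Purple redirect URL from the Purple admin console. The format is https://[your-purple-domain]/[venue-id]
  6. Under Captive portal advance setting, enter all required Walled Garden domains.
  7. Set Strict policy to Block all access until sign-on to prevent guests from bypassing the portal.
  8. Set Reauth time to match your venue's session policy (typically 24 hours for hospitality and 30 days for retail loyalty programmes).
  9. Save.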

Step 4: Configure RADIUS in Nebula

  1. In SSID advanced settings, under Network access, select My RADIUS server.
  2. Enter the Primary RADIUS server IP from the Purple admin console.
  3. Set Authentication port to 1812.
  4. Enter the Shared secret.
  5. Repeat for the secondary RADIUS server.
  6. Enable RADIUS accounting and set the accounting port to 1813.
  7. Save.

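Step 5: Configure DPPSK for Multi-Tenant Isolation

  1. Navigate to Configure > Access points > SSID advanced settings.
  2. Select the multi-tenant SSID and set Network access to Dynamic personal PSK.
  3. Navigate to Configure > Cloud authentication > DPPSK.
  4. Click Add and select Batch create DPPSK.
  5. Set the number of credentials, the expiry date, and the target VLAN ID for each tenant group.
  6. Enter the email address that will receive the batch of credentials.
  7. Save and distribute the credentials to tenants.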

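Step 6: Validate the Deployment

  1. Connect a test device to the guest WiFi SSID.
  2. Confirm the device is redirected to the Purple splash page.
  3. Complete authentication and confirm internet access is granted.
  4. In the Purple admin console, verify that the session appears in the analytics dashboard.
  5. In Nebula, navigate to Access point > Monitor > Clients and confirm the client is associated and assigned to the correct VLAN.
  6. Test DPPSK by connecting with a tenant credential and confirming the correct VLAN assignment.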

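Best Practices

Isolate every traffic type. Guest, staff, and IoT traffic must each occupy a dedicated VLAN. This is mandatory if your venue processes card payments on the same physical infrastructure: PCI DSS v4.0 requires network segmentation between the cardholder data environment and guest networks.

Use RADIUS redundancy. Configure both the primary and secondary Purple RADIUS IPs in Nebula. A single RADIUS server failure will break all guest authentication until it is resolved.

Audit the Walled Garden regularly. Portal vendors update their CDN configurations. If a vendor migrates assets to a new CDN, domains that worked at deployment may stop working six months later. Schedule a quarterly review of your Walled Garden entries.

Enable RADIUS accounting. Without accounting, Purple cannot track session duration or data usage, or enforce time-based access limits. Accounting data also feeds the WiFi Analytics dashboard.

Apply WPA3 where the hardware supports it. Zyxel access points released in 2021 and later support WPA3. For staff WiFi, WPA3-Enterprise in 192-bit security mode aligns with the NIST SP 800-187 recommendations for enterprise wireless security.

Test CNA behaviour before go-live. On iOS, the Captive Network Assistant (CNA) mini-browser has limited functionality compared with a full browser. Test your Purple splash page in the CNA environment before rolling it out to guests, particularly social login flows and custom JavaScript.

For hospitality deployments, see also our guide to segregating guest and back-of-house networks. For retail environments, the same PPSK approach applies to isolating point-of-sale (POS) systems from customer WiFi.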


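Troubleshooting and Risk Mitigation

Splash Page Does Not Load

Symptom: Guests connect to the SSID but see a blank page or a browser error in the iOS CNA.

Cause: One or more domains required by the splash page are not in the Walled Garden.

Resolution: Connect a test device to the guest SSID. Open a browser (not the CNA) and visit any HTTP URL. When you are redirected to the portal page, open the browser's developer tools and inspect the Network tab. Identify every request that returns a 403 or a connection-refused error. Add those domains to the Nebula Walled Garden.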
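
One way to run this comparison, and the quarterly Walled Garden review recommended under Best Practices, as an added example (not Purple or Zyxel code): it checks the hostnames of request URLs copied from the Network tab against the Walled Garden entries. The wildcard semantics (subdomains only, not the bare domain) and every hostname other than the four entries named in this guide are constructed assumptions.

```python
"""Walled Garden coverage audit. Added example; sample data is constructed."""
from urllib.parse import urlsplit

# The four entries named in the guide. CDN and social-login domains come from
# your own Purple console and are deliberately left out to show the gap.
WALLED_GARDEN = [
    "*.purple.ai",
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "www.msftconnecttest.com",
]


def entry_matches(entry, host):
    """True if one Walled Garden entry covers the hostname."""
    entry = entry.strip().lower().rstrip(".")
    host = host.strip().lower().rstrip(".")
    if entry.startswith("*."):
        # Assumption: a wildcard covers subdomains at any depth but not the
        # bare domain. The leading dot keeps look-alike names from matching.
        return host.endswith(entry[1:])
    return host == entry


def hosts_from_urls(urls):
    """Unique hostnames, in first-seen order, from a list of request URLs."""
    hosts = []
    for url in urls:
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def audit(urls, entries=WALLED_GARDEN):
    """Return (covered, missing): host -> matching entry, and uncovered hosts."""
    covered, missing = {}, []
    for host in hosts_from_urls(urls):
        match = next((e for e in entries if entry_matches(e, host)), None)
        if match is None:
            missing.append(host)
        else:
            covered[host] = match
    return covered, missing


# Constructed sample of request URLs seen while the splash page loads.
SAMPLE_REQUESTS = [
    "http://captive.apple.com/hotspot-detect.html",
    "https://splash.purple.ai/venue",                 # constructed subdomain
    "https://purple.ai/terms",                        # bare domain
    "https://cdn.example-assets.net/portal/app.js",   # placeholder CDN
    "https://cdn.example-assets.net/portal/app.css",
    "https://login.example-idp.com/oauth/authorize",  # placeholder social login
    "https://purple.ai.example.net/logo.png",         # look-alike, must not match
]

if __name__ == "__main__":
    covered, missing = audit(SAMPLE_REQUESTS)
    for host, entry in covered.items():
        print(f"covered  {host}  (by {entry})")
    for host in missing:
        print(f"MISSING  {host}  -> add to the Walled Garden if the portal needs it")
```

Hosts reported as missing still need a judgement call: add only the ones the portal actually depends on, since every extra entry widens what an unauthenticated device can reach.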

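Guest Is Authenticated but Has No Internet Access

Symptom: The guest completes the portal form and sees the success page, but cannot browse the web.

Cause: The Zyxel controller is not receiving the RADIUS Access-Accept from Purple, or the USG Flex firewall is blocking the RADIUS response.

Resolution: Verify that outbound UDP ports 1812 and 1813 are permitted from the Zyxel AP management IP to the Purple RADIUS server IPs. Check the USG Flex security policy logs for blocked traffic.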

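RADIUS Accounting Data Missing from the Purple Dashboard

Symptom: Sessions appear in Nebula, but the Purple analytics dashboard shows no session duration data.

Cause: RADIUS accounting is not enabled in the Nebula SSID configuration, or UDP port 1813 is blocked.

Resolution: Confirm that RADIUS accounting is enabled in the SSID advanced settings. Verify that the accounting port is set to 1813 and that the shared secret matches the Purple configuration.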
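
Why the shared secret matters for accounting, as an added example (not Purple or Zyxel code): per RFC 2866 the sender of an Accounting-Request computes a Request Authenticator over the packet and the shared secret, and the server recomputes it with its own copy and does not accept the packet when the values differ. The secrets, NAS identifier, MAC address, SSID and session ID in the sample packet are constructed.

```python
"""RADIUS accounting check per RFC 2866. Added example; packet is constructed."""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
CALLED_STATION_ID, NAS_IDENTIFIER = 30, 32
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_SESSION_TIME = 40, 44, 46
STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def build_accounting_request(identifier, attrs, secret):
    """Build an Accounting-Request the way a NAS (the AP) does."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets
    #                             + attributes + shared secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet, secret):
    """Server-side check: recompute the authenticator with our own secret."""
    if len(packet) < 20:
        return False, "packet shorter than the 20-byte RADIUS header"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length < 20 or length > len(packet):
        return False, "not a well-formed Accounting-Request"
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:length] + secret)
    if not hmac.compare_digest(expected.digest(), packet[4:20]):
        return False, "authenticator mismatch: shared secrets differ"
    return True, "ok"


def summarise(packet):
    """Decode the attributes used for session tracking in this guide."""
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return {
        "status": STATUS_NAMES.get(int.from_bytes(attrs[ACCT_STATUS_TYPE], "big")),
        "nas_identifier": attrs[NAS_IDENTIFIER].decode(),
        "called_station_id": attrs[CALLED_STATION_ID].decode(),
        "session_seconds": int.from_bytes(attrs[ACCT_SESSION_TIME], "big"),
    }


# Constructed sample: a Stop record for a one-hour guest session.
SECRET_ON_AP = b"constructed-secret-A"
SAMPLE_PACKET = build_accounting_request(7, [
    (ACCT_STATUS_TYPE, struct.pack("!I", 2)),
    (ACCT_SESSION_ID, b"0000A1"),
    (NAS_IDENTIFIER, b"hotel-lobby"),
    (CALLED_STATION_ID, b"AA-BB-CC-00-11-22:Hotel-Guest"),
    (ACCT_SESSION_TIME, struct.pack("!I", 3600)),
], SECRET_ON_AP)

if __name__ == "__main__":
    print(verify_accounting_request(SAMPLE_PACKET, SECRET_ON_AP))
    print(verify_accounting_request(SAMPLE_PACKET, b"constructed-secret-B"))
    print(summarise(SAMPLE_PACKET))
```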

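DPPSK Users Assigned to the Wrong VLAN

Symptom: A tenant connects with their PPSK but is placed on the wrong network segment.

Cause: The VLAN ID in the DPPSK database entry does not match the VLAN configured on the switch trunk or the USG Flex interface.

Resolution: Cross-check the VLAN IDs in the Nebula DPPSK database against the VLAN configuration on the upstream switch and the USG Flex. Make sure the AP switch port is a trunk port carrying all tenant VLANs.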


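ROI and Business Impact

Integrating Zyxel infrastructure with Purple turns the wireless network from a cost centre into a revenue-generating data asset. For a 200-room hotel, collecting guest email addresses and marketing consent at WiFi login builds a CRM database that drives direct-booking campaigns and reduces reliance on OTA commissions. For a retail chain, Purple's Guest WiFi platform provides footfall analytics, dwell-time data, and repeat-visitor rates that inform staffing and merchandising decisions.

For multi-tenant operators (such as Build-to-Rent (BTR) developments, student accommodation, and coworking spaces), deploying Zyxel DPPSK together with Purple removes the operational overhead of managing separate SSIDs and credentials for each tenant. A single SSID combined with dynamic VLAN assignment reduces RF interference, simplifies onboarding, and scales to hundreds of residents without additional infrastructure.

Purple's 99.999% uptime SLA ensures the authentication layer does not become a bottleneck for guest access. With 29 billion data points collected across the platform (Purple internal data), the analytics available through the Purple admin console give venue operators actionable intelligence that can justify the integration investment within the first quarter of deployment.

For healthcare and transport environments that treat guest WiFi as a regulated service, the GDPR-compliant data collection and consent management built into Purple's captive portal remove the compliance risk associated with unmanaged open networks.

See also: Arista Cognitive Wi-Fi integration with Purple WiFi, for a similar integration pattern on a different hardware platform.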

Key Definitions

Captive portal

A web page that intercepts unauthenticated HTTP traffic from a connected device and requires the user to interact or authenticate before internet access is granted.

The primary mechanism Purple uses to capture guest data and enforce terms of service on Zyxel Guest WiFi networks.

Walled Garden

A list of IP addresses and domain names that a device can access before completing captive portal authentication.

Configured in Nebula under Captive portal advance setting. Must include all Purple portal domains, CDN endpoints, and OS connectivity check URLs.

RADIUS

Remote Authentication Dial-In User Service. A networking protocol providing centralised Authentication, Authorisation, and Accounting (AAA) management for network access.

Purple acts as the RADIUS server. Zyxel APs send authentication requests on UDP 1812 and accounting data on UDP 1813.

DPPSK

Dynamic Personal Pre-Shared Key. A Zyxel Nebula feature that issues unique WiFi passphrases on a single SSID, mapping each passphrase to a specific VLAN.

Used in multi-tenant venues to isolate resident or tenant traffic without broadcasting multiple SSIDs. Requires Nebula Pro Pack.

VLAN

Virtual Local Area Network. A logical network segment that isolates traffic at Layer 2, regardless of the physical switch or AP infrastructure.

Mandatory for separating Guest, Staff, and Multi-Tenant traffic. Required for PCI DSS compliance in venues that process card payments.

IEEE 802.1X

An IEEE standard for port-based network access control that uses the Extensible Authentication Protocol (EAP) to authenticate individual users or devices before granting network access.

Used for Staff WiFi in Nebula by selecting WPA2-Enterprise or WPA3-Enterprise with either the Nebula Cloud Authentication Server or an external RADIUS server.

CNA

Captive Network Assistant. The pseudo-browser that iOS and macOS devices automatically open when they detect a captive portal on a WiFi network.

Has limited JavaScript and cookie support compared to a full browser. Purple splash pages must be tested in the CNA environment before deployment.

Identity-Based Networks

A network architecture where access policies, VLAN assignments, and bandwidth limits are dynamically applied based on the authenticated identity of the user or device.

The outcome of combining Zyxel DPPSK with Purple's RADIUS platform. Each user gets the right network segment automatically at connection time.

NCC

Nebula Control Center. Zyxel's cloud-based network management platform for centrally configuring and monitoring Zyxel access points, switches, and firewalls.

All SSID, captive portal, RADIUS, and DPPSK configurations described in this guide are performed within NCC.

Worked Examples

A 200-room hotel is deploying Zyxel Nebula access points and a USG Flex 500 firewall. They need guest WiFi with a branded splash page, a separate staff network with individual credentials, and an IoT network for smart TVs and thermostats - all without broadcasting more than three SSIDs.

The IT team configures three SSIDs. The first is 'Hotel-Guest', an open SSID with the Purple external captive portal URL configured in Nebula. Guests are redirected to a branded Purple splash page where they submit their email and accept marketing consent. RADIUS authentication and accounting point to the Purple cloud platform on ports 1812 and 1813. The second SSID is 'Hotel-Staff', configured with WPA2-Enterprise and the Nebula Cloud Authentication Server. Each staff member has a unique username and password in the NCAS database, mapped to VLAN 20. The third SSID is 'Hotel-IoT', configured with DPPSK. Each smart TV and thermostat receives a unique passphrase mapped to VLAN 30. The USG Flex enforces zone policies: Guest (VLAN 10) can only reach the WAN. Staff (VLAN 20) can reach the WAN and internal management systems. IoT (VLAN 30) is restricted to specific local services only.

Examiner's commentary: This architecture achieves full segmentation with minimal SSID overhead. Using DPPSK for IoT devices provides device-level isolation without requiring 802.1X supplicants, which headless devices cannot support. The Purple integration on the guest SSID captures first-party data at scale while the staff SSID maintains enterprise-grade security via individual 802.1X credentials.

A coworking space operator manages 12 tenants across three floors. Each tenant needs isolated internet access and must not be able to reach other tenants' devices. The operator wants to issue WiFi credentials at move-in and revoke them at move-out, without changing the SSID or reconfiguring the APs.

The operator deploys a single 'CoWork-Connect' SSID with DPPSK enabled in Nebula. At move-in, they log in to the Nebula Control Center, navigate to Configure > Cloud authentication > DPPSK, and create a new credential for the tenant with the target VLAN ID matching that tenant's network segment. They set an expiry date matching the lease end date and email the credential to the tenant. At move-out, they delete the DPPSK entry. The credential immediately becomes invalid and the tenant's devices can no longer associate. Layer 2 isolation is enabled on the SSID to prevent cross-tenant communication even within the same VLAN.

Examiner's commentary: DPPSK provides a clean lifecycle management model for multi-tenant environments. The expiry date feature automates offboarding without requiring manual AP reconfiguration. The 2,048 concurrent credential limit is well within the capacity of a 12-tenant coworking space. For larger deployments, operators should plan credential rotation schedules to stay within this limit.

Practice Questions

Q1. You have configured the Purple captive portal URL in Zyxel Nebula and enabled the external portal. Guests connect to the SSID but report that the splash page takes over 30 seconds to load and appears visually broken - missing images and layout. What is the most likely cause and how do you resolve it?

Hint: Consider what controls access to external resources before a guest has authenticated.

Model answer

The Walled Garden configuration is incomplete. The Purple splash page loads CSS, JavaScript, and image assets from CDN domains. If these domains are not whitelisted in the Nebula Captive portal advance setting, the AP blocks those requests before authentication is complete. Resolution: connect a test device to the Guest SSID, open a browser (not the CNA mini-browser), navigate to any HTTP URL to trigger the redirect, then open developer tools and inspect the Network tab. Identify any requests returning 403 or connection errors. Add those domains to the Nebula Walled Garden and retest.

Q2. A venue operator wants to provide isolated networks for 15 different retail tenants in a shopping centre. Their initial plan is to broadcast 15 separate SSIDs from their Zyxel APs. Why is this approach problematic, and what should they deploy instead?

Hint: Think about RF airtime and the Zyxel feature designed specifically for this use case.

Model answer

Broadcasting 15 SSIDs generates 15 sets of beacon frames per access point per second. In a dense retail environment with multiple APs, this beacon overhead consumes significant airtime and degrades throughput for all connected devices. The correct approach is to broadcast a single SSID and enable Zyxel DPPSK. Each tenant receives a unique passphrase mapped to their dedicated VLAN ID. When a tenant device connects, the Nebula controller dynamically assigns it to the correct VLAN. This achieves full traffic isolation with a single SSID and minimal RF overhead.

Q3. After deploying the Zyxel and Purple integration, guests can authenticate successfully and browse the internet. However, the Purple analytics dashboard shows zero session duration data and the time-based access limit feature is not working. What is missing from the configuration?

Hint: Authentication and session tracking use different ports and protocols.

Model answer

RADIUS Accounting is either not enabled in the Nebula SSID configuration or UDP port 1813 is blocked by the upstream firewall. Authentication (UDP 1812) is succeeding, which is why guests can connect. But without Accounting packets (Start, Interim-Update, Stop), Purple cannot track session duration, enforce time limits, or populate the analytics dashboard. Resolution: confirm RADIUS accounting is enabled in SSID advanced settings with the accounting port set to 1813 and the correct shared secret. Then verify the upstream firewall permits outbound UDP 1813 from the Zyxel AP management IP to the Purple RADIUS server IP.