跳至主要内容
简体中文

SonicWall TZ 和 SonicWave 与 Purple WiFi 的集成

本技术参考详细介绍了 SonicWall TZ 防火墙和 SonicWave AP 与 Purple WiFi 平台的集成。它提供了有关 Captive Portal 重定向、Walled Garden 豁免、802.1X 认证以及使用私有预共享密钥 (PPSK) 进行动态 VLAN 引导的操作配置步骤。

📖 6 分钟阅读📝 1,263 🔧 2 应用实例3 练习题📚 8 关键定义

收听本指南

查看播客转录
SONICWALL TZ AND SONICWAVE INTEGRATION WITH PURPLE WIFI Purple WiFi Intelligence Platform - Technical Briefing Series Duration: Approximately 10 minutes Voice: UK English, senior consultant tone - confident, conversational, authoritative --- SEGMENT 1: INTRODUCTION AND CONTEXT (approximately 1 minute) Welcome to the Purple Technical Briefing Series. Today we are covering one of the more technically involved integrations in the enterprise WiFi space: SonicWall TZ firewalls and SonicWave access points, deployed alongside Purple for guest authentication, staff access control, and multi-tenant network isolation. If you are an IT security engineer or an MSP managing venues - hotels, retail chains, conference centres, or mixed-use developments - this briefing is for you. We are going to move quickly through the architecture, the configuration steps, and the places where deployments go wrong. SonicWall is a strong choice in the SMB and mid-market space. The TZ series firewalls are widely deployed, and SonicWave APs integrate natively through SonicOS and the Wireless Network Manager. When you add Purple on top, you get a cloud-managed guest WiFi layer with branded splash pages, RADIUS-based authentication, and first-party data capture - all without replacing your existing SonicWall infrastructure. Let us get into the architecture. --- SEGMENT 2: TECHNICAL DEEP-DIVE (approximately 5 minutes) There are four distinct use cases to cover here, and each one has a different configuration path. Guest WiFi with captive portal redirection. Walled Garden exceptions. Secure Staff WiFi using 802.1X. And multi-tenant isolation using SonicWall Private Pre-Shared Keys - PPSK - with dynamic VLAN steering. Let us start with Guest WiFi and the SonicWall captive portal. SonicOS uses a mechanism called Lightweight Hotspot Messaging - LHM - to handle external captive portal redirects. When a guest connects to your guest SSID and opens a browser, the SonicWall intercepts that HTTP request and redirects it to Purple's splash page URL. The guest authenticates on Purple's platform - via social login, email, or a click-through - and Purple sends an LHM authorisation back to the SonicWall on TCP port 4043. The SonicWall then opens internet access for that device's MAC address. The configuration in SonicOS 7.x works like this. First, navigate to Object, then Match Objects, then Zones. Edit the zone assigned to your guest WiFi - typically a WLAN or custom zone. Under Guest Services, enable both "Enable Guest Services" and "External Guest Authentication." Then go to Configure, Guest Services, General. Set the Client Redirect Protocol to HTTP. Enter Purple's portal hostname as the web server address - that is portal.purple.ai. Set the redirect path to your venue's specific splash page URL, which Purple provides in the venue dashboard. The port is 4043. On the Auth Pages tab, set the login URL to Purple's external portal URL. Set the logout URL if you want to handle session termination. On the Advanced tab, enable "Allow unauthenticated users to access HTTPS sites" only if you need to support HTTPS-first devices - but be aware this weakens the redirect enforcement. Once saved, SonicOS automatically creates a NAT policy and a WAN-to-WAN access rule permitting TCP 4043. Do not delete these auto-generated rules. They are what allows the LHM handshake to complete. Now, Walled Garden configuration. Before a guest authenticates, their device needs to reach certain domains to make the splash page work. Purple's platform depends on its own CDN and API endpoints. The OS captive portal detection probes - captive.apple.com for iOS devices, connectivitycheck.gstatic.com for Android, and msftconnecttest.com for Windows - must all be whitelisted. If you are offering social login, add accounts.google.com, oauth2.googleapis.com, apis.google.com, and gstatic.com for Google. Add www.facebook.com, graph.facebook.com, connect.facebook.net, and the fbcdn.net CDN domain if you are offering Facebook login. In SonicOS, add these as FQDN address objects under Object, Match Objects, Addresses. Then create access rules in the guest zone that permit unauthenticated devices to reach these FQDNs. Use dynamic DNS resolution - SonicOS resolves FQDN objects at regular intervals - rather than static IP entries, which will drift as CDN IP ranges change. Moving on to Secure Staff WiFi with 802.1X. This is where SonicWave APs and Purple's RADIUS server work together. The SonicWave AP acts as the authenticator in the 802.1X exchange. The supplicant is the staff device. Purple's RADIUS server is the authentication server. The EAP method you choose depends on your identity provider. If you are using Microsoft Entra ID or Okta, PEAP-MSCHAPv2 is the most common choice because it works with username and password credentials. If you have deployed device certificates - which is the recommended approach for managed devices - use EAP-TLS. In the Wireless Network Manager, navigate to Policies, Policy Hierarchy, select your AP policy, and click the 802.1X tab. Enter Purple's RADIUS server IP address - available in your Purple venue dashboard under the RADIUS settings section. The shared secret is generated by Purple and must match exactly on both sides. Set the authentication port to 1812 and the accounting port to 1813. For EAP settings, select the method that matches your identity provider configuration. On the Purple side, create a RADIUS policy for staff authentication. Map the staff SSID to a specific VLAN - for example, VLAN 200 for staff. Purple's RADIUS server returns the VLAN assignment using three standard attributes: Tunnel-Type set to VLAN, Tunnel-Medium-Type set to 802, and Tunnel-Private-Group-ID set to the VLAN ID as a string - so "200" for VLAN 200. The SonicWall firewall and SonicWave AP honour these attributes and place the authenticated staff device into the correct VLAN automatically. Now, the most architecturally interesting use case: PPSK and multi-tenant isolation. Private Pre-Shared Keys allow you to run a single SSID and assign each tenant, resident, or user group a unique passphrase. When a device connects using a specific PPSK, the SonicWave AP sends that key to Purple's RADIUS server for validation. Purple looks up the key, identifies the associated tenant or user group, and returns the appropriate VLAN assignment via the Tunnel-Private-Group-ID attribute. The SonicWall then steers that device into the correct VLAN - completely isolated from other tenants on the same SSID. This is Identity-Based Networking in practice. You are not managing SSIDs per tenant. You are managing identities per tenant. In a mixed-use development with ten retail units, one SSID broadcasts across the entire building. Each tenant gets their own PPSK. Each PPSK maps to a dedicated VLAN and subnet. Tenant A's devices never see Tenant B's traffic, even though they are sharing the same physical access points. The PPSK configuration in SonicOS requires RADIUS-based PPSK mode on the SSID. In the Wireless Network Manager, edit the SSID, set the security mode to WPA2-Enterprise with PPSK, and point the RADIUS server at Purple. Purple manages the PPSK-to-VLAN mapping table centrally. When you add a new tenant, you create a new PPSK in Purple, assign it a VLAN, and the change propagates to all SonicWave APs in that venue without touching the firewall configuration. --- SEGMENT 3: IMPLEMENTATION RECOMMENDATIONS AND PITFALLS (approximately 2 minutes) Let me give you the three things that most commonly go wrong in SonicWall and Purple deployments. First: the LHM port. TCP 4043 must be open from the WAN to the SonicWall's WAN interface. If your ISP or upstream firewall blocks this port, the LHM authorisation handshake never completes, and guests get stuck on the splash page after authenticating. They see a successful login on Purple's side, but the SonicWall never receives the authorisation signal. Test this with a telnet or curl check to port 4043 from an external IP before go-live. Second: FQDN object resolution timing. SonicOS resolves FQDN address objects at boot and then at a configurable interval. If you add a new walled garden domain and the resolution has not refreshed yet, unauthenticated devices cannot reach it. Force a manual refresh after adding new FQDN objects, or set the DNS refresh interval to 60 seconds in high-traffic deployments. Third: VLAN sub-interface configuration. Dynamic VLAN assignment via RADIUS only works if the target VLANs exist as sub-interfaces on the SonicWall before the first device authenticates. If a RADIUS response returns Tunnel-Private-Group-ID 110 but VLAN 110 does not exist as a sub-interface on the SonicWall, the device either gets dropped or falls back to the default VLAN. Build and test all VLAN sub-interfaces before enabling RADIUS VLAN assignment. For MSPs managing multiple venues, Purple's cloud dashboard lets you manage RADIUS policies, PPSK tables, and splash page configurations centrally. You can push configuration changes to all venues from a single interface. That is the operational advantage of a cloud overlay approach - the SonicWall hardware stays in place, and Purple handles the identity and policy layer above it. --- SEGMENT 4: RAPID-FIRE Q&A (approximately 1 minute) A few questions that come up regularly. "Can I use SonicWave APs in standalone mode with Purple?" Yes, but you lose some functionality. In standalone mode, SonicWave APs manage their own RADIUS configuration locally. You can still point them at Purple's RADIUS server for 802.1X. But for PPSK with dynamic VLAN assignment, you need the SonicWall TZ as the RADIUS proxy or the Wireless Network Manager managing the AP policy centrally. "Does Purple support WPA3 on SonicWave?" WPA3 support on SonicWave depends on the firmware version and AP model. SonicWave 600 series APs support WPA3. For captive portal use cases, WPA3 with Opportunistic Wireless Encryption is compatible with Purple's LHM redirect flow, but test on your specific firmware version before deploying at scale. "How does Purple handle GDPR for guest data collected via the splash page?" Purple is ISO 27001 certified, GDPR compliant, and Cyber Essentials certified. Consent is captured at the splash page with configurable opt-in checkboxes. Purple stores first-party data in line with your data retention policy. Guests can access and delete their data via Purple's self-service portal. "What RADIUS attributes does Purple return for dynamic VLAN assignment?" Three attributes: Tunnel-Type with value VLAN, Tunnel-Medium-Type with value 802, and Tunnel-Private-Group-ID with the VLAN ID as a string. These are the standard RFC 2868 attributes supported by SonicOS and SonicWave. --- SEGMENT 5: SUMMARY AND NEXT STEPS (approximately 1 minute) To summarise. SonicWall TZ firewalls and SonicWave APs integrate with Purple via two primary mechanisms: LHM for guest captive portal redirection, and RADIUS for 802.1X staff authentication and PPSK-based multi-tenant isolation. The key configuration steps are: enable External Guest Authentication on the guest zone, configure the Purple portal URL on port 4043, build your walled garden FQDN objects, configure RADIUS on the SonicWave AP policy in Wireless Network Manager, and create your VLAN sub-interfaces on the SonicWall before enabling dynamic VLAN assignment. For multi-tenant deployments, PPSK with RADIUS-based VLAN steering is the architecture to use. One SSID, one set of APs, complete tenant isolation via identity-based VLAN assignment. If you are planning a deployment or reviewing an existing one, Purple's technical team can provide venue-specific RADIUS configuration files and walled garden domain lists. The Purple platform supports 80,000 live venues and has processed 440 million logins in 2024 - the integration patterns we have covered today are proven at scale. Thanks for listening. The full written guide with step-by-step configuration tables and Mermaid architecture diagrams is available on the Purple website. --- END OF SCRIPT

header_image.png

执行摘要

将 SonicWall 网络基础设施与 Purple 的云端覆盖网络相结合,可提供企业级访问控制以及先进的第一方数据捕获。本指南涵盖了四个不同用例的技术实现:具有 Captive Portal 重定向的访客 WiFi、Walled Garden 豁免、使用 802.1X 的安全员工 WiFi,以及使用 SonicWall 私有预共享密钥 (PPSK) 进行动态 VLAN 引导的多租户隔离。

我们每年在 80,000 多个活跃场所处理 4.4 亿次登录。下面详细介绍的架构在酒店、零售和公共部门环境中经过了大规模验证。它允许您保留现有的 SonicWall 硬件,同时将身份管理、欢迎页面托管和 RADIUS 认证卸载到 Purple 云。

技术深度解析

该集成依赖于两种主要机制:用于 Captive Portal 重定向的轻量级热点消息传递 (LHM),以及用于 802.1X 和 PPSK 认证的 RADIUS。

通过 LHM 进行 Captive Portal 重定向

SonicOS 使用 LHM 来处理外部 Captive Portal 重定向。当未经身份验证的访客设备尝试访问互联网时,SonicWall TZ 防火墙会拦截 HTTP 请求并将客户端重定向到 Purple 托管的欢迎页面。访客完成认证流程(例如社交登录、表单填写)。然后,Purple 通过 TCP 端口 4043 将 LHM 授权数据包发送回 SonicWall。收到该数据包后,SonicWall 会更新其内部访问控制列表,允许该设备的 MAC 地址访问互联网。

architecture_overview.png

Walled Garden 架构

在进行身份验证之前,访客设备会被保留在受限区域中。Walled Garden 是允许设备访问以渲染欢迎页面并完成登录过程的特定完全限定域名 (FQDN) 集合。这包括 Purple 的 CDN (cdn.purple.ai)、认证 API (api.purple.ai) 以及 Google Workspace、Microsoft Entra ID 和 Meta 等第三方身份提供商所需的域名。

SonicOS 使用 FQDN 地址对象来实现 Walled Garden。防火墙对这些对象执行动态 DNS 解析,自动更新允许的 IP 范围。这至关重要,因为身份提供商和 CDN 使用动态 IP 分配;静态 IP 白名单不可避免地会失效。

安全员工 WiFi 和 802.1X

对于员工网络,SonicWave AP 充当 802.1X 认证器,将请求代理到 Purple 的 RADIUS 服务器。我们建议对使用证书的托管设备使用 EAP-TLS,或者针对 Microsoft Entra ID 等目录的用户名/密码身份验证使用 PEAP-MSCHAPv2。身份验证成功后,Purple 会返回标准 RADIUS 属性(Tunnel-Type、Tunnel-Medium-Type 和 Tunnel-Private-Group-ID),以动态地将设备分配到正确的员工 VLAN。

使用 PPSK 的多租户隔离

基于身份的网络消除了对复杂的多 SSID 部署的需求。使用 SonicWall PPSK,单个 SSID(例如“Multi-Tenant-WiFi”)在场所内广播。每个租户都会收到一个唯一的密码。当设备使用特定的 PPSK 进行关联时,SonicWave AP 会向 Purple 的 RADIUS 服务器验证该密钥。Purple 识别租户并返回关联的 VLAN ID。然后,SonicWall 将流量引导至隔离的租户 VLAN。

ppsk_vlan_diagram.png

实施指南

1. 配置 SonicWall Captive Portal (LHM)

要在运行 SonicOS 7.x 的 SonicWall TZ 系列上配置外部 Captive Portal:

  1. 导航至对象 > 匹配对象 > 区域 (Zones)。编辑分配给您的访客网络的区域(例如 WLAN)。
  2. 访客服务 (Guest Services)选项卡下,启用启用访客服务 (Enable Guest Services)外部访客身份验证 (External Guest Authentication)
  3. 导航至配置 > 访客服务 > 常规 (Configure > Guest Services > General)
  4. 将**客户端重定向协议 (Client Redirect Protocol)**设置为 HTTP
  5. Web 服务器 (Web Server) 地址设置为 portal.purple.ai
  6. 将**端口 (Port)**设置为 4043
  7. 在**认证页面 (Auth Pages)选项卡下,将登录 URL (Login URL)**设置为 Purple 场所仪表板中提供的特定欢迎页面 URL。
  8. 保存配置。SonicOS 将自动生成一个 NAT 策略和一个 WAN 到 WAN 访问规则,以允许 TCP 端口 4043。请勿修改这些自动生成的规则。

2. 构建 Walled Garden

为所需的域名创建 FQDN 地址对象,并将它们添加到地址组中。将此组应用到访客区域中的允许规则。

所需的 Purple 域名:

  • *.purple.ai
  • *.purpleportal.net

操作系统 Captive Portal 探测:

  • captive.apple.com (iOS/macOS)
  • connectivitycheck.gstatic.com (Android)
  • msftconnecttest.com (Windows)

常用社交登录域名 (Google):

  • accounts.google.com
  • oauth2.googleapis.com
  • apis.google.com
  • *.gstatic.com

3. 为 SonicWave AP 配置 RADIUS

要通过无线网络管理器 (Wireless Network Manager) 将 SonicWave AP 与 Purple RADIUS 集成:

  1. 导航至**策略 > 策略层级 (Policies > Policy Hierarchy)**并选择您的 AP 策略。
  2. 选择 802.1X 选项卡。
  3. 输入 Purple RADIUS 服务器 IP 地址(可在您的 Purple 仪表板中找到)。
  4. 输入 Purple 生成的共享密钥。
  5. 将**认证端口 (Authentication Port)设置为 1812,将计费端口 (Accounting Port)**设置为 1813
  6. 根据您的身份提供商选择合适的 EAP 方法。

4. 配置动态 VLAN 引导

在启用动态分配之前,请确保目标 VLAN 作为子接口存在于 SonicWall TZ 防火墙上。

在 Purple 仪表板中,将用户组或 PPSK 映射到目标 VLAN ID。身份验证成功后,Purple 将返回以下属性:

  • Tunnel-Type = VLAN (13)
  • Tunnel-Medium-Type = 802 (6)
  • Tunnel-Private-Group-ID = [VLAN ID](例如 "110")

最佳实践

  • 测试 LHM 端口可见性:必须能够从互联网访问 SonicWall WAN 接口的 TCP 端口 4043。在上线前使用外部端口扫描工具进行测试。如果 ISP 屏蔽了此端口,授权数据包将被丢弃,访客将一直卡在展示页面上。
  • 预先配置 VLAN 子接口:如果在身份验证事件发生之前未在 SonicWall 上配置目标 VLAN 子接口,动态 VLAN 引导将静默失败。设备将回退到默认的未标记 VLAN。
  • 强制使用基于 Web 的 OAuth:确保您的展示页面配置强制使用基于 Web 的 OAuth 流程。深层链接到原生社交媒体应用(如 Facebook iOS 应用)通常会中断 Captive Portal 流程,因为原生应用流量会被围墙花园(walled garden)拦截。
  • 优化 DNS 刷新间隔:SonicOS 会定期解析 FQDN 对象。在体育场或交通枢纽等高流动性环境中,将围墙花园对象的 DNS 刷新间隔设置为 60 秒,以确保准确跟踪 CDN IP 的变化。

故障排除与风险规避

现象:访客完成了展示页面登录,但无法访问互联网。 原因:TCP 4043 上的 LHM 授权数据包未到达 SonicWall。 解决方法:验证是否存在自动生成的 WAN 到 WAN 访问规则。检查上游 ISP 路由器是否屏蔽了端口。确保 SonicWall WAN IP 已正确注册在 Purple 控制面板中。

现象:展示页面加载失败,或社交登录按钮返回 CORS 错误。 原因:围墙花园配置不完整。 解决方法:在未身份验证的状态下连接测试设备。使用浏览器开发者工具(“网络”选项卡)识别被拦截的 HTTPS 请求。在 SonicOS 中将失败的域名添加为 FQDN 地址对象。

现象:员工设备通过 802.1X 进行身份验证,但从默认 VLAN 而不是分配的 VLAN 获取 IP 地址。 原因:SonicWall 上不存在目标 VLAN 子接口,或者 RADIUS 属性格式错误。 解决方法:验证 VLAN 子接口是否处于活动状态。检查 Purple RADIUS 日志,确认 Tunnel-Private-Group-ID 是否作为与 VLAN ID 匹配的字符串值发送。

投资回报率与业务影响

将 SonicWall 基础设施与 Purple 结合部署,可将标准的网络成本中心转化为可衡量的业务资产。

对于拥有 200 家门店的零售连锁店,从通用的预共享密钥过渡到品牌化的 Captive Portal,通常能在六个月内使已知客户画像增加 40%。这些第一方数据可直接集成到 CRM 系统中,从而推动精准营销活动并提高复购客流量。

在联合办公空间或学生公寓等多租户环境中,结合动态 VLAN 引导的 PPSK 消除为每个租户管理专用硬件的运营开销。您只需部署一个物理网络,并通过身份进行逻辑隔离。这在降低高达 60% 的硬件资本支出的同时,还能保持严格符合 ISO 27001 标准的网络隔离。

关键定义

Lightweight Hotspot Messaging (LHM)

A protocol used by SonicWall to communicate with external captive portals. It handles the redirect and authorisation handshake.

Required for integrating SonicOS with cloud-managed guest WiFi platforms like Purple.

Walled Garden

A specific set of domains or IP addresses that unauthenticated devices are permitted to access.

Critical for allowing guest devices to load the splash page, access CDNs, and complete social login OAuth flows before gaining full internet access.

Private Pre-Shared Key (PPSK)

A security method where multiple unique passphrases are valid on a single SSID, with each passphrase tied to a specific user or policy.

Used in multi-tenant environments to isolate traffic without broadcasting multiple SSIDs.

Captive Network Assistant (CNA)

The built-in OS mechanism (on iOS, Android, Windows) that detects a captive portal and automatically opens a limited browser window for authentication.

If the OS probe domains (e.g., captive.apple.com) are not in the walled garden, the CNA will not trigger, and guests will think the WiFi is broken.

Dynamic VLAN Steering

The process of assigning a device to a specific VLAN based on its identity or credentials, rather than the SSID it connected to.

Managed by Purple RADIUS returning the Tunnel-Private-Group-ID attribute to the SonicWall.

FQDN Address Object

A firewall object based on a Fully Qualified Domain Name rather than a static IP address.

SonicOS resolves these objects dynamically, making them essential for robust walled garden configurations.

Identity-Based Network

A network architecture where access policies and segmentation are applied based on the authenticated user or device, rather than physical ports or SSIDs.

Achieved by combining Purple RADIUS with SonicWall PPSK and 802.1X.

Tunnel-Private-Group-ID

The standard RFC 2868 RADIUS attribute used to specify the VLAN ID for a connecting device.

Must be returned by Purple as a string value (e.g., '100') to instruct the SonicWall to steer the device.

应用实例

A 150-room hotel (Premier Inn) needs to provide free Guest WiFi via a splash page and a secure Staff WiFi network for housekeeping devices. They have a SonicWall TZ570 and 40 SonicWave APs. How should they segment this traffic?

Deploy two SSIDs. SSID 1: 'Guest-WiFi' mapped to VLAN 100. Configure the SonicWall WLAN zone for External Guest Authentication pointing to portal.purple.ai on TCP 4043. Configure the walled garden FQDNs for Purple and social logins. SSID 2: 'Staff-WiFi' mapped to VLAN 200 using 802.1X. Point the SonicWave AP policy to Purple's RADIUS server. Configure Purple to authenticate housekeeping devices via MAC address bypass (MAB) or PEAP-MSCHAPv2, returning Tunnel-Private-Group-ID '200'.

考官评语: This approach strictly isolates untrusted guest traffic from operational systems. Using Purple for both the captive portal and RADIUS authentication centralises identity management. MAB is appropriate for headless devices (like cleaning carts), while 802.1X secures staff phones.

A coworking space manages 15 different companies sharing one open-plan office. They want to provide secure, isolated networks for each company without broadcasting 15 different SSIDs from their SonicWave APs.

Deploy a single SSID named 'Workspace-Secure' using WPA2-Enterprise with PPSK. Create 15 VLAN sub-interfaces on the SonicWall TZ firewall (e.g., VLANs 101-115). In the Purple dashboard, generate a unique PPSK for each company and map it to their specific VLAN ID. When a user connects using their company's PPSK, Purple RADIUS returns the corresponding Tunnel-Private-Group-ID, and the SonicWall steers the device into the isolated VLAN.

考官评语: This Identity-Based Network design scales cleanly. Broadcasting 15 SSIDs would cause severe management frame overhead and degrade WiFi performance. PPSK provides the security of unique credentials and the isolation of dedicated VLANs without the RF penalty of multiple SSIDs.

练习题

Q1. You have configured the SonicWall guest zone for External Guest Authentication and set the web server to portal.purple.ai. Guests are redirected to the splash page and can log in successfully, but they never gain internet access. What is the most likely cause?

提示:Think about how Purple tells the SonicWall that the authentication was successful.

查看标准答案

The LHM authorisation packet is being blocked. TCP port 4043 must be open on the SonicWall WAN interface to receive the success signal from Purple. Check upstream firewalls or ISP configurations for port blocking.

Q2. A venue wants to offer Facebook login on their splash page. You add www.facebook.com to the walled garden FQDN address group. Guests report that the Facebook login page loads, but the styling is broken and the login button does not work.

提示:Modern web applications load assets from multiple domains.

查看标准答案

The walled garden is incomplete. You must also whitelist the domains that serve Facebook's CSS, JavaScript, and API calls, specifically graph.facebook.com, connect.facebook.net, and the CDN domain (e.g., *.fbcdn.net).

Q3. You are deploying PPSK for a multi-tenant office. You configure the SSID for WPA2-Enterprise with PPSK and point the RADIUS server to Purple. You create a PPSK in Purple mapped to VLAN 50. When a user connects with that PPSK, they receive an IP address from VLAN 10 instead. Why?

提示:The SonicWall needs to know where to send the traffic before the RADIUS request completes.

查看标准答案

VLAN 50 has not been created as a sub-interface on the SonicWall TZ firewall. Dynamic VLAN steering requires the target VLAN to exist on the firewall beforehand; if it does not, the device falls back to the default untagged VLAN (in this case, VLAN 10).

继续阅读本系列

Cambium Networks cnPilot 和 cnMaestro 与 Purple WiFi 的集成

本权威指南详细介绍了 Cambium Networks cnPilot 接入点和 cnMaestro 云控制器与 Purple WiFi 智能平台的集成。内容涵盖架构、Captive Portal 配置、围墙花园要求、802.1X 员工 WiFi,以及在多租户环境下使用 Cambium ePSK 进行的动态 VLAN 划分。

阅读指南 →

MikroTik RouterOS Captive Portal 与 Purple WiFi 集成指南

本技术指南提供了将 MikroTik RouterOS 与 Purple 的 WiFi 平台集成的分步说明。内容涵盖访客 WiFi Captive Portal 配置、员工 WiFi 802.1X 认证,以及使用私有 PSK 进行动态 VLAN 隔离的多租户 WiFi。

阅读指南 →

Alta Labs 与 Purple WiFi 的集成:设置与 Captive Portal 配置

本技术参考指南涵盖了 Alta Labs AP6 和 AP6 Pro 接入点与 Purple 云托管 Captive Portal 的端到端集成。它详细介绍了外部重定向配置、RADIUS 身份验证、围墙花园(walled garden)要求,以及使用 AltaPass 私有预共享密钥(Private Pre-Shared Keys)的多租户细分。场所运营商和 IT 团队将获得一份适用于酒店、零售和智能办公环境的可重复部署指南。

阅读指南 →