跳至主要内容
简体中文

RADIUS 配置助手与 802.1X 指南

配置与云身份提供商集成的安全 WPA2 和 WPA3 企业级无线网络。

配置您的 RADIUS 设置

1. Select your technology stack

PEAP-MSCHAPv2 requires users to input their active email and directory password. Easy to set up, but susceptible to credential harvesting.

RADIUS Server Specifications

Configure these cloud authentication servers on your wireless access point controllers.

Primary Server185.101.99.1Host: radius1.purple.ai
Secondary Server185.101.99.2Host: radius2.purple.ai
PortsAuth: 1812 | Acct: 1813Standard UDP ports
Shared Secret KeypUrpLeReSeArCh8021x

Access point controller settings

  1. Log in to the Meraki Dashboard and navigate to Wireless > SSIDs.
  2. Rename SSID to your secure network name and set Association to WPA2-Enterprise with 802.1X or WPA3-Enterprise.
  3. Set IP assignment to Bridge mode to handle dynamic client VLANs.
  4. Under RADIUS servers, click "Add a server" and enter the Primary IP (185.101.99.1) and Secondary IP (185.101.99.2), Port 1812, and your Shared Secret.
  5. Enable RADIUS Accounting, pointing to the same server IPs with Port 1813.
  6. Set RADIUS CoA (Change of Authorization) to Enabled. This is required for session termination and security policies.

Identity directory mapping

  1. Open the Microsoft Entra admin center (Azure Portal).
  2. Navigate to App registrations and register a new enterprise app for Purple WiFi.
  3. Configure API permissions to allow User.Read.All and GroupMember.Read.All.
  4. Set up SCIM provisioning pointing to https://api.purple.ai/scim/v2 using your tenant token to sync user status.
  5. Create security groups (e.g. "WiFi-Users") and assign users to control who can authenticate to the network.

Client device onboarding profiles

Client devices need configuration parameters to trust the RADIUS server certificate silently without displaying security warnings.

Apple macOS & iOS Configuration Profile (.mobileconfig)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>Enterprise WiFi Profile</string>
      <key>PayloadIdentifier</key>
      <string>com.purple.wifi.profile</string>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key>
      <string>A5E81A22-38D4-4903-BB1A-A6C18644A152</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>SSID_STR</key>
      <string>Enterprise-Secure</string>
      <key>HIDDEN</key>
      <false/>
      <key>EncryptionType</key>
      <string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>
        <array>
          <integer>25</integer> <!-- 25 = PEAP, 13 = TLS -->
        </array>
        <key>TLSTrustedServerNames</key>
        <array>
          <string>radius.purple.ai</string>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Enterprise WiFi Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.purple.wifi</string>
  <key>PayloadUUID</key>
  <string>F2B8D432-84E3-40B1-B590-F28B020B0421</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
Windows clients (Group Policy)Create a Group Policy Object (GPO) under Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (802.11) Policies. Configure SSID properties to connect automatically to Enterprise-Secure using WPA2-Enterprise or WPA3-Enterprise, EAP-PEAP, specify trust for Root CA certificate, and lock down trusted server domains to radius.purple.ai.
Android 11+ clients (CA trust)Android 11 and later versions enforce CA certificate validation. When connecting manually to Enterprise-Secure, users cannot select "Do not validate". They must: Select Use system certificates, set Domain validation to radius.purple.ai, and configure EAP method to PEAP or TLS.

企业级安全配置助手

部署 802.1X 企业级认证需要协调身份提供商、RADIUS 服务器和无线接入点。本助手提供安全设置所需的 IP 地址、端口和客户端 OS 配置文件设置。

支持的配置参数

  • 与 Microsoft Entra ID 和 Okta 的云身份提供商集成。
  • 用于认证和计费的 RADIUS 服务器配置详情。
  • 用于安全证书和静默入网的客户端配置文件参数。

Need a Cloud RADIUS?

Deploying 802.1X enterprise authentication doesn't require complex on-premises hardware. Purple's integrated Cloud RADIUS syncs directly with Entra ID, Okta, and Google Workspace.

Talk to a WiFi expert