跳至主要內容
ISO 27001
Purple certified since 2017
99.999%
authentication uptime SLA
WPA3
enterprise-ready across the platform
< 50ms
cloud RADIUS auth latency

TL;DR / Key Takeaways

  • Enterprise WiFi security is identity-first. A device joining the network proves it belongs to a known user or asset, against an identity provider, before traffic is allowed.
  • The three credible authentication models in 2026: WPA3 Enterprise with EAP-TLS (managed workforce), iPSK (IoT and contractors), captive portal with RADIUS (guests). Shared pre-shared keys do not belong in any of them.
  • Cloud RADIUS replaces on-prem Windows NPS for most organisations. The exceptions are estates where authentication has to survive WAN failure - distributed retail, remote sites, ships, aircraft.
  • The identity provider is the source of truth. Entra ID, Okta, and Google Workspace integrations are first-class; SCIM-driven group sync drives VLAN, ACL, and role assignment at the access point.
  • The compliance story (UK GDPR, PCI DSS 4.0, HIPAA, ISO 27001:2022) is satisfied by the same control set. Build the stack once; pass every audit that asks about wireless.

Most enterprise WiFi networks are still running on a credential model designed when employees worked from one building and IoT meant a wired printer. A single pre-shared key, shared across the workforce, rotated at variable intervals, written on a whiteboard near reception.

That model has been obsolete for a decade. Hybrid working, BYOD, contractor density, and the long parade of IoT make a shared password an unmanaged credential by definition. The leaver risk alone is enough to retire it; PCI DSS 4.0 and ISO 27001:2022 are now explicit that wireless authentication is in scope.

This guide is the technical and operational reference for what replaces the shared password. 802.1X and EAP-TLS for managed devices, iPSK for IoT and contractors, captive portal for guests, and a cloud RADIUS layer that ties all three back to your identity provider. Aimed at IT directors, security architects, and the network engineers who run the deployments.

The four properties of secure enterprise WiFi

A wireless network qualifies as enterprise-grade if it does four things. Networks that do three of them are common; networks that do all four are rare and worth working towards.

Identity-bound authentication

Every device that joins the network is tied to a known user or known asset, authenticated against your directory. No shared credentials, no anonymous joins.

Transmission encryption

WPA3 Enterprise as a minimum. AES-256, forward secrecy, protected management frames (802.11w) on. Transitional WPA2 fallback only where unavoidable.

Authorisation past join

Authentication grants network access; authorisation decides what that access is. Dynamic VLAN, ACL, or SGT assigned from RADIUS attributes - not flat-L2 trust after the password.

Auditable revocation

When a user leaves, when a device is lost, when a contract ends, network access stops within minutes. JML automation, certificate revocation, iPSK rotation - whichever the model is.

The six authentication models

Most organisations end up running two or three of these in parallel: one for managed workforce devices, one for IoT and contractors, one for guests. Mapping the right method to the right population is the first decision.

WPA3 Enterprise

Current standard. 192-bit suite-B mode for sensitive environments. Forward secrecy by default. The destination for any new enterprise SSID.

Use for: New builds. Refresh of existing 802.1X SSIDs.

EAP-TLS

Certificate-based, passwordless. The most secure method available; the one auditors prefer; the one with the highest user-experience score once provisioning is automated.

Use for: Managed workforce devices. BYOD with MDM-issued certs.

iPSK

Per-identity pre-shared key, looked up via RADIUS. No supplicant configuration. Per-identity isolation and revocation. Right answer where 802.1X is impractical.

Use for: IoT, contractors, multi-tenant residential, headless devices.

PEAP-MSCHAPv2

Username and password tunnelled inside TLS. Widely deployed, but only safe with strict server-certificate validation on every supplicant. Plan to retire.

Use for: Legacy estates during EAP-TLS migration only.

Captive portal + RADIUS

Authenticated guest WiFi. Identity comes through a portal sign-in, RADIUS records the session for accounting and policy. The right answer for visitors, not for staff.

Use for: Guests, contractors, partners. Never for managed devices.

Passpoint / OpenRoaming

Device-level certificate trust to a federated identity provider; joining is automatic. The future of public and large-venue WiFi; complementary to the above.

Use for: Large venues, transport hubs, federated education.

RADIUS: cloud or on-prem?

Every authentication model above runs through a RADIUS layer. RADIUS is the protocol; what changes between vendors and deployment models is where the RADIUS server sits and how it talks to your identity provider.

The dominant on-prem implementations - Microsoft Network Policy Server (NPS) and FreeRADIUS - were designed for an era when authentication latency over a leased line was tolerable and the identity provider was a domain controller in the same rack. Both still run a lot of corporate WiFi. Neither is a comfortable place to be in 2026.

Cloud RADIUS replaces the server-in-the-rack model with a managed service: anycast or multi-region active-active, sub-50ms authentication latency to anywhere, native connectors into Entra ID, Okta, and Google Workspace, automated certificate handling for EAP-TLS. The trade-off is that the WAN now sits between the access point and the auth server.

For most mid-market and a growing share of large-enterprise estates, the trade-off is worth taking. The exceptions are estates where authentication has to survive WAN failure: distributed retail with poor backhaul, remote industrial sites, ships, aircraft. There, on-prem RADIUS or a hybrid local-with-cloud-failover model still has a job. See Purple RADIUS-as-a-Service.

NPS to cloud RADIUS migration

  1. Export current NPS policy set; translate to the cloud-RADIUS policy model.
  2. Stand up cloud RADIUS in parallel, bound to the same identity provider.
  3. Migrate one SSID at a time, or one site at a time. Watch the auth-latency dashboards.
  4. Switch back-up routes from NPS to local-fallback (if used) before retiring NPS.
  5. Decommission NPS once the rollback window has closed.

The first three weeks are the entire risk. Plan a long quiet-period rollback option.

Identity provider integration

The identity provider is the source of truth. Group membership, employment status, device posture, and conditional-access policy all live there. The RADIUS layer is the bridge between the access point and the IdP; the value of the integration is what the IdP can decide about each authentication attempt.

Purple integrates natively with:

Microsoft Entra ID (Azure AD)
Okta
Google Workspace
JumpCloud
Ping Identity
Active Directory
OneLogin
Auth0

SCIM provisioning is the operational layer that makes the integration useful. When HR marks a leaver, SCIM propagates the change to the IdP, the IdP propagates to RADIUS, and the user’s WiFi access is removed within minutes. This is the JML automation that ISO 27001 auditors look for; it is also what saves the helpdesk from doing it manually.

Conditional Access (Entra ID) and equivalent policy engines apply at the WiFi join moment. Device posture (compliant, healthy, managed), location, and risk score are all available signals. Used well, they let you enforce “managed corporate devices only on this SSID” without writing a single ACL.

BYOD onboarding and the zero-trust LAN

Personal devices are the second-biggest population on most enterprise WiFi networks. Getting them onto WPA2/3 Enterprise without a helpdesk ticket is the difference between a workable security policy and one that gets routed around.

The pattern that scales is self-service certificate issuance through an onboarding portal. The user signs in with their corporate credentials, the portal generates a per-device certificate, the device installs it via a provisioning profile (iOS, macOS), Group Policy / Intune (Windows, Android), or MDM (corporate-managed devices). The certificate is bound to the user and the device, has a short lifetime, and auto-renews while the user remains an employee.

The zero-trust framing applies here. The WiFi join is the first authentication moment, not the only one. Device posture, network segmentation past the SSID, and continuous verification are the rest of the model. A modern WiFi stack contributes to a zero-trust LAN without needing to be marketed as such; the principles are identity-first authentication, micro-segmentation by role, and explicit-deny defaults. See WPA2 and WPA3 Enterprise and Staff WiFi.

Compliance and audit evidence

Wireless authentication has moved from a supporting control to an explicit, in-scope requirement across every major framework. The same stack satisfies all of them; the evidence just has to be available on demand. Pizza Express, AGS Airports, and the University of Sheffield run on Purple.

UK GDPR

Consent capture, data-subject rights, and breach notification all run through the guest WiFi data path, and the ICO can act on shared-credential exposure of personal data. Identity-bound access with an auditable log is the defensible position.

Reference ›

PCI DSS 4.0

Wireless requirements: 4.2.1 (strong cryptography), 11.2 (rogue-AP detection), 8.3 (unique user IDs - no shared passwords on the CDE WLAN). 802.1X with EAP-TLS is the cleanest control.

Reference ›

HIPAA Security Rule

§164.312(a)(1) unique user identification, §164.312(b) audit controls, §164.312(d) person or entity authentication. Certificate-based WiFi maps to all three.

Reference ›

ISO 27001:2022

Annex A.5.16 identity management, A.8.5 secure authentication, A.5.18 access rights. JML-tied WiFi access with audit trail is the evidence auditors look for.

Reference ›

Cyber Essentials

The UK government security baseline, which Purple holds. Secure configuration and access control both cover wireless authentication; certificate-based join is the cleanest evidence.

Reference ›

The three pieces of evidence that auditors ask for, in order: a current access log showing who has WiFi access and on what authentication method; a sample of leaver records demonstrating that access was removed within the documented SLA; and a configuration export of the RADIUS policy showing how each population is segregated. A WiFi stack that cannot produce these in minutes is not audit-ready, regardless of how secure it actually is.

Hardware compatibility

The authentication layer should be hardware-agnostic. Purple’s enterprise security stack runs on the access points you already own.

Cisco Meraki
Cisco Catalyst
HPE Aruba
Ruckus
Juniper Mist
Ubiquiti UniFi
Cambium Networks
Extreme Networks
Fortinet

Every current-generation enterprise access point supports the relevant standards: WPA3 Enterprise, EAP-TLS (RFC 5216), RADIUS (RFC 2865), and dynamic VLAN assignment via vendor-specific attributes. Older equipment (pre-Wave 2 802.11ac) may not; check before committing to an EAP-TLS rollout on it.

How to evaluate an enterprise WiFi security platform

An eight-item checklist for procurement, security, and network teams.

IdP-native integration

Direct authentication against Entra ID, Okta, or Google Workspace - not a brittle LDAP shim. SCIM-driven group sync.

Certificate lifecycle automation

SCEP / EST / Intune for issuance. Auto-renewal at 30 days, auto-revocation on leaver event. Manual cert handling does not scale past ~200 devices.

Cloud RADIUS with regional failover

Anycast or multi-region active-active. Authentication latency under 50ms. Survives WAN events without bringing the WLAN down.

Dynamic VLAN / role assignment

RADIUS VSAs that drive VLAN, ACL, or SGT. Authorisation must do real work; identity alone is not enough.

Passpoint / OpenRoaming readiness

Even if not deployed today, the platform should be Passpoint-capable. The transition is starting.

Auditable access log

Every join attempt, every failure reason, every policy decision. ISO 27001 and SOC 2 evidence in the dashboard, not a CSV export.

Hardware independence

Works with Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet. The authentication layer should outlive the AP refresh.

Migration tooling

Parallel-run support during NPS or legacy-RADIUS replacement. Cutover by SSID or by site, not all at once.

How to secure public WiFi for a venue

Securing public WiFi for a venue requires five layers working together: network isolation, session accountability, content filtering, encryption, and activity logging. Each layer addresses a distinct threat - from lateral movement into business systems to liability from unlogged traffic.

  1. Network segmentation. Place the guest SSID on a dedicated VLAN, completely isolated from your POS terminals, CCTV system, staff network, and any system holding cardholder or personal data. A guest who can reach your internal network is not a guest - they are a security incident. Most enterprise access points support this natively; the VLAN assignment can be driven from RADIUS so it applies automatically as guests associate.
  2. Captive portal with consent logging. Require sign-on before granting internet access. This creates an auditable session record - who connected, when, and from which device - and captures GDPR-compliant consent before any personal data is processed. A session log also deters misuse: anonymous access is the single biggest liability risk on a public network.
  3. DNS filtering and content blocking. Block malware domains, command-and-control infrastructure, peer-to-peer traffic, and illegal content at the DNS resolver - before any packet reaches the open internet. Category-based controls let you allow business browsing while blocking the traffic categories that create liability or consume disproportionate bandwidth.
  4. WPA2 or WPA3 encryption on the guest SSID. WPA2 is the minimum; WPA3 is available on all current-generation access points and removes the “unsecured network” warning that damages guest trust on iOS and Android. Passpoint (OpenRoaming) goes further - guests join automatically using a device certificate, with no password prompt and no splash page friction.
  5. Activity log retention. Retain connection logs for the period required by your jurisdiction. 12 months under the UK Investigatory Powers Act. Logs are both a legal obligation and your liability protection if you are ever required to assist an investigation. Ensure the logs capture session start and end times, the authenticating identity, and the assigned IP address.

Purple handles all five layers: Purple’s captive portal provides session accountability and consent capture; Purple Shield delivers DNS filtering and content controls; Purple SecurePass provides Passpoint-based WPA3 join. All three are hardware-agnostic and work across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, Ubiquiti UniFi, Cambium, Extreme, and Fortinet.

Frequently asked questions

What is enterprise WiFi security?

+

Enterprise WiFi security is the umbrella term for the standards, protocols, and operational practices that protect a wireless network used by employees, contractors, and managed devices. The defining difference from consumer WiFi is identity: each user or device is authenticated against a directory rather than sharing a single password.

What is the difference between WPA2 Personal and WPA2 Enterprise?

+

WPA2 Personal uses a single pre-shared key (PSK) - the office WiFi password everyone shares. WPA2 Enterprise uses 802.1X to authenticate each user or device against a RADIUS server backed by your identity provider. WPA3 is the current standard; WPA3 Enterprise replaces the older PSK fallback weaknesses and adds 192-bit suite-B mode for sensitive environments.

What is 802.1X?

+

802.1X is the IEEE port-based network access control standard. A supplicant (the device) authenticates to an authenticator (the access point) which passes credentials to an authentication server (RADIUS). It works the same way on wired and wireless, but enterprise WiFi is where most organisations meet it. EAP-TLS, PEAP, and EAP-TTLS are the methods that run inside the 802.1X envelope.

Is EAP-TLS the same as passwordless WiFi?

+

In practice, yes. EAP-TLS uses a per-user or per-device certificate instead of a password. The user never types a credential; the device presents its certificate to the network and is authenticated against the issuing CA. Most "passwordless WiFi" products are EAP-TLS with managed certificate issuance bolted on top.

Should we still use PEAP?

+

Only with caveats. PEAP-MSCHAPv2 is still widely deployed but has known weaknesses: if the supplicant skips server-certificate validation (a common misconfiguration), a rogue AP can capture credentials and brute-force them offline. PEAP is acceptable as a stopgap during EAP-TLS migration; it should not be a long-term destination for a security-conscious organisation.

What is cloud RADIUS?

+

A managed RADIUS authentication service hosted by a vendor, with the access points connecting over the public internet (TLS-protected, hardened). It replaces the operational burden of running Windows NPS or FreeRADIUS on-premises. The right answer for most mid-market and a growing share of large-enterprise estates; the wrong answer where you need authentication to survive WAN failure.

How do I integrate WiFi with Entra ID, Okta, or Google Workspace?

+

Through a RADIUS layer that speaks to the IdP. For Entra ID, that's typically a cloud RADIUS service authenticating against Entra ID via the OpenID Connect or modern Microsoft Graph integration, plus Intune-issued certificates for EAP-TLS. Okta and Google Workspace follow the same pattern with their respective directory APIs.

What is iPSK and how is it different from 802.1X?

+

iPSK (Identity Pre-Shared Key) issues a unique pre-shared key per user or device, looked up at the access point through RADIUS. It's simpler to deploy than 802.1X (no supplicant configuration on every device) but provides per-identity isolation. iPSK is the right authentication for IoT devices, contractor BYOD, and multi-tenant residential WiFi; 802.1X with EAP-TLS is the right authentication for managed workforce devices.

Does WiFi security have to be part of a zero-trust programme?

+

WiFi authentication is the LAN equivalent of the identity-first principle in zero trust. A modern WiFi stack contributes: identity verification at network join, device posture as a continuous signal, micro-segmentation past the SSID via dynamic VLAN assignment, and revocation tied to the JML process. Calling it 'zero trust' isn't necessary; getting these four right is.

How does this satisfy HIPAA, PCI DSS, and ISO 27001?

+

HIPAA technical safeguards require unique user identification and audit controls; certificate-based WiFi gives you both natively. PCI DSS 4.0 requires authentication for any wireless access to the cardholder data environment and prohibits shared accounts; 802.1X with EAP-TLS is the cleanest path. ISO 27001:2022 Annex A.5.16 (identity management) and A.8.5 (secure authentication) are both addressable with the same stack. We have a full control-mapping cluster post linked from this pillar.

How do I secure public WiFi for a venue?

+

Secure public WiFi for a venue with five layers: (1) Network segmentation - put the guest SSID on its own VLAN, isolated from your point-of-sale, CCTV, and corporate systems. (2) Captive portal - require sign-on to create an accountable session log and collect GDPR-compliant consent. (3) DNS filtering and content blocking - stop malware domains and peer-to-peer traffic at the resolver. (4) WPA2 or WPA3 encryption on the guest SSID; Passpoint removes the "unsecured network" warning on modern devices. (5) Activity log retention for your jurisdiction - 12 months under the UK Investigatory Powers Act. Purple Shield handles DNS and content filtering; Purple Connect provides the captive portal and consent flow; Purple SecurePass delivers Passpoint and WPA3.

Cluster guides in this series

Deep-dive guides that support this pillar. Each goes further on one part of the enterprise WiFi authentication stack.

WPA2 Personal 對比 Enterprise:有何不同以及您應該使用哪一個?

本技術參考指南提供 WPA2 Personal 與 WPA2 Enterprise 無線安全標準之間的權威性比較。其詳細說明了 IT 領導者保護企業網路所需的底層密碼編譯交握、架構需求和部署方法。讀者將學習如何從共享密碼過渡到個別化的憑證型驗證,以符合合規性架構並減輕內部威脅。

Read guide →

統治全場的三個 SSID:顧客、Passpoint 與 IoT WiFi 設定指南

本技術指南為企業場域實施三 SSID WiFi 設計提供了權威藍圖。書中詳細介紹了開放式 Guest WiFi 門戶、自動化 Passpoint 登入以及單一設備 xPSK 認證的設定,以實現完整的 VLAN 隔離與零信任網路存取。

Read guide →

Server RADIUS:企業的完整指南

本指南為 IT 經理、網路架構師和 CTO 提供企業級 WiFi 的 Server RADIUS 驗證權威技術參考。內容涵蓋 AAA 架構、802.1X 架構、EAP 方法選擇、雲端與地端部署權衡,以及動態 VLAN 分配。飯店、零售、活動和公共部門等場域營運商將能在此獲得實用的實作指南、真實案例研究,以及從不安全的預共用金鑰移轉至安全、識別導向之網路存取控制架構所需的決策框架。

Read guide →

Aruba ClearPass 對決 Purple WiFi:功能比較與協同部署

一份全面的技術指南,詳細介紹 Aruba ClearPass 與 Purple WiFi 的協同部署架構。內容涵蓋 RADIUS 代理設定、動態 VLAN 分配,以及在企業級 NAC 旁提供安全、數據分析驅動的訪客網路最佳實踐。

Read guide →

Cisco ISE 對比 Purple WiFi:兩者如何比較與協同工作

本指南說明 Cisco ISE 與 Purple WiFi 如何在企業網路中扮演不同但互補的角色。內容詳細介紹了如何使用 Cisco ISE 進行安全的 802.1X 企業存取,同時利用 Purple 進行符合 GDPR 規範的訪客 WiFi、行銷分析以及 CRM 整合。

Read guide →

EAP-TLS 對決 EAP-TTLS:您應該選擇哪種基於憑證的 WiFi 協定?

本指南針對 IEEE 802.1X 底下用於企業級 WiFi 驗證的 EAP-TLS 與 EAP-TTLS 進行了決定性的正面比較。它解釋了雙向憑證驗證與僅限伺服器端憑證通道之間的架構差異,並為 IT 經理、網路架構師和 CISO 提供了一個基於裝置管理能力和合規要求的明確決策框架。Purple 針對員工 WiFi 同時支援 EAP-TLS 與 EAP-TTLS 驗證路徑,本指南可協助企業在決定採用哪種方法之前,先瞭解基礎設施的權衡取捨。

Read guide →

什麼是 802.1X Supplicant(用戶端連線程式)?用戶端類型與裝置設定

本指南說明 802.1X Supplicant 在企業 WiFi 驗證中所扮演的角色。內容涵蓋技術架構、原生作業系統 Supplicant 與第三方用戶端的比較,並為部署 EAP-TLS 與 PEAP 的 IT 團隊提供實用的設定指南。

Read guide →

管理 EAP-TLS WiFi 驗證的數位憑證

本技術參考指南詳細說明了 EAP-TLS WiFi 驗證數位憑證的生命週期管理。它提供了實用的策略,以便在使用 SCEP 和 MDM 整合的大型企業網路中部署、更新和撤銷憑證。

Read guide →

無需 Active Directory 或地端伺服器的 Enterprise WiFi 驗證

本指南說明如何在沒有地端 Active Directory、Windows NPS 或 RADIUS 伺服器的情況下,部署安全的 WPA2/3-Enterprise WiFi 驗證。內容涵蓋雲端身分識別提供者與 802.1X 之間的協定不相容問題、採用 EAP-TLS 優於 PEAP-MSCHAPv2 的理由,以及如何針對 Microsoft Entra ID、Okta 或 Google Workspace,部署搭配 MDM 發行憑證的雲端 RADIUS。本指南專為準備淘汰地端基礎架構、以雲端優先且擁有大量 Mac/Chromebook 的企業 IT 主管所撰寫。

Read guide →

當員工離職時如何撤銷 WiFi 存取權限

本指南詳細介紹了當員工離職時如何撤銷 WiFi 存取權限,以每用戶 802.1X 憑證或 iPSK 取代不安全的共享密碼。內容涵蓋透過 SCIM 進行自動化停用,以滿足 ISO 27001 和 SOC 2 稽核要求。

Read guide →

EAP 方法比較:PEAP、EAP-TLS、EAP-TTLS 與 EAP-FAST

這份權威性的技術參考指南針對企業 WiFi 驗證的 PEAP、EAP-TLS、EAP-TTLS 和 EAP-FAST 進行了並列比較。它提供了有關安全態勢、部署複雜性和裝置相容性的可行指導,以協助 IT 經理和網路架構師選擇最佳的 802.1X 部署策略。

Read guide →

透過 SCEP 與 PKCS 進行 Microsoft Intune WiFi 憑證部署

本指南提供逐步技術參考,說明如何透過 Microsoft Intune 使用 SCEP 和 PKCS 部署 WiFi 驗證憑證。它專為實作無密碼 802.1X WiFi 的 IT 經理和網路架構師所設計,以確保跨企業環境的無縫、安全連線。

Read guide →