跳至主要內容
繁體中文

Alcatel-Lucent Enterprise (ALE) OmniAccess Integration with Purple WiFi

本指南詳細說明 Alcatel-Lucent Enterprise (ALE) OmniAccess Stellar 無線基地台與 Purple WiFi 之間的技術整合。內容涵蓋 Captive Portal 重新導向、RADIUS 驗證、Walled Garden 設定、安全的 802.1X 員工 WiFi,以及使用私有預先共用金鑰 (PPSK) 搭配動態 VLAN 導向的多租戶 WiFi 分割,為 IT 經理和網路架構師在 ALE 硬體上部署識別導向網路提供完整且具可行性的參考。

📖 9 分鐘閱讀📝 2,047 字數🔧 2 範例4 練習題📚 10 關鍵定義

收聽此指南

查看播客逐字稿
Welcome to the Purple technical briefing. Today we are covering the Alcatel-Lucent Enterprise OmniAccess Stellar integration with Purple WiFi. This briefing is for IT managers, network architects, and venue operations directors who need to deploy secure, scalable, and intelligent wireless networks. Let us start with the context. You have a venue. Maybe a hotel, a retail chain, or a stadium. You have invested in ALE OmniAccess hardware. Now you need to extract business value from that infrastructure. You need to capture first-party data, segment your users securely, and provide a seamless onboarding experience. That is where the Purple cloud overlay comes in. Purple operates across more than 80,000 live venues worldwide and processed over 440 million logins in 2024. It is hardware-agnostic, which means it sits on top of your existing ALE infrastructure without requiring any hardware replacement. The entire authentication and data-capture logic lives in the Purple cloud. The core of this integration relies on RADIUS. When a guest walks into your venue and connects to the open Guest WiFi SSID, the ALE AP intercepts their web traffic. Instead of letting them straight onto the internet, it redirects their browser to a Purple-hosted captive portal. This is your splash page. It is where you present your brand, collect email addresses, or offer social logins via Facebook, LinkedIn, or Google. Once the user submits their details, the Purple cloud RADIUS server authenticates them and sends an Access-Accept message back to the ALE AP. The AP then drops the firewall rules and grants internet access. The entire flow takes under three seconds. Now, let us get into the technical deep-dive. How do we actually configure this? First, you need to configure the RADIUS server settings in your OmniVista or Stellar management interface. You will input the Purple RADIUS IP addresses, set the authentication port to 1812, and the accounting port to 1813. Crucially, ensure RADIUS Accounting is enabled with an interval of 300 seconds. This is what feeds session data back to Purple for analytics and compliance logging. Next is the Walled Garden. This trips up a lot of deployments. Before a user is authenticated, they have no internet access. But they need to reach the Purple portal to log in. You must whitelist the Purple domains in your pre-authentication access list. The core domains are region1.purpleportal.net, venuewifi.com, and cloudfront.net. If you are using Facebook or LinkedIn login, you must whitelist their domains too. If the Walled Garden is wrong, the captive portal will not load. Full stop. For the SSID configuration, create a new wireless network, set the security level to Open, and enable the External Captive Portal option. Point the redirect URL to your specific Purple splash page URL, which you will find in the Purple portal under your venue's hardware settings. Let us move to a more advanced scenario: Multi-Tenant WiFi. Imagine a coworking space or student accommodation. You have multiple tenants who need their own secure, isolated networks. You do not want to broadcast 20 different SSIDs. That destroys your RF performance and creates a poor user experience. The solution is PPSK - Private Pre-Shared Keys - combined with dynamic VLAN steering. You broadcast one secure SSID. But every tenant gets a unique passphrase. When Tenant A enters their passphrase, the ALE AP sends that request to the Purple RADIUS server. Purple recognises the passphrase, authenticates the user, and sends back an Access-Accept message. But here is the important part. That message includes specific RADIUS attributes. Attribute 64 for Tunnel-Type, set to 13 for VLAN. Attribute 65 for Tunnel-Medium-Type, set to 6 for Ethernet. And Attribute 81, the Tunnel-Private-Group-ID, which contains the actual VLAN ID. The ALE AP receives this and drops Tenant A directly onto VLAN 30. When Tenant B logs in with a different passphrase, they land on VLAN 40. One SSID, total Layer 2 isolation. This is Identity-Based Networking in practice. Let us look at a real-world example. A 200-room hotel deployed this architecture across their existing ALE OmniAccess Stellar APs. They needed to serve hotel guests, back-of-house staff, and a ground-floor restaurant as three completely separate network segments. Rather than deploying three SSIDs, they used PPSK with dynamic VLAN steering. The result was a single SSID, three isolated VLANs, and a significant reduction in management overhead compared to their previous multi-SSID approach. Now let us discuss implementation recommendations and pitfalls. First, maintain a hardware-agnostic design. Build your policies in Purple, not on the local controller. This allows you to scale or swap hardware vendors later without rebuilding your security policies from scratch. Second, watch out for firmware versions. Ensure your ALE APs are running firmware that explicitly supports dynamic VLAN assignment via RADIUS. Older Stellar firmware versions may not fully support the Tunnel-Private-Group-ID attribute. Check the ALE release notes before deploying. Third, DNS is your friend and your enemy. If your captive portal is not appearing, check your DHCP scope first. If the client is not receiving a valid DNS server, they cannot resolve the portal URL, and the whole process stops. This is the single most common support issue in captive portal deployments. Fourth, for secure Staff WiFi using 802.1X, use PEAP with MSCHAPv2 for most environments, or EAP-TLS for certificate-based deployments. The Purple RADIUS server supports both. Staff devices authenticate against Microsoft Entra ID or Okta, and the RADIUS server returns the appropriate VLAN assignment for the staff network segment. Let us do a rapid-fire question and answer session. Question: Can I use this integration for PCI DSS compliance in a retail environment? Answer: Yes. By using dynamic VLAN steering, you can ensure that point-of-sale devices are always placed on an isolated VLAN, completely separated from guest traffic. This satisfies the network segmentation requirements under PCI DSS 4.0. Question: Does Purple require a hardware appliance on-site? Answer: No. Purple is a cloud overlay. It communicates directly with your existing ALE hardware via standard RADIUS over the internet. There is nothing to rack and stack. Question: What happens if the Purple cloud is unreachable? Answer: You can configure a fallback policy on the ALE AP. For guest networks, you can allow open access as a fallback. For staff networks, configure a deny-all fallback to maintain security. Question: Can I capture analytics data from the integration? Answer: Yes. Every authenticated session generates a visitor profile in the Purple platform. You get dwell time, visit frequency, device type, and demographic data from the registration form. This feeds directly into your CRM via Purple's library of over 400 connectors. To summarise the key takeaways from today's briefing. One: The ALE OmniAccess integration with Purple uses standard RADIUS on ports 1812 and 1813. No proprietary protocols required. Two: The Walled Garden is critical. Get it wrong and the captive portal will not load. Whitelist the Purple domains before anything else. Three: PPSK with dynamic VLAN steering is the right architecture for multi-tenant environments. One SSID, unique passphrases, isolated VLANs per tenant. Four: RADIUS Attributes 64, 65, and 81 are the three you need for dynamic VLAN assignment. If any one of them is missing, the steering fails. Five: Purple is hardware-agnostic. Your policies live in the cloud, not on the controller. This gives you flexibility to scale across different hardware vendors. Your next step is to log into your Purple portal, navigate to your venue's hardware settings, and retrieve your specific RADIUS credentials and splash page URL. Then follow the configuration steps in this guide to connect your ALE OmniAccess infrastructure to the Purple cloud. Thank you for listening to this Purple technical briefing. For more information, visit purple.ai.

header_image.png

執行摘要

Alcatel-Lucent Enterprise (ALE) OmniAccess Stellar 無線基地台使用標準 RADIUS 協定和外部 Captive Portal 重新導向與 Purple 進行整合。無需任何專有的中介軟體。Purple 以雲端重疊網路 (cloud overlay) 的方式運作,建置在您現有的 ALE 基礎架構之上,負責處理驗證、資料收集和工作階段原則,而無需變更硬體。

本指南涵蓋三種部署情境。第一,具有外部 Captive Portal 重新導向和 Walled Garden 設定的訪客 WiFi。第二,使用 802.1X 搭配 PEAP 或 EAP-TLS 的安全員工 WiFi。第三,使用私有預先共用金鑰 (PPSK) 並透過 RADIUS 屬性 64、65 和 81 進行動態 VLAN 導向的多租戶 WiFi 分割。

Purple 為超過 80,000 個實體場域提供服務,並在 2024 年處理了超過 4.4 億次登入 (Purple 內部數據,2024 年)。它擁有 ISO 27001、GDPR、CCPA 和 Cyber Essentials 認證。該平台的運作可用性達 99.999%,是企業部署中值得信賴的驗證後端。

如果您是 IT 經理或網路架構師,正在旅宿、零售、活動或公共部門環境中部署 ALE OmniAccess 硬體,本指南將為您提供確切的設定步驟,協助您將硬體轉化為完全運作的識別導向網路。

技術架構與整合流程

Purple 與 ALE OmniAccess Stellar 的整合依賴於兩種標準協定:用於驗證和計費的 RADIUS,以及用於傳遞 Captive Portal 的 HTTP/HTTPS 重新導向。ALE AP 作為網路存取伺服器 (NAS),將驗證請求轉發至 Purple 雲端 RADIUS 伺服器,並執行 Access-Accept 回應中傳回的原則。

architecture_overview.png

圖 1:訪客裝置、ALE OmniAccess Stellar AP 與 Purple 雲端 RADIUS 之間的驗證流程。

流程運作如下。訪客連線至開放的訪客 WiFi SSID。ALE AP 從驗證前 DHCP 位址池指派一個暫時的 IP 位址,並攔截訪客的第一個 HTTP 或 HTTPS 請求。AP 將瀏覽器重新導向至 Purple Captive Portal URL,並將用戶端的 MAC 位址和 AP 的 NAS 識別碼作為 URL 參數傳遞。訪客透過 Purple 迎賓頁面 (splash page) 進行驗證(使用電子郵件、社群登入或簡訊驗證)。Purple 的 RADIUS 伺服器驗證該工作階段,並向 ALE AP 傳回 Access-Accept 訊息。AP 授予網際網路存取權限,並開始依設定的間隔向 Purple 傳送 RADIUS 計費 (RADIUS Accounting) 更新。

對於使用 PPSK 和動態 VLAN 導向的進階部署,RADIUS Access-Accept 訊息還包含 VLAN 指派屬性。ALE AP 使用這些屬性將用戶端流量直接導向正確的 VLAN 區段,從而將其與同一實體基礎架構上的其他使用者隔離。

實作指南

第 1 部分:具有外部 Captive Portal 的訪客 WiFi

本節涵蓋 Alcatel-Lucent Captive Portal 的外部重新導向至 Purple 設定。這些步驟適用於透過 OmniVista Cirrus、OmniVista 2500 或 Stellar Express 網頁介面管理的 ALE OmniAccess Stellar AP。

步驟 1:取得 Purple RADIUS 憑證

登入您的 Purple 傳送門。導覽至 管理 > 場域 (Management > Venues),選擇您的場域,然後開啟 硬體 (Hardware) 區段。新增硬體項目,並選擇 Alcatel-Lucent OmniAccess Stellar 作為硬體類型。Purple 會為您的場域產生唯一的 RADIUS 共用金鑰、驗證伺服器 IP 和 Captive Portal URL。請在繼續之前記錄這些值。

步驟 2:在 ALE AP 上設定 RADIUS 伺服器

在您的 ALE 管理介面中,導覽至驗證設定並新增 RADIUS 伺服器設定檔。

參數
伺服器 IP / 主機名稱 如 Purple 傳送門中提供
驗證連接埠 1812
計費連接埠 1813
共用金鑰 如 Purple 傳送門中提供
RADIUS 計費 已啟用
計費間隔 300 秒

使用 Purple 傳送門中的備用 IP 啟用次要 RADIUS 伺服器。這可確保在主要伺服器暫時無法連線時進行容錯移轉。

步驟 3:設定 Walled Garden

Walled Garden 定義了裝置在完成驗證前可以存取的網域。請在驗證前存取清單中設定以下項目:

核心 Purple 網域 (必填):

網域 用途
region1.purpleportal.net Purple Captive Portal
venuewifi.com Purple 工作階段管理
cloudfront.net Portal 資源的 CDN
openweathermap.org 天氣小工具 (選填)
stripe.com 付費 WiFi 付款 (若適用)

社群登入網域 (依需求新增):

提供商 網域
Facebook facebook.com, fbcdn.net, connect.facebook.net
LinkedIn linkedin.com, licdn.net
Google accounts.google.com, googleapis.com

遺漏任何必要的網域都會導致對應的登入方法無聲失敗。設定後請測試每種登入方法。

步驟 4:設定訪客 WiFi SSID

建立具有以下設定的新 WLAN 設定檔:

參數
安全層級 開放 (Open)
Captive Portal 已啟用
Captive Portal 類型 外部
重新導向 URL 如 Purple 傳送門中提供
HTTPS 重新導向 已停用 (除非已安裝 SSL 憑證)
閒置逾時 1800 秒 (30 分鐘)
RADIUS 伺服器設定檔 Purple RADIUS 設定檔 (於步驟 2 建立)

如果您需要 HTTPS 重新導向,請在 ALE AP 的 系統 > 一般 > 憑證管理 (System > General > Certificate Management) 下安裝有效的 SSL 憑證。請注意,不支援萬用字元憑證由 Stellar AP 為此目的所支援。

步驟 5:將 SSID 指派至 AP 群組

將 WLAN 設定檔套用至 OmniVista 中相關的 AP 群組。在測試 Captive Portal 流程之前,請先確認 AP 正在廣播 SSID 且用戶端可以進行關聯。

第二部分:使用 802.1X 保護員工 WiFi 安全

針對員工 WiFi,請使用採用 802.1X 驗證的 WPA2-EnterpriseWPA3-Enterprise。這能消除共用密碼,並將存取權限與 Microsoft Entra ID、Okta 或 Google Workspace 中管理的個人使用者身分進行綁定。

步驟 1:設定 802.1X SSID

為員工建立獨立的 WLAN 設定檔。將安全性類型設定為 WPA2-EnterpriseWPA3-Enterprise,並將 Purple RADIUS 伺服器指派為驗證後端。Purple 的 RADIUS 伺服器會透過 LDAP 或 SAML 將驗證請求代理傳送至您的身分識別提供者。

步驟 2:選擇 EAP 方法

對於大多數部署,請使用 搭配 MSCHAPv2 的 PEAP。這僅需要伺服器端憑證,並可與標準 Windows、macOS、iOS 和 Android 請求端(supplicant)搭配運作。對於安全性要求較高的環境,請使用透過您的 PKI 核發用戶端憑證的 EAP-TLS

步驟 3:將員工指派至專屬 VLAN

設定 Purple RADIUS 伺服器,使其在 Access-Accept 回應中傳回 Tunnel-Private-Group-ID = 您的員工 VLAN ID。這可確保員工裝置進入企業網路區段,並在 Layer 2 與訪客流量隔離。

第三部分:使用 PPSK 與動態 VLAN 導向的多租戶 WiFi

PPSK(Private Pre-Shared Key,在某些廠商的文件中也稱為 iPSK 或 Identity PSK)允許單一 SSID 為多個隔離的使用者群組提供服務。每個群組都會收到一個專屬的金鑰。RADIUS 伺服器會將每個金鑰對應至特定的 VLAN,從而提供每個租戶的網路隔離,而不會產生多個 SSID 的射頻(RF)開銷。

ppsk_vlan_diagram.png

圖 2:單一 ALE OmniAccess SSID 上的 PPSK 多租戶 VLAN 分割。

步驟 1:建立 PPSK SSID

建立新的 WLAN 設定檔,並將驗證類型設定為 WPA2-PSK 搭配 RADIUS 支援的 PSK 驗證。在 Stellar 韌體版本 4.0.8.16 及以上(適用於 AP1301 及更高型號),Express 模式支援透過 RADIUS 進行動態 VLAN 指派。對於較舊的型號或較早的韌體,請使用 OmniVista 管理模式。

步驟 2:在 Purple 中定義租戶金鑰

在 Purple 入口網站中,為每個租戶建立一個 PPSK 群組。為每個租戶指派一個專屬金鑰,並將每個金鑰對應至相應的 VLAN ID。Purple 會將這些對應關係儲存在其 RADIUS 資料庫中。

步驟 3:設定用於 VLAN 導向的 RADIUS 屬性

確保 Purple RADIUS 伺服器在每次 Access-Accept 回應中傳回以下 IETF 標準屬性:

屬性編號 屬性名稱
64 Tunnel-Type 13 (VLAN)
65 Tunnel-Medium-Type 6 (IEEE 802 / 乙太網路)
81 Tunnel-Private-Group-ID VLAN ID(例如 "30")

這三個屬性必須同時存在。如果缺少任何一個,ALE AP 將忽略 VLAN 指派,並將用戶端置於預設 VLAN 中。

步驟 4:驗證上行鏈路上的 VLAN Trunking

確保 ALE AP 與分配交換器之間上行連接埠上的所有租戶 VLAN 皆已標記(tagged)。AP 無法將流量導向至其上行 Trunk 上未允許的 VLAN。

最佳實踐

以下建議反映了企業無線部署的標準實踐,並符合 IEEE 802.1X、PCI DSS 4.0 和 GDPR 的要求。

在 Layer 2 將訪客 WiFi 與員工 WiFi 隔離。 切勿將訪客和員工流量置於同一個 VLAN 中。使用 RADIUS 驅動的 VLAN 指派來自動強制執行此隔離,無論使用者連接到哪一個 AP。

所有 Captive Portal 重新導向皆使用 HTTPS。 在 ALE AP 上安裝有效的 SSL 憑證以啟用 HTTPS 重新導向。這可防止瀏覽器在登入頁面(splash page)上顯示安全性警告,從而降低流失率,並符合 GDPR 對安全資料處理的要求。

將 RADIUS Accounting 間隔設定為 300 秒。 這可為 Purple 提供定期的工作階段更新,以確保分析的準確性。如果間隔長於 600 秒,且用戶端在未進行乾淨取消驗證的情況下中斷連線,則可能面臨遺失工作階段資料的風險。

在正式上線前測試 Walled Garden。 將測試裝置連接至訪客 WiFi SSID,並嘗試存取各個社群登入提供者。如果登入失敗,則表示 Walled Garden 中缺少對應的網域。

使用 PPSK 隔離 IoT 裝置。 在零售和餐旅環境中,數位看板、付款終端和環境感測器等 IoT 裝置應各自取得對應至隔離 VLAN 的專屬 PPSK。這可防止受駭的 IoT 裝置存取更廣泛的網路。

如需深入了解企業 WiFi 安全標準與架構,請參閱我們的 企業 WiFi 安全指南

疑難排解與風險緩解

下表涵蓋了 ALE OmniAccess 與 Purple 整合中最常見的失敗模式。

症狀 最可能的原因 解決方案
Captive Portal 未出現 Walled Garden 設定錯誤或缺少 DNS 驗證 Purple 網域是否已列入白名單;檢查 DHCP 範圍是否包含有效的 DNS 伺服器
RADIUS 驗證失敗 共用金鑰不相符或防火牆阻擋 UDP 1812/1813 重新輸入來自 Purple 入口網站的共用金鑰;確認防火牆規則允許輸出 UDP 1812 和 1813
使用者進入錯誤的 VLAN 缺少 RADIUS Tunnel 屬性或 AP 韌體限制 確認是否傳回所有三個 RADIUS 屬性(64、65、81);檢查 ALE 韌體版本是否支援動態 VLAN
社群登入按鈕失效 Walled Garden 中缺少社群提供者網域 將所需的社群提供者網域新增至 t至預先驗證存取清單
HTTPS Captive Portal 顯示憑證警告 使用萬用字元憑證或未安裝憑證 透過「系統 > 一般 > 憑證管理」安裝特定網域的 SSL 憑證
Purple 分析中遺失工作階段資料 RADIUS Accounting 已停用或間隔過長 啟用 RADIUS Accounting;將間隔設定為 300 秒

若 RADIUS 問題持續存在,請在 ALE AP 上啟用偵錯記錄並擷取 RADIUS 交換資訊。尋找 Access-Reject 訊息並檢查拒絕原因代碼。常見代碼包括 16(驗證失敗)和 18(遺失屬性)。

ROI 與業務影響

在 ALE OmniAccess 硬體上部署 Purple,可將被動網路轉化為主動的數據資產。每個經過驗證的工作階段都會產生一個訪客設定檔:電子郵件地址、造訪頻率、停留時間和裝置類型。此第一方數據可透過 Purple 超過 400 個連接器的資料庫,直接匯入您的 CRM。

Harrods 透過使用 Purple 的數據擷取功能來推動忠誠度計畫註冊,使其 Guest WiFi 部署實現了 57 倍的行銷 ROI(Purple 案例研究,2023 年)。AGS Airports 透過在其園區內實施分級頻寬的 Paid WiFi,創造了 842% 的 ROI(Purple 案例研究,2022 年)。

對於 餐旅 營運商而言,Captive Portal 是擷取顧客數據的主要接觸點。對於 零售 環境,它能實現購物者行為分析和精準促銷。對於 交通 樞紐,它能提供旅客流量數據和符合合規要求的工作階段記錄。

Purple 的 Guest WiFi 平台和 WiFi Analytics 工具為您提供衡量這些成效的報表基礎架構。從單一儀表板追蹤驗證率、工作階段持續時間、重複訪客率和選擇加入轉換率。

如需相關整合指南,請參閱 WatchGuard Firebox 整合指南 ,該指南介紹了在不同硬體平台上類似的 RADIUS 架構。

關鍵定義

PPSK (Private Pre-Shared Key)

A security method where individual users or devices are issued unique passphrases for a single SSID, rather than sharing one global password. The RADIUS server maps each passphrase to a specific policy or VLAN.

Used in Multi-Tenant WiFi to isolate traffic between tenants, residents, or event groups without deploying multiple SSIDs.

RADIUS (Remote Authentication Dial-In User Service)

A networking protocol defined in RFC 2865 that provides centralised Authentication, Authorization, and Accounting (AAA) management for users connecting to a network service.

The core protocol Purple uses to communicate with ALE hardware. The ALE AP sends Access-Request messages; Purple responds with Access-Accept or Access-Reject.

Dynamic VLAN steering

The process of assigning a connected device to a specific VLAN based on RADIUS attributes returned during authentication, rather than a static VLAN configured on the SSID.

Essential for multi-tenant deployments where different user groups must be isolated on the same physical AP infrastructure.

Walled Garden

A controlled environment that restricts a device's internet access to a predefined set of domains before authentication is complete.

Required to allow devices to reach the Purple captive portal and external identity providers before the user has logged in.

Captive portal

A web page that intercepts a user's browser session and requires them to authenticate or accept terms before gaining full network access.

The primary interface where visitors provide consent and first-party data. Purple hosts this page in the cloud; the ALE AP performs the redirect.

Identity-Based Network

A network architecture where access policies, VLAN assignments, and bandwidth controls are determined by who the user is, rather than where or how they connect.

The architectural outcome of integrating ALE hardware with Purple's authentication overlay.

802.1X

An IEEE standard for port-based network access control that provides an authentication mechanism for devices connecting to a LAN or WLAN. It requires a supplicant on the client device, an authenticator (the AP), and an authentication server (RADIUS).

The standard used for secure Staff WiFi deployments. Eliminates shared passwords and ties access to individual user identities.

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)

A certificate-based EAP method where both the client and the RADIUS server present digital certificates for mutual authentication.

The most secure 802.1X method. Requires a PKI infrastructure to issue client certificates, but eliminates password-based credential theft entirely.

PEAP (Protected Extensible Authentication Protocol)

An EAP method that tunnels the inner authentication exchange inside a TLS session, protecting credentials in transit. Commonly used with MSCHAPv2 as the inner method.

The most common 802.1X method in enterprise deployments. Requires only a server-side certificate and works with standard OS supplicants.

NAS (Network Access Server)

In RADIUS terminology, the device that enforces access control - in this case, the ALE OmniAccess Stellar AP. The NAS forwards authentication requests to the RADIUS server and enforces the policies returned.

The ALE AP acts as the NAS in the Purple integration. Its IP address and shared secret must be registered in the Purple portal as a trusted NAS client.

範例

A 200-room hotel in central London uses ALE OmniAccess Stellar APs throughout the property. They need to serve hotel guests, back-of-house staff, and a ground-floor restaurant as three completely separate network segments. They want to avoid broadcasting multiple SSIDs to preserve RF performance.

Deploy a single secure SSID using PPSK. Configure the ALE OmniAccess APs to authenticate against the Purple RADIUS server. In the Purple portal, create three PPSK groups: Hotel Guests (VLAN 10), Staff (VLAN 20), and Restaurant (VLAN 30). The RADIUS server returns Tunnel-Private-Group-ID = 10, 20, or 30 depending on which passphrase the device uses. The ALE AP dynamically steers each device to the correct VLAN. Hotel guests receive internet access only. Staff receive access to the property management system. The restaurant receives an isolated segment for their EPOS terminals.

考官評語: This approach eliminates three SSIDs and replaces them with one, reducing co-channel interference and management overhead. The key technical requirement is that all three VLANs must be tagged on the uplink trunk between the AP and the distribution switch. If any VLAN is missing from the trunk, devices using that passphrase will fail to receive a DHCP address.

A conference centre hosts 15 corporate events simultaneously. Each event organiser needs their own isolated WiFi network for attendees, but the venue only has a single ALE OmniAccess infrastructure. The venue IT team needs to provision and de-provision networks quickly between events.

Use Purple's PPSK management to create per-event passphrases mapped to dedicated event VLANs. The venue pre-configures 15 VLAN segments on the ALE infrastructure. For each event, the IT team creates a new PPSK entry in the Purple portal, assigns it to the correct VLAN, and provides the passphrase to the event organiser. At the end of the event, they revoke the passphrase in Purple. The ALE AP immediately stops accepting that passphrase, isolating the de-provisioned VLAN. No AP reconfiguration is required.

考官評語: This architecture separates the provisioning workflow from the hardware configuration. The ALE APs remain static; all changes happen in the Purple cloud. This is the practical advantage of a cloud overlay: you can add, modify, or revoke access without touching the physical infrastructure. For events environments, this reduces provisioning time from hours to minutes.

練習題

Q1. You have configured the Alcatel-Lucent captive portal on an ALE OmniAccess Stellar AP. Guests connect to the SSID and receive an IP address, but their devices show 'No Internet Connection' and the splash page does not appear. What are the two most likely causes, and how do you resolve each?

提示:Consider what must happen at the DNS and HTTP layer before the captive portal redirect can occur.

查看標準答案

Cause 1: The DHCP scope does not include a valid DNS server. Without DNS, the client cannot resolve the captive portal URL and the OS captive portal detection mechanism fails. Resolution: Add a valid DNS server (e.g., 8.8.8.8) to the DHCP scope on the guest VLAN. Cause 2: The Walled Garden does not include the Purple portal domains. Without these, the AP blocks the redirect request before it reaches the client. Resolution: Add region1.purpleportal.net, venuewifi.com, and cloudfront.net to the pre-authentication access list.

Q2. Your Multi-Tenant WiFi deployment uses PPSK on a single ALE OmniAccess SSID. Users authenticate successfully - the Purple portal shows successful logins - but all users receive IP addresses from VLAN 1 instead of their assigned tenant VLANs. What is the most likely cause?

提示:Check the communication between the RADIUS server and the AP, and the AP's uplink configuration.

查看標準答案

There are two likely causes. First, the Purple RADIUS server may not be returning all three required RADIUS tunnel attributes (64, 65, 81) in the Access-Accept message. Verify the enforcement policy includes Tunnel-Type = 13, Tunnel-Medium-Type = 6, and Tunnel-Private-Group-ID = the correct VLAN ID. Second, the tenant VLANs may not be tagged on the uplink trunk between the ALE AP and the distribution switch. If the VLAN does not exist on the trunk, the AP cannot steer traffic to it, even if the RADIUS attributes are correct.

Q3. A venue requires that guest sessions are automatically terminated after 60 minutes, and that guests who return within 24 hours are recognised and bypass the registration form. How should this be configured in the Purple and ALE architecture?

提示:Consider which system controls session lifetime and which system controls returning visitor recognition.

查看標準答案

Session termination is controlled via the RADIUS Session-Timeout attribute. Configure the Purple RADIUS server to include Session-Timeout = 3600 (seconds) in the Access-Accept message. The ALE AP will disconnect the client after 3600 seconds. Returning visitor recognition is controlled in the Purple portal. Enable the 'remember device' or MAC-based re-authentication setting for your venue. When a returning visitor connects within the configured window, Purple's RADIUS server recognises their MAC address and returns an Access-Accept without requiring the splash page interaction, providing a seamless reconnection experience.

Q4. You are deploying Staff WiFi using 802.1X on ALE OmniAccess Stellar APs. Your organisation uses Microsoft Entra ID as the identity provider. Staff devices are Windows 11 laptops managed via Intune. Which EAP method should you use, and what certificate requirements apply?

提示:Consider the balance between security, deployment complexity, and the capabilities of the existing infrastructure.

查看標準答案

Use PEAP with MSCHAPv2 as the EAP method. This requires only a server-side certificate on the Purple RADIUS server (already provisioned by Purple) and leverages the user's Entra ID credentials for authentication. No client certificates are required, which simplifies deployment on Intune-managed devices. Configure the Windows 11 supplicant via an Intune Wi-Fi profile, specifying the SSID, WPA2-Enterprise security, PEAP method, and the Purple RADIUS server certificate thumbprint for server validation. If your security policy requires certificate-based mutual authentication, upgrade to EAP-TLS and deploy client certificates via Intune SCEP profiles, but this adds significant PKI management overhead.

繼續閱讀本系列

CommScope Ruckus 與 Purple WiFi 整合:安裝與設定指南

本技術參考指南為 CommScope Ruckus 架構與 Purple WiFi 的整合提供了權威的設定指南。其中詳細介紹了使用 Guest WiFi Captive Portal、透過 802.1X 的安全員工 WiFi,以及使用 Ruckus Dynamic PSK 的多租戶網路隔離的逐步部署步驟。

閱讀指南 →

Allied Telesis Access Points Integration with Purple WiFi

本指南提供將 Allied Telesis TQ 系列無線基地台與 Purple WiFi 整合的完整設定指南。內容涵蓋外部 Captive Portal 重新導向、802.1X RADIUS 驗證,以及使用私有預共用金鑰 (PPSK) 進行動態 VLAN 導向,以實現安全的多租戶部署。

閱讀指南 →

Grandstream GWN Access Points Integration with Purple WiFi

本權威技術參考指南詳細說明如何將 Grandstream GWN 基地台與 Purple 的 Guest WiFi 及分析平台進行整合。內容涵蓋 Grandstream Captive Portal 設定、RADIUS AAA 設定、Walled Garden(圍牆花園)設定、支援動態 VLAN 導向的安全員工 802.1X 驗證,以及多租戶 PPSK 分割,為大規模部署訪客與員工 WiFi 的 MSP 和 IT 團隊提供具體可行的逐步指引。

閱讀指南 →