
Arista Cognitive Wi-Fi and Purple WiFi Integration

This technical guide walks step by step through integrating Arista Cognitive Wi-Fi (CV-CUE) with the Purple guest WiFi platform for enterprise venues. It covers Arista Captive Portal configuration, Walled Garden ACL design, RADIUS server setup, secure staff 802.1X authentication, and multi-tenant isolation using Arista PPSK with dynamic VLAN steering, giving IT teams and network architects a definitive deployment blueprint.

Podcast transcript
Welcome to the briefing. Today, we are dissecting the integration of Arista Cognitive Wi-Fi with the Purple platform. This is a senior consultant briefing, aimed squarely at enterprise network architects and cloud systems administrators who need to get this deployed correctly, the first time. Let us set the scene. Arista Cognitive Wi-Fi, managed through the CloudVision Cognitive Unified Edge platform, is a cloud-managed wireless infrastructure that supports enterprise-grade guest and staff network deployments. Purple is a hardware-agnostic cloud overlay that provides the guest portal, identity capture, RADIUS authentication, and analytics layer. When you combine the two, you get a complete, compliant, and commercially valuable guest WiFi architecture.

Let us get into the mechanics. The first thing to understand is the captive portal onboarding flow. When a guest device associates with the open guest SSID on an Arista access point, the AP immediately places that device into a pre-authentication VLAN. In this state, the device has a DHCP-assigned IP address, but its DNS and HTTP traffic is heavily restricted. The device operating system, whether iOS, Android, or Windows, performs a captive portal detection probe. iOS sends an HTTP request to captive.apple.com. Android probes connectivitycheck.gstatic.com. The Arista AP intercepts this request and returns a 302 redirect, pointing the device to the Purple splash page URL.

Now, this is where most deployments go wrong. For that redirect to work, and for the splash page to actually render, you need to configure the Walled Garden correctly in Arista CV-CUE. The Walled Garden is an explicit allow-list. In the pre-authentication state, all traffic is dropped by default. You must whitelist every domain required to load the portal. At minimum, that means the core Purple domains: region1.purpleportal.net, venuewifi.com, and cloudfront.net. If you are offering social login via Google Workspace, you must add accounts.google.com and its associated CDN ranges. For Facebook, you need facebook.com, fbcdn.net, and akamaihd.net. Miss any one of these, and the guest sees a blank screen or a spinning login button. They walk away, and you lose the data capture opportunity.

Let me walk you through the RADIUS configuration in CV-CUE. Navigate to Configure, then Network Profiles, then RADIUS. Click Add RADIUS Server. Enter the Purple primary RADIUS server IP address, set the Authentication Port to 1812, the Accounting Port to 1813, and enter the shared secret provided by Purple. Repeat this for the secondary server. This redundancy is critical. If the primary server is unreachable, the secondary takes over without interrupting guest access.

Once the RADIUS profiles are saved, go to Configure, then WiFi, then SSID, and click Add New SSID. Name your SSID, set the type to Guest, and under the Security tab, set the security level to Open. This is correct for a captive portal deployment. Under the Captive Portal tab, enable the Captive Portal checkbox, select Third-Party Hosted from the Cloud Hosted drop-down, and check the With RADIUS Authentication box. Paste the Purple Splash Page URL into the Splash Page URL field. This is typically in the format https://region1.purpleportal.net/access/. Enter the shared secret. Then, in the Websites that users can access before login section, add your Walled Garden domains. Set the Called Station ID format to percent-m, which sends the MAC address in the format Purple expects. Set the Accounting Interval to 2 minutes. Clear the HTTPS Redirection checkbox. Save the SSID. It will propagate to your Arista APs within minutes.

Now let us talk about what happens after the guest submits their details on the Purple portal. Purple acts as the RADIUS server. It validates the identity, captures the consent, and sends a RADIUS Access-Accept message back to the Arista AP. But here is the critical piece: that Access-Accept message contains Change of Authorization attributes, defined in RFC 3576. These attributes instruct the Arista AP to dynamically transition that specific client from the restricted pre-authentication state to the post-authentication VLAN with full internet access. Simultaneously, the AP sends a RADIUS Accounting-Start message to Purple on port 1813. This starts the session timer and feeds session duration data into the Purple analytics dashboard.

Let us move to the more advanced use case: Multi-Tenant WiFi using Arista Private Pre-Shared Keys, or PPSK. This is the architecture you want for coworking spaces, retail malls, residential buildings, or any environment where you have multiple distinct user groups that need strict network isolation. The problem with traditional approaches is that broadcasting a separate SSID for each tenant creates massive RF overhead. Every SSID requires beacon frames. In a dense environment with 20 tenants, that is 20 SSIDs consuming airtime. PPSK solves this elegantly. You broadcast a single SSID. But in the Purple portal, each tenant is assigned a unique passphrase. When a user connects, the Arista AP authenticates that passphrase against the Purple RADIUS server. Purple looks up the passphrase, identifies the associated tenant, and returns an Access-Accept message. But critically, it appends three RADIUS attributes: Tunnel-Type, set to VLAN; Tunnel-Medium-Type, set to 802; and Tunnel-Private-Group-ID, set to the tenant's specific VLAN ID. The Arista AP reads these attributes and dynamically steers the client to the correct VLAN. Tenant A, using their passphrase, lands on VLAN 100. Tenant B lands on VLAN 200. They are completely isolated at Layer 2. They cannot see each other's devices, printers, or servers. This is Identity-Based Networking in practice. The identity of the passphrase determines the network segment. It is centrally managed through Purple, so when a tenant leaves, you revoke their passphrase in the Purple portal, and access is immediately terminated. No changes required on the Arista infrastructure.

Now, let us cover Secure Staff WiFi using IEEE 802.1X. For your staff SSID, you should not be using a shared passphrase. You should be using 802.1X with EAP, Extensible Authentication Protocol. In CV-CUE, create a new Corporate SSID. Under the Security tab, select WPA2-Enterprise or WPA3-Enterprise. Select your RADIUS profile, which should point to your corporate identity provider, such as Microsoft Entra ID or Okta. When a staff member connects, their device presents credentials to the Arista AP, which forwards them to the RADIUS server via EAP. The identity provider validates the credentials and returns an Access-Accept. For certificate-based authentication using EAP-TLS, the device presents a client certificate rather than a username and password, eliminating credential theft as an attack vector entirely.

Let me address the Arista Cloud WIPS integration. Arista's Wireless Intrusion Prevention System operates in the background, scanning for rogue access points and unauthorized clients. In CV-CUE, navigate to Configure, then WIPS, then Automatic Intrusion Prevention. You can configure the prevention level from Degrade through to Block. For enterprise deployments, we recommend the Disrupt level as a starting point, which disrupts unauthorized communication without completely blocking it, reducing false positive risk. You should also configure VLAN monitoring under Configure, then Device, then Access Point, selecting the Security tab. Enable SSID VLAN Monitoring so that APs actively monitor their assigned VLANs for rogue activity.

Now, a few implementation pitfalls to avoid. First, DHCP pool exhaustion. In high-footfall environments like retail stores or stadiums, devices connect briefly and walk away. If your idle timeout is set too high, those sessions remain active, holding IP addresses. Set the idle timeout in CV-CUE to 10 minutes for retail, and as low as 5 minutes for event venues. This aggressively reclaims IPs and prevents the pool from exhausting. Second, MAC address randomization. Since iOS 14 and Android 10, devices randomize their MAC address per SSID by default. This breaks any architecture that relies on MAC addresses to identify returning guests. The correct response is to shift your identity model to authenticated credentials, the email address or social login captured through the Purple portal. For seamless reconnection without a portal, the long-term migration path is to Passpoint, also known as Hotspot 2.0, which uses certificate-based authentication and eliminates the captive portal entirely. Third, HTTPS redirection. When configuring the captive portal in CV-CUE, ensure the HTTPS Redirection checkbox is cleared. Purple handles the HTTPS session independently. Enabling HTTPS redirection on the Arista side can cause certificate mismatch errors that prevent the portal from loading.

Let us do a rapid-fire question and answer on common scenarios.

Question: A guest's portal page shows a blank screen. Where do you look first? Answer: The Walled Garden. A missing domain is almost always the cause. Check that all Purple domains and the relevant Identity Provider CDN domains are whitelisted in CV-CUE.

Question: PPSK users are all landing on the default VLAN. What is wrong? Answer: The Purple RADIUS server is not returning the Tunnel-Private-Group-ID attribute. Check the RADIUS response in the CV-CUE troubleshooting logs and verify the VLAN mapping in the Purple portal.

Question: The RADIUS accounting data in Purple is showing sessions of zero seconds. What is the issue? Answer: The Accounting Port is likely misconfigured or blocked. Verify that port 1813 is open on the firewall between the Arista APs and the Purple RADIUS servers, and that the accounting interval is set to 2 minutes in the SSID settings.

To summarise the key takeaways from this briefing. One: the Walled Garden is an explicit allow-list. Maintain it as a recurring operational task, not a one-time setup. Two: RADIUS Change of Authorization is the mechanism that grants access. Without it, the portal completes but the guest remains blocked. Three: Arista PPSK with Purple RADIUS enables dynamic VLAN steering for multi-tenant isolation on a single SSID, eliminating beacon overhead. Four: always enable Client Isolation on Guest SSIDs to prevent lateral movement. Five: MAC address randomization requires a shift to identity-based authentication for accurate analytics. Six: proper integration satisfies GDPR consent requirements and captures first-party data that directly drives marketing ROI.

Your next steps: retrieve the Purple RADIUS server IP addresses and shared secrets from the Purple portal hardware configuration page. Configure the RADIUS profiles in CV-CUE. Build your Walled Garden domain list. Deploy your Guest SSID. Test the full authentication flow from a mobile device before rolling out to production. And if you are deploying multi-tenant environments, map your tenant VLAN IDs in Purple before configuring the PPSK passphrases. That concludes this technical briefing. Thank you for listening.

Executive Summary

Deploying an Arista Captive Portal for guest access is more than a connectivity task. It sits at the intersection of network security, regulatory compliance and data strategy. For IT leaders managing distributed venues, integrating Arista CloudVision Cognitive Unified Edge (CV-CUE) with Purple turns unmanaged guest traffic into a secure, isolated and measurable asset.

This guide provides the definitive blueprint for configuring Arista Cognitive Wi-Fi with Purple. We detail the exact mechanics required to deploy third-party hosted splash pages, build precise Walled Garden access control lists (ACLs) and implement RADIUS authentication. We also cover advanced multi-tenant WiFi isolation using Arista Private Pre-Shared Keys (PPSK) and dynamic VLAN steering, an architecture that eliminates SSID sprawl in coworking spaces, retail malls and residential buildings.

Purple operates in more than 80,000 physical venues worldwide and handled 440 million logins in 2024 (Purple internal data). The platform is ISO 27001 certified, GDPR and CCPA compliant, and holds Cyber Essentials and B Corp certification. This guide reflects configurations validated in production across hospitality, retail and public-sector deployments.


Technical Deep Dive

Arista Captive Portal Onboarding Architecture

The guest onboarding flow determines how a device interacts with the Arista access point (AP) before and after authentication. When a device associates with the open guest SSID, the Arista AP assigns it to the pre-authentication VLAN. In this state the AP restricts DNS and HTTP traffic to a defined allow-list. The device operating system detects the captive portal by attempting to reach a known endpoint: iOS sends an HTTP request to captive.apple.com, Android to connectivitycheck.gstatic.com, and Windows to www.msftconnecttest.com. The Arista AP intercepts this request and issues an HTTP 302 redirect to the Purple splash page URL.

For this flow to run without error, the Arista CV-CUE controller must be configured to point to Purple as the third-party hosted portal. This requires defining the Purple RADIUS servers (authentication port 1812, accounting port 1813) in the CV-CUE Network Profiles. Once the guest submits their credentials or accepts the terms on the Purple portal, Purple acts as the RADIUS server and returns an Access-Accept message to the Arista AP. This message carries the RADIUS Change of Authorization (CoA) attributes defined in RFC 3576, instructing the AP to move the client MAC address from the restricted pre-authentication state to full internet access on the post-authentication VLAN.

Walled Garden ACL Design in CV-CUE

The Walled Garden is the whitelist of domains and IP addresses that unauthenticated devices must be able to reach in order to load the splash page and complete authentication. In Arista CV-CUE it is configured under the Captive Portal settings in the "Websites that users can access before login" section.

The Walled Garden is an explicit allow-list. You must include the core Purple domains for the portal to render. If you offer social login, the identity provider (IdP) domains must also be whitelisted. Failing to maintain this list means guests cannot load the authentication provider's login screen, which leads to immediate abandonment.

| Zone | Allowed traffic | Implementation |
| --- | --- | --- |
| Pre-authentication | DNS (restricted), DHCP, portal servers, captive portal detection endpoints | Gateway ACL: deny all traffic except the whitelist |
| Walled Garden | Purple portal domains, social login providers, payment processors | FQDN-based ACL in CV-CUE |
| Post-authentication | Full internet access (subject to content filtering and bandwidth policy) | Per-user ACL applied via RADIUS CoA |

Minimum Walled Garden entries required by Purple:

  • region1.purpleportal.net
  • venuewifi.com
  • cloudfront.net
  • openweathermap.org
  • stripe.com (if paid access is enabled)

Additional entries for social login:

  • Facebook: facebook.com, fbcdn.net, akamaihd.net, connect.facebook.net
  • Google Workspace: accounts.google.com, googleapis.com
  • Twitter/X: twitter.com, twimg.com
  • LinkedIn: linkedin.com, licdn.net
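The pre-authentication behaviour described in this section (probe interception, the 302 redirect, and the Walled Garden allow-list) is easy to get subtly wrong, so here is a small Python model of it. This is an added example written for this guide, not code from Arista or Purple. It treats the Walled Garden as a suffix-matched FQDN allow-list, decides what happens to a single pre-auth HTTP request, and pre-flights an allow-list against the domains each social login provider needs, which is the check to run before guests report a blank page. The hostnames are the ones listed above; the request log in the demo is constructed.

```python
"""Pre-authentication policy for the Arista/Purple captive-portal flow.

Added example for this guide, not Arista or Purple code. It models the
Walled Garden as a suffix-matched FQDN allow-list and shows how an AP treats
a client that has not yet authenticated:
  * captive-portal detection probes get an HTTP 302 to the splash page URL
  * hosts on the Walled Garden allow-list are passed through
  * everything else is dropped (default deny)
It also pre-flights an allow-list against the domains each IdP needs.
Hostnames come from the guide; the request log below is constructed.
"""

# Captive-portal detection endpoints named in the guide (iOS, Android, Windows).
PROBE_HOSTS = {
    "captive.apple.com",
    "connectivitycheck.gstatic.com",
    "www.msftconnecttest.com",
}

# Minimum Purple entries from the guide (stripe.com only if paid access is enabled).
PURPLE_MINIMUM = {
    "region1.purpleportal.net",
    "venuewifi.com",
    "cloudfront.net",
    "openweathermap.org",
}

# Per-identity-provider additions from the guide.
IDP_DOMAINS = {
    "facebook": {"facebook.com", "fbcdn.net", "akamaihd.net", "connect.facebook.net"},
    "google": {"accounts.google.com", "googleapis.com"},
    "twitter": {"twitter.com", "twimg.com"},
    "linkedin": {"linkedin.com", "licdn.net"},
}

SPLASH_URL = "https://region1.purpleportal.net/access/"


def host_allowed(host, allow_list):
    """True if host equals an allow-list entry or is a subdomain of one.

    Matching is on label boundaries: 'd1abc.cloudfront.net' matches
    'cloudfront.net', but 'evilcloudfront.net' does not.
    """
    host = host.lower().rstrip(".")
    return any(host == entry or host.endswith("." + entry) for entry in allow_list)


def pre_auth_decision(host, allow_list, splash_url=SPLASH_URL):
    """What the AP does with one HTTP request from a pre-authentication client."""
    host = host.lower().rstrip(".")
    if host in PROBE_HOSTS:
        return "302 " + splash_url  # OS probe: redirect to the portal
    if host_allowed(host, allow_list):
        return "allow"              # Walled Garden hit: pass through
    return "drop"                   # default deny before authentication


def walled_garden_gaps(allow_list, idps):
    """Entries missing for the core Purple portal and each enabled IdP.

    Returns {'purple' | idp_name: sorted missing domains}; an empty dict means
    the allow-list is complete for that portal setup.
    """
    required = {"purple": PURPLE_MINIMUM}
    required.update({idp: IDP_DOMAINS[idp] for idp in idps})
    gaps = {}
    for name, domains in required.items():
        missing = sorted(d for d in domains if not host_allowed(d, allow_list))
        if missing:
            gaps[name] = missing
    return gaps


def simulate(requests, allow_list):
    """Run a constructed pre-auth request log through the policy."""
    return [(host, pre_auth_decision(host, allow_list)) for host in requests]


if __name__ == "__main__":
    # Constructed: a Walled Garden built for Google login, while the venue
    # has since enabled Facebook login and only added facebook.com.
    allow_list = PURPLE_MINIMUM | IDP_DOMAINS["google"] | {"facebook.com"}
    # Constructed: hosts an iPhone touches while loading the portal with Facebook login.
    log = ["captive.apple.com", "region1.purpleportal.net",
           "d1abc.cloudfront.net", "connect.facebook.net", "static.xx.fbcdn.net"]
    for host, decision in simulate(log, allow_list):
        print(f"{host:32} {decision}")
    print("gaps:", walled_garden_gaps(allow_list, ["google", "facebook"]))
```

The gap report is the useful part operationally: run it against the exported CV-CUE list whenever an IdP is added or the Purple domain list changes, and the missing CDN entries (here `connect.facebook.net`, `fbcdn.net`, `akamaihd.net`) show up before a guest sees the spinning login button.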

Arista PPSK Configuration for Multi-Tenant Isolation

In environments such as coworking spaces, residential buildings or retail malls, standard 802.1X is often too complex for unmanaged devices, while open networks lack the necessary security. Arista Private Pre-Shared Keys (PPSK) solve this by allowing multiple unique passphrases on a single SSID, each mapped to a different network policy.

When integrated with Purple RADIUS, Arista PPSK enables dynamic VLAN steering. A resident or retail tenant connects to the unified SSID with their specific PPSK. The Arista AP validates the key against the Purple RADIUS server. Purple returns a standard Access-Accept, appended with three RADIUS attributes that drive the VLAN assignment:

| RADIUS attribute | Value | Purpose |
| --- | --- | --- |
| Tunnel-Type | 13 (VLAN) | Specifies the tunnel type |
| Tunnel-Medium-Type | 6 (802) | Specifies the medium type |
| Tunnel-Private-Group-ID | e.g. "100" | The specific VLAN ID to assign |

The Arista AP dynamically assigns the device to that VLAN. This provides strict Layer 2 isolation between tenants without broadcasting dozens of separate SSIDs, optimising RF utilisation while maintaining an absolute security boundary.
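To make the Access-Accept exchange concrete (both the portal grant described in the onboarding section and the PPSK attributes in the table above), the following Python is an added example, not Purple's or Arista's code. It encodes the three tunnel attributes into a RADIUS Access-Accept, computes the Response Authenticator as RFC 2865 specifies, and then performs the AP-side work: authenticator verification against the shared secret, attribute decoding and VLAN selection. It deliberately handles the two failure modes the troubleshooting section lists (Tunnel-Private-Group-ID missing, and a VLAN not trunked on the AP's switch port, both of which leave the client on the SSID default) and the Access-Reject a revoked passphrase produces. The shared secret, packet identifier, Request Authenticator and VLAN numbers are constructed values; the attribute numbers 64, 65 and 81 are the RFC 2868 assignments for Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID.

```python
"""RADIUS Access-Accept with dynamic-VLAN tunnel attributes, AP-side handling.

Added example for this guide, not Purple or Arista code. Encodes the RFC 2868
tunnel attributes (Tunnel-Type=13/VLAN, Tunnel-Medium-Type=6/802,
Tunnel-Private-Group-ID="100") into an Access-Accept with an RFC 2865 Response
Authenticator, then verifies, decodes and picks the VLAN the way an AP would,
falling back to the SSID default VLAN on missing attributes or an untrunked VLAN.
SECRET, REQUEST_AUTH and all VLAN/identifier numbers are constructed values.
"""
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_802 = 13, 6

# Constructed stand-ins for the real Purple shared secret and the Request
# Authenticator the AP placed in its Access-Request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))


def avp(attr_type, value):
    """One RADIUS attribute TLV: Type (1 byte), Length incl. header (1 byte), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: 1 tag byte, then a 3-byte big-endian integer."""
    return bytes([tag]) + value.to_bytes(3, "big")


def tagged_string(value, tag=0):
    """RFC 2868 tagged string: 1 tag byte (0x00..0x1F), then the string."""
    return bytes([tag]) + value.encode()


def build_reply(code, identifier, request_auth, secret, vlan_id=None):
    """Server side. For an Access-Accept, vlan_id=None omits Tunnel-Private-Group-ID,
    reproducing the 'everyone lands on the default VLAN' misconfiguration."""
    attrs = b""
    if code == ACCESS_ACCEPT:
        attrs += avp(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
        attrs += avp(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_802))
        if vlan_id is not None:
            attrs += avp(ATTR_TUNNEL_PRIVATE_GROUP_ID, tagged_string(str(vlan_id)))
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    # RFC 2865: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Length sanity check plus constant-time Response Authenticator comparison."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def parse_attributes(packet):
    """Walk the attribute TLVs after the 20-byte header into {type: raw value}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def decode_tagged_int(raw):
    return int.from_bytes(raw[1:4], "big")


def decode_tagged_string(raw):
    # RFC 2868: a leading byte above 0x1F is data, not a tag (some servers send no tag).
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]
    return raw.decode()


def assign_vlan(packet, request_auth, secret, trunked_vlans, default_vlan):
    """AP side: returns (vlan or None, reason) for one RADIUS reply."""
    if not verify_response(packet, request_auth, secret):
        return None, "discarded: bad Response Authenticator"
    if packet[0] != ACCESS_ACCEPT:
        return None, "access denied"  # e.g. a revoked PPSK yields Access-Reject
    attrs = parse_attributes(packet)
    needed = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)
    if any(a not in attrs for a in needed):
        return default_vlan, "default VLAN: tunnel attributes missing"
    if (decode_tagged_int(attrs[ATTR_TUNNEL_TYPE]) != TUNNEL_TYPE_VLAN
            or decode_tagged_int(attrs[ATTR_TUNNEL_MEDIUM_TYPE]) != TUNNEL_MEDIUM_802):
        return default_vlan, "default VLAN: tunnel type/medium not VLAN/802"
    vlan = int(decode_tagged_string(attrs[ATTR_TUNNEL_PRIVATE_GROUP_ID]))
    if vlan not in trunked_vlans:
        return default_vlan, f"default VLAN: VLAN {vlan} not trunked on AP uplink"
    return vlan, "dynamic VLAN from Tunnel-Private-Group-ID"


if __name__ == "__main__":
    trunk = {100, 200}   # constructed: VLANs allowed on the AP's switch port
    for label, pkt in [
        ("tenant A, VLAN 100", build_reply(ACCESS_ACCEPT, 7, REQUEST_AUTH, SECRET, 100)),
        ("VLAN 300 not trunked", build_reply(ACCESS_ACCEPT, 8, REQUEST_AUTH, SECRET, 300)),
        ("Group-ID missing", build_reply(ACCESS_ACCEPT, 9, REQUEST_AUTH, SECRET)),
        ("revoked passphrase", build_reply(ACCESS_REJECT, 10, REQUEST_AUTH, SECRET)),
    ]:
        print(f"{label:22} -> {assign_vlan(pkt, REQUEST_AUTH, SECRET, trunk, 1)}")
```

The `assign_vlan` reasons map directly onto the troubleshooting entries later in this guide: "tunnel attributes missing" is the Purple-side VLAN mapping problem, and "not trunked on AP uplink" is the switch-port problem, which no RADIUS fix will resolve. The authenticator check is what stops a spoofed reply on the AP-to-server path from steering a client onto a VLAN of the sender's choosing.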

Securing Staff WiFi with IEEE 802.1X

For staff networks, a shared passphrase is a security liability. IEEE 802.1X (defined in IEEE Std 802.1X-2020) provides port-based network access control using per-user credentials. In CV-CUE you configure the corporate SSID with WPA2-Enterprise or WPA3-Enterprise security. The AP acts as the authenticator and forwards credentials to the RADIUS server via EAP (Extensible Authentication Protocol). Purple supports EAP-PEAP for username/password authentication and EAP-TLS for certificate authentication.

For EAP-TLS deployments, you can integrate with Microsoft Entra ID, Okta or Google Workspace as the certificate authority. When a staff device presents a valid client certificate, the RADIUS server validates it against the directory and returns an Access-Accept. This eliminates credential theft as an attack vector entirely.

Arista Cloud WIPS Integration

Arista's Wireless Intrusion Prevention System (WIPS) runs continuously in the background, scanning for rogue access points, misconfigured APs and unauthorised clients. In CV-CUE, navigate to Configure > WIPS > Automatic Intrusion Prevention to set the prevention level. Arista offers four levels: Degrade, Interrupt, Disrupt and Block. For enterprise deployments, start with Disrupt, which disrupts unauthorised communication without blocking it completely, reducing the false-positive risk during initial rollout.

Enable SSID VLAN Monitoring under the Configure > Device > Access Point > Security tab so that APs actively monitor their assigned VLANs for rogue activity. Arista AP-3xx series models support simultaneous monitoring of up to 42 VLANs (Arista WIPS documentation, 2025).


Implementation Guide

Phase 1: Network Segmentation and RADIUS Configuration

  1. Log in to Arista CV-CUE and navigate to Configure > Network Profiles > RADIUS.
  2. Click Add RADIUS Server.
  3. Enter the primary Purple RADIUS server details: IP address, Authentication Port (1812), Accounting Port (1813), and the Shared Secret from the Purple portal hardware configuration page.
  4. Repeat for the secondary Purple RADIUS server to ensure high availability.
  5. Verify that UDP ports 1812 and 1813 are open on the firewall between the Arista APs and the Purple RADIUS servers.

Phase 2: Guest SSID and Captive Portal Configuration

  1. Navigate to Configure > WiFi > SSID and click Add New SSID.
  2. Define the SSID name (e.g. Guest_WiFi) and set the SSID type to Guest.
  3. Under the Security tab, set the security level to Open.
  4. Under the Network tab, configure the pre-authentication VLAN (e.g. VLAN 10) with a dedicated DHCP range.
  5. Under the Captive Portal tab, tick the Enable Captive Portal checkbox.
  6. Select Third-Party Hosted from the Cloud Hosted drop-down.
  7. Tick With RADIUS Authentication and select the Purple RADIUS profile.
  8. Enter the Purple Splash Page URL (e.g. https://region1.purpleportal.net/access/) and the redirect URL (e.g. https://region1.purpleportal.net/access/?res=success).
  9. Set the Called Station ID format to %m (the MAC address format Purple requires).
  10. Set the Accounting Interval to 2 minutes.
  11. Clear the HTTPS Redirection checkbox.

Phase 3: Walled Garden Deployment

  1. In the Captive Portal tab, locate the Websites that users can access before login section.
  2. Add all the required Purple domains and identity provider domains listed above.
  3. Save the SSID configuration and apply it to the target Arista AP group.

Phase 4: PPSK Multi-Tenant Configuration

  1. In the Purple portal, navigate to the venue hardware configuration and obtain the PPSK RADIUS settings.
  2. In CV-CUE, create a new SSID with WPA2-Personal security and enable PPSK mode.
  3. Configure the SSID to authenticate against the Purple RADIUS profile.
  4. In the Purple portal, create a PPSK passphrase for each tenant and map it to the corresponding VLAN ID.
  5. Verify that the switch ports connected to the Arista APs are configured to trunk the required tenant VLANs.

Phase 5: Securing Staff WiFi (802.1X)

  1. Create a new corporate SSID in CV-CUE.
  2. Under the Security tab, select WPA2-Enterprise or WPA3-Enterprise.
  3. Select the RADIUS profile pointing to your corporate identity provider (Microsoft Entra ID, Okta or Google Workspace).
  4. Configure the EAP type: PEAP for username/password, EAP-TLS for certificate authentication.
  5. Assign the staff SSID to a dedicated VLAN isolated from the guest VLAN (e.g. VLAN 20).

Best Practices

Automate Walled Garden updates. Identity providers change their CDN domains frequently. Schedule a quarterly review of your Arista CV-CUE Walled Garden configuration and compare it against Purple's updated domain list. A single missing CDN entry breaks social login for every guest.

Tune session timers to the venue type. Set the idle timeout in Arista CV-CUE to match your venue's traffic profile. Retail environments suit a 10-minute idle timeout so that IP addresses are reclaimed from devices that have left the store. Hotel deployments should use a longer timeout (4-8 hours) to avoid repeatedly triggering the portal during a guest's stay.

Enforce Client Isolation. Always enable Client Isolation on guest SSIDs within Arista CV-CUE. This prevents guest devices from communicating with each other, reducing lateral movement risk and satisfying PCI DSS network segmentation requirements.

Enable RADIUS Accounting. Make sure RADIUS Accounting is enabled with the interval set to 2 minutes. This gives Purple accurate session duration and data transfer metrics, which feed the WiFi Analytics dashboard and enable accurate dwell-time analysis.

Segment by SSID type, not by AP. Apply the guest, staff and multi-tenant SSIDs to the same AP group. Arista CV-CUE handles the VLAN tagging for each SSID, so you do not need separate APs for each user type. This simplifies hardware deployment while maintaining strict logical isolation.

For a deeper look at enterprise WiFi security architecture, see our guide Enterprise WiFi Security: The Complete 2026 Guide.


Case Studies

Case Study 1: 350-Room Hotel Chain

A mid-sized hotel chain with 12 properties deployed Arista Wi-Fi 6E APs across all sites, managed through a single CV-CUE instance. The requirements were branded guest WiFi with email capture for marketing, isolation from the property management system (PMS) network, and 802.1X authentication for staff devices.

The team configured three SSIDs per property: a guest SSID (VLAN 10) pointing to Purple, a staff SSID (VLAN 20) using 802.1X against Microsoft Entra ID, and an IoT SSID (VLAN 30) for building management devices. The Purple portal captured guest email addresses and consent at check-in. Within 90 days the chain had collected verified first-party data from 68% of guests (Purple internal data), enabling targeted re-marketing campaigns. The PMS network remained fully isolated, meeting the PCI DSS requirement for cardholder data environment segmentation.

Case Study 2: Multi-Tenant Coworking Space

A coworking operator managing eight locations needed isolated WiFi for 35 member companies at each site without broadcasting 35 SSIDs. The RF environment was already congested, and SSID sprawl was degrading network performance for every member.

The solution was a single SSID per site combining Arista PPSK with Purple RADIUS. Each member company received a dedicated PPSK passphrase. Purple mapped each passphrase to a dedicated VLAN (VLAN 100 through VLAN 3500). When a member connected, the Arista AP dynamically steered them to the corresponding VLAN based on the Tunnel-Private-Group-ID returned by Purple RADIUS. The result was a reduction from 35 SSIDs to 1 per site, markedly improved airtime efficiency, and complete Layer 2 isolation between member companies. When a member's contract ended, the operator simply revoked the passphrase in the Purple portal, terminating access within seconds.


Troubleshooting and Risk Mitigation

Problem: Apple devices do not load the splash page. iOS uses a specific mechanism to detect captive portals. If the splash page does not load automatically, confirm that the Arista Walled Garden includes all Purple CDN domains. If the Walled Garden is too restrictive, iOS devices cannot load the portal assets and will disconnect.

Problem: MAC address randomization prevents returning guests from being recognised. iOS 14+ and Android 10+ devices randomize their MAC address per SSID. This makes it impossible for Purple to identify returning guests by MAC address alone. Rely on authenticated identity (email or social login) for long-term tracking. For seamless, secure reconnection without a captive portal, migrate to a Passpoint/Hotspot 2.0 architecture.

Problem: PPSK dynamic VLAN steering fails. If tenants are placed on the default VLAN rather than their dedicated VLAN, verify the RADIUS response with the Arista CV-CUE troubleshooting tools. Make sure Purple returns the correct Tunnel-Private-Group-ID, Tunnel-Type and Tunnel-Medium-Type attributes, and that the specified VLAN exists on the switch port connected to the Arista AP.

Problem: DHCP pool exhaustion on the Guest VLAN. In high-footfall environments, shorten the idle timeout to 5-10 minutes. If the venue's pool utilisation regularly exceeds 80%, enlarge the DHCP scope. For high-density venues such as stadiums or conference centres, consider a /22 or larger subnet.

Problem: RADIUS accounting data shows 0-second sessions. Confirm that UDP port 1813 is open on the firewall between the Arista APs and the Purple RADIUS servers. Confirm that the Accounting Interval in the CV-CUE SSID settings is set to 2 minutes.

For guidance on wireless display protocols and best practices in enterprise environments, see What Is Wireless Display: 2026 Protocols and Best Practices.


ROI and Business Impact

Deploying Arista Cognitive Wi-Fi with Purple turns a network cost centre into a measurable business asset. By enforcing a compliant captive portal, you reduce the risk of GDPR fines (up to 4% of global annual turnover). More importantly, the guest WiFi portal captures verified first-party data. Purple has collected 29 billion data points across its network (Purple internal data), which shows the scale of value a properly deployed guest WiFi architecture can generate.

For retail venues, this data feeds directly into CRM systems, enabling targeted campaigns based on visit frequency and dwell time. For hospitality operators, it enables personalised re-engagement with returning guests. For transport hubs, it provides accurate passenger flow data to inform operational decisions. For healthcare facilities, it ensures patients and visitors get appropriate network access while clinical systems remain fully isolated.

The Purple platform runs at 99.999% uptime (Purple internal data), ensuring guest access is never interrupted by platform availability issues. Combined with Arista's cloud-managed infrastructure, you get an end-to-end architecture that scales from a single venue to more than 80,000 locations without architectural changes.

For more integration context, see our guide NETGEAR Insight and Enterprise Access Point Integration with Purple WiFi. Venue operators evaluating survey tools to pair with their WiFi analytics should see Survey Design: A Practical Guide for Venues.

Key Definitions

Arista CV-CUE

CloudVision Cognitive Unified Edge. The centralized cloud management platform used to configure, monitor, and manage Arista Wi-Fi access points, switches, and network profiles including RADIUS and SSID settings.

IT teams use CV-CUE to define SSIDs, configure RADIUS servers, set Walled Garden rules, and manage WIPS policies across all Arista APs from a single interface.

Captive portal

A web page that intercepts unauthenticated network traffic, requiring the user to interact (login, accept terms, or pay) before granting internet access. Implemented at the wireless controller or gateway level.

The primary interface for capturing first-party data and enforcing GDPR consent on Guest WiFi networks. In Arista deployments, the captive portal function is delegated to Purple as a third-party hosted service.

Walled Garden

A restricted network environment that allows access only to a specific whitelist of domains or IP addresses prior to authentication. Implemented as an ACL on the wireless controller.

Essential for allowing devices to reach the Purple splash page and Identity Providers before they have full internet access. Must be maintained as a recurring operational task as CDN IP ranges change.

PPSK (Private Pre-Shared Key)

A security mechanism that allows multiple unique passphrases to be used on a single SSID, with each passphrase mapped to a different network policy or VLAN via RADIUS authentication.

Used in multi-tenant environments to provide secure, isolated networks without broadcasting numerous SSIDs. Arista PPSK with Purple RADIUS enables dynamic VLAN steering per passphrase.

Dynamic VLAN steering

The process of assigning a client device to a specific VLAN based on RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) returned during authentication, rather than a static SSID-to-VLAN mapping.

Crucial for Multi-Tenant WiFi, allowing a single SSID to serve multiple isolated user groups. Requires the switch ports connected to APs to trunk all possible tenant VLANs.

RADIUS CoA (Change of Authorization)

An extension to the RADIUS protocol (RFC 3576) that allows a RADIUS server to dynamically modify the authorization attributes of an active session without requiring re-authentication.

Used by Purple to instruct the Arista AP to grant full internet access immediately after the user completes the portal login, without requiring the device to re-associate with the SSID.

IEEE 802.1X

An IEEE standard for port-based network access control that provides an authentication mechanism for devices connecting to a LAN or WLAN. Uses EAP (Extensible Authentication Protocol) to pass credentials between the client, authenticator, and authentication server.

The correct authentication standard for Staff WiFi. Eliminates shared passphrases and enables per-user credential management integrated with corporate identity providers like Microsoft Entra ID or Okta.

MAC address randomization

A privacy feature in modern operating systems (iOS 14+, Android 10+) where the device generates a random MAC address for each Wi-Fi network it connects to, rather than using the hardware-burned MAC address.

Impacts the ability to track returning guests based solely on hardware identifiers. Requires a shift to identity-based authentication (email, social login) for accurate visitor analytics and CRM integration.

Client Isolation

A wireless network setting that prevents client devices connected to the same AP from communicating directly with each other at Layer 2, forcing all traffic through the gateway.

A mandatory security configuration for Guest WiFi to prevent lateral movement and device-to-device attacks. Also required for PCI DSS compliance when guest networks share physical infrastructure with payment systems.

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)

A certificate-based EAP method where both the client and the authentication server present X.509 certificates for mutual authentication. Considered the most secure EAP method for enterprise WiFi.

The recommended authentication method for Staff WiFi in high-security environments. Eliminates password-based credential theft by requiring a valid client certificate issued by a trusted certificate authority.

Examples

A 40-site retail chain needs to deploy Guest WiFi across all locations using Arista APs. They require guests to authenticate via Google Workspace or Facebook, and need to ensure the corporate network remains completely isolated from guest traffic. They also need GDPR-compliant consent capture.

The network architect creates a dedicated Guest VLAN (VLAN 50) on the core switches and trunks it to the Arista APs. In CV-CUE, a new Guest SSID is created, mapped to VLAN 50, with Client Isolation enabled. The Captive Portal is set to Third-Party Hosted, pointing to Purple. The Walled Garden is configured to include Purple's domains, plus accounts.google.com, facebook.com, and their associated CDNs. Purple RADIUS servers are configured for authentication on ports 1812 and 1813. The Purple portal is configured with an unchecked GDPR consent checkbox and plain-language terms. When a shopper connects, they are isolated on VLAN 50, authenticate via the Purple portal using Google or Facebook, and are granted access via RADIUS CoA. Consent is logged with a timestamp and terms version in Purple, satisfying GDPR Article 7 requirements.

Examiner's comment: This approach ensures absolute Layer 2 isolation between corporate and guest traffic. By relying on Purple for the identity and consent layer and Arista for the enforcement layer, the retailer achieves compliance and security without complex on-premise infrastructure. The key decision here is using VLAN segmentation at the switch level rather than relying solely on the AP firewall, which provides defense in depth.

A coworking space requires Multi-Tenant WiFi for 40 member companies. They want a single SSID broadcasted, but need each member company to be isolated on their own VLAN for security. When a member's contract ends, access must be revoked immediately.

The IT manager deploys Arista APs and configures a single SSID using Arista PPSK. The SSID is configured to authenticate against Purple RADIUS. In the Purple portal, each member company is assigned a unique passphrase and a specific VLAN ID (VLAN 100 through VLAN 4000). When a user from Company A connects using their passphrase, the Arista AP queries Purple RADIUS. Purple returns an Access-Accept containing Tunnel-Type (13), Tunnel-Medium-Type (6), and Tunnel-Private-Group-ID (100). The AP dynamically steers the user to VLAN 100. When a member's contract ends, the operator revokes the passphrase in the Purple portal. The next connection attempt by any device using that passphrase receives a RADIUS Access-Reject, terminating access immediately.

Examiner's comment: This is the optimal architecture for multi-tenant environments. It reduces SSID overhead from 40 SSIDs to one per site, directly improving airtime efficiency and client roaming performance. The centralized revocation through Purple RADIUS eliminates the need to modify any Arista configuration when a tenant leaves, reducing operational overhead significantly.

A conference centre hosts 10 events per week, each with a different organiser who needs their own branded splash page and isolated guest network. The IT team cannot reconfigure the Arista infrastructure for each event.

The conference centre deploys a permanent Multi-Tenant WiFi architecture using Arista PPSK. Each event organiser is pre-provisioned in the Purple portal with a unique PPSK passphrase, a dedicated VLAN (e.g., VLAN 200 for Event A, VLAN 201 for Event B), and a branded splash page template. The Arista APs broadcast a single SSID year-round. The event organiser distributes their PPSK to attendees. Attendees connect, authenticate against Purple RADIUS, receive their VLAN assignment, and see the organiser's branded portal. The IT team enables and disables event passphrases in the Purple portal on a schedule, with no changes required to the Arista CV-CUE configuration.

Examiner's comment: This architecture separates the operational concerns cleanly: Arista handles the RF and enforcement layer, Purple handles the identity and policy layer. The conference centre IT team manages one stable infrastructure configuration. Event-specific customisation is entirely handled through the Purple portal, which can be delegated to event organisers or venue operations staff without requiring network engineering skills.

Practice Questions

Q1. A hotel guest connects to the Guest WiFi SSID, but the portal login page displays a blank screen or a timeout error on their iPhone. The corporate WiFi works perfectly. The Arista AP is online and the Purple RADIUS servers are reachable. What is the first configuration element you should verify in Arista CV-CUE, and what specific entries are you looking for?

Hint: Consider what network access the device has before authentication completes, and what the device needs to load the portal page.

Model answer

Verify the Walled Garden configuration under the Captive Portal settings in CV-CUE. The Walled Garden must explicitly whitelist the Purple portal domains: region1.purpleportal.net, venuewifi.com, and cloudfront.net. If these are missing, the device cannot load the portal assets. Additionally, check that the captive portal detection endpoints (captive.apple.com for iOS) are not being blocked. A blank screen typically indicates the portal HTML is loading but the JavaScript or CSS assets from a CDN are being blocked.

Q2. You are deploying Multi-Tenant WiFi using Arista PPSK for a coworking space with 30 member companies. Users report they can connect to the SSID and receive an IP address, but they are all landing on the default management VLAN (VLAN 1) rather than their assigned tenant VLANs. What RADIUS attributes are likely missing or misconfigured, and how do you verify this?

Hint: Think about how RADIUS instructs the AP to assign a specific network segment, and what three attributes work together to achieve this.

Model answer

The Purple RADIUS server is likely failing to return the dynamic VLAN attributes in the Access-Accept message. Three attributes must be present: Tunnel-Type (value 13, meaning VLAN), Tunnel-Medium-Type (value 6, meaning 802), and Tunnel-Private-Group-ID (the specific VLAN ID as a string, e.g., '100'). To verify, use the Arista CV-CUE troubleshooting tools to capture the RADIUS exchange for a test connection. Check the Access-Accept packet for these three attributes. Also verify that the switch port connecting the Arista AP is configured to trunk all required tenant VLANs - if the VLAN is not trunked, the AP cannot place the client on it even if the RADIUS attribute is correct.

Q3. A retail venue with 200 daily visitors notices that Purple Analytics shows a high number of very short sessions (under 1 minute), and the DHCP scope on the Guest VLAN is constantly exhausted by mid-morning, preventing new shoppers from connecting. The DHCP scope is a /24 (254 usable addresses). What are the two most likely causes, and what specific configuration changes do you make in Arista CV-CUE and the DHCP server?

Hint: Consider how the network determines when a device has left the venue, and how modern devices behave when scanning for networks.

Model answer

The two most likely causes are: first, an idle timeout that is too long, keeping sessions active for devices that have left the store; and second, MAC address randomization causing devices to appear as new clients on each visit, consuming additional IP leases. To address the idle timeout, reduce it to 10 minutes in the CV-CUE SSID session settings. This ensures stale sessions are cleared and IPs are returned to the pool. To address pool exhaustion, increase the DHCP scope to a /22 (1022 usable addresses) to accommodate the volume of unique MAC addresses generated by randomization. Additionally, reduce the DHCP lease time to 30 minutes to accelerate IP reclamation from disconnected devices.