Welcome to the Purple Technical Briefing Series. I'm your host, and today we're covering a deployment pattern that's becoming increasingly common across hospitality, retail, and multi-tenant properties: integrating Grandstream GWN access points with Purple's guest WiFi platform.
If you're an MSP, an in-house IT team, or a network architect who's been handed a Grandstream GWN deployment and asked to bolt on a branded captive portal with analytics, this episode is for you. We'll cover the full stack: guest splash page redirection, walled garden configuration, secure staff WiFi using 802.1X, and multi-tenant segmentation using Grandstream's Private Pre-Shared Key feature. Let's get into it.
---
First, some context. Grandstream's GWN series is a solid mid-market access point range. You've got the GWN7600 and GWN7630 for indoor deployments, the GWN7660 and GWN7664 for Wi-Fi 6 environments, and the GWN7610 as a ceiling-mount option for higher-density spaces. They're managed either through GWN Manager, which is an on-premise controller you install on a Linux or Windows server, or through GWN dot Cloud, which is Grandstream's cloud-hosted management platform, now rebranded as GDMS Networking.
The good news for MSPs is that both management platforms support captive portal configuration natively. You can build the portal policy, customise the splash page, and associate it with an SSID entirely within GWN Manager or GWN dot Cloud. But for enterprise deployments where you need GDPR-compliant data capture, marketing automation, and real-time analytics, you're going to replace that native portal with an external platform. That's where Purple comes in.
Purple operates as a cloud overlay. It sits above your hardware and provides the captive portal, the RADIUS authentication layer, the analytics engine, and the marketing tools. Purple supports 80,000 live venues and has processed 440 million logins in 2024 alone, so the platform is well-proven at scale. The integration with Grandstream GWN follows the same standards-based approach Purple uses across Cisco Meraki, HPE Aruba, Ruckus, Juniper Mist, and Ubiquiti UniFi.
---
Let's get into the technical architecture. The guest WiFi flow on Grandstream GWN with Purple works like this.
A guest connects to your guest SSID. Their device sends an HTTP request to any website. The GWN access point intercepts that request and issues an HTTP 302 redirect to the Purple portal URL. The guest lands on your branded splash page, hosted by Purple. They authenticate, whether that's via email, social login, SMS verification, or a custom form. Purple's platform validates that authentication, records the consent and data in line with GDPR, and then sends a RADIUS Access-Accept back to the GWN access point. The AP grants internet access. The whole flow takes around three to five seconds from connection to internet access.
Now, the key configuration components on the Grandstream side are: the captive portal policy, the splash page settings, the walled garden, and the SSID association. Let me walk through each one.
---
Step one: configure the captive portal policy in GWN Manager or GWN dot Cloud.
Navigate to Captive Portal, then Policy List, and create a new policy. Give it a descriptive name, something like "Purple-Guest-Portal". Set the Authentication Type to RADIUS Server. You'll then see fields for RADIUS Server Address, RADIUS Server Port, and RADIUS Server Secret. Enter Purple's RADIUS server IP address and port 1812 for authentication. Your shared secret comes from the Purple portal admin console, under the venue's hardware configuration section. Set the RADIUS Authentication Method to PAP, which is what Purple's captive portal flow uses.
Under Landing Page, set this to Redirect to External Page, and enter your Purple portal redirect URL. This is the URL that guests will be sent to when they first connect. Again, this comes from your Purple admin console.
Set the Expiration time to match your venue's session policy. For a hotel, 24 hours is typical. For a conference venue, you might set this to the duration of the event. For a retail environment, two to four hours is common.
Enable Failsafe Mode. This is important. If the GWN access point can't reach Purple's RADIUS server, failsafe mode grants internet access anyway rather than blocking all guests. For most hospitality and retail deployments, a brief RADIUS outage should not result in all guests losing connectivity.
---
Step two: configure the walled garden.
The walled garden is the list of domains and IP addresses that guests can access before they've authenticated through the portal. If you get this wrong, guests will see a blank page or a broken portal, and they'll blame the WiFi.
In GWN Manager, the walled garden is configured under the captive portal policy as Pre-Authentication Rules. Add the following domains as allow rules: the Purple portal domain, which is portal dot purple dot ai; any CDN domains that Purple's splash page loads assets from, including cloudfront dot net using a wildcard entry; Apple's captive portal detection endpoint, captive dot apple dot com; and Google's connectivity check endpoint, connectivitycheck dot gstatic dot com.
Purple's support portal has a dynamic walled garden generator at support dot purple dot ai. Select Grandstream from the hardware list, choose your authentication methods, and it generates the exact domain list you need. Use that list. Don't try to build it manually from scratch.
One decision you need to make: do you include captive dot apple dot com in the walled garden or not? If you include it, iOS devices will not show the Captive Network Assistant mini-browser automatically. Guests will need to open a browser manually to reach the portal. If you exclude it, iOS fires the mini-browser automatically when the device connects. For most hospitality deployments, you want the mini-browser to appear, so leave captive dot apple dot com out of the walled garden.
---
Step three: configure the SSID.
In GWN Manager, navigate to SSID and edit your guest SSID. Enable Captive Portal and select the policy you just created. Set the SSID to WPA2-Personal with a simple open password, or configure it as an open SSID if your venue prefers that approach. The security in this flow comes from the portal authentication, not the WiFi password.
Enable Client Isolation. This prevents guests from seeing each other's devices on the network. It's a basic security requirement and a PCI DSS consideration if your venue processes card payments on the same infrastructure.
Assign the SSID to your guest VLAN. VLAN 10 is a common convention for guest traffic. Make sure your upstream switch and router are configured to route that VLAN to the internet with appropriate firewall rules.
---
Now let's talk about Staff WiFi using 802.1X.
IEEE 802.1X is the standard for port-based network access control. For staff WiFi, it replaces the shared pre-shared key with per-user credentials, validated against an identity provider. When a staff member connects, the GWN access point acts as the authenticator, their device is the supplicant, and Purple's RADIUS server is the authentication server.
In GWN Manager, create a separate SSID for staff. Set the Security Mode to WPA2-Enterprise, which enables 802.1X. Configure the RADIUS server settings with Purple's RADIUS IP, port 1812, and your shared secret. Enable RADIUS Accounting on port 1813 so you get a full audit trail of who connected, when, and for how long. This audit trail is what you need for GDPR compliance and for responding to any security incidents.
For the EAP method, you have two main options. EAP-TLS uses digital certificates on both the server and the client device. It's the most secure option, but it requires a Mobile Device Management platform to push certificates to staff devices. If you have Microsoft Intune or Jamf, EAP-TLS is the right choice.
PEAP, which stands for Protected EAP, uses a username and password inside an encrypted TLS tunnel. It's easier to deploy, particularly for BYOD environments, but you must ensure staff are trained not to accept certificate warnings. A rogue access point can harvest PEAP credentials if users click through certificate errors.
Enable Dynamic VLAN assignment in the SSID settings. When this is on, the RADIUS server can return a VLAN ID in the Access-Accept packet, and the GWN AP will place the connecting device on that VLAN. This means you can have a single staff SSID but automatically segment IT staff onto VLAN 20, management onto VLAN 21, and point-of-sale devices onto VLAN 40, all based on the user's identity in Purple's directory.
The RADIUS attributes for dynamic VLAN are: Tunnel-Type set to VLAN, which is attribute value 13; Tunnel-Medium-Type set to IEEE-802, which is attribute value 6; and Tunnel-Private-Group-ID set to the VLAN number as a string. These three attributes in the Access-Accept packet are all the GWN AP needs to steer the device to the correct VLAN.
---
Now for the feature that's particularly relevant for multi-tenant properties: Grandstream Private Pre-Shared Keys, or PPSK.
PPSK is a mechanism that allows a single SSID to support multiple unique passwords, each mapped to a different VLAN or network policy. Think of a build-to-rent apartment block, a co-working space, or a serviced office building. You want one SSID visible to everyone, but each tenant gets their own password that puts them on their own isolated network segment.
In GWN Manager, PPSK is configured under the SSID settings. Set the Security Mode to WPA2-Personal, then enable PPSK. You can then create individual PSK entries, each with a unique password and an associated VLAN ID. When a device connects using Tenant A's password, the AP places it on VLAN 31. When a device uses Tenant B's password, it lands on VLAN 32. The tenants share the same SSID but are completely isolated from each other at the network layer.
For larger deployments, Grandstream also supports PPSK with RADIUS backend. In this mode, the AP sends the PSK as a RADIUS attribute to the authentication server, which validates it and returns the appropriate VLAN assignment. This is where Purple's Identity-Based Networks feature integrates directly. Purple can manage the PPSK database, validate keys against its directory, and return dynamic VLAN assignments, giving you centralised management of hundreds of tenant credentials from a single platform.
The RADIUS attribute used for PPSK validation is typically the Tunnel-Password attribute, or a vendor-specific attribute depending on firmware version. Check Grandstream's release notes for your specific firmware, as the attribute mapping has evolved across GWN Manager versions.
---
Let me cover the two most common failure modes I see in Grandstream deployments with external portals.
The first is the redirect not firing. A guest connects to the SSID, opens a browser, and gets a "site can't be reached" error instead of the portal page. The most likely cause is a walled garden misconfiguration. The portal page itself is being blocked pre-authentication. Open your browser developer tools on a test device connected to the guest SSID, look at the network tab, and identify which requests are failing. Add those domains to your pre-authentication rules.
The second failure mode is RADIUS timeout. The AP sends an Access-Request to Purple's RADIUS server and gets no response. This usually means a firewall is blocking UDP port 1812 outbound from the AP's management VLAN to Purple's RADIUS IP range. Check your firewall rules. Purple's RADIUS IP addresses are documented in the Purple admin console under venue settings. Make sure both the primary and secondary RADIUS IPs are permitted.
A third one worth mentioning: Dynamic VLAN not working. Staff connect and land on the wrong VLAN. The most common cause is that Enable Dynamic VLAN is not checked in the SSID settings in GWN Manager. It's a single checkbox that's easy to miss. The second cause is a shared secret mismatch. If the shared secret on the AP doesn't match the one configured in Purple, the AP silently drops the RADIUS response and falls back to the default VLAN.
---
Let me give you two real-world scenarios to make this concrete.
Scenario one: a 120-room hotel. The hotel runs GWN7660 access points managed through GWN dot Cloud. They need a branded guest portal for guests, a secure staff network for front desk and housekeeping, and a separate management VLAN for the property management system.
The configuration uses three SSIDs: Guest WiFi on VLAN 10 with the Purple captive portal policy; Staff WiFi on VLAN 20 with WPA2-Enterprise and PEAP authentication against Purple's RADIUS; and a hidden Management SSID on VLAN 30 for PMS terminals. Dynamic VLAN assignment on the staff SSID means housekeeping devices land on VLAN 21 with restricted internet access, while front desk devices land on VLAN 20 with full access. Purple's analytics dashboard shows the hotel operator daily guest counts, session durations, and opt-in rates for marketing, giving the marketing team the data they need to run targeted campaigns.
Scenario two: a 40-unit build-to-rent apartment block. The operator runs GWN7630 access points with GWN Manager on-premises. Each apartment needs its own isolated network. The operator uses PPSK with RADIUS backend. Purple manages 40 unique tenant credentials, each mapped to a dedicated VLAN. Residents connect to the single "BuildingConnect" SSID using their unit's password. Purple's portal handles the initial onboarding flow, captures resident consent, and provides the operator with occupancy analytics and engagement data. When a resident moves out, the operator revokes their PPSK credential in Purple's admin console, and access is immediately terminated. No need to change the SSID password or reconfigure the APs.
---
Rapid fire. Three questions I get asked constantly on Grandstream deployments.
Question one: Can I use GWN dot Cloud instead of GWN Manager for the Purple integration? Yes. The captive portal configuration in GWN dot Cloud is functionally identical to GWN Manager. The menu paths are the same. The RADIUS and walled garden settings are in the same locations. GWN dot Cloud is the better choice for MSPs managing multiple sites, since you get a single pane of glass across all deployments.
Question two: Does Purple support Grandstream's native analytics alongside its own? Purple replaces the native captive portal analytics with its own, more detailed dataset. You get session counts, dwell times, opt-in rates, demographic data from form fields, and integration with marketing platforms. The native GWN analytics for RF performance, AP health, and client counts remain available in GWN Manager or GWN dot Cloud alongside Purple's portal analytics.
Question three: What firmware version do I need on the GWN APs for PPSK with RADIUS? PPSK with RADIUS backend requires GWN firmware 1.0.19 or higher on the GWN76xx series. Check Grandstream's release notes before deployment. Running outdated firmware is the single most common cause of unexpected behaviour in PPSK deployments.
---
To wrap up. Integrating Grandstream GWN access points with Purple is a straightforward deployment when you follow the right sequence. Configure your RADIUS server settings in the captive portal policy first. Build your walled garden using Purple's domain generator tool. Associate the policy with your guest SSID and enable client isolation. For staff WiFi, enable WPA2-Enterprise with dynamic VLAN assignment. For multi-tenant properties, use PPSK with RADIUS backend and manage credentials centrally through Purple.
The five things to get right: RADIUS on UDP 1812 with a matching shared secret; the walled garden covering all portal asset domains; client isolation enabled on the guest SSID; dynamic VLAN enabled in the SSID settings; and PPSK firmware at version 1.0.19 or higher.
Get those five right, and you have a solid, scalable deployment that will serve your venue for years. Purple's onboarding team can validate your configuration before go-live, and the platform's 99.999% uptime means you're not going to be explaining portal outages to hotel guests at two in the morning.
Thanks for listening. For more technical guides on enterprise WiFi integrations, visit purple dot ai. Next episode, we'll be covering dynamic VLAN assignment with Microsoft Entra ID and Purple's SecurePass feature. Until then.
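The dynamic VLAN attributes and the shared-secret mismatch failure described in the briefing can be checked offline against a captured Access-Accept. The following is an added example, not part of the podcast and not Grandstream or Purple code: it models the standard RFC 2865 Response Authenticator check and the RFC 2868 tunnel attributes. The function names, shared secret, request authenticator and packet are all constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_accept(ident, request_auth, secret, vlan):
    """Constructed sample Access-Accept carrying the three VLAN attributes."""
    vid = str(vlan).encode()
    attrs = (struct.pack("!BBI", TUNNEL_TYPE, 6, 13)        # tag 0 + value 13 (VLAN)
             + struct.pack("!BBI", TUNNEL_MEDIUM_TYPE, 6, 6)  # tag 0 + value 6 (IEEE-802)
             + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(vid)) + vid)
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs

def vlan_from_accept(packet, request_auth, secret):
    """Return the assigned VLAN ID, or None if the reply must be ignored."""
    if len(packet) < 20 or packet[0] != ACCESS_ACCEPT:
        return None
    attrs = packet[20:]
    expected = response_authenticator(packet[0], packet[1], attrs, request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # shared secret mismatch or tampering: discard silently
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None  # malformed attribute
        found[atype] = attrs[pos + 2:pos + alen]
        pos += alen
    ttype, medium = found.get(TUNNEL_TYPE, b""), found.get(TUNNEL_MEDIUM_TYPE, b"")
    if len(ttype) != 4 or int.from_bytes(ttype[1:], "big") != 13:  # tag + 3-byte value
        return None
    if len(medium) != 4 or int.from_bytes(medium[1:], "big") != 6:
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group and group[0] <= 0x1F:
        group = group[1:]  # optional tag byte precedes the VLAN string
    return int(group) if group.isdigit() else None

SECRET = b"constructed-shared-secret"   # constructed value, not a real secret
REQ_AUTH = bytes(range(16))             # constructed Request Authenticator
PACKET = build_accept(7, REQ_AUTH, SECRET, 20)
```

A `None` result with the correct attributes present points at the shared secret rather than the VLAN configuration, which matches the troubleshooting order given in the briefing.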