跳至主要內容
繁體中文

MikroTik RouterOS Captive Portal 與 Purple WiFi 整合指南

本技術指南提供將 MikroTik RouterOS 與 Purple 的 WiFi 平台整合的逐步說明。內容涵蓋訪客 WiFi Captive Portal 設定、員工 WiFi 802.1X 驗證,以及使用 Private PSK 進行動態 VLAN 切割的多租戶 WiFi。

📖 4 分鐘閱讀📝 872 字數🔧 2 範例3 練習題📚 8 關鍵定義

收聽此指南

查看播客逐字稿
MikroTik RouterOS Captive Portal and Purple WiFi Integration Guide - Podcast Script [INTRO - approximately 1 minute] Welcome. If you're managing WiFi infrastructure at a hotel, a retail chain, a stadium, or a conference centre, and you're running MikroTik RouterOS, this episode is for you. I'm going to walk you through exactly how to integrate MikroTik's Hotspot Gateway with Purple's guest WiFi platform - covering three distinct use cases: guest WiFi with a captive portal and walled garden, secure staff WiFi using 802.1X, and multi-tenant network segregation using MikroTik's Private Pre-Shared Key feature. This isn't a theoretical overview. By the end of this, you'll have the specific CLI commands, RADIUS attributes, and configuration logic you need to deploy or audit these setups yourself. Let's get into it. [TECHNICAL DEEP-DIVE - approximately 5 minutes] Part one: Guest WiFi and the MikroTik captive portal. MikroTik's Hotspot Gateway is the engine behind guest WiFi redirection on RouterOS. When a visitor connects to your guest SSID, the Hotspot Gateway intercepts their HTTP traffic and redirects them to a splash page - that's your captive portal. Purple hosts that splash page. Your MikroTik router acts as the Hotspot Gateway and RADIUS client. Purple's platform acts as the RADIUS server. Here's how you set it up. First, run the Hotspot Setup wizard from the IP menu in Winbox or via the CLI. You'll assign it to your guest-facing interface - typically a VLAN interface or a bridge port. Set your local address pool, configure your DNS servers, and give the hotspot a DNS name. That DNS name is what guests see in their browser before they authenticate. Once the wizard completes, you need to point the hotspot profile at Purple's RADIUS server. In the CLI, that looks like this: /radius add service=hotspot address=YOUR-PURPLE-RADIUS-IP secret=YOUR-SHARED-SECRET authentication-port=1812 accounting-port=1813 Then enable RADIUS on the hotspot profile: /ip hotspot profile set default use-radius=yes Purple will provide you with the RADIUS IP address, the shared secret, and the splash page URL when you set up your venue in the Purple dashboard. Now, the walled garden. This is critical. Before a guest authenticates, their device needs to be able to reach Purple's splash page and any OAuth providers you're using - Google, Facebook, and so on. Without walled garden entries, the redirect loop breaks and guests can't log in. In RouterOS, you add walled garden entries under IP, Hotspot, Walled Garden. You need to add Purple's splash page domain, any social login domains, and any CDN hosts that serve the login page assets. Purple's documentation lists the exact domains for your region. Add them as IP entries or hostname entries - hostname entries are more resilient when IP addresses change. The key RADIUS attributes Purple returns on a successful authentication include the session timeout, which controls how long a guest stays connected before being prompted again, and optionally a bandwidth rate limit using the Mikrotik-Rate-Limit vendor-specific attribute. This lets you enforce fair-use policies per guest session directly from the Purple dashboard without touching the router config. Part two: Secure Staff WiFi with 802.1X. This is where you move away from shared passwords entirely. IEEE 802.1X is the standard for port-based network access control. On a MikroTik wireless interface, you enable WPA2-Enterprise or WPA3-Enterprise authentication, which means the access point becomes an authenticator - it passes EAP credentials from the staff device to a RADIUS server, which validates them and returns an Access-Accept or Access-Reject. Purple's Staff WiFi product integrates with Microsoft Entra ID, Okta, and Google Workspace as identity providers. When a staff member's device connects, it presents a certificate or username and password via PEAP-MSCHAPv2. Purple's RADIUS server validates that credential against your identity provider in real time. On the MikroTik side, you configure the wireless security profile with authentication-types set to wpa2-eap, and you point the RADIUS client at Purple's server with service=wireless. In CAPsMAN - that's MikroTik's centralised access point management system - you set this at the security configuration level so it applies across all your managed access points consistently. The RADIUS server can return the Mikrotik-Wireless-VLANID attribute to place authenticated staff on a specific VLAN. This is how you enforce network segmentation - finance staff land on VLAN 10, operations on VLAN 20, and so on - all from a single SSID, all driven by identity. For automatic revocation - when a staff member leaves - Purple's integration with your identity provider means that when you disable the account in Entra ID or Okta, the next re-authentication attempt fails and the device is disconnected. No manual router config changes required. Part three: Multi-Tenant WiFi with Private Pre-Shared Keys. This is the most architecturally interesting of the three. Private PSK - sometimes called PPSK or iPSK - lets you run a single SSID where each tenant, resident, or device group connects with a unique passphrase, and each passphrase maps to a different VLAN. On MikroTik, this works through MAC-based RADIUS authentication on the wireless interface. When a device connects, the access point sends the device's MAC address to the RADIUS server as the username. The RADIUS server - either MikroTik's own User Manager in RouterOS 7, or FreeRADIUS - looks up that MAC address and returns two vendor-specific attributes: Mikrotik-Wireless-Psk, which is the per-device passphrase, and Mikrotik-Wireless-VLANID, which places the device on the correct VLAN. The wireless security profile needs radius-mac-authentication set to yes, and the RADIUS client needs service=wireless. In practice, for a build-to-rent property with 200 apartments, you'd pre-register each resident's device MAC addresses in Purple's platform when they move in. Purple maps each MAC to a unique PSK and a VLAN corresponding to that apartment's network segment. The resident connects using their apartment passphrase. Their devices land on an isolated VLAN. Their neighbour's devices are on a completely separate VLAN. Neither can see the other's traffic. For devices that don't support 802.1X - smart TVs, games consoles, IoT devices - this approach is the practical alternative. The device just needs to support WPA2-PSK, which everything does. [IMPLEMENTATION RECOMMENDATIONS AND PITFALLS - approximately 2 minutes] Let me give you the four things that most commonly go wrong in these deployments. First: walled garden gaps. If Purple's splash page fails to load, check your walled garden entries. The most common culprit is a missing CDN domain or a social login redirect that isn't whitelisted. Use the MikroTik torch tool or packet sniffer to watch what DNS queries are being blocked before authentication. Second: RADIUS timeout mismatches. MikroTik's default RADIUS timeout is 1,100 milliseconds. If Purple's RADIUS server is geographically distant or the network path has latency, you'll see intermittent authentication failures. Increase the timeout to 3,000 milliseconds and configure a backup RADIUS server for resilience. Third: VLAN filtering not enabled on the bridge. Dynamic VLAN assignment via RADIUS only works if bridge VLAN filtering is enabled. This is a RouterOS requirement. If you're seeing all clients land on the default VLAN regardless of what RADIUS returns, check that vlan-filtering=yes is set on your bridge interface. Fourth: CAPsMAN version mismatch. If you're running a mix of CAPsMAN version 2 and version 3 managed access points, VLAN tagging behaviour can differ. Standardise on RouterOS 7 with CAPsMAN version 3 across your AP estate before deploying dynamic VLAN features. One architectural recommendation: run your guest, staff, and management traffic on separate VLANs from day one, even if you're not using all three Purple use cases immediately. Retrofitting VLAN segmentation onto a flat network is significantly more disruptive than building it in from the start. [RAPID-FIRE Q AND A - approximately 1 minute] Can I use MikroTik's built-in User Manager instead of an external RADIUS server? Yes, for smaller deployments. User Manager in RouterOS 7 supports PEAP-MSCHAPv2 for wireless 802.1X and can return the Mikrotik-Wireless-VLANID attribute. For production deployments with Purple, you'll use Purple's hosted RADIUS infrastructure, which handles the identity provider integration and session management for you. Does Purple support MikroTik CAPsMAN? Yes. Purple is hardware-agnostic. The integration works at the RADIUS and hotspot redirect level, so it's compatible with standalone MikroTik access points and CAPsMAN-managed deployments equally. What RouterOS version do I need? RouterOS 7.x is recommended for all three use cases covered in this guide. Dynamic VLAN assignment via wireless RADIUS and the updated User Manager are RouterOS 7 features. RouterOS 6.x supports hotspot and basic RADIUS authentication but lacks some of the wireless VLAN capabilities. [SUMMARY AND NEXT STEPS - approximately 1 minute] To summarise: MikroTik RouterOS gives you three distinct integration points with Purple. The Hotspot Gateway handles guest WiFi redirection and captive portal authentication. The wireless 802.1X configuration with RADIUS handles secure staff WiFi with identity-based access. And MAC-based RADIUS authentication with Private PSK handles multi-tenant network segregation for residential and mixed-use properties. The common thread across all three is RADIUS. Get your RADIUS client configuration right - correct IP, correct shared secret, correct service type, correct timeout - and the rest follows. Your next steps: log into your Purple dashboard, navigate to the venue configuration, and grab your RADIUS credentials. Then follow the CLI commands in the written guide to configure your hotspot profile, your wireless security profile, and your walled garden entries. Test with a single access point before rolling out to your full estate. If you're deploying this at scale - multiple sites, hundreds of access points - Purple's Professional Services team can support the rollout. Purple runs across 80,000 live venues globally, with 99.999% uptime, and is certified to ISO 27001, GDPR, and Cyber Essentials. Thanks for listening. The full written guide with all CLI commands, RADIUS attribute tables, and worked examples is linked in the show notes.

header_image.png

執行摘要

將 MikroTik RouterOS 與 Purple 整合,可在訪客、員工和多租戶環境中建立統一且以身分為導向的網路。本指南提供在 MikroTik 硬體上部署 Purple 雲端重疊網路所需的具體設定邏輯。您將學習如何設定 RouterOS Hotspot Gateway 以進行 Guest WiFi 重新導向、實作 IEEE 802.1X 以提供安全的 Staff WiFi,以及部署 Private Pre-Shared Keys (PPSK) 來隔離 Multi-Tenant WiFi 流量。

透過遵循這些部署模式,您可以在安全分割網路的同時,收集 WiFi 分析 的第一方數據。Purple 在 2024 年處理了 4.4 億次登入,可用性達 99.999%,使此架構非常適合 零售餐旅交通運輸 等高密度環境。

技術深入探討

Guest WiFi:Captive Portal 與 Walled Garden

MikroTik Hotspot Gateway 會攔截未經驗證的 HTTP 流量,並將其重新導向至 Purple 託管的 Captive Portal。Purple 充當 RADIUS 伺服器,處理驗證和工作階段管理。

為確保 Captive Portal 正確載入,您必須設定 walled garden。這允許在驗證前存取 Purple 的歡迎頁面(splash page)網域、內容傳遞網路 (CDN) 和 OAuth 供應商(例如 Google Workspace 和 Microsoft Entra ID)。若沒有這些項目,重新導向迴圈將會中斷。

驗證成功後,Purple 的 RADIUS 伺服器會傳回標準屬性,包括用於強制執行連線限制的 Session-Timeout,以及可選擇用於直接從 Purple 儀表板強制執行頻寬限制的 Mikrotik-Rate-Limit

Staff WiFi:802.1X 驗證

對於 Staff WiFi,您可透過部署 IEEE 802.1X 來消除共用密碼。MikroTik 存取點充當驗證器,將 EAP 憑證傳遞給 Purple 的 RADIUS 伺服器。Purple 與 Microsoft Entra ID、Okta 和 Google Workspace 原生整合,透過 PEAP-MSCHAPv2 或 EAP-TLS 驗證憑證。

當員工連線時,Purple 的 RADIUS 伺服器可以傳回 Mikrotik-Wireless-VLANID 屬性。這會指示 MikroTik 路由器將已驗證的裝置分配到特定的 VLAN,從而透過單一 SSID 實現基於角色的網路分割。如需更廣泛的安全標準概述,請參閱 企業 WiFi 安全:2026 年完整指南

Multi-Tenant WiFi:Private PSK (PPSK)

多租戶環境需要安全隔離,而無需 802.1X 的複雜性,因為許多消費級裝置(例如智慧電視和遊戲主機)並不支援它。MikroTik 透過基於 MAC 的 RADIUS 驗證支援 Private PSK (PPSK)。

當裝置連線到 SSID 時,MikroTik 路由器會將裝置的 MAC 位址傳送給 Purple。Purple 會傳回 Mikrotik-Wireless-Psk 屬性(該租戶的唯一密碼金鑰)和 Mikrotik-Wireless-VLANID 屬性。此架構允許數百個租戶共用單一 SSID,同時保持在完全隔離的網路泡泡中。

architecture_overview.png

實作指南

1. 設定 RADIUS 用戶端

首先,在 RouterOS 中將 Purple 定義為 RADIUS 伺服器。這適用於所有三種使用案例。

/radius
add address=YOUR-PURPLE-RADIUS-IP secret=YOUR-SHARED-SECRET service=hotspot,wireless authentication-port=1812 accounting-port=1813 timeout=3000ms

2. Guest WiFi Hotspot 設定

在您的訪客 VLAN 介面上執行 Hotspot 設定精靈,然後在產生的設定檔中啟用 RADIUS 驗證。

/ip hotspot profile
set [ find default=yes ] use-radius=yes radius-accounting=yes

設定 walled garden 以允許存取 Purple 的基礎設施。

/ip hotspot walled-garden
add action=allow dst-host=*purple.ai
add action=allow dst-host=*purpleportal.net

3. Staff WiFi 802.1X 設定

將無線安全性設定檔設定為使用 WPA2-Enterprise,並將其指向 RADIUS 伺服器。

/interface wireless security-profiles
add authentication-types=wpa2-eap eap-methods=passthrough mode=dynamic-keys name=staff-8021x radius-mac-authentication=no

確保已啟用橋接 VLAN 篩選,以支援動態 VLAN 分配。

/interface bridge
set bridge1 vlan-filtering=yes

4. Multi-Tenant PPSK 設定

對於 PPSK,請在無線安全性設定檔上啟用 MAC 驗證,並設定 MAC 位址格式。

/interface wireless security-profiles
add authentication-types=wpa2-psk mode=dynamic-keys name=multi-tenant-ppsk radius-mac-authentication=yes radius-mac-format=XX:XX:XX:XX:XX:XX

ppsk_vlan_diagram.png

最佳實踐

  • 標準化使用 RouterOS 7:與 RouterOS 6 相比,透過無線 RADIUS 進行的動態 VLAN 分配在 RouterOS 7 中要穩定得多。
  • 增加 RADIUS 逾時時間:預設的 MikroTik RADIUS 逾時時間為 1100ms。將此值增加到 3000ms,以防止因網路延遲引起的間歇性驗證失敗。
  • 使用主機名稱 Walled Garden 項目:對於 walled garden 項目,請一律使用 dst-host 代替 dst-address,因為雲端基礎設施的 IP 位址會變經常變更。
  • 啟用橋接 VLAN 過濾:透過 RADIUS (Mikrotik-Wireless-VLANID) 進行的動態 VLAN 分配需要在橋接介面上設定 vlan-filtering=yes

疑難排解與風險緩釋

如果 Captive Portal 無法載入,幾乎可以肯定圍牆花園(walled garden)設定不完整。請使用 MikroTik Torch 工具監控訪客 VLAN 上未經身分驗證之用戶端被丟棄的 DNS 查詢。將缺失的網域新增至圍牆花園中。

如果 802.1X 用戶端無法通過驗證,請驗證共用金鑰,並確保 RADIUS 用戶端已配置 service=wireless。檢查 Purple 控制面板記錄,以確認 Access-Reject 是源自 Purple 還是您的身分識別提供者。

如果用戶端已通過驗證但取得錯誤的 IP 位址,請確認已啟用橋接 VLAN 過濾,且 DHCP 伺服器已正確繫結至動態分配的 VLAN 介面。

投資報酬率 (ROI) 與業務影響

在您的 MikroTik 基礎架構中部署 Purple,能將成本中心轉化為營收來源。透過收集第一方數據,場所可以建立詳細的數位輪廓並自動執行行銷活動。例如,Avanti West Coast 透過掌握回頭客與追加銷售機會,創造了 463% 的投資報酬率。

此外,身分導向的網路運作可降低 IT 開銷。透過 Entra ID 自動化 Staff WiFi 的入職與離職流程,可免除手動密碼管理的麻煩;而適用於 Multi-Tenant WiFi 的 PPSK 則能讓物業經理在無需為每個單元部署專用硬體的情況下,配置隔離的網路。

關鍵定義

Hotspot Gateway

A RouterOS feature that intercepts unauthenticated HTTP traffic and redirects it to a captive portal splash page.

Used to capture guest data and enforce terms of service before granting internet access.

Walled Garden

A list of allowed destinations that unauthenticated users can access.

Critical for allowing guests to reach the Purple splash page, CDNs, and OAuth providers (like Google) to complete the login process.

802.1X

An IEEE standard for port-based network access control that provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

Used for secure Staff WiFi, allowing authentication via Entra ID or Okta instead of a shared password.

Private PSK (PPSK)

A security architecture where multiple unique Pre-Shared Keys are used on a single SSID, often tied to specific MAC addresses and VLANs.

Ideal for Multi-Tenant WiFi, providing isolated network bubbles for residents and their consumer devices.

RADIUS

Remote Authentication Dial-In User Service. A networking protocol that provides centralised Authentication, Authorization, and Accounting (AAA) management.

The core protocol linking MikroTik hardware to Purple's cloud platform for identity validation.

VLAN Filtering

A RouterOS bridge setting that enforces VLAN tagging and untagging rules on bridge ports.

Must be enabled for dynamic VLAN assignment via RADIUS to function correctly.

CAPsMAN

Controlled Access Point system Manager. MikroTik's centralised wireless management system.

Used to deploy consistent wireless security profiles and RADIUS settings across multiple access points.

EAP-TLS

Extensible Authentication Protocol - Transport Layer Security. A highly secure authentication method requiring client-side certificates.

Supported by Purple for zero-trust Staff WiFi deployments where passwordless authentication is required.

範例

A 200-room hotel needs to deploy secure Staff WiFi across their MikroTik access points. They want finance staff on VLAN 10 and operations staff on VLAN 20, using their existing Microsoft Entra ID credentials.

  1. Integrate Purple with Microsoft Entra ID in the Purple dashboard.
  2. Configure the MikroTik RADIUS client to point to Purple with service=wireless.
  3. Create a MikroTik wireless security profile with authentication-types=wpa2-eap.
  4. Enable vlan-filtering=yes on the MikroTik bridge.
  5. In Purple, map the Entra ID 'Finance' group to return Mikrotik-Wireless-VLANID=10 and the 'Operations' group to return Mikrotik-Wireless-VLANID=20.
考官評語: This approach uses IEEE 802.1X for secure, passwordless authentication. By relying on Entra ID groups and RADIUS attributes, the network dynamically segments traffic at the edge, reducing the attack surface and eliminating manual VLAN configuration on the router.

A build-to-rent property manager needs to provide isolated WiFi networks for 50 apartments using a single SSID broadcast from MikroTik CAPsMAN.

  1. Configure the MikroTik wireless security profile for the SSID with authentication-types=wpa2-psk and radius-mac-authentication=yes.
  2. Ensure the RADIUS client is configured with service=wireless pointing to Purple.
  3. In the Purple dashboard, register the MAC addresses of the residents' devices.
  4. Assign a unique PSK and VLAN ID to each apartment in Purple.
  5. When a device connects, Purple returns the Mikrotik-Wireless-Psk and Mikrotik-Wireless-VLANID attributes, placing the device in its isolated network bubble.
考官評語: This Private PSK (PPSK) architecture provides enterprise-grade isolation while supporting consumer devices that lack 802.1X capabilities. It scales efficiently and allows centralised management via Purple.

練習題

Q1. You have configured the MikroTik Hotspot Gateway and pointed it to Purple's RADIUS server. Guests connect to the SSID, but their browsers display a timeout error instead of the Purple splash page. What is the most likely configuration error?

提示:Consider what must happen before the guest authenticates.

查看標準答案

The walled garden is misconfigured or missing entries. Without allowing access to Purple's splash page domains and associated CDNs in the /ip hotspot walled-garden, the unauthenticated guest cannot load the login page, resulting in a timeout.

Q2. A retail chain wants to deploy Staff WiFi using 802.1X and Entra ID. They configure `authentication-types=wpa2-eap` and set up the RADIUS client. However, authentication fails. You check the RADIUS client configuration and see `service=hotspot`. How do you resolve this?

提示:Different wireless authentication methods require different RADIUS service types in RouterOS.

查看標準答案

Change the RADIUS client configuration to include service=wireless. The hotspot service type is only used for captive portal authentication. 802.1X and MAC authentication require the wireless service type.

Q3. You are deploying Multi-Tenant WiFi using Private PSKs. Purple successfully returns the `Mikrotik-Wireless-Psk` and `Mikrotik-Wireless-VLANID` attributes, and the device connects. However, the device receives an IP address from the default management subnet, not the isolated tenant subnet. What RouterOS setting is missing?

提示:Dynamic VLAN assignment requires the bridge to process VLAN tags.

查看標準答案

Bridge VLAN filtering is disabled. You must set vlan-filtering=yes on the bridge interface. Without this, the bridge ignores the dynamic VLAN tag assigned by RADIUS, and the traffic falls back to the default untagged PVID.

繼續閱讀本系列

Alta Labs 與 Purple WiFi 整合:設定與 Captive Portal 配置

本技術參考指南涵蓋了 Alta Labs AP6 和 AP6 Pro 基地台與 Purple 雲端託管 Captive Portal 的端到端整合。本指南詳細介紹了外部重新導向配置、RADIUS 驗證、Walled Garden 需求,以及使用 AltaPass 私有預先共用金鑰(PPSK)的多租戶區隔。場地營運商和 IT 團隊將獲得一份適用於餐旅、零售和智慧辦公環境的可重複部署指南。

閱讀指南 →

Arista Cognitive Wi-Fi 與 Purple WiFi 整合

本技術指南詳細介紹了 Arista Cognitive Wi-Fi (CV-CUE) 與適用於企業場域的 Purple 訪客 WiFi 平台的逐步整合過程。內容涵蓋 Arista Captive Portal 設定、Walled Garden ACL 設計、RADIUS 伺服器設定、安全的員工 802.1X 驗證,以及使用 Arista PPSK 搭配動態 VLAN 導向的多租戶 (Multi-Tenant) 隔離——為 IT 團隊和網路架構師提供決定性的部署藍圖。

閱讀指南 →

WatchGuard Firebox 與 Purple WiFi 整合:設定與組態指南

本指南是為部署 WatchGuard Firebox 和 Access Points 與 Purple 整合的 IT 經理和網路架構師提供的逐步整合手冊。內容涵蓋 Guest WiFi 的外部 Captive Portal 重新導向、Staff WiFi 的安全 802.1X 驗證,以及使用 WatchGuard 私有預先共用金鑰 (PPSK) 搭配動態 VLAN 導向的多租戶區隔,為您在所有存取層級提供單一、整合的架構。

閱讀指南 →