
RADIUS Configuration Helper and 802.1X Guide

Set up secure WPA2 and WPA3 Enterprise wireless networks integrated with cloud identity providers.

Configure your RADIUS settings

1. Select your technology stack

PEAP-MSCHAPv2 requires users to input their active email and directory password. Easy to set up, but susceptible to credential harvesting.

RADIUS Server Specifications

Configure these cloud authentication servers on your wireless access point controllers.

Primary Server: 185.101.99.1 (Host: radius1.purple.ai)
Secondary Server: 185.101.99.2 (Host: radius2.purple.ai)
Ports: Auth: 1812 | Acct: 1813 (Standard UDP ports)
Shared Secret Key: pUrpLeReSeArCh8021x

Access point controller settings

  1. Log in to the Meraki Dashboard and navigate to Wireless > SSIDs.
  2. Rename SSID to your secure network name and set Association to WPA2-Enterprise with 802.1X or WPA3-Enterprise.
  3. Set IP assignment to Bridge mode to handle dynamic client VLANs.
  4. Under RADIUS servers, click "Add a server" and enter the Primary IP (185.101.99.1) and Secondary IP (185.101.99.2), Port 1812, and your Shared Secret.
  5. Enable RADIUS Accounting, pointing to the same server IPs with Port 1813.
  6. Set RADIUS CoA (Change of Authorization) to Enabled. This is required for session termination and security policies.

Identity directory mapping

  1. Open the Microsoft Entra admin center (Azure Portal).
  2. Navigate to App registrations and register a new enterprise app for Purple WiFi.
  3. Configure API permissions to allow User.Read.All and GroupMember.Read.All.
  4. Set up SCIM provisioning pointing to https://api.purple.ai/scim/v2 using your tenant token to sync user status.
  5. Create security groups (e.g. "WiFi-Users") and assign users to control who can authenticate to the network.

Client device onboarding profiles

Client devices need configuration parameters to trust the RADIUS server certificate silently without displaying security warnings.

Apple macOS & iOS Configuration Profile (.mobileconfig)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDisplayName</key>
      <string>Enterprise WiFi Profile</string>
      <key>PayloadIdentifier</key>
      <string>com.purple.wifi.profile</string>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key>
      <string>A5E81A22-38D4-4903-BB1A-A6C18644A152</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>SSID_STR</key>
      <string>Enterprise-Secure</string>
      <key>HIDDEN</key>
      <false/>
      <key>EncryptionType</key>
      <string>WPA2</string>
      <key>EAPClientConfiguration</key>
      <dict>
        <key>AcceptEAPTypes</key>
        <array>
          <integer>25</integer> <!-- 25 = PEAP, 13 = TLS -->
        </array>
        <key>TLSTrustedServerNames</key>
        <array>
          <string>radius.purple.ai</string>
        </array>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>Enterprise WiFi Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.purple.wifi</string>
  <key>PayloadUUID</key>
  <string>F2B8D432-84E3-40B1-B590-F28B020B0421</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
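
The check below is an added example, not part of the original page or of Purple's tooling: it parses a .mobileconfig with Python's plistlib and reports Wi-Fi payloads whose EAPClientConfiguration leaves RADIUS server trust unpinned. The sample profiles are constructed (the anchor UUID is a placeholder), and make_profile and audit_wifi_profile are hypothetical helper names.

```python
import plistlib

# EAP method numbers from AcceptEAPTypes that carry a user password (25 = PEAP).
PASSWORD_BASED = {25: "PEAP"}

def make_profile(eap):
    """Build a constructed sample .mobileconfig holding one Wi-Fi payload."""
    wifi = {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Enterprise-Secure",
            "EncryptionType": "WPA2", "EAPClientConfiguration": eap}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [wifi]})

def audit_wifi_profile(data):
    """Return findings about RADIUS server trust for each Wi-Fi payload in a profile."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.wifi.managed":
            continue
        ssid = payload.get("SSID_STR", "<no SSID>")
        eap = payload.get("EAPClientConfiguration")
        if eap is None:
            findings.append(f"{ssid}: no EAPClientConfiguration, not an 802.1X profile")
            continue
        methods = [PASSWORD_BASED[t] for t in eap.get("AcceptEAPTypes", [])
                   if t in PASSWORD_BASED]
        suffix = f" (password-based {'/'.join(methods)} in use)" if methods else ""
        # Without trusted names, the expected RADIUS server identity is not checked.
        if not eap.get("TLSTrustedServerNames"):
            findings.append(f"{ssid}: TLSTrustedServerNames missing{suffix}")
        # Without an anchor, trust is not tied to a CA certificate shipped in the profile.
        if not eap.get("PayloadCertificateAnchorUUID"):
            findings.append(f"{ssid}: PayloadCertificateAnchorUUID missing, no CA pinned{suffix}")
        # Explicitly allowing exceptions lets the user accept an unknown server certificate.
        if eap.get("TLSAllowTrustExceptions") is True:
            findings.append(f"{ssid}: TLSAllowTrustExceptions is true{suffix}")
    return findings

# Constructed samples: the EAP settings of the profile above, then a pinned variant.
PAGE_LIKE = make_profile({"AcceptEAPTypes": [25],
                          "TLSTrustedServerNames": ["radius.purple.ai"]})
PINNED = make_profile({"AcceptEAPTypes": [25],
                       "TLSTrustedServerNames": ["radius.purple.ai"],
                       "PayloadCertificateAnchorUUID":
                           ["00000000-0000-0000-0000-000000000001"],  # placeholder UUID
                       "TLSAllowTrustExceptions": False})

if __name__ == "__main__":
    for name, blob in (("page-like", PAGE_LIKE), ("pinned", PINNED)):
        print(name, audit_wifi_profile(blob) or "no findings")
```
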
Windows clients (Group Policy)

Create a Group Policy Object (GPO) under Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (802.11) Policies. Configure the SSID properties to connect automatically to Enterprise-Secure using WPA2-Enterprise or WPA3-Enterprise with EAP-PEAP, specify the trusted Root CA certificate, and lock down trusted server domains to radius.purple.ai.

Android 11+ clients (CA trust)

Android 11 and later versions enforce CA certificate validation. When connecting manually to Enterprise-Secure, users cannot select "Do not validate". They must select Use system certificates, set Domain validation to radius.purple.ai, and configure the EAP method to PEAP or TLS.

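Enterprise Security Configuration Helper

Deploying 802.1X enterprise authentication requires coordinating the identity provider, the RADIUS server, and the wireless access points. This helper provides the IP addresses, ports, and client OS profile settings needed for a secure setup.

Supported configuration parameters

  • Cloud identity provider integration with Microsoft Entra ID and Okta.
  • RADIUS server configuration details for authentication and accounting.
  • Client profile parameters for secure certificates and automated onboarding.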

Need a Cloud RADIUS?

Deploying 802.1X enterprise authentication doesn't require complex on-premises hardware. Purple's integrated Cloud RADIUS syncs directly with Entra ID, Okta, and Google Workspace.
