Security and Hardware Compatibility


This article covers SecurePass security architecture and which networking hardware supports it. Before enabling SecurePass, confirm your access points meet the Passpoint / Hotspot 2.0 requirements listed below.

Security architecture

SecurePass uses WPA2/WPA3-Enterprise with 802.1X mutual authentication - the same security standard used in corporate and cellular networks.

Radio-layer encryption
All traffic between the device and the access point is encrypted, using keys established during 802.1X authentication. Unlike open networks, data is never transmitted in the clear.
Mutual authentication
Both the device and the network verify each other using digital certificates. Devices only connect to networks presenting a valid, trusted certificate.
Evil twin prevention
Rogue or spoofed access points are blocked at the authentication stage. Visitors cannot be tricked into joining a malicious network on your premises.

Encryption: WPA2/WPA3-Enterprise
Auth protocol: 802.1X (EAP-TLS / EAP-TTLS)
RADIUS primary: rad1-secure.purple.ai
RADIUS secondary: rad2-secure.purple.ai
Auth port: 2083 (RADSEC) or 1812 (RADIUS)
Acct port: 2083 (RADSEC) or 1813 (RADIUS)
Realm: securewifi.purple.ai
Domain/FQDN: securewifi.purple.ai

SSID configuration

SecurePass requires a dedicated SSID - separate from your existing captive portal SSID. Key requirements:

WPA2/WPA3-Enterprise
Set the SSID security mode to WPA2/WPA3-Enterprise, not WPA2-Personal or Open.
Hotspot 2.0 / Passpoint enabled
Enable Hotspot 2.0 on the SSID. Without this, devices will not auto-discover the network.
Do not hide the SSID
If the SSID is hidden, enrolled devices will not auto-connect. The SSID must be broadcast for Passpoint discovery to work.

For step-by-step vendor configuration, see Hardware vendor guides
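
The following preflight check is an added example, not SecurePass or vendor code: it tests an SSID definition against the SSID requirements and RADIUS settings listed above. The dict field names are hypothetical, and it assumes both RADIUS servers should be configured and that a WPA2-only or WPA3-only Enterprise mode is acceptable.

```python
# Added example: preflight check of an SSID definition against the requirements on this page.
# The dict field names (security, hotspot20, hidden, ...) are hypothetical, not a vendor schema.

EXPECTED_SERVERS = {"rad1-secure.purple.ai", "rad2-secure.purple.ai"}
EXPECTED_REALM = "securewifi.purple.ai"
# Assumption: WPA2-only or WPA3-only Enterprise also satisfies the Enterprise requirement.
ENTERPRISE_MODES = {"WPA2-Enterprise", "WPA3-Enterprise", "WPA2/WPA3-Enterprise"}
# transport -> (auth port, accounting port), as listed in the settings above
PORTS = {"RADSEC": (2083, 2083), "RADIUS": (1812, 1813)}


def check_ssid(cfg):
    """Return a list of findings; an empty list means every listed requirement is met."""
    findings = []
    if cfg.get("security") not in ENTERPRISE_MODES:
        findings.append("security mode must be WPA2/WPA3-Enterprise")
    if not cfg.get("hotspot20", False):
        findings.append("Hotspot 2.0 / Passpoint is not enabled")
    if cfg.get("hidden", False):
        findings.append("SSID is hidden; it must be broadcast")
    configured = {s.lower().rstrip(".") for s in cfg.get("radius_servers", [])}
    missing = EXPECTED_SERVERS - configured
    if missing:
        findings.append("missing RADIUS server(s): " + ", ".join(sorted(missing)))
    transport = str(cfg.get("transport", "")).upper()
    if transport not in PORTS:
        findings.append("transport must be RADSEC or RADIUS")
    elif (cfg.get("auth_port"), cfg.get("acct_port")) != PORTS[transport]:
        findings.append("%s expects auth/acct ports %d/%d" % ((transport,) + PORTS[transport]))
    if str(cfg.get("realm", "")).lower() != EXPECTED_REALM:
        findings.append("realm must be " + EXPECTED_REALM)
    return findings


# Constructed sample inputs (not taken from any real deployment).
GOOD = {"security": "WPA2/WPA3-Enterprise", "hotspot20": True, "hidden": False,
        "radius_servers": ["rad1-secure.purple.ai", "rad2-secure.purple.ai"],
        "transport": "RADSEC", "auth_port": 2083, "acct_port": 2083,
        "realm": "securewifi.purple.ai"}
# Common mistakes: open security mode, hidden SSID, one server, RADSEC with RADIUS ports.
BAD = {"security": "Open", "hotspot20": False, "hidden": True,
       "radius_servers": ["rad1-secure.purple.ai"],
       "transport": "radsec", "auth_port": 1812, "acct_port": 1813,
       "realm": "securewifi.purple.ai"}

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ssid(cfg) or "OK")
```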

Hardware requirements

SecurePass requires your access points to support Passpoint / Hotspot 2.0. The table below lists certified vendors and their minimum firmware requirements.

Vendor | Models | Minimum requirement | Status
Cisco Meraki | MR Series APs | Any firmware | Certified
Cisco Catalyst | IOS-XE WLC | IOS-XE v16.10+ or AireOS v8.2.100.0+ | Certified
Aruba (HP) | Instant (IAP) or Controller | v6.5.0.0+ | Certified
Ubiquiti UniFi | UniFi Controller / UDM | Controller v7.0+ · AP firmware v6.6.75+ | Certified
Ruckus | SmartZone / ZoneDirector | SmartZone v3.0+ or ZoneDirector v9.8+ | Certified
TP-Link Omada | EAP Controller | v3.1.13+ or v4/v5 | Certified
Juniper Mist | Mist-managed APs | All models | Certified
Fortinet | FortiGate / FortiCloud | FortiGate v5.6.0+ | Certified

Not on the list? If your AP supports Passpoint / Hotspot 2.0 and WPA2/WPA3-Enterprise, it is likely compatible. View all supported hardware
