Not sure which Purple WiFi access solution is right for your network?
This interactive wizard guides you through a few quick questions about your setup and recommends the best fit, whether you need guest access, staff WiFi, or something else. Answer a few questions, get a personalised recommendation, and discover exactly how to set it up.
Who or what needs to get online?
What do you want this network to do for you?
How should people log in?
How do they get connected today?
Do people move between different buildings or sites?
Do you already run a RADIUS server, or plan to?
What wifi hardware are you running?
Roughly how many people or devices do you expect to connect?
Do these devices keep the same address on your network, or does it change?
A shopping centre runs a weekend campaign. Shoppers tap connect, leave an email for a discount code, and the marketing team walks away with a few thousand new contacts by Monday.
A public library needs people to accept its acceptable use policy before browsing. Everyone sees the terms first, and there is a clear record of who agreed and when.
A local cafe just wants customers online fast, with a friendly welcome screen and nothing to fill in.
This means setting up login through Facebook and Google directly, so people get sent through that provider's sign-in screen before landing on your wifi.
Codes need an email or text service wired into the login page. It takes a little more setup, but you get the most reliable contact details out of the three options.
This is the easiest one to set up. No sign-in provider, nothing stored beyond a simple record of who agreed and when.
A stadium's matchday app quietly connects fans as they walk through the gates. No password prompts, no queuing at a help desk.
Hospital staff sign in automatically on their work laptops and phones, so IT never has to hand out or reset a shared wifi password.
With the app, authentication happens silently in the background - the app makes the calls without prompting users, so WiFi connects automatically every time.
Without an app, this usually runs on a certificate-based login rather than a shared password, so nobody is typing anything in. Alternatively, you can use the Purple App for a ready-made solution with built-in SecurePass support.
Since people are moving between sites, make sure that login trust is shared across every location, not just set up building by building, otherwise roaming breaks.
Since you're not sure about RADIUS yet, here's the setup assuming you don't have one, that's the safer starting point until you confirm.
Since it checks the key itself rather than the device, this holds up fine no matter how many people are connecting. The heavy lifting happens on the RADIUS server, not the access point, so changing addresses do not trip it up.
One thing worth knowing on Catalyst: this only works in local mode, not FlexConnect, so keep that in mind when you plan the setup.
At this size, you can just set this up locally on the Catalyst. No RADIUS needed.
Worth flagging: Catalyst only allows 5 keys locally without RADIUS, so that will not stretch far enough for {sizeLabel}. Adding a RADIUS server (Purple RADIUS is a solid option) removes that limit and lets you set different rules per key too.
Meraki can handle around 5,000 keys locally, so a group this size is going to bump against that ceiling. RADIUS removes the limit entirely.
Meraki handles this fine locally, no RADIUS required, comfortably up to around 5,000 keys, each with its own rules if you need that.
Since you already have RADIUS in place, this scales well past any local limits, and you can push different network rules to each device automatically as it connects.
Most other wifi gear has its own cap on how many keys it can hold locally, so unless this is a really small group, RADIUS is the safer long-term option.
a handful of people
a couple hundred people
a few thousand people
more than a few thousand people
Recommended solution
Recommendation
← Back
Start over
Why this fits
Worth knowing
What this looks like in practice
Other names for this
What's required?
Read more ↗
Copy summary
Copied
Copy this summary:
Book a demo
Purple AI network wizard summary
Recommendation:
https://www.splashaccess.com/request-demo/
https://www.purple.ai/en-gb/speak-to-an-expert
Open guest network
A captive portal splash page is the standard way to welcome public visitors and control network access. It lets you collect their details for marketing, display terms and compliance notices, or simply offer frictionless free WiFi. Visitors see a landing page before they browse-no setup, no passwords, no apps needed. Works on every device out of the box.
- Dedicated Guest SSID
- Access point MAC address
- Supported WiFi hardware (full list here) or Purple Hub
Most people just call this a captive portal or splash page. Cisco calls it Central Web Authentication, Aruba calls it Captive Portal, Ruckus calls it Guest Pass. Same idea, different name depending who you ask.
SecurePass
Your staff and app users get seamless, automatic WiFi access through your custom app using SecurePass. It installs a digital profile once, then connects automatically on every visit - no login screens, no re-authentication. Everything is encrypted and locked down with WPA2/WPA3-Enterprise. Implement via our mobile SDK for full control over the authentication experience.
- An App with SDK capability
- WiFi hardware that supports Passpoint/Hotspot 2.0
- WPA2/WPA3-Enterprise authentication capability
You will also hear this called Passpoint or Hotspot 2.0, which is the industry standard behind it, or see similar tools from Aruba (ClearPass) and Cisco (ISE).
SecurePass
Your staff and app users get an automatic login experience that works seamlessly across your sites. SecurePass uses Passpoint (Hotspot 2.0), an industry standard that installs a digital WiFi profile once-then your device connects automatically on every visit, no login screen, no re-authentication. It keeps everything encrypted and locked down with WPA2/WPA3-Enterprise, perfect for organisations that want enterprise security without the login hassle. Works at home, the office, and 80,000+ OpenRoaming hotspots worldwide.
- WiFi hardware that supports Passpoint/Hotspot 2.0
- WPA2/WPA3-Enterprise authentication capability
- A dedicated SSID (cannot reuse your existing captive portal SSID)
You will also hear this called Passpoint or Hotspot 2.0, which is the industry standard behind it, or see similar tools from Aruba (ClearPass) and Cisco (ISE).
EasyPSK
Modern phones and tablets randomize their WiFi MAC addresses for privacy, so device-based tracking won't work. EasyPSK (or DPSK) solves this by validating the key itself through a RADIUS server, not the device address. Each person or group gets a unique key, and their devices automatically join their own isolated network-no registration needed, no device tracking required. It scales effortlessly as you grow. The RADIUS server handles all the heavy lifting, so changing MAC addresses don't trip it up.
- A RADIUS server for authentication and policy enforcement
- WiFi hardware that supports EasyPSK/DPSK
- Understanding that randomized MAC addresses require RADIUS-based validation
Most of the industry calls this DPSK, a term that came from Ruckus and CommScope. Some vendors just lump it in with iPSK under the broader term MPSK.
A 400 room student halls building hands each resident a unique key at check in. Their phone, console and smart TV all join the same private network automatically, no front desk registration needed, even as their phones quietly change address in the background.
iPSK
For devices with fixed MAC addresses-printers, IoT devices, smart TVs, headless equipment-iPSK gives each device its own identity pre-shared key and puts it on its own isolated network. No login screens, no shared passwords, no cross-device interference. Each key can have its own VLAN and security policies, creating true micro-segmentation. The access point remembers the MAC address and automatically applies the right key and network rules when the device connects. With RADIUS, it scales to thousands of keys with per-device policies; without RADIUS, most hardware can handle 5-5000 keys locally depending on the vendor.
- WiFi hardware that supports iPSK/PPSK
- The ability to register and track fixed MAC addresses for each device
- A RADIUS server (optional for small deployments, required for scale and per-device policies)
Cisco calls this Identity PSK. Aruba and Extreme call the same idea PPSK. You will also see MPSK used as a catch all term covering both this and EasyPSK.
A managed office building hands each tenant company its own wifi key, so their printers, badge readers and staff laptops all sit in their own private network, invisible to everyone else in the building.