Security on a multi-tenant site

Looking for configuration design assistance with a multi-tenant site (in this case, a block of apartments, so low-tech users, and I don't want them to have to authenticate every time they connect, so I would like to build something around PPSK).

I plan to have one campus-wide SSID, so that tenants can connect from anywhere in the campus.  

I then plan to separate client traffic by having multiple PPSK user groups, one for each tenant, with likely just one PPSK user for each tenant/user group, so they can have as many devices as they like. Each Local User Group will be tied to a separate VLAN (e.g. VLANs 11 through 30 for twenty tenants). So the users within one VLAN should be able to communicate with other users on the same VLAN, but not be aware of other tenants. The APs will all feed to an Aerohive switch which will go to a simple router which will host the VLANs and DHCP, and be the gateway to the Internet.

My concern is that if a tenant/intruder in one area of the campus should disconnect their AP and connect a laptop directly in its place, they will bypass the PPSK authentication. If they then send traffic tagged with (say) VLAN 20, they would be able to reach any other tenant also on VLAN 20, thereby compromising the integrity of that tenant.

Any suggestions as to how to get around this?  For example, can anyone suggest a way to ensure that an Aerohive switch port will only accept traffic coming from an Aerohive AP? 


Terence Fleming ThinkWireless, Champ


Posted 4 years ago


Nick Lowe, Official Rep

I think that you are looking for something like an 802.1X supplicant for the wired interfaces, which would at least ensure that the port could require authorisation if something connects to it... even if it is not truly secure in lieu of 802.1X-2010 / MACsec (802.1AE) support:

https://community.aerohive.com/aerohive/topics/implement_and_offer_802_1x_supplicant_for_the_wired_i...

(Unfortunately, this feature has not been implemented yet and I don't know if Aerohive have plans to do so or not. The port that the access point connects to would need to be configured to operate on a whole port rather than MAC-address controlled basis.)

Otherwise, you would be looking for some form of VPN, which would also offer stronger security guarantees.

Terence Fleming ThinkWireless, Champ

Hi Nick, thanks, I think that might do the trick, and have signed up to follow your post requesting this as a Feature Request.


Terence Fleming ThinkWireless, Champ

FYI, this is what I have come up with so far.

One PPSK User / Local User Group / User Profile / VLAN for each apartment.

A GRE tunnel policy in the User Profile to send all traffic from a PPSK authenticated user to a HiveAP 330 which acts as tunnel destination.  

A VLAN for each apartment configured on the DMZ, together with a DHCP server (either on the AP or the firewall/router).

I will not use the AP330 as a router because prior experience suggests that it would become a traffic bottleneck.

All users from Apartment 1 will be able to see the other users on the same VLAN and so will be able to print wirelessly, stream to a TV, etc.  They will not be able to see the users in Apartment 2 who will be on a different VLAN.

If a mischievous tenant unplugs an AP he will get an IP on the native VLAN of the switch port, which will either be null routed (thanks Crowdie for this part) or else will be the rate-limited Internet-only VLAN that guests will be able to use through a "Passcode of the Day".

All the APs will be on their own VLAN so that they can see each other.

This way, if an intruder connects a laptop in place of an Access Point they will not be able to reach the client devices in the other apartments by simply attaching the appropriate VLAN tag to their frames. They will also have to establish a GRE tunnel to the terminating AP.

I still think this is overly complicated, so can anyone see a flaw in this plan, or a simpler method?
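A detection-side complement to the plan above, added here as an example and not part of the thread or of any Aerohive product: since the switch cannot yet authenticate the AP on its port (no wired 802.1X supplicant, as Nick notes), a periodic audit of the MAC table on AP-facing ports at least raises an alert when something other than the inventoried AP appears, or when a tenant VLAN (11 through 30) is learned directly on an AP port instead of arriving through the GRE tunnel. Port names, VLAN ids, MAC addresses and the simplified dump format are all constructed for the example.

```python
"""Audit AP-facing switch ports for the 'laptop in place of an AP' case.

Constructed example: port names, VLAN ids, MAC addresses and the simplified
'port vlan mac' dump format are all invented for illustration.
"""
TENANT_VLANS = set(range(11, 31))  # VLANs 11-30, one per apartment, as in the thread

# Expected AP MAC behind each AP-facing port (constructed inventory).
AP_INVENTORY = {
    "port5": "02:00:5e:00:00:01",
    "port6": "02:00:5e:00:00:02",
    "port7": "02:00:5e:00:00:03",
}

# Constructed MAC-table dump: port6 now shows an unknown device on the
# null-routed native VLAN 999, and port7 shows a non-AP device on VLAN 20.
SAMPLE_MAC_TABLE = """\
port5 100 02:00:5e:00:00:01
port6 999 3c:52:82:11:22:33
port7 20 3c:52:82:44:55:66
port7 100 02:00:5e:00:00:03
"""

def parse_mac_table(text):
    """Yield (port, vlan, mac) from the simplified dump; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1].isdigit():
            yield parts[0], int(parts[1]), parts[2].lower()

def audit_ap_ports(mac_table, inventory=AP_INVENTORY):
    """Return (port, severity, message) findings for AP ports that deviate."""
    findings, seen = [], {}
    for port, vlan, mac in parse_mac_table(mac_table):
        if port not in inventory:          # only AP-facing ports are audited
            continue
        seen.setdefault(port, set()).add(mac)
        if mac != inventory[port]:
            findings.append((port, "high", f"unexpected device {mac} on vlan {vlan}"))
        if vlan in TENANT_VLANS:           # tenant traffic should arrive only via GRE
            findings.append((port, "high", f"tenant VLAN {vlan} learned directly"))
    for port, expected in inventory.items():
        if expected not in seen.get(port, ()):
            findings.append((port, "medium", f"expected AP {expected} not seen"))
    return findings

if __name__ == "__main__":
    for port, severity, message in audit_ap_ports(SAMPLE_MAC_TABLE):
        print(f"{severity:6} {port}: {message}")
```

A clean audit is necessary rather than sufficient, because the address of the AP being replaced can be copied; Nick's point that real port authentication needs 802.1X / MACsec still stands.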