跳至主要內容
繁體中文

Designing WiFi Networks for Multi-Tenant Office Buildings

本指南為 IT 經理、網路架構師和 CTO 提供了一個與廠商無關的藍圖,用於在多租戶辦公大樓中設計具備可擴充性、安全且隔離的 WiFi 網路。內容涵蓋 IEEE 802.1Q 下的 VLAN 區段劃分、透過 802.1X 和 RADIUS 進行的動態 VLAN 分配、高密度環境的射頻(RF)規劃,以及 GDPR 和 PCI DSS 下的合規性考量。場地營運商和建築經理將能從中獲得具體可行的架構指導、實際案例研究,以及在部署前應避免的配置陷阱。

📖 9 分鐘閱讀📝 2,022 字數🔧 2 範例4 練習題📚 10 關鍵定義

收聽此指南

查看播客逐字稿
PURPLE TECHNICAL BRIEFING Designing WiFi Networks for Multi-Tenant Office Buildings Full Transcript [SECTION 1: INTRODUCTION AND CONTEXT - 1 MINUTE] Welcome to the Purple Technical Briefing. I'm a Senior Solutions Architect at Purple, and today we're getting into one of the most technically demanding deployment scenarios in enterprise networking: designing WiFi networks for multi-tenant office buildings. Whether you're responsible for a grade-A commercial tower with fifteen independent tenants, a mixed-use development combining retail and office space, or a flexible coworking campus, the challenge is fundamentally the same. You need to deliver reliable, secure, isolated connectivity to multiple independent organisations over a single shared physical network. And you need to do it in a way that satisfies compliance requirements, keeps your support desk quiet, and doesn't require a full-time engineer to maintain. Let's get into the technical architecture. [SECTION 2: TECHNICAL DEEP-DIVE - 5 MINUTES] The foundation of any multi-tenant WiFi design is network segmentation. The primary mechanism for achieving that is VLAN tagging, standardised under IEEE 802.1Q. The concept is straightforward: you assign each tenant, or each traffic class, to a distinct virtual LAN. Traffic on VLAN 10 cannot reach traffic on VLAN 20 unless you explicitly permit it through a firewall policy. That logical isolation is your first line of defence. Now, here's where architects often make their first mistake. They conflate VLAN segmentation with security. VLANs provide isolation, not security. You still need firewall policies between VLANs. You still need access control lists. And you still need to think carefully about what inter-VLAN routing you permit. A misconfigured trunk port can collapse your entire segmentation model in seconds. In a multi-tenant office building, you typically have a shared physical infrastructure: cabling, switch fabric, and access points serving multiple tenants. The access points broadcast multiple SSIDs, each mapped to a different VLAN. Tenant A connects to their SSID, their traffic is tagged with VLAN 10 at the access point, traverses the shared switch fabric on a trunk port, and arrives at the distribution layer where it's routed into Tenant A's isolated subnet. Tenant B's traffic follows the same physical path but is completely isolated at Layer 2. Now, historically, network engineers segmented environments by creating a unique SSID for every tenant. But SSID proliferation is a performance killer. Every SSID you broadcast must transmit management frames, called beacons, at the lowest basic mandatory data rate. If you're broadcasting six or seven SSIDs on an access point, you can easily consume twenty to thirty percent of your available wireless airtime just on management overhead. That's before a single byte of actual user data is transmitted. The modern enterprise standard is Dynamic VLAN Assignment. Instead of multiple SSIDs, you broadcast one secure SSID using IEEE 802.1X authentication. When a user connects, their device exchanges credentials with a RADIUS server. The RADIUS server authenticates the user and sends an Access-Accept message back to the access point. Critically, this message includes specific IETF standard attributes: the Tunnel-Type, the Tunnel-Medium-Type, and the Tunnel-Private-Group-ID, which contains the specific VLAN ID for that user's organisation. The access point receives these attributes and dynamically drops that user's traffic directly into their dedicated VLAN. A corporate executive and an IoT device can connect to the exact same SSID, but their traffic is completely isolated at Layer 2. For authentication, WPA3-Enterprise is now the recommended encryption standard. It provides 192-bit security mode and eliminates the vulnerabilities associated with WPA2's four-way handshake. Identity providers like Microsoft Entra ID, Okta, or Google Workspace integrate with your RADIUS infrastructure to manage credentials centrally. Now let's talk about RF planning, because this is where multi-tenant office deployments get genuinely complex. When you have multiple tenants in adjacent spaces, you have a high-density RF environment. Co-channel interference is your enemy. You need a proper RF planning exercise before deployment: an active site survey that maps signal propagation, identifies interference sources, and informs your channel allocation strategy. The 2.4 GHz band gives you three non-overlapping channels in most regulatory domains: channels 1, 6, and 11. The 5 GHz band gives you significantly more capacity. WiFi 6E extends this into the 6 GHz band, giving you clean spectrum largely free from legacy device interference. For new multi-tenant deployments, specifying WiFi 6E capable access points from vendors like Cisco Meraki, HPE Aruba, Ruckus, or Juniper Mist is the right call. The additional spectrum headroom pays dividends in dense environments. IoT is the other dimension you cannot ignore. In a modern multi-tenant building, you have building management systems, HVAC controllers, smart lighting, access control, and CCTV. These must be on their own isolated VLAN, completely separated from both tenant traffic and guest traffic. IoT devices are notoriously difficult to patch and represent a significant attack surface. Segment them, monitor them, and apply strict egress filtering. [SECTION 3: IMPLEMENTATION RECOMMENDATIONS AND PITFALLS - 2 MINUTES] Let me share the three most common pitfalls I see in multi-tenant deployments. The first is insufficient trunk port configuration. Architects design a beautiful VLAN scheme and then forget to explicitly permit the relevant VLANs on every trunk link in the path. Traffic silently drops, tenants complain, and the support team spends days tracing the issue. Document your trunk configurations meticulously and validate them during commissioning. The second pitfall is SSID proliferation. Keep your SSID count to no more than four per radio. Use Dynamic VLAN Assignment via RADIUS attributes rather than separate SSIDs to serve multiple tenants. The third pitfall is neglecting the management plane. Your management VLAN, the one your access points, switches, and controllers communicate on, must be completely isolated from all tenant and guest VLANs. If a tenant can reach your management plane, you have a critical security vulnerability. I'd also add a fourth: neglecting DHCP lease time management on guest VLANs. In high-turnover environments, devices hold leases after disconnecting. Set guest VLAN lease times to one to two hours to prevent IP address exhaustion. [SECTION 4: RAPID-FIRE Q AND A - 1 MINUTE] Let me run through a few questions that come up consistently in these deployments. Do you need separate physical access points per tenant? No. That's the whole point of VLAN-based multi-tenancy. Multiple tenants share the same access point, with traffic isolation enforced at the network layer. How do you handle legacy IoT devices that don't support 802.1X? Use MAC Authentication Bypass combined with WPA3-SAE. The RADIUS server identifies the device by its MAC address and assigns it to an isolated IoT VLAN. Apply strict firewall rules to this segment. Does Dynamic VLAN Assignment affect roaming? Not if you configure it correctly. Enable 802.11r for Fast BSS Transition and Opportunistic Key Caching. Authentication state is cached across your access points, and users roam seamlessly without re-authentication delays. [SECTION 5: SUMMARY AND NEXT STEPS - 1 MINUTE] To bring this together: a well-designed multi-tenant WiFi architecture for an office building is built on four pillars. First, rigorous VLAN segmentation with enforced firewall policies between segments. Second, centralised controller-based management that gives you operational visibility and policy control at scale. Third, a proper RF planning exercise that accounts for the physical environment and the density of the deployment. And fourth, a security model that addresses authentication, encryption, IoT isolation, and compliance requirements from day one. The organisations that get this right see measurable outcomes: reduced support overhead, faster tenant onboarding, demonstrable compliance posture for audits, and the ability to monetise connectivity as a service rather than treating it as a cost centre. If you're planning a multi-tenant deployment and want to explore how Purple's platform can provide the analytics, Guest WiFi management, and tenant-level reporting layer on top of your network infrastructure, visit purple dot ai. The resources linked in the guide are a good starting point. Thanks for listening. Until next time.

header_image.png

執行摘要

對於管理多租戶辦公大樓的 CTO 和網路架構師而言,挑戰顯而易見:如何在單一共享的實體網路上,為多個獨立組織提供可靠、安全且隔離的連線。在多租戶環境中,扁平式網路架構是一個嚴重的隱患。它會擴大您在 GDPR 和 PCI DSS 下的合規範圍,使租戶面臨橫向安全威脅,並產生隨著租戶數量增加而急劇上升的維運負擔。

本指南提供了一個與廠商無關的藍圖,用於設計多租戶 WiFi 架構。透過實作 IEEE 802.1Q VLAN 區段劃分、經由 802.1X 的動態 VLAN 分配以及嚴格的射頻(RF)規劃,您可以消除 SSID 激增問題、減少高達 20% 的空口時間(airtime)開銷,並確保租戶之間嚴格的 Layer 2 隔離。我們詳細介紹了技術標準、跨廠商(包括 Cisco Meraki、HPE Aruba、Ruckus 和 Juniper Mist)的硬體考量,以及保護基礎設施安全所需的路由策略。只要實作得當,此架構可降低支援開銷、簡化合規性稽核,並使您能夠將網路連線轉化為可獲利的服務(connectivity as a service)。

技術深度解析

為什麼不應使用扁平式網路

扁平式網路會將所有設備(不論租戶、流量類型或安全級別)置於單一廣播網域中。每個設備都會接收到所有的廣播封包。一旦訪客設備遭到入侵,即可掃描並存取 POS 終端、建築管理系統和企業工作站。這會使您的整個網路都落入 PCI DSS 的稽核範圍內。這並非理論上的風險。這是許多在無線網路密度成為設計考量之前就已完成佈線的多租戶大樓的預設狀態。

解決方案是邏輯分割。您不需要為每個租戶提供獨立的實體基礎設施。您需要的是設計正確的 VLAN 架構、配置妥當的防火牆以及集中式管理平台。

IEEE 802.1Q 與 VLAN 標記

虛擬區域網路(VLAN)在 IEEE 802.1Q 標準下進行了規範,允許您將單一實體交換器架構分割為多個隔離的邏輯網路。當用戶端連線到 WiFi 存取點(AP)時,AP 會使用 12 位元的 VLAN 識別碼(VID)來標記該用戶端的資料訊框。交換器會讀取此標記,並確保來自某個 VLAN 的流量絕不會被轉發到另一個 VLAN 的連接埠,除非防火牆有明確的路由規則。

一棟標準的多租戶辦公大樓至少需要四個 VLAN:

VLAN 流量類別 路由策略
VLAN 10 企業租戶 A 僅限網際網路 + 租戶專屬資源
VLAN 20 企業租戶 B 僅限網際網路 + 租戶專屬資源
VLAN 30 訪客 WiFi (Captive Portal) 僅限網際網路,完全無法存取任何租戶 VLAN
VLAN 40 IoT 與 BMS 僅限流向指定的管理平台

對於租戶較多的建築,您可以擴充此模型。每個新增的租戶都會分配到一個專屬的 VLAN 和對應的防火牆策略。實體基礎設施則維持共享。

vlan_architecture_diagram.png

透過 802.1X 和 RADIUS 進行動態 VLAN 分配

過去,網路工程師會為每個租戶建立獨立的 SSID。這種方法會降低效能。每個 SSID 都會以最低的基本強制資料速率廣播管理訊框(信標,beacons),以確保舊型設備能夠連線。在單一存取點上廣播六或七個 SSID,在傳輸任何使用者資料之前,就可能消耗 20% 到 30% 的可用無線空口時間。在高密度的多租戶大樓中,這是無法接受的。

現代標準是動態 VLAN 分配。您可以使用 IEEE 802.1X 驗證來廣播單一安全的 SSID。當使用者連線時,其設備(要求端,supplicant)會透過存取點(驗證端,authenticator)與 RADIUS 伺服器交換憑證。RADIUS 伺服器會向身分識別提供者(如 Microsoft Entra ID、Okta 或 Google Workspace)驗證憑證,並將 Access-Accept 訊息傳回給存取點。此訊息包含三個 IETF 標準 RADIUS 屬性:

  • Tunnel-Type (屬性 64):設定為 VLAN
  • Tunnel-Medium-Type (屬性 65):設定為 802
  • Tunnel-Private-Group-ID (屬性 81):該使用者所屬組織的特定 VLAN ID

存取點接收這些屬性,並動態地將使用者的流量分配到其專屬的 VLAN 中。租戶 A 的員工和租戶 B 的員工連線到同一個 SSID。他們的流量在 Layer 2 被完全隔離。交換器處理它們的方式,就像它們插在完全獨立的實體網路上。

對於訪客區段,請將流量透過專屬的訪客 VLAN 路由至 Captive Portal。Purple 的 Guest WiFi 平台可在隔離的區段上處理符合 GDPR 規範的同意管理、安全上網引導以及 WiFi Analytics ,且完全無法路由存取企業網路。如需存取控制架構的更廣泛概述,請參閱我們的 網路存取控制系統指南

WPA3-Enterprise 與加密標準

WPA3-Enterprise 是多租戶部署推薦的加密標準。它提供 192 位元安全性模式,消除了 WPA2 四向交握中的漏洞,並強制執行 IEEE 802.11w 規範下的保護管理訊框(PMF)。對於處理付款卡資料或敏感企業資訊的環境,WPA3-Enterprise 搭配 EAP-TLS(基於憑證的雙向驗證)能完全消除憑證遭竊的管道。

對於不適合部署憑證的訪客區段,WPA3-SAE (Simultaneous Authentication of Equals) 可提供正向加密(forward secrecy),確保即使工作階段金鑰遭到破解,也不會洩露歷史流量。

高密度環境中的射頻(RF)規劃

同頻干擾 (CCI) 是多租戶辦公大樓中 WiFi 效能不佳的主要原因。當相鄰的無線基地台(AP)在相同的頻段通道上進行廣播時,裝置必須等待空閒的空中傳輸時間(airtime)才能進行傳送。在擁有多個租戶且裝置密度極高的建築物中,未經規劃的通道分配會造成擁擠的 RF 環境,這是再多頻寬也無法解決的。

在部署之前,必須進行實地的動態 RF 場地勘測(site survey)。廠商提供的訊號覆蓋圖通常過於樂觀。您需要在實體空間中進行實際的訊號測量,並將牆壁材質、地板結構以及鄰近建築物的 RF 環境納入考量。

rf_planning_heatmap.png

在大多數法規網域中,2.4 GHz 頻段提供三個不重疊的通道(1、6 和 11)。5 GHz 頻段則提供顯著更多的容量。WiFi 6E 延伸至 6 GHz 頻段,提供乾淨且基本上不受舊版裝置干擾的頻譜。對於新的多租戶部署,指定使用支援 WiFi 6E 的 Cisco Meraki、HPE Aruba、Ruckus、Juniper Mist 或 Ubiquiti UniFi 無線基地台,可提供高密度環境所需的頻譜餘裕。

物聯網(IoT)隔離

現代辦公大樓包含建築管理系統、HVAC 控制器、智慧照明、門禁控制和 CCTV。這些裝置眾所周知難以修補漏洞,且構成了龐大的攻擊面。它們必須被隔離在具有嚴格輸出過濾(egress filtering)的專用 VLAN 中,僅允許向其指定的管理平台進行外網通訊。對任何租戶 VLAN 的路由存取權限必須為零。對訪客 VLAN 的路由存取權限也必須為零。無論是從安全性還是 GDPR 的角度來看,這都是不可妥協的。

實作指南

步驟 1:在接觸硬體之前,先設計您的邏輯架構。 規劃您的租戶數量、流量類別(企業、訪客、IoT、付款、管理),並分配 VLAN。記錄您的 IP 位址規劃方案。定義您的跨 VLAN 路由原則:哪些可以互相通訊,而哪些是絕對禁止的。

步驟 2:委託進行動態 RF 場地勘測。 不要依賴廠商的訊號覆蓋圖。您需要在實體空間中進行實際的訊號測量,以作為 AP 部署和通道分配的依據。

步驟 3:使用「預設拒絕」(Default-Deny)原則設定您的核心防火牆。 預設封鎖所有跨 VLAN 路由。僅新增明確且針對特定連接埠的例外狀況。每個跨 VLAN 路徑都必須有合理依據並記錄在案。

步驟 4:在所有 Trunk 連接埠上停用 VLAN 1。 將 Trunk 連接埠上的 Native VLAN 變更為未使用的、不可路由的 VLAN ID。這可以防止利用預設 Native VLAN 的 VLAN 跳躍攻擊(VLAN hopping attacks)。

步驟 5:驗證 Trunk 連接埠設定。 在從無線基地台到分佈層(distribution layer)路徑上的每個 Trunk 連結上,明確允許所有必要的 VLAN ID。遺失 VLAN 標籤會導致無聲的流量丟棄(silent traffic drops),這需要花費大量時間進行診斷。

步驟 6:部署集中式雲端管理。 來自 Cisco Meraki、HPE Aruba、Juniper Mist 和 Ruckus 的平台提供了針對每個 SSID 的頻寬原則、針對每個租戶的報表,以及與您的 RADIUS 基礎架構的整合。在沒有控制器的情況下管理分散式 AP 資產,其營運開銷在規模擴大時是無法承受的。

步驟 7:設定每個區段的 DHCP 租期。 企業 VLAN:8 到 24 小時。訪客 WiFi VLAN:1 到 2 小時。訪客區段的短租期可防止在高流動率環境中出現 IP 位址耗盡的情況。

步驟 8:隔離管理層面(management plane)。 您的管理 VLAN 必須與所有租戶和訪客 VLAN 完全隔離。對管理流量套用嚴格的 ACL。如果租戶可以連入您的管理層面,代表您存在嚴重的安全性漏洞。

最佳實踐

下表總結了符合規範的多租戶 WiFi 部署之關鍵設定標準。

控制措施 標準 原理
VLAN 分割 IEEE 802.1Q 租戶之間的 Layer 2 隔離
驗證 搭配 WPA3-Enterprise 的 IEEE 802.1X 消除憑證遭竊的管道
動態 VLAN 分配 搭配 Tunnel 屬性的 RADIUS 減少 SSID 數量,保留空中傳輸時間
訪客登入 包含 GDPR 同意書的 Captive Portal 合規性與數據收集
IoT 隔離 具有輸出 ACL 的專用 VLAN 限制未修補裝置的攻擊面
RF 規劃 動態場地勘測 減輕同頻干擾
漫遊 802.11r 快速 BSS 切換 跨 AP 的無縫切換
Native VLAN 不可路由、未使用的 VLAN ID 防止 VLAN 跳躍攻擊

對於 旅宿業 部署,訪客 VLAN 隔離至關重要。對於 零售業 環境,將 POS 終端隔離在專用 VLAN 上可直接縮小 PCI DSS 稽核範圍。對於 交通運輸 樞紐和 醫療保健 機構,適用相同的分割原則,但需額外注意同時連線的數量和裝置類型的多樣性。

對於考慮使用衛星 WAN 上行鏈路的場域,Purple 的 如何在 Starlink 上設定 Captive Portal 指南涵蓋了針對偏遠和海洋環境的特定考量事項。

疑難排解與風險緩釋

無聲流量丟棄。 多租戶部署中最常見的故障模式。由 Trunk 連接埠上遺失 VLAN 標籤所引起。使用者透過 802.1X 成功通過驗證, RADIUS 伺服器會將其分配至 VLAN 40,但 trunk 連接埠不允許 VLAN 40。流量因而中斷。使用者無法取得 IP 位址。請務必仔細記錄 trunk 設定,並在啟用偵錯時進行驗證。

SSID 激增。 您廣播的每個 SSID 都會消耗信標框架(beacon frames)的無線電傳輸時間。在密集環境中,每個 AP 廣播 8 到 10 個 SSID 會降低所有人的網路效能。請將每個無線電頻段的 SSID 數量控制在不超過 4 個。請使用透過 RADIUS 屬性的動態 VLAN 分配(Dynamic VLAN Assignment),而非使用獨立的 SSID 來服務多個租戶。

管理層面暴露。 如果您的管理 VLAN 未隔離,取得其存取權限的租戶就可以修改 AP 設定、中斷服務或攔截管理流量。請盡可能使用頻外管理(out-of-band management)。對所有管理介面套用嚴格的 ACL。

IoT 裝置激增。 大樓營運商經常在未通知網路團隊的情況下新增 IoT 裝置。請實施網路存取控制 (NAC) 策略,要求在任何新裝置於 IoT VLAN 上取得 IP 位址之前,必須獲得明確授權。

訪客 VLAN 上的 DHCP 耗盡。 在高流動性的環境中,裝置在斷開連線後仍會保留 DHCP 租約。一個 /24 子網路提供 254 個位址。在繁忙的會議中心或共享工作空間中,這些位址很快就會耗盡。請將租約時間設定為 1 到 2 小時,並調整訪客 VLAN 子網路的大小以容納高峰期的同時連線裝置數量。

投資報酬率 (ROI) 與業務影響

妥善分割的多租戶 WiFi 架構可在三個維度上帶來可衡量的成效。

降低合規成本。 根據 Purple 的實際部署數據,將 POS 和付款終端機隔離在具有嚴格防火牆控制的專用 VLAN 上,可將 PCI DSS 稽核範圍縮減約 70%。這直接降低了年度稽核成本以及 IT 團隊編寫合規文件所需的時間。

營運效率。 集中式雲端管理可降低與管理分散式 AP 資產相關的營運成本 (OpEx)。零接觸部署(Zero-touch provisioning)、全域策略執行以及針對每個租戶的報表,免除了現場修改設定的需求。新租戶的啟用時間從幾天縮短到幾小時。

創造營收。 安全、高效能的網路使大樓營運商能夠將連線能力轉化為服務並從中獲利。分級頻寬方案、針對每個租戶的服務層級協定 (SLA) 以及由數據分析驅動的洞察,將 WiFi 從成本中心轉變為營收來源。Purple 在全球超過 80,000 個實體場域營運,並在 2024 年處理了 4.4 億次登入(Purple 內部數據,2024 年),為大規模支援此模式提供了分析基礎架構。

如需進一步瞭解 WiFi 連線如何支援更廣泛的數位包容目標,請參閱我們關於 World WiFi Day 2026 的文章。如需瞭解與多站點部署相關的 WAN 架構考量入門知識,請參閱我們的 WAN 電腦定義指南

關鍵定義

IEEE 802.1Q

The networking standard that defines VLAN tagging for Ethernet frames. It adds a 4-byte tag to each frame containing a 12-bit VLAN Identifier (VID), allowing switches to maintain multiple isolated broadcast domains over shared physical infrastructure.

The foundational protocol for multi-tenant network segmentation. Every enterprise switch and access point supports 802.1Q. Without it, logical isolation between tenants is impossible.

Dynamic VLAN Assignment

A method where a RADIUS server assigns a specific VLAN to a user or device upon successful 802.1X authentication, using IETF RADIUS attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) to instruct the access point which VLAN to place the user into.

The standard approach for serving multiple tenants from a single SSID. Eliminates SSID proliferation and preserves wireless airtime while maintaining full Layer 2 isolation between tenants.

IEEE 802.1X

The IEEE standard for port-based Network Access Control (PNAC). It defines a three-party authentication model: the supplicant (client device), the authenticator (access point or switch), and the authentication server (RADIUS). The authenticator blocks all traffic until the supplicant is authenticated.

The authentication framework used to enforce Dynamic VLAN Assignment. Required for WPA3-Enterprise deployments. Integrates with identity providers including Microsoft Entra ID, Okta, and Google Workspace.

RADIUS

Remote Authentication Dial-In User Service. A networking protocol that provides centralised Authentication, Authorisation, and Accounting (AAA) management. In WiFi deployments, the RADIUS server validates user credentials and returns VLAN assignment attributes to the access point.

The server infrastructure that enforces Dynamic VLAN Assignment. Can be deployed on-premises or as a cloud service. Integrates with identity providers via LDAP, SAML, or SCIM.

Co-channel interference (CCI)

Interference caused when two or more access points broadcast on the same frequency channel within range of each other. Devices must wait for clear airtime before transmitting, reducing effective throughput for all users on that channel.

The primary cause of poor WiFi performance in dense multi-tenant buildings. Mitigated through active RF site surveys and careful channel allocation across the 2.4 GHz, 5 GHz, and 6 GHz bands.

Native VLAN

The VLAN on an 802.1Q trunk port that carries untagged traffic. By default, most switches use VLAN 1 as the native VLAN, creating a well-known attack vector for VLAN hopping.

A security risk that must be addressed in every multi-tenant deployment. Change the native VLAN on all trunk ports to an unused, non-routable VLAN ID to prevent VLAN hopping attacks.

Captive portal

A web page that a user must interact with before being granted network access. In WiFi deployments, the user connects to an open or WPA2-Personal SSID, is redirected to a splash page for authentication or terms acceptance, and is then granted internet-only access on an isolated VLAN.

The standard onboarding mechanism for Guest WiFi segments. Enables GDPR-compliant consent collection, identity verification, and analytics. Must be deployed on a VLAN with zero routing access to corporate or tenant networks.

WPA3-Enterprise

The latest WiFi security protocol for enterprise networks, standardised by the Wi-Fi Alliance. Provides 192-bit cryptographic strength (CNSA suite), requires 802.1X authentication, mandates Protected Management Frames (PMF) under IEEE 802.11w, and eliminates the vulnerabilities in WPA2's four-way handshake.

The recommended encryption standard for multi-tenant corporate WiFi segments. Required for environments handling payment card data or sensitive corporate information. Supported by all major enterprise AP vendors.

EAP-TLS

Extensible Authentication Protocol - Transport Layer Security. A certificate-based 802.1X authentication method that requires both the client and the RADIUS server to present X.509 digital certificates, providing mutual authentication and eliminating password-based credential theft.

The most secure 802.1X authentication method. Used in high-security multi-tenant environments where credential theft is a primary concern. Requires a Public Key Infrastructure (PKI) to issue and manage client certificates.

MAC Authentication Bypass (MAB)

A fallback authentication method that uses a device's MAC address as its identity when the device does not support 802.1X. The RADIUS server looks up the MAC address and assigns the device to a predefined VLAN.

Used for IoT devices, printers, and other equipment that cannot perform 802.1X authentication. Because MAC addresses can be spoofed, MAB must always be combined with strict firewall rules on the assigned VLAN.

範例

A 350-room hotel group with 12 properties needs to secure its network. Currently, guest smartphones, staff laptops, POS terminals, and building management systems all share a single flat network. The IT team spends 40 hours monthly on PCI DSS compliance documentation because the entire network is in scope. The CTO wants to reduce compliance overhead and improve security posture before the next audit.

Deploy a four-VLAN architecture using IEEE 802.1Q across all 12 properties via a centralised cloud management platform. Assign VLANs as follows: VLAN 10 for Staff Corporate (802.1X authenticated, routed to internal resources and internet), VLAN 20 for Guest WiFi (captive portal, internet only), VLAN 30 for POS Terminals (802.1X authenticated, routed only to payment processor endpoints), and VLAN 40 for IoT and BMS (MAC Authentication Bypass, egress to BMS management platform only). Configure a Default-Deny firewall policy between all VLANs. Integrate Purple's Guest WiFi platform on VLAN 20 for GDPR-compliant consent management and analytics. Validate trunk port configurations on every switch in the path during commissioning.

考官評語: This approach reduces PCI DSS audit scope by approximately 70% by isolating the POS segment. The strict firewall policy prevents lateral movement from a compromised guest device to payment infrastructure. The IT team recovers the 40 hours monthly previously spent on compliance documentation. The centralised cloud management platform enables consistent policy enforcement across all 12 properties without on-site visits.

A coworking operator manages a 15-floor office building with 40 independent member companies. Each company needs its own isolated WiFi network. The current architecture broadcasts a separate SSID per company, resulting in 40 SSIDs per floor. WiFi performance is poor across the building despite a 10 Gbps fibre uplink. The network team wants to resolve performance issues without replacing hardware.

Consolidate to a single secure SSID using WPA3-Enterprise and IEEE 802.1X authentication. Deploy a RADIUS server integrated with the building's identity provider (Microsoft Entra ID or Okta). Configure the RADIUS server to return Dynamic VLAN Assignment attributes (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) for each authenticated user, placing them into their company's dedicated VLAN. Retain a separate Guest WiFi SSID with a captive portal for visitor access. This reduces the SSID count from 40 to two per radio. Conduct an active RF site survey to validate channel allocation and AP placement following the SSID consolidation.

考官評語: Reducing the SSID count from 40 to two per radio eliminates the beacon management overhead that was consuming 20% to 30% of available airtime. Average client throughput increases significantly. The Dynamic VLAN Assignment approach maintains full Layer 2 isolation between all 40 member companies without any change to the physical infrastructure. The RF site survey ensures channel allocation is optimised following the configuration change.

練習題

Q1. You are deploying WiFi for a new mixed-use building with 20 independent retail tenants on the ground floor and 10 office tenants on floors 1 to 5. The building owner wants each tenant to have their own secure WiFi network, plus a shared Guest WiFi network for visitors. What is the most efficient architectural approach, and what is the maximum number of SSIDs you should broadcast per access point?

提示:Consider the impact of broadcasting 30 separate SSIDs on wireless airtime. Think about how Dynamic VLAN Assignment can serve multiple tenants from a single SSID.

查看標準答案

Deploy a single secure SSID using WPA3-Enterprise and IEEE 802.1X authentication for all corporate tenants. Use a RADIUS server integrated with the building's identity provider to perform Dynamic VLAN Assignment, placing each tenant's devices into their own isolated VLAN upon authentication. Deploy a second SSID for Guest WiFi with a captive portal. This results in two SSIDs per radio, well within the four-SSID maximum. Each of the 30 tenants receives a dedicated VLAN with a corresponding Default-Deny firewall policy. The Guest WiFi VLAN has zero routing access to any tenant VLAN.

Q2. During a post-deployment audit of a multi-tenant office building, you discover that traffic from the Guest WiFi VLAN (VLAN 30) can successfully ping devices on the IoT VLAN (VLAN 40). Both are on separate VLANs. What is the most likely cause, and what is the immediate remediation step?

提示:VLANs separate broadcast domains at Layer 2. What handles traffic routing between different subnets at Layer 3?

查看標準答案

The core router or firewall is missing a Default-Deny inter-VLAN routing policy. By default, routers pass traffic between all connected subnets. The immediate remediation is to configure an explicit Deny rule on the firewall blocking all traffic from VLAN 30 to VLAN 40. Audit all other inter-VLAN routing policies at the same time to confirm no other unintended paths exist. The long-term fix is to implement a Default-Deny policy across all VLANs with only explicit, documented exceptions permitted.

Q3. A tenant in a multi-tenant office building reports that their devices can authenticate to the WiFi network successfully, but they never receive an IP address and cannot access the internet. Other tenants on the same access points are working normally. The RADIUS server logs show successful authentication and a VLAN 50 assignment for the affected tenant. What is the first configuration you should check?

提示:Think about the physical path that VLAN-tagged traffic takes from the access point to the core switch. What must be configured on that path for VLAN 50 traffic to pass?

查看標準答案

Check the 802.1Q trunk port configuration on the switch port connected to the access point. Verify that VLAN 50 is explicitly listed as an allowed VLAN on the trunk. If VLAN 50 is not permitted on the trunk, the switch drops all VLAN 50 tagged frames, and the client never receives a DHCP response. Add VLAN 50 to the trunk's allowed VLAN list and verify the client receives an IP address. Also confirm that a DHCP scope exists for the VLAN 50 subnet.

Q4. A building operator wants to add 50 new IoT sensors to monitor energy consumption across a multi-tenant office building. The sensors do not support 802.1X authentication. How should you onboard these devices securely, and what firewall policy should apply to their VLAN?

提示:Consider the authentication method available for devices that cannot perform 802.1X, and the security implications of that method.

查看標準答案

Use MAC Authentication Bypass (MAB) to onboard the IoT sensors. Register each sensor's MAC address in the RADIUS server and configure the server to assign authenticated MAC addresses to the dedicated IoT VLAN (e.g., VLAN 40). Because MAC addresses can be spoofed, apply strict egress firewall rules to VLAN 40: permit outbound traffic only to the designated energy management platform IP addresses, and block all other outbound and all inbound traffic. Apply strict ACLs to prevent any device on VLAN 40 from initiating connections to any tenant VLAN or the management VLAN.

繼續閱讀本系列

Mean time to innocence: how to prove it's not the WiFi

平均證明清白時間 (MTTI) 是一項關鍵指標,定義了 IT 團隊花費多少時間來證明網路問題並非其責任。本指南詳細介紹了一套包含五個步驟的可觀測性方法論,旨在消除多租戶環境中的推諉現象,以共享證據取代互相指責,從而降低平均修復時間 (MTTR)。

閱讀指南 →

VLAN Segmentation Best Practices for Multi-Tenant Environments

本指南為 IT 經理、網路架構師、CTO 及場域營運總監提供了一份權威且不綁定特定廠商的藍圖,用於在多租戶 WiFi 環境中實施 VLAN 區隔。內容涵蓋 IEEE 802.1Q 標準、透過 802.1X 與 RADIUS 進行的動態 VLAN 分配,以及針對旅宿業、零售業、體育場館和公共部門場域的逐步部署指南。妥善的 VLAN 區隔是符合 PCI DSS 與 GDPR 合規性、防止橫向移動,以及在共享物理基礎設施上提供高效能無線連線的基礎控制措施。

閱讀指南 →

Dynamic Pre-Shared Keys (DPSK) for Multi-Tenant Security

本權威技術參考指南深入探討動態預共用金鑰 (DPSK),將其視為多租戶 WiFi 環境中替代 802.1X 的高安全性、低阻力方案。書中詳細介紹了底層架構、廠商實作、動態 VLAN 導向以及由 API 驅動的生命週期自動化。IT 經理與網路架構師將能從中獲得部署 DPSK 的實用指引,以實現強大的租戶隔離、法規遵循以及無縫的裝置上網引導。

閱讀指南 →