This disclosure relates generally to information handling systems and, more particularly, to automatic provisioning of multi-tenant wireless local area networks.
As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to users is information handling systems. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may also vary regarding what information is handled, how the information is handled, how much information is processed, stored, or communicated, and how quickly and efficiently the information may be processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.
Shared Wi-Fi networks can present a security concern, especially in a multi-tenant environment. For example, malicious clients can snoop sensitive information and compromise the security of other clients. In a public or shared environment, such as a flexible workspace or a multi-tenant datacenter, end-to-end security is desired and may even be required.
In one aspect, a disclosed method is for automatically provisioning multi-tenant wireless local area networks. In at least some embodiments, the method may include, in an information handling system, detecting initiation, by a client in a given tenant, of a provisioning of a wireless local area network (LAN), and creating, automatically and in response to the detecting, a secure wireless LAN, where the LAN is to be isolated from clients in tenants other than the given tenant. Creating the secure wireless LAN may include allocating a virtual local area network (VLAN) on behalf of the tenant, associating the VLAN with the tenant, and associating a locally unique identifier with the VLAN. The method may also include determining, subsequent to the creating, that a disconnection condition for the VLAN has been met, and dismantling, automatically and in response to the determination, the VLAN, where dismantling the VLAN may include disassociating the locally unique identifier from the VLAN, and deallocating the VLAN.
In any of the disclosed embodiments, detecting initiation, by a client in a given tenant, of a provisioning of a wireless LAN may include receiving from the client, a provisioning packet.
In any of the disclosed embodiments, creating the secure wireless LAN further may include allocating an IP address range for the tenant.
In any of the disclosed embodiments, the method may further include communicating the locally unique identifier to one or more wireless access points.
In any of the disclosed embodiments, detecting initiation, by a client in a given tenant, of a provisioning of a wireless LAN may include receiving a request from the client for creation of a locally unique identifier for a VLAN.
In any of the disclosed embodiments, the method may further include adding, to the VLAN, one or more endpoint devices or shared resources in the information handling system that the client is authorized to access.
In any of the disclosed embodiments, determining that a disconnection condition for the VLAN has been met may include detecting that the client has disconnected from the VLAN.
In any of the disclosed embodiments, determining that a disconnection condition for the VLAN has been met may include determining that a predetermined timeout period or lease period for the VLAN has expired.
In any of the disclosed embodiments, detecting initiation, by a client in a given tenant, of a provisioning of a wireless LAN may include determining, using a near field communication mechanism, that a mobile device of the client is in close proximity to a server in the information handling system, and receiving, from the mobile device, a request to initiate provisioning of a wireless LAN.
In any of the disclosed embodiments, the method may further include adding one or more other clients in the given tenant to the VLAN.
Another disclosed aspect includes an information handling system including at least one wireless access point, and a network subdivided into a plurality of virtual local area networks (VLANs). The information handling system may further include circuitry to detect initiation, by a client in a given tenant, of a provisioning of a wireless local area network (LAN), and to create, automatically and in response to the detection, a secure wireless LAN, where the LAN is to be isolated from clients in tenants other than the given tenant. To create the secure wireless LAN, the information handling system may include circuitry to allocate a VLAN on behalf of the tenant, to associate the VLAN with the tenant, and to associate a locally unique identifier with the VLAN. The information handling system may also include circuitry to determine, subsequent to the creation, that a disconnection condition for the VLAN has been met, and to dismantle, automatically and in response to the determination, the VLAN. To dismantle the VLAN, the information handling system may include circuitry to disassociate the locally unique identifier from the VLAN, and to deallocate the VLAN.
In any of the disclosed embodiments, to detect initiation, by a client in a given tenant, of a provisioning of a wireless LAN, the information handling system may include circuitry to receive from the client, a provisioning packet.
In any of the disclosed embodiments, to create the secure wireless LAN, the information handling system may include circuitry to allocate an IP address range for the tenant.
In any of the disclosed embodiments, the information handling system may further include circuitry to communicate the locally unique identifier to one or more wireless access points.
In any of the disclosed embodiments, to detect initiation, by a client in a given tenant, of a provisioning of a wireless LAN, the information handling system may include circuitry to receive a request from the client for creation of a locally unique identifier for a VLAN.
In any of the disclosed embodiments, the information handling system may further include circuitry to add, to the VLAN, one or more endpoint devices or shared resources that the client is authorized to access.
In any of the disclosed embodiments, to determine that a disconnection condition for the VLAN has been met, the information handling system may include circuitry to detect that the client has disconnected from the VLAN.
In any of the disclosed embodiments, to determine that a disconnection condition for the VLAN has been met, the information handling system may include circuitry to determine that a predetermined timeout period or lease period for the VLAN has expired.
In any of the disclosed embodiments, to detect initiation, by a client in a given tenant, of a provisioning of a wireless LAN, the information handling system may include circuitry to determine, using a near field communication mechanism, that a mobile device of the client is in close proximity to a server in the information handling system, and to receive, from the mobile device, a request to initiate provisioning of a wireless LAN.
In any of the disclosed embodiments, the information handling system may further include circuitry to add one or more other clients in the given tenant to the VLAN.
For a more complete understanding of the present invention and its features and advantages, reference is now made to the following description, taken in conjunction with the accompanying drawings, in which:
In the following description, details are set forth by way of example to facilitate discussion of the disclosed subject matter. It should be apparent to a person of ordinary skill in the field, however, that the disclosed embodiments are exemplary and not exhaustive of all possible embodiments.
As used herein, a hyphenated form of a reference numeral refers to a specific instance of an element and the un-hyphenated form of the reference numeral refers to the collective or generic element. Thus, for example, widget “72-1” refers to an instance of a widget class, which may be referred to collectively as widgets “72” and any one of which may be referred to generically as a widget “72”.
For the purposes of this disclosure, an information handling system may include an instrumentality or aggregate of instrumentalities operable to compute, classify, process, transmit, receive, retrieve, originate, switch, store, display, manifest, detect, record, reproduce, handle, or utilize various forms of information, intelligence, or data for business, scientific, control, entertainment, or other purposes. For example, an information handling system may be a personal computer, a PDA, a consumer electronic device, a network storage device, or another suitable device and may vary in size, shape, performance, functionality, and price. The information handling system may include memory, one or more processing resources such as a central processing unit (CPU) or hardware or software control logic. Additional components of the information handling system may include one or more storage devices, one or more communications ports for communicating with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, and a video display. The information handling system may also include one or more buses operable to transmit communication between the various hardware components.
For the purposes of this disclosure, computer-readable media may include an instrumentality or aggregation of instrumentalities that may retain data and/or instructions for a period of time. Computer-readable media may include, without limitation, storage media such as a direct access storage device (e.g., a hard disk drive or floppy disk), a sequential access storage device (e.g., a tape disk drive), compact disk, CD-ROM, DVD, random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), and/or flash memory (SSD); as well as communications media such as wires, optical fibers, microwaves, radio waves, and other electromagnetic and/or optical carriers; and/or any combination of the foregoing.
Multi-tenancy and security continue to grow in importance as the density of datacenter solutions increases. Servers and chassis are continuing to realize increased compute power and there is a growing desire to subdivide these resources whenever possible. As described herein, an information handling system may, in some embodiments, implement a method for automatically provisioning multi-tenant wireless local area networks and subsequently dismantling them. The disclosed techniques, sometimes referred to as “variable SSID”, may increase the security of “at-the-box” networking solutions and may give the customer greater control over the access to their resources. In at least some embodiments, the disclosed techniques may allow a wireless LAN to be automatically provisioned from a client. In such embodiments, rather than having to request the creation of a wireless LAN from a system administrator, the client may automatically provision the network when joining the network. In some embodiments, this may involve the client providing a provisioning packet, and a secure wireless LAN may be automatically created based on what the client provides to the back end. In some embodiments, the variable SSID approach described herein may be used to create a short-lived, private wireless LAN over which a group of users who are working together in a shared work space can collaborate.
Particular embodiments are best understood by reference to
Turning now to the drawings,
As shown in
In
As depicted in
Also in
In some embodiments, an information handling system may include multiple rack servers, one of which may include an “at-the-box” Wi-Fi network that is configured automatically using near field communication (NFC). In other embodiments, such a rack server may include an “at-the-box” Wi-Fi network that is configured automatically using Bluetooth Low Energy (BLE). In some systems there may be one Wi-Fi Access Point (AP) per rack server. In other systems, such as system 300 illustrated in
As illustrated in
In some embodiments of the present disclosure, an unused VLAN may be allocated for use as a customized, secure Wi-Fi network on behalf of a client or multiple clients of a given tenant. In some embodiments, the VLAN may be allocated for a predetermined fixed timeout period, after which it may be dismantled and its resources returned to a pool for subsequent reallocation. In other embodiments, the VLAN may be allocated to a client or tenant through a lease mechanism, and the lease may be renewable.
In system 400, links 405 connect active chassis 402 and standby chassis 406 to customer network 410 through their respective switches 416. A customer may have access to EC controller SoCs 414-1 and 414-2, and any of the resources 418-1, 420-1, 422-1, and 422-2 over links 405. In system 400, there is one VLAN B on link 411 between switch 416-1 on active chassis 402 and switch 416-3 on standby chassis 406, and a separate VLAN B on link 413 between switch 416-2 on active chassis 404 and 416-4 on standby chassis 408. In system 400, VLAN C provides internal chassis links, such as between the EC controller SoCs 414 and various resources in an active/standby chassis pair. In system 400, VLAN D provides a chassis-to-chassis private link between stacked chassis (shown as link 415). In system 400, LAN A is on links 405, 411, 413 and 415.
In at least some embodiments of the present disclosure, the only link that the customer traffic does not flow on is the link to the “at-the-box” network. In such embodiments, for security reasons, the “at-the-box” network may not be bridged with the normal customer management network. In system 400, VLAN E provides an “at-the-box” network connecting a mobile client to the respective EC controller SoCs 414 and various resources in an active/standby chassis pair through the respective USB and Wi-Fi element 412 in the chassis pair. In some embodiments, VLAN E may go to all ports that also go to other switches. In a given chassis, the MSM 422 may talk to the EC controller SoC 414 to control which VLANs are allowed on the switch ports, including the ports that connect to the access control/servers 418. While
In some embodiments of the present disclosure, a computer network may be partitioned or subdivided into multiple virtual LANs (VLANs), and the VLANs may be isolated from each other in the computer network. In some embodiments, multiple such VLANs may be reserved for specific purposes, while other VLANs may be reserved but unused. For example, a VLAN may be reserved for a customer network, for communication between an active EC and a corresponding standby EC, for an internal chassis VLAN, for a stacked chassis VLAN, for MSM-to-MSM communication, and/or for “at-the-box” Wi-Fi. In some systems, there may be as many as 15 unused reserved VLANs that could be used to create multiple “at-the-box” networks, as described herein. In some embodiments, e.g., in a stacked chassis situation, a master MSM may control all the other MSMs and therefore the entire stack. This master MSM may include circuitry or logic to determine which servers to connect to each of these additional VLANs. The master MSM may control which switch ports allow which VLANs. The master MSM may also manage the servers (e.g., through VLANs C and D) by communicating to the servers that they should connect to those VLANs and by automatically provisioning an IPv6 address on those VLANs. In some embodiments, if the switch port blocks the VLAN to a given server, or if a given server does not connect and acquire an IPv6 address on the VLAN, the “at-the-box” client may not be able to talk to that server.
As depicted in
Method 500 may include (at 506) allocating a reserved, but currently unused, VLAN on behalf of the tenant, and associating the VLAN with the tenant. Method 500 may also include associating a service set identifier (SSID) with the VLAN (as in 508). In some embodiments, the VLAN may be associated with another type of locally unique identifier. In at least some embodiments, the SSID or other locally unique identifier may be automatically generated. For example, it may be automatically generated in response to a request to initiate the provisioning of a wireless LAN. Once the VLAN has been created, method 500 may include (at 510) the client utilizing the Wi-Fi network and/or accessing one or more endpoints or other resources in the VLAN, if there are any.
If (at 512) a disconnection condition is met for the VLAN subsequent to its creation, method 500 may proceed to 514, where the SSID may be automatically disassociated from the VLAN and the VLAN may be automatically deallocated. Otherwise, method 500 may return to 512 and the client may continue to access one or more endpoints or other resources in the VLAN until or unless a disconnection condition is met for the VLAN. In various embodiments, the disconnection conditions may include, but may not be limited to, a client (or all clients) disconnecting from the VLAN, a predetermined fixed timeout period expiring, or a lease expiring without being renewed. In some embodiments, once the VLAN is dismantled, its resources may be returned to a pool of such resources for subsequent reallocation. For example, the VLAN may subsequently be allocated on behalf of another client or tenant and may be associated with a different SSID and Wi-Fi password.
In various embodiments, the variable SSID approach described herein may be employed to automatically create a customized, secure Wi-Fi network and backend routing based on provisioning information provided by the client. This customized network may provide isolation from other clients and may provide end-to-end security.
In the illustrated embodiment, it may be assumed that the user has installed an application on a mobile device that uses near field communication technology to allow the user to establish two-way communication with a server's remote access controller when in close proximity to the server. In the illustrated embodiment, the user may press a button on the front of the chassis to enable Bluetooth Low Energy (BLE), and the user then scans for the chassis using the mobile application. This is illustrated in
For example, in the illustrated embodiment, the Enclosure Controller (EC) Bluetooth daemon informs the Modular Systems Management (MSM) that there is a new client that wants to connect. This is illustrated as the “new user” communication between BLE 604 and MSM 606. As shown at 612, MSM 606 may create a new, random SSID and Wi-Fi password. MSM 606 may then allocate one of the available VLANs (which is connected only to MSM 606) and associate it with the SSID. The Wi-Fi SSID and password may then be returned to the client over Bluetooth. This is illustrated in
Once Wi-Fi client 602 receives the Wi-Fi SSID and password, the client may connect to the provided Wi-Fi (shown as the “connect” operation between Wi-Fi client 602 and Wi-Fi 608) and (at 614) discover the MSM (using, e.g., multicast DNS or an MSM IPv6 address that is provided in the Bluetooth response). At this point, the client may authenticate with MSM 606. This is illustrated in
Following authentication, the client may use the token it received from MSM 606 to configure, monitor, and/or remote desktop into the servers and IOMs that are on the VLAN associated with the client. This is illustrated in
In some embodiments, the techniques described herein for automatically provisioning multi-tenant wireless local area networks may be employed in a multi-tenant environment, such as in a shared work space. For example, employees of the same tenant may want access to each other and to the Internet, but different tenants may need to be kept separate from each other. While it may be possible to create a static SSID allocation for each tenant, that may involve too much overhead for tenants that turn over frequently.
In the illustrated embodiment, a Wi-Fi client 702 may connect to a guest network (shown as open SSID 704). This is illustrated in FIG. by the “connect” and corresponding acknowledge (“ACK”) operations between Wi-Fi client 702 and open SSID 704. Wi-Fi client 702 may also connect to a captive portal 706 that has access to a provisioning server 708. In some embodiments, when the client connects to a captive portal and tries to access any website, it may be redirected to the portal's internal implementation of that web page to verify the user's identity or to perform some other level of authentication. This is illustrated in
In the embodiment illustrated in
The provisioning server 708 may configure the new SSID on all Wi-Fi Access Points (APs) and bridges and may add the SSID to the allocated VLAN. This is illustrated in
The client 702 may also use the new SSID and password to connect to and gain a lease from the DHCP server 714. This is illustrated by the “request IP address” operation between Wi-Fi client 702 and DHCP server 714. In at least some embodiments, Wi-Fi client 702 can give this username and password to other co-workers of the same tenant. In other words, each tenant may be multiple individuals, and those individuals may share an SSID and password to the network in order to share content with each other, while remaining isolated from individuals in other tenants.
In the illustrated embodiment, as clients disconnect from the network (or after some pre-determined amount of time has passed) their leases with the DHCP server will expire. For example, in at least some embodiments, these leases may be for a very short period of time, such as for 30 minutes or an hour, and they may be renewable. When a lease expires without being renewed, the DHCP server 714 may notify the provisioning server 708 of the expiration of the DHCP lease. This is illustrated in
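The allocate/associate/dismantle cycle of method 500 and the lease-expiry teardown just described, as an added simulation that is not part of the disclosure. The class and method names, the pool of 15 VLAN IDs, the 30-minute lease and the SSID format are constructed assumptions; the point it shows is that a reallocated VLAN never carries a previous tenant's SSID or password and that clients of different tenants share no VLAN.

```python
"""Simulation of the 'variable SSID' provisioning flow (hypothetical names throughout)."""
import secrets
import string
from dataclasses import dataclass, field

RESERVED_UNUSED_VLANS = list(range(101, 116))   # constructed: 15 reserved-but-unused VLAN IDs


@dataclass
class WirelessLan:
    tenant: str
    vlan_id: int
    ssid: str                 # the locally unique identifier bound to the VLAN
    password: str
    lease_expires: float      # absolute time (seconds) of the latest DHCP lease
    clients: set = field(default_factory=set)


class ProvisioningServer:
    def __init__(self, vlan_pool, lease_seconds=1800):
        self.free_vlans = list(vlan_pool)   # pool of reserved, currently unused VLANs
        self.lease_seconds = lease_seconds
        self.active = {}                    # ssid -> WirelessLan
        self.ap_config = {}                 # ssid -> vlan_id, as pushed to every AP/bridge

    def provision(self, tenant, client, now):
        """Steps 506/508: take an unused VLAN, bind a fresh random SSID and password to it."""
        if not self.free_vlans:
            raise RuntimeError("no reserved VLAN available for a new tenant network")
        vlan_id = self.free_vlans.pop(0)
        ssid = "wlan-" + secrets.token_hex(4)
        alphabet = string.ascii_letters + string.digits
        password = "".join(secrets.choice(alphabet) for _ in range(16))
        lan = WirelessLan(tenant, vlan_id, ssid, password, now + self.lease_seconds, {client})
        self.active[ssid] = lan
        self.ap_config[ssid] = vlan_id      # SSID configured on all APs and added to the VLAN
        return lan

    def join(self, ssid, password, client, now):
        """A co-worker of the same tenant joins with the shared SSID/password and takes a lease."""
        lan = self.active.get(ssid)
        if lan is None or not secrets.compare_digest(lan.password, password):
            return False
        lan.clients.add(client)
        lan.lease_expires = max(lan.lease_expires, now + self.lease_seconds)
        return True

    def leave(self, ssid, client):
        lan = self.active.get(ssid)
        if lan is not None:
            lan.clients.discard(client)

    def reachable(self, client_a, client_b):
        """Two clients can reach each other only if they sit on a common VLAN."""
        def vlans_of(c):
            return {lan.vlan_id for lan in self.active.values() if c in lan.clients}
        return bool(vlans_of(client_a) & vlans_of(client_b))

    def expire(self, now):
        """Steps 512/514: when every client left or the lease lapsed, unbind the SSID
        and return the VLAN to the pool; returns the VLAN IDs dismantled."""
        dismantled = []
        for ssid, lan in list(self.active.items()):
            if not lan.clients or now >= lan.lease_expires:
                del self.active[ssid]
                del self.ap_config[ssid]
                self.free_vlans.append(lan.vlan_id)
                dismantled.append(lan.vlan_id)
        return dismantled
```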
In at least some embodiments, the variable SSID approach described herein includes the automatic creation of VLANs to isolate tenants on both the wireless segment and on the wired side. In some embodiments, the variable SSID approach described herein allows multiple clients from the same tenant to communicate with each other. As described herein, the variable SSID approach includes automatically creating a virtual wireless network, associating it with a tenant and, potentially, removing the association so that the resources can be used by another tenant. While several specific embodiments of the variable SSID approach are described herein, these are only examples and are not intended to be limiting.
The above disclosed subject matter is to be considered illustrative, and not restrictive, and the appended claims are intended to cover all such modifications, enhancements, and other embodiments which fall within the true spirit and scope of the present disclosure. Thus, to the maximum extent allowed by law, the scope of the present disclosure is to be determined by the broadest permissible interpretation of the following claims and their equivalents, and shall not be restricted or limited by the foregoing detailed description.