Linux AD Authentication Deployment - Xianming Ding Request

Executive Summary

Deployment Type: Linux Research Workstation with AD SSH Authentication

Request Origin: Xianming Ding (Research Computing)

Problem Statement: Linux research workstations under the Research_Onboard dACL authenticate successfully via 802.1X EAP-TLS, but SSH logins with AD credentials fail because the dACL contains no ACEs permitting Kerberos/LDAP traffic from the workstation to the domain controllers.

Solution: Deploy hardened dACL that permits AD authentication traffic while blocking lateral movement.

Pattern Validation: Completed in home enterprise (see linux-ad-auth-dacl runbook)

ISE Objects: dACL + Authorization Profile + Rule

Zero-Trust: RFC1918 deny with explicit AD DC permits

This runbook was validated in the Domus Digitalis home enterprise before CHLA production deployment.

Pattern validation reference: ise-linux component, linux-ad-auth-dacl runbook

Device Information

Field            Value
Request ID       XIANMING-LINUX-2026-02
Owner            Dr. Xianming Ding
Department       Research Computing
Location         TBD
MAC Address      <MAC-ADDRESS> (fill when known)
Switch           <SWITCH-NAME> (fill when known)
Port             <INTERFACE> (fill when known)
Current Policy   Research_Onboard (AD SSH blocked)
Target Policy    Linux_Research_AD_Auth (hardened)

Architecture Context

The Problem

Figure 1. Current Research_Onboard dACL - AD authentication blocked

The Solution

Figure 2. Target Linux_Research_AD_Auth dACL - Zero-trust with AD permits

Required AD Ports

Port   Protocol   Purpose
53     UDP/TCP    DNS to Domain Controller
88     UDP/TCP    Kerberos authentication
389    TCP        LDAP (directory services)
636    TCP        LDAPS (TLS-encrypted LDAP)
445    TCP        SMB/CIFS (AD group policy, file shares)
3268   TCP        Global Catalog
3269   TCP        Global Catalog (TLS)

Caveat (not part of the validated list above): sssd/realmd discover DCs and their site with CLDAP pings over UDP 389, so a TCP-only 389 permit can leave discovery slow or failing, and Kerberos rejects tickets when the workstation clock drifts more than 5 minutes from the DC, so the workstation's NTP source (UDP 123) must also be reachable under the new dACL. Password changes from the workstation would additionally need kpasswd (464 TCP/UDP). Verify these against the workstation's actual configuration before treating the table as complete.

Prerequisites

CHLA Infrastructure Details (FILL BEFORE DEPLOYMENT)

Component        Value
Primary DC       <DC-HOSTNAME> / <DC-IP-1>
Secondary DC     <DC-HOSTNAME-2> / <DC-IP-2> (if applicable)
AD Domain        la.ad.chla.org
Kerberos Realm   LA.AD.CHLA.ORG
DNS Servers      10.112.142.41, 10.112.142.42
ISE PSN          <ISE-PSN-IP-1>, <ISE-PSN-IP-2>
Policy Set       Wired Dot1X Closed (or applicable set)
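Before the dACL file is handed to netapi, it is worth checking offline that it actually permits every flow in the Required AD Ports table to every DC and still denies the rest of RFC1918 under IOS first-match evaluation. The following is an added example written for this runbook; it is not code from the original page, from netapi, or from Cisco. render_dacl() builds the Linux_Research_AD_Auth ACEs from the port table and the CHLA DNS servers listed above, and lint() evaluates the result the way the switch would. The DC addresses 10.0.0.11 and 10.0.0.12 are placeholders standing in for <DC-IP-1> and <DC-IP-2>; MISORDERED_DACL is a constructed failure case, not anything observed at CHLA.

```python
"""Offline lint for an ISE dACL before it is created with netapi.

Added example for this runbook, not part of the original page or of netapi.
render_dacl() emits the Linux_Research_AD_Auth ACEs from the port table and
the CHLA DNS servers; lint() evaluates them with IOS first-match semantics and
reports any required AD flow that is blocked and any RFC1918 probe that is not.
The DC addresses 10.0.0.11 / 10.0.0.12 are placeholders (assumptions).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# "Required AD Ports" table: (protocol, port) the workstation must reach on every DC.
AD_PORTS = [("udp", 53), ("tcp", 53), ("udp", 88), ("tcp", 88), ("tcp", 389),
            ("tcp", 636), ("tcp", 445), ("tcp", 3268), ("tcp", 3269)]
DNS_PORTS = [("udp", 53), ("tcp", 53)]
DC_IPS = ["10.0.0.11", "10.0.0.12"]            # placeholders for <DC-IP-1>, <DC-IP-2>
DNS_IPS = ["10.112.142.41", "10.112.142.42"]   # CHLA DNS servers from the prerequisites
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Ace:
    action: str                  # permit | deny
    proto: str                   # ip | tcp | udp | icmp
    dst: ipaddress.IPv4Network
    port: Optional[int]          # None = any destination port


def render_dacl(dc_ips=DC_IPS, dns_ips=DNS_IPS) -> str:
    """Host permits first, RFC1918 denies last. The source is always 'any'
    because the switch substitutes the authenticated client's address."""
    lines = [f"permit {proto} any host {ip} eq {port}"
             for ip in dns_ips for proto, port in DNS_PORTS]
    lines += [f"permit {proto} any host {ip} eq {port}"
              for ip in dc_ips for proto, port in AD_PORTS]
    lines += ["deny ip any 10.0.0.0 0.255.255.255",
              "deny ip any 172.16.0.0 0.15.255.255",
              "deny ip any 192.168.0.0 0.0.255.255"]
    return "\n".join(lines) + "\n"


def parse_dacl(text: str) -> List[Ace]:
    """Parse the ACE subset ISE dACLs use: <action> <proto> any <dst> [eq <port>]."""
    aces = []
    for raw in text.splitlines():
        line = raw.split("!")[0].strip()          # '!' opens an IOS comment
        if not line:
            continue
        tok = line.split()
        action, proto, src, rest = tok[0], tok[1], tok[2], tok[3:]
        if src != "any":
            raise ValueError(f"dACL source must be 'any': {line}")
        if rest[0] == "any":
            dst, rest = ipaddress.ip_network("0.0.0.0/0"), rest[1:]
        elif rest[0] == "host":
            dst, rest = ipaddress.ip_network(rest[1] + "/32"), rest[2:]
        else:  # address + Cisco wildcard; ipaddress accepts a hostmask after '/'
            dst, rest = ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False), rest[2:]
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        aces.append(Ace(action, proto, dst, port))
    return aces


def decide(aces: List[Ace], dst_ip: str, proto: str, port: Optional[int] = None) -> str:
    """IOS semantics: the first matching ACE wins, implicit deny if none matches."""
    ip = ipaddress.ip_address(dst_ip)
    for a in aces:
        if a.proto in ("ip", proto) and ip in a.dst and a.port in (None, port):
            return a.action
    return "deny"


def lint(text: str) -> List[str]:
    """Return human-readable problems; an empty list means the dACL is deployable."""
    aces = parse_dacl(text)
    problems = []
    for ip, ports in [(d, AD_PORTS) for d in DC_IPS] + [(d, DNS_PORTS) for d in DNS_IPS]:
        for proto, port in ports:
            if decide(aces, ip, proto, port) != "permit":
                problems.append(f"AD/DNS flow blocked: {proto}/{port} to {ip}")
    # Lateral-movement probes, one host per RFC1918 block: ping and SSH must both fail.
    for net in RFC1918:
        probe = str(net.network_address + 1)
        for proto, port in (("icmp", None), ("tcp", 22)):
            svc = proto if port is None else f"{proto}/{port}"
            if decide(aces, probe, proto, port) != "deny":
                problems.append(f"lateral movement not blocked: {svc} to {probe}")
    return problems


# Constructed failure case: the 10/8 deny precedes the DC permits, so first-match
# evaluation shadows every Kerberos ACE and kinit would still fail under the dACL.
MISORDERED_DACL = """\
deny ip any 10.0.0.0 0.255.255.255
permit udp any host 10.0.0.11 eq 88
permit tcp any host 10.0.0.11 eq 88
"""

if __name__ == "__main__":
    print(render_dacl())
    print("target dACL problems:", lint(render_dacl()))
    print("misordered dACL problems:", lint(MISORDERED_DACL)[:3], "...")
```

The runbook does not state whether the workstation may reach non-RFC1918 destinations, so the rendered dACL ends in the implicit deny. If the policy requires internet egress, append a trailing permit ip any any after the three RFC1918 denies; the lateral-movement probes still pass in that order, and the linter will flag it if the permit is accidentally placed before them.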

Pattern Validation (Home Enterprise)

The following was validated in home enterprise on 2026-02-12:

Test                              Result   Notes
dACL creation via netapi          PASS     netapi ise create-dacl with file
Authorization profile with dACL   PASS     VLAN + dACL assignment
Authorization rule at rank 0      PASS     Most specific rule first
CoA reauthentication              PASS     New dACL applies within 10s
Kerberos kinit under dACL         PASS     Tickets acquired successfully
SSH with AD credentials           PASS     Domain user login works
Lateral movement blocked          PASS     RFC1918 ping fails