Linux AD Auth - Issues

Rollback

Quick Rollback (Revert to Research_Onboard)

# Delete the authorization rule
netapi ise delete-authz-rule "$POLICY_SET" "$AUTHZ_PROFILE" --force

# Force reauthentication (will fall back to default rule)
netapi ise mnt coa "$MAC"

Full Rollback (Delete All Objects)

# 1. Delete authorization rule
netapi ise delete-authz-rule "$POLICY_SET" "$AUTHZ_PROFILE" --force

# 2. Delete authorization profile
netapi ise delete-authz-profile "$AUTHZ_PROFILE" --force

# 3. Delete dACL
netapi ise delete-dacl "$DACL_NAME" --force

# 4. Force reauthentication
netapi ise mnt coa "$MAC"
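A guarded wrapper around the four full-rollback steps above, added here as an example (it is not part of the original runbook and not a netapi feature): it refuses to issue a CoA for a malformed MAC, removes the objects in dependency order, and can be dry-run by setting NETAPI=echo. The object-name defaults come from this page; using "Wired Dot1X Closed" as the policy set name is an assumption taken from the status template.

```shell
#!/bin/sh
# Guarded full rollback for the Linux AD auth ISE objects (added example, not runbook code).
# NETAPI=echo prints the commands instead of running them, for a dry run.
set -eu

NETAPI="${NETAPI:-netapi}"
DACL_NAME="${DACL_NAME:-DACL_LINUX_RESEARCH_AD_AUTH}"
AUTHZ_PROFILE="${AUTHZ_PROFILE:-Linux_Research_AD_Auth}"
# Assumed policy set name, taken from "Rank 0 in Wired Dot1X Closed" in the status template.
POLICY_SET="${POLICY_SET:-Wired Dot1X Closed}"

# Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff (IOS style); reject anything
# else so a typo never sends a CoA to the wrong endpoint.
validate_mac() {
  printf '%s' "$1" | grep -Eqi '^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^([0-9a-f]{4}\.){2}[0-9a-f]{4}$'
}

# Run the rollback in dependency order: the rule references the profile and the profile
# references the dACL, so each object is deleted only after whatever points at it is gone.
rollback_full() {
  mac="$1"
  validate_mac "$mac" || { echo "refusing rollback: bad MAC '$mac'" >&2; return 1; }
  "$NETAPI" ise delete-authz-rule "$POLICY_SET" "$AUTHZ_PROFILE" --force
  "$NETAPI" ise delete-authz-profile "$AUTHZ_PROFILE" --force
  "$NETAPI" ise delete-dacl "$DACL_NAME" --force
  # Reauthenticate so the endpoint falls back to the default (Research_Onboard) rule now.
  "$NETAPI" ise mnt coa "$mac"
}

# Usage: MAC=aa:bb:cc:dd:ee:ff sh rollback.sh   (add NETAPI=echo for a dry run)
if [ "${MAC:-}" != "" ]; then
  rollback_full "$MAC"
fi
```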

Deliverables

For Xianming Ding

  • Workstation MAC address

  • Workstation location (switch/port)

  • Confirmation that the workstation is domain-joined

  • Verification that SSH works with AD credentials after deployment

For InfoSec Team

  • dACL created: DACL_LINUX_RESEARCH_AD_AUTH

  • Authorization profile created: Linux_Research_AD_Auth

  • Authorization rule added to policy set

  • CoA issued and new policy applied

  • All validation tests pass

Status Update Template

Subject: Linux AD Auth Deployment - Xianming Ding Request

Deployment Date: 2026-02-14
Device: <MAC-ADDRESS> on <SWITCH> <INTERFACE>

Validation Results:
- AD Connectivity (pre): BLOCKED (as expected)
- AD Connectivity (post): [PASS/FAIL]
- Kerberos kinit: [PASS/FAIL]
- SSH with AD: [PASS/FAIL]
- Lateral movement: [BLOCKED/FAIL]
- Internet: [PASS/FAIL]

ISE Objects:
- dACL: DACL_LINUX_RESEARCH_AD_AUTH (created)
- Authz Profile: Linux_Research_AD_Auth (created)
- Authz Rule: Rank 0 in Wired Dot1X Closed

Status: [COMPLETE/PENDING/BLOCKED]

Notes:
<Any issues or observations>

Quick Reference Commands

netapi Commands

Command                                      Purpose
netapi ise mnt session <MAC>                 Active session status
netapi ise dc session <MAC>                  Detailed diagnostics
netapi ise mnt coa <MAC>                     Force reauthentication
netapi ise get-dacl <name>                   View dACL content
netapi ise get-authz-rules <policy-set>      List authorization rules

Switch Commands

show access-session mac <MAC> detail
show ip access-list | include DACL_LINUX
clear access-session mac <MAC>

References

  • Pattern validation: ise-linux component, linux-ad-auth-dacl runbook

  • Deployment template: ise-linux component, linux-eaptls-deployment-runbook

  • Previous deployment: captures, DEPLOY-2026-01-26-shahab-linux-workstation


Prepared: 2026-02-14
Request: Xianming Ding - Linux AD Authentication
Validated: Domus Digitalis home enterprise (2026-02-12)