Downtime Computers — Wired-Only Enforcement

Summary

Cerner 724 downtime computers are critical systems that must only connect via wired network. An agreement exists to prohibit wireless access for these endpoints. This project validates compliance using ISE DataConnect queries, identifies violating endpoints, and implements enforcement via ISE policy.

Objective

Identify all Cerner 724 downtime computers currently authenticating via wireless
Validate that wired-only policy is enforced
Remediate any endpoints connecting via wireless
Implement ongoing monitoring

Phase Summary

Phase	Description	Status	Notes
0: Discovery	Identify downtime computer endpoints — MACs, hostnames, identity groups	✅ Done	45 computers identified, 16 violating, 29 compliant
1: Audit	Query ISE DataConnect for wireless auth events from downtime computers	✅ Done	v2 query (identity_group/endpoint_profile filter), 180 auth records, 583 wireless auths. Report v3 delivered.
2: Enforcement	ISE policy to deny wireless for downtime computer identity group	❌ Not started	AuthZ rule: medigate_724Access_Viewer_Cerner_EHR + NAS-Port-Type Wireless = DenyAccess
3: Monitoring	Ongoing DataConnect query or ISE alarm for violations	❌ Not started	Re-run dc_query monthly, diff with process substitution
4: Documentation	Report findings, policy change CR, stakeholder communication	🟡 In progress	v3 Excel delivered to management 2026-04-21. CR for enforcement TBD.

Phase

Description

Status

Notes

0: Discovery

Identify downtime computer endpoints — MACs, hostnames, identity groups

✅ Done

45 computers identified, 16 violating, 29 compliant

1: Audit

Query ISE DataConnect for wireless auth events from downtime computers

✅ Done

v2 query (identity_group/endpoint_profile filter), 180 auth records, 583 wireless auths. Report v3 delivered.

2: Enforcement

ISE policy to deny wireless for downtime computer identity group

❌ Not started

AuthZ rule: medigate_724Access_Viewer_Cerner_EHR + NAS-Port-Type Wireless = DenyAccess

3: Monitoring

Ongoing DataConnect query or ISE alarm for violations

❌ Not started

Re-run dc_query monthly, diff with process substitution

4: Documentation

Report findings, policy change CR, stakeholder communication

🟡 In progress

v3 Excel delivered to management 2026-04-21. CR for enforcement TBD.

Key Questions

Which downtime computers are authenticating via wireless today?
What NAS device (WLC) are they connecting through?
What ISE policy set / authorization profile allows this?
What identity group are these endpoints in?
Can we enforce wired-only via ISE authorization policy without breaking failover?

Metadata

Field	Value
PRJ ID	PRJ-2026-04-downtime-computers
Author	Evan Rosado
Created	2026-04-21
Last Updated	2026-04-21
Status	Active — investigation
Category	Network Security / Endpoint Compliance
Priority	P1
Scope	Cerner 724 downtime computers — enforce wired-only access
Requestor	Management (resurfaced project)
Related	PRJ-mschapv2-migration, PRJ-mandiant-remediation

Field

Value

PRJ ID

PRJ-2026-04-downtime-computers

Author

Evan Rosado

Created

2026-04-21

Last Updated