Linux Research: Risk Management & Governance

Risk Assessment

| Risk | Likelihood | Impact | Mitigation | Contingency |
| --- | --- | --- | --- | --- |
| nmcli certificate password bug blocks all progress | High | Critical | Test multiple workarounds: wpa_supplicant direct config, PKCS12 bundle, NetworkManager dispatcher scripts. Document findings. | Bypass nmcli entirely. Use wpa_supplicant.conf directly with a systemd service. |
| Linux distro fragmentation across research workstations | Medium | Medium | Standardize on Ubuntu LTS or RHEL/Rocky for supported deployment. Document per-distro differences. | Maintain distro-specific playbooks. Limit support to the top 2-3 distributions. |
| dACL not applied correctly on Linux (no posture agent) | Medium | High | Test dACL application in lab with ISE debug logs. Verify ACL push via RADIUS attributes. UFW provides backup enforcement. | Use VLAN assignment instead of dACL if ACL push is unreliable on Linux. |
| Research users resist certificate-based auth (workflow disruption) | Low | Medium | Transparent authentication after initial setup. No password prompts. Better UX than MSCHAPv2 once configured. | Keep MSCHAPv2 fallback during the transition period. Provide documentation and support. |
| Ansible deployment fails on non-standard Linux configurations | Medium | Medium | Gather an inventory of all Linux distros, versions, and configurations before Phase 3. Test the playbook against each variant. | Manual deployment for edge cases. Document the manual procedure alongside the Ansible playbook. |
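The contingency for the first risk, bypassing nmcli and driving wpa_supplicant from systemd, as an added example that is not part of this project's own playbooks. It assumes a wired 802.1X interface, certificates under /etc/pki/8021x, the packaged wpa_supplicant-wired@ unit, and that NetworkManager is told to leave the interface unmanaged so the two supplicants do not fight over it.

```shell
#!/bin/sh
# Added example (not project code): direct wpa_supplicant EAP-TLS profile for a
# wired interface, run by systemd, with nmcli out of the path entirely.
# Assumed: cert paths, interface name and identity format are placeholders.
set -eu

# Render the supplicant config for one wired interface.
# $1 = EAP identity, $2 = private key passphrase, $3 = certificate directory
render_wpa_conf() {
  identity=$1; key_pass=$2; cert_dir=$3
  cat <<EOF
ctrl_interface=/run/wpa_supplicant
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    eapol_flags=0
    identity="$identity"
    ca_cert="$cert_dir/ca-chain.pem"
    client_cert="$cert_dir/workstation.crt"
    private_key="$cert_dir/workstation.key"
    private_key_passwd="$key_pass"
}
EOF
}

# Write the config root-only (it carries the key passphrase), keep
# NetworkManager off the interface, start the unit, then confirm EAP succeeded.
install_wpa_conf() {
  iface=$1; identity=$2; key_pass=$3; cert_dir=${4:-/etc/pki/8021x}
  conf="/etc/wpa_supplicant/wpa_supplicant-wired-$iface.conf"
  umask 077
  render_wpa_conf "$identity" "$key_pass" "$cert_dir" > "$conf"
  chmod 600 "$conf" "$cert_dir/workstation.key"
  printf '[keyfile]\nunmanaged-devices=interface-name:%s\n' "$iface" \
    > /etc/NetworkManager/conf.d/90-8021x-unmanaged.conf
  systemctl reload NetworkManager
  systemctl enable --now "wpa_supplicant-wired@$iface.service"
  # Check the authenticator actually accepted us, not just that the unit is up.
  for _ in 1 2 3 4 5; do
    wpa_cli -i "$iface" status | grep -q '^EAP state=SUCCESS' && return 0
    sleep 2
  done
  return 1
}

# Usage: sudo ./eap-tls-wired.sh install eth0 host/ws01.example.org 'keypass'
if [ "${1:-}" = "install" ]; then
  install_wpa_conf "$2" "$3" "$4"
fi
```

The passphrase still lands on disk, so the 0600 config is the minimum; the same file is what the Ansible playbook would template once the nmcli path is abandoned.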

Decision Log

| Date | Decision | Rationale | Decided By |
| --- | --- | --- | --- |
| 2026-03-25 | EAP-TLS (not PEAP/MSCHAPv2) for Linux workstations | Certificate-based auth eliminates credential exposure. Aligns with the org-wide MSCHAPv2 deprecation strategy. The Linux supplicant (wpa_supplicant/nmcli) has native EAP-TLS support. | Evan |
| 2026-03-25 | UFW integration for local enforcement alongside dACL | dACL provides network-level enforcement. UFW provides host-level enforcement. Defense in depth: even if the dACL is bypassed, the local firewall blocks unauthorized access. | Evan |
| 2026-03-25 | Ansible for certificate deployment at scale | Manual cert installation does not scale to the research fleet. Ansible provides idempotent, repeatable deployment. Certificates, permissions, and nmcli profiles are configured in a single playbook. | Evan |
| 2026-03-25 | Lab validation mandatory before any production deployment | The nmcli certificate password bug must be resolved first. No point deploying to production until the auth flow is validated end-to-end in the home lab. | Evan |

Stakeholders

  • Xianming Ding - Research department (requestor)
  • Evan - Implementation lead
  • ISE Team - Policy configuration