Remediation Action Items

Design GUEST_CWA_REDIRECT_MAX_SECURITY dACL — strips all credential protocols from pre-AUP window

Lab validate GUEST_CWA_REDIRECT_MAX_SECURITY in d000 — test full CWA guest flow

Verify Apple CNA still works with hardened ACL (17.0.0.0/8 preserved)

Investigate SMB 445 + NetBIOS 137-139 to specific host in Guest-Internet-Only — determine what that host is

Confirm ACL_WEBAUTH_REDIRECT is globally uniform via Catalyst Center

Coordinate with Tony Sun (NE) on switch ACL changes — remove deny lines for credential protocols

Submit joint CR (ER + NE) to iTrack

Deploy ISE dACL to production

NE deploys switch ACL changes

72-hour post-deployment monitoring

Submit iTrack CR for zero-trust posture redirect ACL

Validate restricted ACL in home lab — confirm posture flow completes

Deploy zero-trust ACL to production wireless controllers

72-hour post-deployment monitoring — watch for posture failures

Evil twin re-test — validate Kerberos/SMB/LDAP blocked during posture window

Verify February 10-12 ISE 3.2P8 deployment completed

Confirm current ISE version via show version on all nodes

Document upgrade in security audit log

Close iTrack CR for ISE patch

Deploy zero-trust dACL to wired policy sets (Wired_802.1X)

Deploy zero-trust dACL to wireless policy sets

Migrate legacy Aireos AirSpace ACLs to ISE-managed dACLs

Create dACL for Isensix BMS controller (IoT/MAB policy set)

Validate dACL enforcement on each policy set post-deployment

Send scoping email to William Cox — non-Windows platform breakdown with ownership matrix and manager callouts (2026-04-24)

ISE supplicant-side configuration complete — EAP-TEAP and EAP-TLS policies, certificate trust, authorization rules

Windows EAP-TEAP migration complete

All 8 platform owners confirmed — Albert (Collaboration), John (Endpoint Engineering)

John designated Jason Landeros for GPOs, Justin Halbmann for visibility

Will confirmed 5/4 start, 5/30 deadline — Albert agreed to planning meeting

Export Windows 11 EAP-TEAP XML profile config for reference documentation

Verify anonymous identity configured across all deployed EAP profiles

Verify all Windows endpoints running EAP-TEAP — confirm no legacy MSCHAPv2 GPO profiles remain

Prep checklist: ISE RADIUS IPs, SCEP URL, cert requirements, anonymous identity format, example auth screenshots

Schedule working sessions with platform owners (Wyse, Chrome, Vocera, JAMF, Intune, WS1, SCCM, GPO)

Track per-platform completion in MSCHAPv2 Migration Project

Coordinate with endpoint teams for SCEP certificate enrollment

Disable MSCHAPv2 allowed protocol after all platforms migrated

Copy 4/16 finding updates into Mandiant Excel spreadsheet at work (P0 — carried since Apr 17)

WIR-I-01: Submit CR for MFP enablement on CHLA_IoT, CHLA_Medical, CHLA_Staff SSIDs

WIR-I-02: Coordinate with endpoint team on GPO to disable Wi-Fi Direct radio on HP printers

WIR-I-02: Obtain printer inventory from Appendix D

Daily ISE Live Logs review — failed auths, unknown MACs, policy violations

Weekly compliance reports — posture rate trending, top failed endpoints

Raspberry Pi OUI monitoring — B8:27:EB, DC:A6:32, E4:5F:01

Certificate expiration alerting — 30-day warning threshold

Update CHLA security audit log with all remediation actions

Create runbook for guest ACL changes and rollback

Create runbook for dACL deployment and rollback

Document ISE patch validation procedure

Re-test posture redirect with evil twin simulation post-remediation

Validate all dACLs enforced across wired and wireless

Confirm ISE CVE patched and no longer exploitable

Verify MSCHAPv2 device count trending to zero

Final report to CISO with remediation evidence