Remediation Action Items

Submit iTrack CR for zero-trust posture redirect ACL

Validate restricted ACL in home lab — confirm posture flow completes

Deploy zero-trust ACL to production wireless controllers

72-hour post-deployment monitoring — watch for posture failures

Evil twin re-test — validate Kerberos/SMB/LDAP blocked during posture window

Verify February 10-12 ISE 3.2P8 deployment completed

Confirm current ISE version via show version on all nodes

Document upgrade in security audit log

Close iTrack CR for ISE patch

Deploy zero-trust dACL to wired policy sets ({policy-set-wired})

Deploy zero-trust dACL to wireless policy sets

Migrate legacy Aireos AirSpace ACLs to ISE-managed dACLs

Create dACL for Isensix BMS controller (IoT/MAB policy set)

Validate dACL enforcement on each policy set post-deployment

Continue 5-wave migration to EAP-TLS certificate-based authentication

Track per-wave completion in MSCHAPv2 Migration Project

Coordinate with endpoint teams for certificate enrollment

Disable MSCHAPv2 allowed protocol after final wave

Daily ISE Live Logs review — failed auths, unknown MACs, policy violations

Weekly compliance reports — posture rate trending, top failed endpoints

Raspberry Pi OUI monitoring — B8:27:EB, DC:A6:32, E4:5F:01

Certificate expiration alerting — 30-day warning threshold

Update CHLA security audit log with all remediation actions

Create runbook for posture redirect ACL changes

Create runbook for dACL deployment and rollback

Document ISE patch validation procedure

Process new Mandiant findings when formal report received

Classify findings by severity and assign owners

Create remediation timeline for each finding

Update this project with new workstreams

Re-test posture redirect with evil twin simulation post-remediation

Validate all dACLs enforced across wired and wireless

Confirm ISE CVE patched and no longer exploitable

Verify MSCHAPv2 device count trending to zero

Final report to CISO with remediation evidence