Research Device Onboarding Flow
1. Overview
This document defines the two-stage onboarding flow for research Linux workstations. New devices start with limited network access, then transition to full zero-trust access after EAP-TLS certificate enrollment.
This pattern mirrors enterprise research environments where:
2. Architecture
┌─────────────────────────────────────────────────────────────────────────┐
│ RESEARCH DEVICE ONBOARDING FLOW │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────────────────┐ │
│ │ Stage 1 │ │ Transition │ │ Stage 2 │ │
│ │ ONBOARD │────▶│ (Manual) │────▶│ EAP-TLS + HARDENED │ │
│ └──────────────┘ └──────────────┘ └──────────────────────────┘ │
│ │
│ Auth: MAB Enroll cert Auth: EAP-TLS │
│ ACL: RESEARCH_ONBOARD Configure client ACL: RESEARCH_HARDENED │
│ Access: Limited Test connection Access: Zero-trust │
│ │
├─────────────────────────────────────────────────────────────────────────┤
│ ISE Policy Priority: │
│ Rule 1: EAP-TLS + Cert Valid → RESEARCH_HARDENED (higher priority) │
│ Rule 2: MAB + Known MAC → RESEARCH_ONBOARD (lower priority) │
│ Rule 3: Default → DenyAccess │
└─────────────────────────────────────────────────────────────────────────┘
3. Stage 1: RESEARCH_ONBOARD
3.1. Purpose
Provide limited network access for new research devices to:
- Resolve DNS (required for everything)
- Reach certificate enrollment server (Vault/AD CS)
- Access ISE portals (if needed for self-service)
- Reach AD/DC for domain join (if required)
- Limited internet for package installation
3.2. RESEARCH_ONBOARD dACL
! =============================================================================
! dACL: RESEARCH_ONBOARD
! Purpose: Limited access for research device onboarding/cert enrollment
! Author: InfoSec Team
! ACE Count: 17 (well within 64 ACE limit)
! Note: dACLs are evaluated first-match. The RFC1918 denies must come BEFORE
!       the any-destination 80/443 permits, otherwise web ports on internal
!       hosts remain reachable during onboarding.
! =============================================================================
! -----------------------------------------------------------------------------
! SECTION 1: PERMIT INFRASTRUCTURE (Enrollment Requirements)
! Host-specific permits go first so they are not caught by the RFC1918 denies.
! -----------------------------------------------------------------------------
remark === DNS ===
permit udp any host 10.50.1.90 eq 53
permit udp any host 10.50.1.50 eq 53
remark === NTP ===
permit udp any any eq 123
remark === Certificate Enrollment (Vault) ===
permit tcp any host 10.50.1.60 eq 8200
remark === ISE Portals ===
permit tcp any host 10.50.1.20 eq 8443
permit tcp any host 10.50.1.20 eq 8905
remark === AD/DC (Domain Join + Kerberos) ===
permit tcp any host 10.50.1.50 eq 88
permit udp any host 10.50.1.50 eq 88
permit tcp any host 10.50.1.50 eq 389
permit tcp any host 10.50.1.50 eq 636
permit tcp any host 10.50.1.50 eq 445
! -----------------------------------------------------------------------------
! SECTION 2: BLOCK INTERNAL NETWORKS
! Prevent lateral movement during onboarding (must precede the any-any permits)
! -----------------------------------------------------------------------------
remark === DENY RFC1918 - No Lateral Movement ===
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
! -----------------------------------------------------------------------------
! SECTION 3: PERMIT LIMITED INTERNET
! Required for package downloads during setup
! -----------------------------------------------------------------------------
remark === HTTP/HTTPS (Internet only - RFC1918 denied above) ===
permit tcp any any eq 80
permit tcp any any eq 443
! -----------------------------------------------------------------------------
! SECTION 4: IMPLICIT DENY
! -----------------------------------------------------------------------------
remark === Deny All Other ===
deny ip any any log
Key differences from RESEARCH_HARDENED:
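Because a dACL is applied first-match, the relative order of the RFC1918 denies and the any-destination 80/443 permits decides whether web ports on internal hosts are reachable during onboarding. The following is an added example, not code from this document or from ISE: a minimal first-match evaluator for the ACE subset used in RESEARCH_ONBOARD, run against a constructed, trimmed copy of the dACL and a few constructed flows. It shows that a permit-first order exposes HTTPS on the switch (10.50.1.10) while the deny-before-wide-permits order blocks it and still admits DNS and Vault.

```python
import ipaddress

# Constructed fixture (not from the page): a trimmed ONBOARD dACL with the
# wide 80/443 permits placed ahead of the RFC1918 denies.
PERMIT_FIRST = """\
permit udp any host 10.50.1.90 eq 53
permit tcp any host 10.50.1.60 eq 8200
permit tcp any any eq 80
permit tcp any any eq 443
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255"""

def parse_ace(line):
    """Parse the ACE subset used here: <action> <proto> any <dst> [eq <port>]."""
    tok = line.split()
    action, proto, i = tok[0], tok[1], 3          # tok[2] is the source 'any'
    if tok[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    elif tok[i] == "host":
        net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    else:                                          # address + Cisco wildcard mask
        wild = int(ipaddress.IPv4Address(tok[i + 1]))
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wild)
        net, i = ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2
    port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
    return action, proto, net, port

def evaluate(acl_text, proto, dst_ip, dst_port):
    """First-match evaluation, as the switch applies a dACL; implicit deny at the end."""
    for line in acl_text.strip().splitlines():
        if line.startswith(("remark", "!")):
            continue
        action, aproto, net, port = parse_ace(line)
        if aproto in ("ip", proto) and ipaddress.ip_address(dst_ip) in net \
                and (port is None or port == dst_port):
            return action
    return "deny"

def deny_before_wide_permits(acl_text):
    """Reorder: host-specific permits, then denies, then permits to destination 'any'."""
    specific, denies, wide = [], [], []
    for line in acl_text.strip().splitlines():
        if line.startswith("deny"):
            denies.append(line)
        elif line.split()[3] == "any":
            wide.append(line)
        else:
            specific.append(line)
    return "\n".join(specific + denies + wide)

if __name__ == "__main__":
    for label, text in (("permit-first", PERMIT_FIRST),
                        ("deny-first", deny_before_wide_permits(PERMIT_FIRST))):
        print(label, "HTTPS to 10.50.1.10:", evaluate(text, "tcp", "10.50.1.10", 443))
```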
3.3. Create dACL in ISE
# Create the dACL content file
# Order matters: dACLs are first-match, so the RFC1918 denies go before the
# any-destination 80/443 permits. ISE appends the implicit deny.
cat > /tmp/RESEARCH_ONBOARD.txt << 'EOF'
permit udp any host 10.50.1.90 eq 53
permit udp any host 10.50.1.50 eq 53
permit udp any any eq 123
permit tcp any host 10.50.1.60 eq 8200
permit tcp any host 10.50.1.20 eq 8443
permit tcp any host 10.50.1.20 eq 8905
permit tcp any host 10.50.1.50 eq 88
permit udp any host 10.50.1.50 eq 88
permit tcp any host 10.50.1.50 eq 389
permit tcp any host 10.50.1.50 eq 636
permit tcp any host 10.50.1.50 eq 445
deny ip any 10.0.0.0 0.255.255.255
deny ip any 172.16.0.0 0.15.255.255
deny ip any 192.168.0.0 0.0.255.255
permit tcp any any eq 80
permit tcp any any eq 443
EOF
# Upload to ISE
netapi ise create-dacl RESEARCH_ONBOARD \
--file /tmp/RESEARCH_ONBOARD.txt \
--descr "Limited access for research device onboarding - cert enrollment and domain join"
3.4. Create Authorization Profile
# Create authorization profile for onboarding
netapi ise create-authz-profile "Research_Onboard" \
--dacl RESEARCH_ONBOARD \
--vlan 40 \
--descr "Research device onboarding - limited access for cert enrollment"
Or via GUI:
- Navigate to: Policy > Policy Elements > Results > Authorization > Authorization Profiles
- Click Add
- Configure:

| Field | Value |
|---|---|
| Name | Research_Onboard |
| Description | Research device onboarding - limited access for cert enrollment |
| Access Type | ACCESS_ACCEPT |
| DACL Name | RESEARCH_ONBOARD |
| VLAN | 40 |
4. Stage 2: RESEARCH_HARDENED
4.1. Purpose
After certificate enrollment, device authenticates with EAP-TLS and receives zero-trust access:
- Internet access (HTTP/HTTPS/SSH)
- DNS and NTP
- ISE posture ports
- All internal (RFC1918) blocked - no lateral movement
4.2. RESEARCH_HARDENED dACL
See Hardened dACL Configuration for the full ACL definition.
The key difference: no Vault or AD ports - those are only needed during onboarding.
5. ISE Policy Configuration
5.1. Authorization Rules (Priority Order)
Rule priority is CRITICAL. The EAP-TLS rule must have HIGHER priority than the MAB onboarding rule.

| Priority | Rule Name | Condition | Profile |
|---|---|---|---|
| 1 | Research_EAP_TLS_Hardened | EAP-TLS AND certificate valid (Subject CN contains "research") | Research_EAP_TLS |
| 2 | Research_Onboard_MAB | MAB AND endpoint in Research_Onboard identity group | Research_Onboard |
| 3 | Default | (none) | DenyAccess |
5.2. Create Endpoint Identity Group
Before MAB onboarding works, the device MAC must be registered:
# Create endpoint identity group for onboarding devices
netapi ise create-endpoint-group "Research_Onboard" \
--descr "Research devices pending EAP-TLS enrollment"
5.3. Register Device MAC for Onboarding
# Get the MAC address of the research device
# On the device: ip link show | grep ether
# Register in ISE for MAB onboarding
netapi ise create-endpoint "AA:BB:CC:DD:EE:FF" \
--group "Research_Onboard" \
--descr "Xian Ding research workstation - pending cert enrollment"
5.4. Create Authorization Rules via GUI
- Navigate to: Policy > Policy Sets > [Your Policy Set] > Authorization Policy
- Add rules in this order (higher = more priority):

Rule 1: Research_EAP_TLS_Hardened
  Condition: Network Access:EapTls EQUALS True
             AND CERTIFICATE:Subject - Common Name CONTAINS research
  Profile: Research_EAP_TLS

Rule 2: Research_Onboard_MAB
  Condition: Network Access:MAB EQUALS True
             AND IdentityGroup:Name EQUALS Endpoint Identity Groups:Research_Onboard
  Profile: Research_Onboard
6. Onboarding Procedure
6.1. Step 1: Register Device MAC
# On the research device, get MAC
ip link show enp3s0 | grep ether
# Output: link/ether aa:bb:cc:dd:ee:ff
# Register in ISE
netapi ise create-endpoint "aa:bb:cc:dd:ee:ff" \
--group "Research_Onboard" \
--descr "Research device - Xian Ding - pending enrollment"
6.2. Step 2: Connect Device (Stage 1)
Connect the device to the network. It will:
- Send a MAB authentication request
- Be matched by ISE against the Research_Onboard_MAB rule
- Receive the RESEARCH_ONBOARD dACL
- Have limited access for enrollment
6.3. Step 3: Verify Onboarding Access
# On the research device, verify access
# DNS should work
dig google.com @10.50.1.90
# Vault should be reachable
curl -k https://10.50.1.60:8200/v1/sys/health
# AD/DC should be reachable (for domain join)
timeout 3 bash -c '</dev/tcp/10.50.1.50/389' && echo "LDAP OK"
# Internal lateral movement should be BLOCKED
ping -c 2 10.50.1.10 # Switch - should fail
timeout 3 bash -c '</dev/tcp/10.50.1.10/22' && echo "FAIL: Lateral movement!" || echo "OK: Blocked"
6.4. Step 4: Enroll Certificate
Follow Certificate Enrollment or Vault BYOD Enrollment to issue EAP-TLS certificate.
6.5. Step 5: Configure EAP-TLS Client
Follow NetworkManager Wired or wpa_supplicant to configure the 802.1X supplicant with the new certificate.
6.6. Step 6: Reconnect (Stage 2)
# Disconnect and reconnect to trigger EAP-TLS auth
sudo nmcli connection down "Wired-802.1X"
sudo nmcli connection up "Wired-802.1X"
6.7. Step 7: Verify Hardened Access
# Verify EAP-TLS authentication succeeded
# Check ISE for the session
netapi ise dc query "SELECT USERNAME, AUTHENTICATION_PROTOCOL, AUTHORIZATION_RULE, PASSED
FROM RADIUS_AUTHENTICATIONS
WHERE CALLING_STATION_ID = 'AA:BB:CC:DD:EE:FF'
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 1 ROWS ONLY"
# Expected: AUTHENTICATION_PROTOCOL = EAP-TLS, AUTHORIZATION_RULE = Research_EAP_TLS_Hardened
6.8. Step 8: Remove from Onboarding Group
After successful EAP-TLS authentication, remove the MAC from the onboarding group:
# Update endpoint to production group (or delete from onboarding)
netapi ise update-endpoint "aa:bb:cc:dd:ee:ff" \
--group "Research_Production" \
--descr "Research device - Xian Ding - EAP-TLS enrolled"
7. Validation Test Script
Create a script to validate both stages:
# Set environment variables from attributes
DNS_IP="10.50.1.90"
VAULT_IP="10.50.1.60"
VAULT_PORT="8200"
AD_DC_IP="10.50.1.50"
ISE_IP="10.50.1.20"
SWITCH_IP="10.50.1.10"
PORT_LDAP="389"
PORT_ISE_ADMIN="8443"
PORT_SSH="22"
# Unquoted heredoc: the addresses above are baked into the script now; variables
# that must be evaluated when the script runs are escaped as \$VAR.
cat > /tmp/test-onboarding.sh << EOF
#!/bin/bash
echo "=== Research Onboarding Validation ==="
echo ""
# Detect current stage based on what's accessible
VAULT_REACHABLE=\$(timeout 3 bash -c '</dev/tcp/$VAULT_IP/$VAULT_PORT' 2>/dev/null && echo "yes" || echo "no")
SWITCH_REACHABLE=\$(timeout 3 bash -c '</dev/tcp/$SWITCH_IP/$PORT_SSH' 2>/dev/null && echo "yes" || echo "no")
if [ "\$VAULT_REACHABLE" = "yes" ] && [ "\$SWITCH_REACHABLE" = "no" ]; then
  echo "Detected: STAGE 1 (ONBOARD)"
  echo ""
  echo "Testing ONBOARD access..."
  echo "Test 1: DNS"
  dig +short google.com @$DNS_IP >/dev/null && echo "  [PASS] DNS working" || echo "  [FAIL] DNS broken"
  echo "Test 2: Vault (cert enrollment)"
  timeout 3 bash -c '</dev/tcp/$VAULT_IP/$VAULT_PORT' 2>/dev/null && echo "  [PASS] Vault reachable" || echo "  [FAIL] Vault blocked"
  echo "Test 3: AD/DC (domain join)"
  timeout 3 bash -c '</dev/tcp/$AD_DC_IP/$PORT_LDAP' 2>/dev/null && echo "  [PASS] LDAP reachable" || echo "  [FAIL] LDAP blocked"
  echo "Test 4: ISE Portal"
  timeout 3 bash -c '</dev/tcp/$ISE_IP/$PORT_ISE_ADMIN' 2>/dev/null && echo "  [PASS] ISE reachable" || echo "  [FAIL] ISE blocked"
  echo "Test 5: Internet HTTPS"
  curl -sI --max-time 3 https://google.com >/dev/null && echo "  [PASS] Internet working" || echo "  [FAIL] Internet blocked"
  echo "Test 6: Lateral movement (should be BLOCKED)"
  timeout 3 bash -c '</dev/tcp/$SWITCH_IP/$PORT_SSH' 2>/dev/null && echo "  [FAIL] Switch reachable - SECURITY ISSUE!" || echo "  [PASS] Lateral movement blocked"
elif [ "\$VAULT_REACHABLE" = "no" ] && [ "\$SWITCH_REACHABLE" = "no" ]; then
  echo "Detected: STAGE 2 (HARDENED/EAP-TLS)"
  echo ""
  echo "Testing HARDENED access..."
  echo "Test 1: DNS"
  dig +short google.com @$DNS_IP >/dev/null && echo "  [PASS] DNS working" || echo "  [FAIL] DNS broken"
  echo "Test 2: Internet HTTPS"
  curl -sI --max-time 3 https://google.com >/dev/null && echo "  [PASS] Internet working" || echo "  [FAIL] Internet blocked"
  echo "Test 3: Vault (should be BLOCKED in hardened)"
  timeout 3 bash -c '</dev/tcp/$VAULT_IP/$VAULT_PORT' 2>/dev/null && echo "  [INFO] Vault reachable (optional)" || echo "  [PASS] Vault blocked (expected)"
  echo "Test 4: Lateral movement (should be BLOCKED)"
  timeout 3 bash -c '</dev/tcp/$SWITCH_IP/$PORT_SSH' 2>/dev/null && echo "  [FAIL] Switch reachable - SECURITY ISSUE!" || echo "  [PASS] Lateral movement blocked"
  echo "Test 5: Internal ping (should be BLOCKED - only UDP/53 to the DNS host is permitted)"
  ping -c 1 -W 2 $DNS_IP >/dev/null 2>&1 && echo "  [FAIL] Internal ICMP allowed" || echo "  [PASS] Internal ICMP blocked"
else
  echo "Detected: UNKNOWN STATE"
  echo "  Vault reachable: \$VAULT_REACHABLE"
  echo "  Switch reachable: \$SWITCH_REACHABLE"
  echo ""
  echo "If the switch is reachable, the session may have a permit-all ACL (INSECURE)"
fi
echo ""
echo "=== Validation Complete ==="
EOF
chmod +x /tmp/test-onboarding.sh
8. Troubleshooting
8.1. Device Not Getting Onboard ACL
Symptom: Device connects but gets denied or wrong ACL
Check:
# Verify MAC is registered
netapi ise get-endpoint "aa:bb:cc:dd:ee:ff"
# Verify endpoint is in correct group
netapi ise get-endpoint "aa:bb:cc:dd:ee:ff" | grep -i group
# Check ISE live logs
netapi ise mnt auth-logs "aa:bb:cc:dd:ee:ff" --limit 5