Phase 1: EAP-TLS for Managed Devices

Scope

Domain-joined Windows workstations
Domain-joined Linux workstations
Servers with 802.1X

Prerequisites

PKI Infrastructure

Vault PKI operational (DOMUS-ROOT-CA, DOMUS-ISSUING-CA)
Auto-enrollment configured (Windows) or manual process (Linux)
CA chain trusted by ISE

ISE Configuration

EAP-TLS allowed in protocols
Trusted CA imported
Policy set created for EAP-TLS

Client Preparation

Certificate enrollment tested on pilot group
Supplicant configuration documented
Rollback procedure documented

Implementation Steps

Step 1: Pilot Group (Week 1)

Select 5-10 devices across departments
Enroll certificates manually
Monitor authentication logs
Document issues

Step 2: IT Department (Week 2)

Deploy certificates to all IT devices
Use IT staff as early adopters
Refine troubleshooting procedures

Step 3: Department Rollout (Week 3-4)

Deploy by department
Coordinate with department leads
Maintain help desk awareness

Certificate Deployment

Windows (GPO Auto-Enrollment)

Computer Configuration > Policies > Windows Settings >
  Security Settings > Public Key Policies >
    Certificate Services Client - Auto-Enrollment
      Configuration Model: Enabled
      [x] Renew expired certificates
      [x] Update certificates that use templates

Linux (Vault CLI)

vault write pki_int/issue/domus-client \
  common_name="${HOSTNAME}.inside.domusdigitalis.dev" \
  ttl="8760h"

See Vault PKI Cert Issuance (infra-ops).

Verification

Per-Device Check

SELECT CALLING_STATION_ID, AUTHENTICATION_PROTOCOL, PASSED
FROM RADIUS_AUTHENTICATIONS
WHERE CALLING_STATION_ID = 'AA:BB:CC:DD:EE:FF'
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 5 ROWS ONLY

Department Progress

SELECT FRAMED_IP_ADDRESS, AUTHENTICATION_PROTOCOL
FROM RADIUS_AUTHENTICATIONS
WHERE FRAMED_IP_ADDRESS LIKE '10.50.10.%'  -- Department subnet
AND TIMESTAMP_TIMEZONE > SYSDATE - 1

Success Metrics

100% IT devices on EAP-TLS
<5 help desk tickets per week
No MSCHAPv2 authentications from managed devices

Rollback

If critical issues:

Re-enable MSCHAPv2 in allowed protocols
Communicate delay to stakeholders
Address root cause
Resume migration