Chapter 3: Scenarios & Selection

Figure 3.1: Wired Enterprise LAN — Managed workstations authenticate via EAP-TLS certificates through access switches to RADIUS server, with dynamic VLAN assignment

In a wired enterprise LAN, all managed workstations connect via Ethernet to access switches in IDF closets. Each workstation holds a machine certificate issued by the corporate PKI, enabling EAP-TLS mutual authentication. The switch acts as the 802.1X authenticator, forwarding EAP frames to the RADIUS server, which validates the certificate chain and revocation status before returning a VLAN/ACL assignment. Devices without valid certificates are placed in a remediation VLAN where they can access only the MDM and CA proxy for certificate enrollment.

Figure 3.2: Enterprise Wi-Fi — Three SSIDs (Corporate EAP-TLS, BYOD Enrollment, Guest Captive Portal) with RADIUS dynamic VLAN assignment via wireless controller

Enterprise wireless deployments typically require three distinct SSIDs serving different user populations. The corporate SSID uses EAP-TLS with machine certificates for managed devices, providing seamless roaming and dynamic VLAN assignment. A BYOD enrollment SSID provides a limited-access path for personal devices to enroll certificates via SCEP/MDM. A guest SSID redirects unauthenticated users to a captive portal with sponsor approval workflow. The wireless controller acts as the central enforcement point, applying RADIUS-returned VLAN assignments to all associated clients.

Figure 3.3: IoT Device Containment — NAC profiling engine classifies IP cameras, printers, badge readers, and environmental sensors into dedicated VLANs; unknown devices quarantined automatically

IoT devices — IP cameras, printers, badge readers, environmental sensors — cannot run 802.1X supplicants and require an alternative onboarding model. NAC profiling uses DHCP fingerprinting, SNMP OID matching, HTTP user-agent analysis, and API integrations with asset management systems to classify devices automatically. Each device type is assigned to a dedicated IoT VLAN with a restrictive ACL permitting only the specific ports and destinations required for its function. Unknown devices are automatically placed in a quarantine VLAN pending manual review or automated remediation.

Figure 3.4: Guest Network — QR code captive portal with sponsor approval workflow; guest VLAN provides internet-only access with DNS filtering, rate limiting, and session expiry

Guest network management must balance hospitality with security. Visitors scan a QR code at reception, which redirects their device to a captive portal requiring either a sponsor approval or a self-service registration with legal notice acceptance. The guest VLAN is strictly isolated from the corporate network at the firewall level, with DNS filtering to block malicious domains, bandwidth rate limiting to prevent abuse, and automatic session expiry to prevent credential sharing. Sponsor approval workflows integrate with email or ITSM systems for accountability.

Figure 3.5: ZTNA Conditional Access — Remote users authenticate through IdP MFA/CA with risk scoring, device compliance check, and geo/IP reputation before accessing per-app internal segments

Remote workforce access requires continuous verification of user identity, device health, and contextual risk signals. The ZTNA model replaces traditional VPN with per-application access control. Users authenticate to the IdP with MFA, which evaluates risk signals including device compliance (MDM/EDR status), geographic location, IP reputation, and time-of-day patterns. High-risk sessions trigger step-up authentication or are blocked entirely. Legacy VPN is retained only for specific legacy applications with restricted subnet access. All sessions are logged with correlation IDs for forensic traceability.

Figure 3.6: Privileged Access Management — Admin users authenticate through MFA/PAM vault to jump server; TACACS+ enforces command-level authorization with full session recording

Privileged access to network devices and servers requires the highest level of accountability. All administrative sessions are brokered through a PAM jump server, which enforces MFA, credential checkout with time-limited TTL, and full session recording. TACACS+ provides command-level authorization based on the admin's role, denying unauthorized commands and logging every permitted command with user identity and timestamp. Break-glass emergency procedures are documented and audited, requiring post-incident review. Shared admin accounts are prohibited; every admin uses a unique identity.

Figure 3.7: Multi-Site Federation — Central IdP/AD with identity replication to HQ and branch sites; local RADIUS cache enables survivability during WAN outage

Organizations with multiple sites require a federated identity architecture that provides both centralized policy control and local survivability. The central IdP and AD serve as the authoritative identity source, with identity data replicated to local domain controllers at each site. Each site maintains a local RADIUS/TACACS+ server that caches policy decisions and can authenticate users independently during WAN outages. Policy synchronization ensures that changes made centrally propagate to all sites within a defined SLA. The architecture supports 8–30 sites with consistent policy enforcement regardless of WAN availability.

Figure 3.8: SIEM Identity Audit — SOC analysts monitor authentication event timeline, failed login heatmap, VLAN assignment analytics, and privileged access alerts from centralized SIEM platform

A comprehensive identity audit capability requires all authentication and authorization events to flow into a centralized SIEM with consistent log schemas, correlation IDs, and NTP-synchronized timestamps. The SIEM provides real-time dashboards for authentication event timelines, failed login heatmaps, VLAN assignment analytics, and privileged access alerts. SOAR playbooks automate incident response for high-confidence detections such as impossible travel, brute-force attacks, and unauthorized command execution. Log retention of 180–365 days supports forensic investigations and compliance reporting.