sync: auto-sync from HOWARD-HOME at 2026-06-24 11:50:01

Author: Howard Enos
Machine: HOWARD-HOME
Timestamp: 2026-06-24 11:50:01
2026-06-24 11:50:29 -07:00
parent 47c9441781
commit 5c77b88654
9 changed files with 428 additions and 12 deletions


@@ -54,9 +54,14 @@ Senior living community. Active project: HIPAA-compliant folder redirection GPO
## Pending / Next Up
**>> CANONICAL EXECUTION PLAN: `docs/REMAINING-WORK-PLAN.md`** (built 2026-06-24 from a live
AD+RMM domain-join diff). It sequences ALL remaining work — workstation domain migration,
users/departments/file-share access, HIPAA caregiver lockdown go-live, M365 relicense, server/RAID,
network tail — and maps every open Syncro ticket to its workstream. Work the migration from THAT doc.
**Open Syncro Tickets (folded into the engagement, 2026-06-24 — Howard review):**
These 7 open Cascades tickets are tracked todos #1#7 and roll up into the existing workstreams
(machine/user deployment into the domain + network/HIPAA lockdown). All are in Syncro status `New`.
These 7 open Cascades tickets are tracked todos #1#7 and roll up into the workstreams in the plan
above (machine/user deployment into the domain + network/HIPAA lockdown).
| Ticket | Workstream | Summary | Notes |
|--------|-----------|---------|-------|
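Review bot: the replacement pair of sentences drops "All are in Syncro status `New`" while leaving the rest of the paragraph unchanged; if that status statement is no longer true, say what the statuses are now, otherwise keep it, since the ticket map introduced by the plan tracks a status per ticket and the reader needs one source of truth. Minor: "todos #1#7" in both the old and new lines reads like a lost range separator ("#1-#7").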


@@ -0,0 +1,208 @@
# Cascades of Tucson — Remaining Work Plan (to completion)
> Consolidated execution plan tying the open Syncro tickets to the broader migration
> workstreams (workstations -> domain, users/departments, HIPAA caregiver lockdown).
> Built 2026-06-24 (Howard) from a live AD+RMM diff. Companion to `PROJECT_STATE.md`
> and `wiki/clients/cascades-tucson.md` (current truth, compiled 2026-06-23).
> Goal: finish the migration quickly by working it as one sequenced plan.
---
## Live snapshot — domain-join inventory (2026-06-24, AD vs RMM diff)
**Domain (`cascades.local`) — joined staff workstations (12):**
ACCT2-PC, CRYSTAL-PC, DESKTOP-DLTAGOI (Sharon/LE), DESKTOP-F94M8UT, DESKTOP-H6QHRR7,
DESKTOP-N5G1ROO (Chris Knight), DESKTOP-ROK7VNM, DESKTOP-U2DHAP0 (Ashley),
ASSISTNURSE-PC, NURSESTATION-PC, RECEPTIONIST-PC, MEGAN.
(Plus infra: CS-SERVER = DC, CS-QB = QB VM. Stale AD objects to clean: DESKTOP-1ISF081 (last logon 2025-03), AZUREADSSOACC is the Seamless-SSO object — leave.)
**In RMM but NOT domain-joined — still to migrate (~17):**
| Machine | User / role | Plan |
|---|---|---|
| ASSISTMAN-PC | Meredith Kuhn (on LOCAL acct `meredithk`) | Domain-join + migrate her to `cascades\Meredith.Kuhn` |
| ANN-PC | (verify user) | Join + OU + drives |
| DESKTOP-LPOPV30 | (verify) | Join + OU + drives |
| DESKTOP-MD6UQI3 | (verify, offline) | Join + OU + drives |
| MAINTENANCE-PC | Maintenance | Join -> OU=Maintenance |
| MDIRECTOR-PC | Shelby Trozzi (MC Director) | Join -> OU=Care-Memorycare |
| MEMRECEPT-PC | MC reception (shared) | Join -> OU=Shared PCs |
| NurseAssist | (distinct from ASSISTNURSE-PC) | Join or retire-as-dupe — verify |
| SALES4-PC | Sales | Join -> OU=Marketing |
| LAPTOP-8P7HDSEI | (verify) | Join or caregiver path |
| Health-Services-Director | vs AD `HEALTH-SERVICES` | Verify dup/rename before acting |
| **CHEF-PC** | Culinary (Chef JD) | **Ticket #32254** — reinstall Windows, THEN join -> OU=Culinary |
| DESKTOP-TRCIEJA | Lupe Sanchez | EOL — **replace machine** (decision 2026-06-18), join the replacement |
| DESKTOP-KQSL232 | Lois Lane | Resistant to migration; coordinate via John Trozzi |
| CascadesProxess | Proxess access-control appliance | Likely leave un-joined — verify it's an appliance |
| Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, Laptop4 | Caregiver shared laptops | Join via the **Caregiver Devices** path (Workstream 3), not the staff path |
**OU structure (built):** `OU=Departments` -> Administrative, Marketing, Care-Assisted Living
(+ Nurses), Care-Memorycare, Culinary, Housekeeping, Life Enrichment, Maintenance, Resident
Services, Transportation, Caregivers. `OU=Workstations` -> Staff PCs, Shared PCs,
`OU=Caregiver Devices` (under Staff PCs). Groups in `OU=Groups`.
---
## Workstream 1 — Workstation domain migration
**Goal:** every staff PC on `cascades.local` + GuruRMM + correct dept OU + mapped dept drives;
retire per-PC Synology Drive Client.
**Per-machine runbook** (scripts in `docs/migration/scripts/`):
1. `phase3-pre-join-verify.ps1` (OneDrive KFM unlinked, no poisoned shell folders, name OK)
2. `phase3-join-domain.ps1` -> join `cascades.local`
3. `phase3-post-join-verify.ps1`
4. Move computer object into the correct **department OU**
5. Confirm GuruRMM agent still checks in; migrate the user profile/data
6. Map department drives (Workstream 2); uninstall Synology Drive Client; delete local cache once clean
7. Log the change
**Tickets in this workstream:** #32194 (deploy spare machine for new hire — join + enroll + AD acct),
#32254 (Chef-PC reinstall then join).
### Device readiness audit (2026-06-24, live probe of 15 un-joined online machines)
| Machine | User | Edition | Readiness |
|---|---|---|---|
| DESKTOP-LPOPV30 | Karen Rossini | Win11 Pro | READY |
| MAINTENANCE-PC | Bruce Miller | Win11 Pro WS | READY |
| LAPTOP-E0STJJE8 | caregiver | Win11 Pro WS | READY (caregiver path) |
| ASSISTMAN-PC | Meredith Kuhn | Win11 Pro | pending reboot |
| ANN-PC | christina | Win11 Enterprise | pending reboot |
| Laptop2 | caregiver | Win11 Pro | pending reboot |
| CHEF-PC | Ramon Castaneda | Win11 Pro | do #32254 reinstall first |
| LAPTOP-8P7HDSEI | User | **Win10 Home** | BLOCKED: Home->Pro + OneDrive KFM ON |
| MDIRECTOR-PC | Shelby Trozzi | **Win11 Home** | BLOCKED: Home->Pro + reboot |
| MEMRECEPT-PC | memfrtdesk | **Win10 Home** | BLOCKED: Home->Pro + reboot |
| NurseAssist | Veronica | **Win11 Home** | BLOCKED: Home->Pro + KFM ON + reboot |
| SALES4-PC | Tamra (departing) | **Win11 Home** | BLOCKED: Home->Pro; Tamra leaving — repurpose? |
| LAPTOP-DRQ5L558 | caregiver | Win11 Pro WS | BLOCKED: off-network (public DNS, no DC reach) |
| DESKTOP-TRCIEJA | Lupe Sanchez | Win11 Pro | SKIP — EOL, being replaced |
| Health-Services-Director | Lois Lane | Win11 Pro WS | already domain-joined (= AD `HEALTH-SERVICES`) |
**Prep blockers / decisions (2026-06-24):**
- **5 machines on Windows Home cannot domain-join** until upgraded to Pro (need license keys):
LAPTOP-8P7HDSEI, MDIRECTOR-PC, MEMRECEPT-PC, NurseAssist, SALES4-PC. **Howard handling the
Home->Pro upgrades himself** (list DM'd 2026-06-24).
- **OneDrive KFM ON** (unlink before folder-redirect GPO): LAPTOP-8P7HDSEI, NurseAssist.
- **Pending reboots + KFM unlinks: held for onsite** (Howard) — disruptive to clear remotely.
- **LAPTOP-DRQ5L558** is off the Cascades network (8.8.8.8/1.1.1.1 DNS, no DC reachability) —
must be on-site/on-LAN before any join.
- Note: the legacy `phase3-pre-join-verify.ps1` hardcodes the DC at `192.168.2.254`; clients
actually reach it at `192.168.2.248` (the `.254` NIC is the Hyper-V vEthernet and does not
cleanly serve domain SMB) — update the script's target before reuse.
- Pro/Enterprise + internal machines are READY to join once reboots are cleared onsite:
DESKTOP-LPOPV30, MAINTENANCE-PC, ASSISTMAN-PC, ANN-PC, LAPTOP-E0STJJE8, Laptop2 (+ CHEF-PC after #32254).
---
## Workstream 2 — Users, departments & file-share access
**Goal:** every user in the right OU + `SG-*-RW` group; department drives mapped per the
access matrix; Synology retired as primary.
- Shares already created on CS-SERVER (`D:\Shares\...`): Management, Sales/SalesDept, Server,
Accounting, Culinary, Activities, directoryshare, IT, Receptionist, **Executive (NEW — Ashley+Meredith)**.
Confirm ALdocs/WebDocs/LifeEnrichment exist + NTFS per the matrix.
- Populate `SG-*-RW` groups per `docs/migration/share-access-matrix-2026-04-23.md`.
- Map dept drives per user via GPP/logon script (Receptionist drive = machine+user scoped, Tower desk only).
- **Close out the matrix open questions** (per-user interviews): Lois Lane, Karen Rossini, Susan Hicks,
John Trozzi, Lupe Sanchez, Shelby Trozzi, Matt Brooks, Christine Nyanzunda; `pacs`/Clinical-PHI
create-or-retire; `web` retire.
**Tickets:** #32193 (Executive restricted share — **DONE 2026-06-24**, E: mapped both machines),
#32230 (Karen Rossini -> ALDOCS on Synology — **recheck when she's in**, she was out 2026-06-24).
---
## Workstream 3 — HIPAA caregiver lockdown — GO-LIVE (highest value, mostly built)
Everything is built + validated on the pilot (NURSESTATION + pilot.test). Go-live = flip from
test scope to real caregivers, one device at a time. (Detail: wiki "Entra Access Architecture".)
1. Swap GPO `CSC - Caregiver Workstation` security filter `SG-Caregivers-Test` -> `SG-Caregivers`.
2. CA allow-list policy `1b7fd025`: test group `SG-Caregivers-DeviceTest` -> `SG-Caregivers`; disable the compliance-block policy `ede985e2`.
3. Move each caregiver machine into `OU=Caregiver Devices` + `SG-PC-MainTower`/`SG-PC-MemoryCare`
one at a time: Laptop2, LAPTOP-DRQ5L558, LAPTOP-E0STJJE8, ASSISTNURSE-PC, NURSESTATION-PC (+ verify NurseAssist/Laptop4).
4. ALIS email-match the 38 caregivers + medtechs (ALIS staff Email = Entra UPN); turn off ALIS-native 2FA per user.
5. Lower ALIS app session timeout 20 -> 15 min (Howard, ALIS admin).
6. **Reboot NURSESTATION-PC** to activate + verify the device-lockdown GPO (lock @3min, 90s warn, sign-out @15min).
---
## Workstream 4 — M365
- **Relicense 31 users Business Standard -> Business Premium** (Standard is SUSPENDED — time-sensitive).
- Create break-glass accounts (`breakglass1/2-csc@`) + enroll FIDO2 YubiKeys.
- Build audit retention (Log Analytics 90d + Storage 6yr) in `rg-audit-cascadestucson`.
---
## Workstream 5 — Server / infrastructure
- **Verify cloud backup** (MSP360 -> ACG-backup) first full completed + set retention. [GATE for RAID work]
- **CS-SERVER degraded OS RAID-1** -> replace with 2x 480 GB enterprise SATA SSD (gate on backup verified). Real fix = DC migration off the 16-yr-old R610.
- Clean up old-MSP agent sprawl (Datto RMM/CentraStage + Datto EDR/Infocyte) thrashing the spindle.
- Synology -> backup-only (Team Folder migration of the real shares; close the workgroup/Kerberos quirk).
- Rotate the Synology signin-portal credential (was committed plaintext historically).
---
## Workstream 6 — Network (mostly complete)
- **CSC ENT device-island consolidation (phones + Helpany on 5 GHz)** — repurpose CSC ENT as a
**5 GHz-only WPA2 PPSK** SSID and consolidate BOTH the Poly voice handsets (-> VLAN 30) and the
Helpany "Paul" radar sensors (-> new VLAN 40) onto it, separated at the VLAN layer. Gets both
off congested 2.4 GHz; keeps WPA2-only gear isolated so CSCNet can later move to WPA3/WiFi7/6GHz.
Supersedes the standalone "Voice 5 GHz lock" item below and the earlier "delete CSC ENT" idea
(deleting it would orphan the Pauls). Both vendors can move their devices remotely once we
provide the network. **Onsite gate: verify per-room 5 GHz coverage before the band flip**
(steel walls; weak-5GHz devices stay on 2.4). Full design + sequence:
`docs/network/csc-ent-device-island-plan.md`.
- Build VLAN 40 (Helpany, egress-only to `*.sedimentum.com` + snapcraft/ubuntu) on pfSense.
- Enable PPSK on CSC ENT: key `Ftfd85710#` -> VLAN 40 (Pauls keep SSID+key, not reprogrammed);
new voice key -> VLAN 30 (phones re-pointed by Howard/Richard).
- Flip CSC ENT to 5 GHz-only (`apply-wlan.sh ... bands 5g`) in a coordinated window; pilot a few
phones + Pauls, then full rollout.
- Helpany = Sandro Cilurzo / Eugenie Nicoud; Poly = Richard Turner (Vertical).
- **#32319** WiFi Room 343 — relocate a floor-2/4 AP for coverage (unifi-wifi skill, site `va6iba3v`).
- **#32342** Copy Room switch — install + adopt into UniFi.
- ~25 switch ports linked at 100 Mbps but gig-capable (cabling/NIC sweep).
- *(Superseded)* Voice 5 GHz lock — now folded into the CSC ENT consolidation above (single
dedicated 5 GHz network for phones + sensors, not just a phone-side band lock).
---
## Workstream 7 — Onsite peripheral
- **#32370** eFax setup (Karen & Christin) + portable scanner on both machines.
---
## Suggested sequence (fastest path)
1. **Today's onsite batch (Howard, on-site):** #32342 (Copy Room switch), #32319 (Room 343 AP),
#32370 (eFax + scanner), #32194 (spare machine for new hire), #32254 (Chef-PC reinstall+join);
#32230 (Karen -> ALDOCS) once she's in. **While onsite: verify per-room 5 GHz coverage** for the
CSC ENT device-island consolidation (Workstream 6) so the band flip can be scheduled with the
vendors.
2. **Caregiver lockdown go-live** (Workstream 3) — remote, highest HIPAA value, just needs the flip + per-device moves.
3. **M365 relicense 31 users** (Workstream 4) — time-sensitive.
4. **Backup verify -> RAID replacement** (Workstream 5) — critical single-DC risk.
5. **Remaining staff domain joins + dept drives** (Workstreams 1+2) — batch the ~17 un-joined PCs, OU + drives per machine.
6. Network tail (Vertical 5 GHz, 100 Mbps ports) + M365 break-glass/audit retention.
---
## Open Syncro tickets -> workstream map
| Ticket | Workstream | Status |
|---|---|---|
| #32193 Executive restricted share | 2 | **DONE 2026-06-24** (E: both machines, billed 0.5h block) |
| #32194 spare machine for new hire | 1 | Open — onsite |
| #32230 Karen -> ALDOCS | 2 | Open — recheck when she's in |
| #32254 Chef-PC reinstall | 1 | Open — onsite (then domain-join) |
| #32319 WiFi Room 343 | 6 | Open — onsite |
| #32342 Copy Room switch | 6 | Open — onsite |
| #32370 eFax + scanner | 7 | Open — onsite |
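Review bot: the "Enable PPSK on CSC ENT" bullet in Workstream 6 embeds the literal WPA2 PSK in a repository document, in the same file that lists rotating a previously committed-plaintext credential as a Workstream 5 task; replace the inline value with the vault path the companion plan names (`clients/cascades-tucson/wifi-csc-ent`) and treat the key as one that needs rotation now that it has been committed. Second, runbook step 1 runs `phase3-pre-join-verify.ps1`, while the blockers list notes that the script hardcodes the DC at `192.168.2.254` instead of `192.168.2.248`; make fixing the script an explicit step before step 1 (or a gate on the batch) so the ~17 joins do not start against the wrong address. Third, `Health-Services-Director` sits in the "NOT domain-joined" table with "verify dup/rename" but the readiness audit says "already domain-joined (= AD `HEALTH-SERVICES`)"; resolve this to one statement. Fourth, Workstream 3 step 2 disables the compliance-block CA policy `ede985e2` without saying whether that is temporary for go-live or permanent, or what enforces device compliance for caregivers afterwards; state the intent and the condition for re-enabling it.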


@@ -0,0 +1,149 @@
# Cascades — CSC ENT Device-Island Consolidation (Phones + Helpany on 5 GHz)
> **Decision (2026-06-24, Howard + Mike):** Repurpose the existing **CSC ENT** SSID as the
> permanent **WPA2 / 5 GHz-only device island** and consolidate BOTH the Poly voice handsets
> and the Helpany "Paul" sensors onto it, separated at the VLAN layer via Private PSK (PPSK).
> This gets both device classes off congested 2.4 GHz, keeps the WPA2-only gear on its own
> network, and clears the path to eventually move **CSCNet** to WPA3 / WiFi 7 / 6 GHz.
>
> Companion to `network-optimization-master-plan.md`, `voice-vlan-cutover.md`,
> `2026-06-19-vertical-5ghz-lock-request.md`, and `docs/REMAINING-WORK-PLAN.md` (Workstream 6).
---
## Why (background)
Two separate vendor threads converged on the **same** fix — a dedicated 5 GHz SSID:
- **Poly voice handsets (Vertical / Richard Turner):** several Polys sit on saturated 2.4 GHz
despite excellent 5 GHz signal; UniFi band steering (`no2ghz_oui`, already ON) does **not**
hold the Poly OUI (`48:25:67`) on 5 GHz. Richard (2026-06-24): phones can't be statically
pinned to a band; Poly recommends a **separate 5 GHz SSID** for the phones (or disabling band
steering on a shared SSID so the phone targets 5 GHz itself). See
`2026-06-19-vertical-5ghz-lock-request.md`.
- **Helpany "Paul" sensors (Sandro Cilurzo / Eugenie Nicoud):** the room devices are **radar
fall/motion sensors** (Sedimentum backend — *no camera, no microphone*), currently programmed
onto **CSC ENT** (WPA2, key `Ftfd85710#`) and landing on 2.4 GHz. Per Sandro (email
2026-06-19): *"Do you have a dedicated 5 GHz network with a separate SSID? If so we can
remotely transition the Paul devices to that network... we'd need the SSID and password... if
5 GHz is not available or the signal is not strong enough, the devices default to 2.4 GHz."*
Helpany's engineering performs the band transition **remotely** once we provide the network.
CSC ENT was **deliberately kept as a WPA2 WiFi5 island** by Mike back in March 2026 precisely so
the WPA2-only Helpany gear had a home while CSCNet moves to newer standards (*"CSCNet is slated
to be converted to WiFi7 and will not be compatible with their devices — CSC ENT will remain
WiFi5 and is the correct network for them to use."*). This plan formalizes and extends that role.
---
## Hard constraints (vendor-stated)
- **Helpany is WPA2-only** — explicitly **NOT** WPA3 or hybrid WPA2/WPA3 (*"we don't support
hybrid, only WPA2"*). The device SSID must stay WPA2-PSK.
- **5 GHz has shorter range** than 2.4 GHz. Both vendors warn: a device with weak 5 GHz signal
will fall back to 2.4 GHz or be orphaned. **Per-room 5 GHz coverage must be verified before
transitioning** (Cascades is 6 floors with steel hallway walls). Leave any weak-signal device
on 2.4 rather than force it.
- **Reprogramming is painful on Helpany's side** — they can't reach offline devices, and key
rotations need **72 h notice + the new key**. The SSID/password must be right and stable.
- **Helpany bandwidth is negligible:** < 0.04 Mbps per Paul device; whole fleet ~0.38 Mbps low /
0.75 avg / **1.35 Mbps peak** (peaks ~11:00 AM & 7:00 PM). No capacity threat to voice.
---
## Target design
Repurpose CSC ENT; **no new SSID** (Pauls keep their current SSID + key, so they are NOT
reprogrammed — only band-moved by Helpany).
| Network | Band / Security | Mechanism | Clients | VLAN |
|---|---|---|---|---|
| **CSC ENT** (repurposed) | **5 GHz-only, WPA2-PSK** | **PPSK** | Poly voice handsets | **VLAN 30** (existing voice, keep) |
| | | | Helpany Paul sensors | **VLAN 40** (new, sensors) |
| **CSCNet** | 2.4 + 5 GHz, WPA2 (today) | PPSK (per-room) | residents + staff IoT/TVs | per-room VLANs (unchanged) |
| **Guest** | 2.4 + 5 GHz, WPA2 | — | guests | VLAN 50 (unchanged) |
**PPSK key map on CSC ENT:**
- Existing key `Ftfd85710#` -> **VLAN 40** (Helpany). Pauls keep SSID + password unchanged.
- New voice key -> **VLAN 30** (phones). Howard/Richard re-point the Polys to this key.
**Only structural change to CSC ENT itself:** flip `wlan_bands` from `[2g,5g]` to `[5g]` and
enable PPSK. The band flip is the step requiring vendor coordination + the coverage check.
### New VLAN 40 (Helpany sensors) — egress-only, isolated like VLAN 30
Mirror the Voice VLAN 30 isolation model: internet/cloud egress only; firewalled off PHI, main
LAN, voice, and resident VLANs (HIPAA). Required outbound destinations (Helpany / Sedimentum,
Ubuntu/snap based):
| Port | Proto | Destinations |
|---|---|---|
| 5671 | AMQPS (SSL) | `*.sedimentum.com` |
| 8883 | MQTT | `*.sedimentum.com` |
| 8030 | HTTP | `*.sedimentum.com` |
| 443 | HTTPS | `*.sedimentum.com`, `snapcraft.io`, `api.snapcraft.io`, `public.apps.ubuntu.com`, `fastly.cdn.snapcraft.io` |
(VLAN 40 = proposed; confirm it is free on pfSense/UniFi before use. Existing VLANs: 1, 20, 30,
50, 999, room VLANs 101-631; "CSC Internal Network" VLAN 10 is a suspected orphan to verify.)
### Why this shape
- **One SSID via PPSK** = minimal beacon airtime on a dense 77-AP site (vs. two separate SSIDs).
- **Pauls not reprogrammed** — same SSID + key, only a remote band move.
- **VLAN separation** keeps voice QoS (DSCP EF) and HIPAA isolation intact; sensor data never
mixes with voice.
- CSC ENT stays the **WPA2 island**, so a future CSCNet WPA3 migration doesn't touch this gear.
---
## Execution sequence
1. **Build VLAN 40** on pfSense (igc1.40, DHCP scope, DNS) + firewall egress rules above; mirror
VLAN 30 isolation.
2. **Enable PPSK on CSC ENT**; add keys: `Ftfd85710#` -> VLAN 40, new voice key -> VLAN 30.
3. **[ONSITE GATE] Verify 5 GHz coverage** in the rooms where Pauls + phones live (per-floor,
account for steel walls). Use `unifi-wifi` skill (`live-stats.sh --clients`, `watch-ap.sh`).
4. **Flip CSC ENT to 5 GHz-only** (`apply-wlan.sh <site> bands 5g --wlan <CSC ENT>`), coordinated
with both vendors during a change window.
5. **Vendors transition their devices:**
- **Helpany** remotely moves the Pauls to 5 GHz (we hand them: SSID `CSC ENT`, key
`Ftfd85710#` — unchanged; they confirm strong 2.4 signal per-device first).
- **Poly/Vertical** (Richard) — phones re-pointed to CSC ENT + the new voice key. Howard can
do the phone-side SSID change directly.
6. **Pilot first:** move 2-3 phones + bring up a few Pauls on 5 GHz; verify association +
stability before the full fleet.
7. **Full rollout** of remaining phones + Pauls.
8. **(Optional cleanup)** investigate the stray `element-5b32...` SSID on the controller and the
orphan "CSC Internal Network" VLAN 10; remove if unused (more airtime/clarity back).
**We do NOT delete CSC ENT** — it becomes the permanent device island. (Supersedes the earlier
"delete CSC ENT" idea, which would have orphaned the Pauls.)
---
## Future (separate project) — CSCNet -> WPA3 / WiFi 7 / 6 GHz
- WiFi 7 on 2.4/5 GHz already works on WPA2 (U7-Pro APs). The thing WPA3 unlocks is the **6 GHz
band** (6 GHz mandates WPA3 + PMF) — the largest untapped clean capacity at the site.
- Moving phones + Pauls onto CSC ENT is a **prerequisite**, but the real blocker for CSCNet -> WPA3
is the **~230 resident PPSK clients** (TVs / legacy IoT, many 2.4-only / WPA2-only). That
migration needs its own resident-device impact survey and is **not** gated by the voice/sensor
gear.
---
## Vendor contacts
- **Poly / Vertical:** Richard Turner <RTurner@vertical.com>
- **Helpany:** Sandro Cilurzo (CEO) <sandro.cilurzo@helpany.com>; Eugenie Nicoud (COO)
<eugenie.nicoud@helpany.com>
- **Facility liaison:** John Trozzi (Facilities Director) <john.trozzi@cascadestucson.com>
## Credentials
- **CSC ENT / CSCNet WPA2 key:** `Ftfd85710#` (vault: `clients/cascades-tucson/wifi-cscnet`;
confirm a CSC-ENT-specific entry exists or add `clients/cascades-tucson/wifi-csc-ent`).
- **New voice PPSK key (VLAN 30):** to be generated + vaulted at
`clients/cascades-tucson/wifi-voice-ppsk` when created.
## Open items / decisions
1. Confirm VLAN 40 is free (and whether VLAN 10 "CSC Internal Network" is an orphan to reclaim).
2. PPSK-on-one-SSID (recommended) vs. two separate 5 GHz SSIDs — confirm approach.
3. Schedule the coordinated change window with Poly/Vertical + Helpany.
4. Per-room 5 GHz coverage verification (onsite) — the gating task.
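Review bot: the Credentials section and four other places in this plan (the Helpany bullet under Why, the PPSK key map, and execution steps 2 and 5) carry the literal WPA2 PSK even though the section already names the vault entry; keep only the vault reference. The same section states this key is also the CSCNet key, so once PPSK maps it to VLAN 40 anyone holding the shared legacy key can associate to CSC ENT and land on VLAN 40, leaving the VLAN 40 egress rules as the only control; that argues for a Helpany-specific key at the next rotation, planned with the 72 h notice the vendor requires. Second, step 5 has Helpany "confirm strong 2.4 signal per-device first", but the hard constraint and step 3 are about 5 GHz coverage; this looks like a typo for 5 GHz and should be fixed before the text is handed to the vendor. Third, the VLAN 40 egress table lists `*.sedimentum.com` as a destination; pfSense host aliases resolve named hostnames rather than wildcard patterns, so either obtain the concrete hostnames or address ranges from Helpany or document the mechanism that will implement the wildcard. Finally, the 443 row also permits `snapcraft.io` and related hosts; say whether snap updates are needed during normal operation or only at provisioning so the rule can be tightened once devices are online.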


@@ -4,7 +4,7 @@
| SSID | Network Assignment | AP Group | Bands | Security | Purpose |
|------|-------------------|----------|-------|----------|---------|
| **CSCNet** | 238 Networks (per-room VLANs) | All APs | 2.4 + 5 GHz | WPA2 | Primary SSID — residents + staff. VLAN assignment handled at UniFi controller level (per-AP network mapping), NOT via RADIUS/NPS. NPS on CS-SERVER has only default deny policies, no RADIUS clients, and no VLAN attributes configured. |
| **CSC ENT** | Native Network (Default LAN, 192.168.0.0/22) | All APs | 2.4 + 5 GHz | WPA2 | Legacy staff WiFi — many machines still on this SSID. Must keep functional (LAN access to servers/printers) until all devices migrate to CSCNet (INTERNAL VLAN). Remove after migration complete. |
| **CSC ENT** | Native Network (Default LAN, 192.168.0.0/22) | All APs | 2.4 + 5 GHz | WPA2 | Legacy staff WiFi + the WPA2 island for WPA2-only devices (Helpany "Paul" sensors, key `Ftfd85710#`). **PLANNED (2026-06-24): repurpose as the 5 GHz-only WPA2 PPSK device island** — phones -> VLAN 30, Helpany -> VLAN 40. **Do NOT delete** (would orphan the Pauls). See `csc-ent-device-island-plan.md`. |
| **Guest** | Guest (VLAN 50, 10.0.50.0/24) | All APs | 2.4 + 5 GHz | WPA2 | Guest WiFi — isolated from all internal networks (moved from Default LAN 2026-03-06) |
## UniFi Network Definitions
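Review bot: the replacement row keeps "Legacy staff WiFi" but drops the old row's caveat that many machines still use CSC ENT for LAN access to servers and printers; under the companion plan the existing key becomes the PPSK that maps to the egress-only VLAN 40, so every legacy staff client still on this SSID loses LAN access the moment PPSK is enabled. Either state here that staff devices must move to CSCNet before the PPSK step, or keep the caveat. The row also inlines the WPA2 PSK in a document table; point to the vault entry instead.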
@@ -46,8 +46,12 @@ WPA3 is not enabled on any SSID. WPA2 is acceptable but WPA3-transitional mode w
**Fix:** Create firewall rules restricting kitchen iPad MACs to kitchen thermal printer IPs only. Block access to staff VLAN, servers, and Synology. Allow internet for app updates. See `security/hipaa.md`.
### 5. No Band Steering or Separate SSIDs (Low)
All SSIDs broadcast on both 2.4 and 5 GHz. Band steering should be enabled (if not already) to push capable devices to 5 GHz for better performance, especially in high-density areas like the Dining Room.
### 5. No Band Steering or Separate SSIDs (Low) — being addressed
Band steering (`no2ghz_oui`) is in fact ON on CSCNet/CSC ENT/Guest, but it does **not** reliably
hold the Poly voice OUI (`48:25:67`) or the Helpany sensors on 5 GHz — they land on congested 2.4.
**Fix in progress (2026-06-24):** rather than rely on steering, give the voice + sensor devices a
dedicated **5 GHz-only WPA2 SSID** by repurposing CSC ENT (PPSK -> VLAN 30 phones / VLAN 40 Helpany).
Full plan: `csc-ent-device-island-plan.md`.
## Migration Plan — WiFi Changes (Phase 1.1)
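Review bot: the rewritten finding describes the fix as in progress but omits the risk the companion plan lists as a hard constraint, namely that a 5 GHz-only SSID orphans any phone or sensor with weak 5 GHz signal and that per-room coverage verification is the gating task; add that gate to the "Fix in progress" line. The finding also keeps its Low rating although the observation changed from "should be enabled" to "enabled but ineffective for these devices"; say whether the rating still stands.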