Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:
Clients (structured MSP docs under clients/<name>/docs/):
- anaise (NEW) - 13 files
- cascades-tucson - 47 files merged (existing had only reports/)
- dataforth - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa (NEW) - 22 files, multi-site (camden, river)
- kittle (NEW) - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template - 13-file scaffold for new clients
MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/ - clean_printer_ports, win11_upgrade,
screenconnect-toolbox-commands
Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
no other credentials found
Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
(identical duplicates of msp-audit-scripts versions)
Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)
Session log: session-logs/2026-04-16-howard-client-docs-import.md
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
WiFi Configuration (UniFi)
SSIDs (3)
| SSID | Network Assignment | AP Group | Bands | Security | Purpose |
|---|---|---|---|---|---|
| CSCNet | 238 Networks (per-room VLANs) | All APs | 2.4 + 5 GHz | WPA2 | Primary SSID — residents + staff. VLAN assignment handled at UniFi controller level (per-AP network mapping), NOT via RADIUS/NPS. NPS on CS-SERVER has only default deny policies, no RADIUS clients, and no VLAN attributes configured. |
| CSC ENT | Native Network (Default LAN, 192.168.0.0/22) | All APs | 2.4 + 5 GHz | WPA2 | Legacy staff WiFi — many machines still on this SSID. Must keep functional (LAN access to servers/printers) until all devices migrate to CSCNet (INTERNAL VLAN). Remove after migration complete. |
| Guest | Guest (VLAN 50, 10.0.50.0/24) | All APs | 2.4 + 5 GHz | WPA2 | Guest WiFi — isolated from all internal networks (moved from Default LAN 2026-03-06) |
UniFi Network Definitions
Infrastructure Networks
| Network Name | VLAN ID | Gateway | Subnet | Notes |
|---|---|---|---|---|
| Default | 1 (native) | Third-party (pfSense) | 192.168.0.0/22 | Main LAN — servers, infra, APs |
| Guest | 50 | Third-party (pfSense) | 10.0.50.0/24 | Guest WiFi isolation (added 2026-03-06) |
| CSC Internal Network | 10 | Third-party (pfSense) | - | Mismatch: pfSense has INTERNAL on VLAN 20, not 10 |
| Internal | 20 | Third-party (pfSense) | - | Staff VLAN (10.0.20.0/24) — matches pfSense |
| 999 - Test | 999 | Third-party (pfSense) | - | GuruTestNet |
Room VLANs (238 total)
All room VLANs are defined in UniFi as "Third-party Gateway" networks. VLAN IDs match room numbers.
- Floor 1 (44): 101-149 (missing: 113, 114, 139, 141)
- Floor 2 (46): 201-249 (missing: 213, 214, 239)
- Floor 3 (48): 301-350 (missing: 313, 314)
- Floor 4 (47): 401-449 (missing: 413, 414)
- Floor 5 — MemCare (21): 501-522 (missing: 513)
- Floor 6 — MemCare (29): 603-631
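Because the room VLAN IDs are derived from room numbers, the floor ranges and their exclusion lists are the source of truth for 200-plus VLAN definitions, and any slip in them propagates into port profiles and pfSense interfaces. The check below is an added example (not part of the client documentation or the UniFi export): it rebuilds the inventory from the ranges transcribed from the list above, rejects duplicates and collisions with the infrastructure VLANs, and compares the computed per-floor counts with the figures stated in parentheses. Run as written it flags Floor 1 (44 documented, 45 rooms in the range once the four gaps are removed) and the total (238 documented, 236 computed), so the list and the counts should be reconciled against the controller before anything is provisioned from them.

```python
"""Rebuild the room-VLAN inventory from the documented floor ranges and check
it against the documented counts. Added example; floor data is transcribed
from the documentation, nothing is read from a live controller."""

# Infrastructure VLANs from the UniFi network table; room VLANs must not reuse them.
INFRA_VLANS = {1: "Default", 10: "CSC Internal Network", 20: "Internal",
               50: "Guest", 999: "999 - Test"}

# (label, first room, last room, rooms absent from the list, documented count)
FLOORS = [
    ("Floor 1", 101, 149, {113, 114, 139, 141}, 44),
    ("Floor 2", 201, 249, {213, 214, 239}, 46),
    ("Floor 3", 301, 350, {313, 314}, 48),
    ("Floor 4", 401, 449, {413, 414}, 47),
    ("Floor 5 - MemCare", 501, 522, {513}, 21),
    ("Floor 6 - MemCare", 603, 631, set(), 29),
]
DOCUMENTED_TOTAL = 238


def room_vlans(first, last, missing):
    """VLAN IDs for one floor: every room number in the range except the gaps."""
    return sorted(set(range(first, last + 1)) - set(missing))


def build_inventory():
    """Map VLAN ID -> floor label for every room VLAN.

    Raises on a duplicate ID, an ID outside the usable 802.1Q range, or a
    collision with one of the infrastructure VLANs.
    """
    inventory = {}
    for label, first, last, missing, _documented in FLOORS:
        for vid in room_vlans(first, last, missing):
            if not 2 <= vid <= 4094:
                raise ValueError(f"VLAN {vid} is outside the usable 802.1Q range")
            if vid in INFRA_VLANS:
                raise ValueError(f"room VLAN {vid} collides with {INFRA_VLANS[vid]}")
            if vid in inventory:
                raise ValueError(f"duplicate room VLAN {vid} ({inventory[vid]}, {label})")
            inventory[vid] = label
    return inventory


def count_discrepancies():
    """Compare computed per-floor counts and the grand total with the documented
    figures. Returns a list of (label, documented, computed) for each mismatch;
    an empty list means the documentation is internally consistent."""
    findings = []
    total = 0
    for label, first, last, missing, documented in FLOORS:
        computed = len(room_vlans(first, last, missing))
        total += computed
        if computed != documented:
            findings.append((label, documented, computed))
    if total != DOCUMENTED_TOTAL:
        findings.append(("Total", DOCUMENTED_TOTAL, total))
    return findings


if __name__ == "__main__":
    build_inventory()  # raises if the ranges overlap or reuse an infra VLAN
    for label, documented, computed in count_discrepancies():
        print(f"{label}: documented {documented}, computed {computed}")
```

The inventory dictionary is also a convenient input for scripting the UniFi networks or pfSense VLAN interfaces later, which is why the function refuses to return anything when the data is inconsistent rather than silently dropping a room.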
Issues
1. Guest WiFi on Native LAN — NO ISOLATION (High) FIXED 2026-03-06
Guest SSID moved to VLAN 50 (10.0.50.0/24) with internet-only firewall rules. All RFC1918 ranges blocked. DHCP scope: 10.0.50.50–10.0.50.239 (190 addresses). Needs onsite testing to verify isolation.
2. CSC Internal Network VLAN Mismatch (Medium)
UniFi defines "CSC Internal Network" as VLAN 10, but pfSense has the INTERNAL interface on VLAN 20 (igc1.20, 10.0.20.0/24). UniFi also has "Internal" on VLAN 20 (correct). The VLAN 10 network may be unused/orphaned, or it could cause tagging issues if any port or SSID references it.
Fix: Verify if VLAN 10 is used anywhere. If not, delete "CSC Internal Network" from UniFi to avoid confusion.
3. All SSIDs Use WPA2 Only (Low)
WPA3 is not enabled on any SSID. WPA2 is acceptable, but WPA3 transition mode (WPA2/WPA3 mixed on the same SSID) would let newer clients authenticate with WPA3 while older WPA2-only devices still connect.
4. Kitchen iPads Not Restricted (Medium — Security)
9 kitchen iPads are on INTERNAL VLAN (10.0.20.x) with full access to staff resources. They are food-service only (NOT medical) — used for taking orders and printing to kitchen thermal receipt printers. They should be restricted to kitchen printer access only to prevent lateral movement into PHI networks if a device is compromised.
Fix: Create firewall rules restricting kitchen iPad MACs to kitchen thermal printer IPs only. Block access to staff VLAN, servers, and Synology. Allow internet for app updates. See security/hipaa.md.
5. No Band Steering or Separate SSIDs (Low)
All SSIDs broadcast on both 2.4 and 5 GHz. Band steering should be enabled (if not already) to push capable devices to 5 GHz for better performance, especially in high-density areas like the Dining Room.
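Issues 1 and 4 above are both first-match firewall policies on pfSense, and both have the same trap: the "block all RFC1918" rule must sit below the narrow allows (DNS to the gateway, the printer IPs) or it swallows them, because the gateway and the printers are RFC1918 addresses too. The model below is an added example, not the client's pfSense configuration: it evaluates a rule list the way pfSense evaluates interface rules (first match wins, implicit default deny) and probes it with constructed flows. The guest subnet, INTERNAL subnet and server LAN come from the tables above; the gateway addresses, the kitchen printer IPs, the iPad address block and the printer ports are assumed placeholders. Because pfSense layer-3 rules match on IP, not MAC, the iPads are pinned with static DHCP mappings and referenced as an IP alias, which is what `KITCHEN_IPADS` stands in for. Onsite testing on the real firewall is still required; this only catches ordering mistakes before they are typed in.

```python
"""First-match firewall policy model for the guest isolation and kitchen iPad
restrictions. Added example; all addresses marked 'assumed' are placeholders."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def nets(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


RFC1918 = nets("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ANY = nets("0.0.0.0/0")
GUEST_NET = nets("10.0.50.0/24")          # documented Guest VLAN 50
GUEST_GW = nets("10.0.50.1/32")           # assumed pfSense address on VLAN 50
INTERNAL_NET = nets("10.0.20.0/24")       # documented INTERNAL VLAN 20
INTERNAL_GW = nets("10.0.20.1/32")        # assumed pfSense address on VLAN 20
KITCHEN_IPADS = nets("10.0.20.192/28")    # assumed alias of the 9 static DHCP mappings
KITCHEN_PRINTERS = nets("10.0.20.240/32", "10.0.20.241/32")  # assumed receipt printer IPs
PRINTER_PORTS = frozenset({9100, 631})    # raw JetDirect / IPP, assumed


@dataclass
class Rule:
    action: str                           # "pass" or "block"
    src: List[ipaddress.IPv4Network]
    dst: List[ipaddress.IPv4Network]
    ports: Optional[frozenset]            # None matches any destination port
    label: str

    def matches(self, src, dst, port) -> bool:
        return (any(src in n for n in self.src)
                and any(dst in n for n in self.dst)
                and (self.ports is None or port in self.ports))


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> Tuple[str, str]:
    """Return (action, label) of the first matching rule; pfSense drops anything
    no rule passes, so an empty match is a block."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, port):
            return rule.action, rule.label
    return "block", "implicit default deny"


# Guest interface: narrow allow first, then the RFC1918 block, then internet.
# (DHCP to the interface address is allowed automatically by pfSense when its
# DHCP server is enabled on the interface, so only DNS needs an explicit pass.)
GUEST_RULES = [
    Rule("pass", GUEST_NET, GUEST_GW, frozenset({53}), "guest: DNS to gateway"),
    Rule("block", GUEST_NET, RFC1918, None, "guest: block all RFC1918"),
    Rule("pass", GUEST_NET, ANY, None, "guest: internet only"),
]

# INTERNAL interface: iPad rules must be ABOVE the general staff pass rule.
INTERNAL_RULES = [
    Rule("pass", KITCHEN_IPADS, KITCHEN_PRINTERS, PRINTER_PORTS, "ipads: receipt printers"),
    Rule("pass", KITCHEN_IPADS, INTERNAL_GW, frozenset({53}), "ipads: DNS to gateway"),
    Rule("block", KITCHEN_IPADS, RFC1918, None, "ipads: no other internal access"),
    Rule("pass", KITCHEN_IPADS, ANY, None, "ipads: internet for app updates"),
    Rule("pass", INTERNAL_NET, ANY, None, "staff: default allow"),
]


def misordered_guest_rules() -> List[Rule]:
    """The same guest rules with the RFC1918 block placed first. The gateway is
    itself an RFC1918 address, so guest DNS now hits the block rule."""
    return [GUEST_RULES[1], GUEST_RULES[0], GUEST_RULES[2]]


def isolation_report(rules, src, probes):
    """Map (dst, port) -> action for a list of probe flows from one source."""
    return {(dst, port): evaluate(rules, src, dst, port)[0] for dst, port in probes}


if __name__ == "__main__":
    probes = [("10.0.50.1", 53), ("192.168.1.10", 445), ("10.0.20.15", 3389), ("203.0.113.10", 443)]
    for rules_name, rules in (("correct", GUEST_RULES), ("misordered", misordered_guest_rules())):
        print(rules_name, isolation_report(rules, "10.0.50.77", probes))
```

The probe addresses 192.168.1.10 (a host on the documented 192.168.0.0/22 server LAN) and 203.0.113.10 (a documentation-range address standing in for the internet) are constructed. When the real rules are written, the onsite test from a guest client should be the same four flows: DNS to the gateway works, the server LAN and INTERNAL VLAN are unreachable, and a public site loads.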
Migration Plan — WiFi Changes (Phase 1.1)
Guest SSID → VLAN 50
The Guest SSID will be reassigned from the Default (native LAN) network to a new Guest network on VLAN 50 (10.0.50.0/24). This isolates guest traffic from all internal resources.
UniFi changes:
- Create "Guest" network: VLAN 50, third-party gateway
- Change Guest SSID network assignment: Default → Guest (VLAN 50)
Note: Guest WiFi will briefly disconnect during SSID reassignment.
Delete CSC Internal Network (VLAN 10)
After verifying VLAN 10 is not referenced by any port profile or SSID, delete "CSC Internal Network" from UniFi to avoid confusion with the correct "Internal" network on VLAN 20.
See migration/phase1-network.md for full steps.
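The "verify VLAN 10 is not referenced" step is the one most easily skipped, and a network that is still the native network of a port profile or the assignment of an SSID cannot be removed cleanly. The script below is an added example, not part of the migration runbook or the UniFi controller: it runs over exported network, WLAN, port-profile and device records and lists every place a named network is referenced, and it also reports UniFi VLANs with no matching pfSense interface (the mismatch behind issue 2). The records are constructed samples; the field names (`_id`, `vlan`, `vlan_enabled`, `networkconf_id`, `native_networkconf_id`, `tagged_networkconf_ids`, `wlan_overrides`) are assumed to follow the controller's REST export and should be checked against a real export before relying on the output. The pfSense VLAN list contains only the two VLANs the documentation names (20 on igc1.20 and 50 for guests).

```python
"""Pre-deletion reference check for a UniFi network, plus a UniFi-vs-pfSense
VLAN comparison. Added example over constructed controller exports; the
field names are assumptions to be checked against a real export."""

# --- constructed sample exports (not the client's data) ----------------------
NETWORKCONF = [
    {"_id": "n-default", "name": "Default", "vlan_enabled": False},
    {"_id": "n-guest", "name": "Guest", "vlan_enabled": True, "vlan": 50},
    {"_id": "n-cscint", "name": "CSC Internal Network", "vlan_enabled": True, "vlan": 10},
    {"_id": "n-internal", "name": "Internal", "vlan_enabled": True, "vlan": 20},
    {"_id": "n-test", "name": "999 - Test", "vlan_enabled": True, "vlan": 999},
]
WLANCONF = [
    {"_id": "w-cscnet", "name": "CSCNet", "networkconf_id": "n-default"},
    {"_id": "w-ent", "name": "CSC ENT", "networkconf_id": "n-default"},
    {"_id": "w-guest", "name": "Guest", "networkconf_id": "n-guest"},
]
PORTCONF = [
    {"_id": "p-trunk", "name": "AP Trunk", "native_networkconf_id": "n-default",
     "tagged_networkconf_ids": ["n-guest", "n-internal"]},
    {"_id": "p-staff", "name": "Staff Desk", "native_networkconf_id": "n-internal",
     "tagged_networkconf_ids": []},
]
DEVICES = [  # per-AP SSID overrides, the mechanism the SSID table describes
    {"name": "AP-Room-101", "wlan_overrides": [{"wlan_id": "w-cscnet", "vlan_enabled": True, "vlan": 101}]},
]
PFSENSE_VLANS = {20: "INTERNAL", 50: "GUEST"}  # documented igc1.20 and the guest VLAN


def find_network(networkconf, name):
    matches = [n for n in networkconf if n["name"] == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one network named {name!r}, found {len(matches)}")
    return matches[0]


def references_to(network, wlanconf, portconf, devices):
    """Every SSID, port profile or AP override that still points at `network`,
    either by controller id or (for AP overrides) by numeric VLAN id."""
    nid, vid = network["_id"], network.get("vlan")
    refs = []
    for w in wlanconf:
        if w.get("networkconf_id") == nid:
            refs.append(f"SSID {w['name']}: network assignment")
    for p in portconf:
        if p.get("native_networkconf_id") == nid:
            refs.append(f"port profile {p['name']}: native network")
        if nid in p.get("tagged_networkconf_ids", []):
            refs.append(f"port profile {p['name']}: tagged network")
    for d in devices:
        for o in d.get("wlan_overrides", []):
            if o.get("vlan_enabled") and o.get("vlan") == vid:
                refs.append(f"AP {d['name']}: override on wlan {o['wlan_id']}")
    return refs


def safe_to_delete(name, networkconf=NETWORKCONF, wlanconf=WLANCONF,
                   portconf=PORTCONF, devices=DEVICES):
    """True only when nothing references the named network."""
    return not references_to(find_network(networkconf, name), wlanconf, portconf, devices)


def unifi_vlans_missing_on_pfsense(networkconf=NETWORKCONF, pfsense=PFSENSE_VLANS):
    """VLAN id -> UniFi network name for tagged networks pfSense has no interface for."""
    return {n["vlan"]: n["name"] for n in networkconf
            if n.get("vlan_enabled") and n["vlan"] not in pfsense}


if __name__ == "__main__":
    for name in ("CSC Internal Network", "Internal"):
        refs = references_to(find_network(NETWORKCONF, name), WLANCONF, PORTCONF, DEVICES)
        print(f"{name}: {'safe to delete' if not refs else 'referenced by ' + '; '.join(refs)}")
    print("UniFi VLANs with no pfSense interface:", unifi_vlans_missing_on_pfsense())
```

In the sample the VLAN 10 network is unreferenced and the correct VLAN 20 network is pinned by the Staff Desk profile and the trunk, which is the outcome the runbook expects; the comparison function lists VLAN 10 and the 999 test VLAN as present in UniFi but absent from pfSense. Room VLANs would also appear in that list unless the pfSense side is extended with the room interfaces, so the comparison is most useful once Phase 1 is complete.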