Skip to content

Add Protect section: Wireless, Wired, and SSH for GitHub use-case guides#529

Draft
joshdrake wants to merge 7 commits into
mainfrom
josh/use-case-docs
Draft

Add Protect section: Wireless, Wired, and SSH for GitHub use-case guides#529
joshdrake wants to merge 7 commits into
mainfrom
josh/use-case-docs

Conversation

@joshdrake

@joshdrake joshdrake commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

What this does

Adds a new Protect section to the Platform nav with three self-contained, API-first use-case guides, each following the same outline — configure credential issuance (API) → configure the enforcement point → configure clients (agent- or MDM-managed):

  • tutorials/protect-wireless-networks.mdx — 802.1X EAP-TLS Wi-Fi
  • tutorials/protect-wired-networks.mdx — 802.1X EAP-TLS ethernet (new coverage; nothing existed)
  • tutorials/protect-github-ssh.mdx — hardware-bound SSH certificates for GitHub Enterprise

Removed pages (content absorbed into the Wireless guide)

  • tutorials/wifi-setup-guide.mdx (AP vendor reference)
  • tutorials/intune-mdm-setup-guide.mdx (Intune SCEP + Wi-Fi template)
  • tutorials/apple-mdm-jamf-setup-guide.mdx (Jamf SCEP webhook flow)
  • tutorials/wifi-authentication-webhooks.mdx (Enterprise RADIUS webhook spec)

Redirects for the four retired URLs: smallstep/smallstep.com PR https://github.com/smallstep/smallstep.com/pull/1193 (merge that one first or together to avoid 404s).

Notes for reviewers

API examples target v2025-01-01 and were audited against the OpenAPI spec. Two flow details differ from older internal drafts:

  1. The RADIUS shared secret is not returned by POST /managed-radius; the guides retrieve it via GET /managed-radius/{id}?secret=true.
  2. certificate.authorityID is required on POST /credentials, so the guides start with GET /authorities (which also supplies the clientCA root for managed RADIUS).

Please confirm before merge (ideally with a live smoke test on a test team):

  • GET /managed-radius/{id}?secret=true is the correct way to obtain the shared secret
  • Which authority should be recommended for Wi-Fi client credentials and for SSH_USER credentials (guides currently say "choose the authority")
  • Windows agent native wired 802.1X is GA (the wired guide documents it as supported)
  • Enterprise RADIUS details (RadSec, per-region static IPs, reply attributes) are approved for public docs
  • The Jamf .mobileconfig template + SCEP webhook settings are exposed on the Wi-Fi resource page as described (UI affordances were re-framed from the old device-collection flow)
  • Okta SCIM githubUsername attribute steps match a live tenant

Follow-ups noted for later: VPN section migration under Protect, switch-vendor wired guide, macOS wired MDM payload, Google Workspace/Entra ID GitHub-username attribute docs.

🤖 Generated with Claude Code

joshdrake and others added 5 commits July 8, 2026 10:23
API-first end-to-end guide for 802.1X EAP-TLS Wi-Fi: credential issuance
via /credentials, managed RADIUS setup, access point configuration, and
agent- or MDM-managed client deployment (Jamf SCEP + ACME-DA, Intune SCEP
+ OMA-URI hybrid, Workspace ONE). Absorbs the AP vendor reference and
RADIUS authorization webhook spec from the former Wi-Fi section.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
New guide for 802.1X EAP-TLS on wired networks: credential issuance,
managed RADIUS, generic switch configuration checklist, and client
deployment via the agent or Intune/Workspace ONE LanXML profiles.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Covers IdP sync of GitHub usernames (Okta SCIM custom attribute),
SSH_USER credential creation via the API, GitHub org SSH CA setup,
per-OS SSH agent socket configuration, remote migration, and optional
SSH commit signing.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The new Protect section holds the three use-case guides (Wireless
Networks, Wired Networks, SSH for GitHub). The four pages of the former
'Smallstep for WPA-Enterprise Wi-Fi' section are removed; their content
is absorbed into the Wireless Networks guide. Redirects for the removed
URLs are added in the smallstep.com repo.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Link the resource-protection variants in core-concepts to the new
guides, and list them as worked API examples on the Smallstep API page.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

joshdrake and others added 2 commits July 8, 2026 15:27
On Windows, the agent places HARDWARE_ATTESTED credentials in the
computer certificate store, so profiles selecting such credentials must
use authMode 'machine' (matching this guide's credential examples);
credentials with other protection levels land in the user store and
need authMode 'user'. Adds the element to the wired LANProfile XML,
corrects it in the wireless WLANProfile XML, and documents the rule on
both pages.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants