Add Protect section: Wireless, Wired, and SSH for GitHub use-case guides#529
Draft
joshdrake wants to merge 7 commits into
Draft
Add Protect section: Wireless, Wired, and SSH for GitHub use-case guides#529joshdrake wants to merge 7 commits into
joshdrake wants to merge 7 commits into
Conversation
API-first end-to-end guide for 802.1X EAP-TLS Wi-Fi: credential issuance via /credentials, managed RADIUS setup, access point configuration, and agent- or MDM-managed client deployment (Jamf SCEP + ACME-DA, Intune SCEP + OMA-URI hybrid, Workspace ONE). Absorbs the AP vendor reference and RADIUS authorization webhook spec from the former Wi-Fi section. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
New guide for 802.1X EAP-TLS on wired networks: credential issuance, managed RADIUS, generic switch configuration checklist, and client deployment via the agent or Intune/Workspace ONE LanXML profiles. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Covers IdP sync of GitHub usernames (Okta SCIM custom attribute), SSH_USER credential creation via the API, GitHub org SSH CA setup, per-OS SSH agent socket configuration, remote migration, and optional SSH commit signing. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The new Protect section holds the three use-case guides (Wireless Networks, Wired Networks, SSH for GitHub). The four pages of the former 'Smallstep for WPA-Enterprise Wi-Fi' section are removed; their content is absorbed into the Wireless Networks guide. Redirects for the removed URLs are added in the smallstep.com repo. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Link the resource-protection variants in core-concepts to the new guides, and list them as worked API examples on the Smallstep API page. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
|
On Windows, the agent places HARDWARE_ATTESTED credentials in the computer certificate store, so profiles selecting such credentials must use authMode 'machine' (matching this guide's credential examples); credentials with other protection levels land in the user store and need authMode 'user'. Adds the element to the wired LANProfile XML, corrects it in the wireless WLANProfile XML, and documents the rule on both pages. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What this does
Adds a new Protect section to the Platform nav with three self-contained, API-first use-case guides, each following the same outline — configure credential issuance (API) → configure the enforcement point → configure clients (agent- or MDM-managed):
tutorials/protect-wireless-networks.mdx— 802.1X EAP-TLS Wi-Fitutorials/protect-wired-networks.mdx— 802.1X EAP-TLS ethernet (new coverage; nothing existed)tutorials/protect-github-ssh.mdx— hardware-bound SSH certificates for GitHub EnterpriseRemoved pages (content absorbed into the Wireless guide)
tutorials/wifi-setup-guide.mdx(AP vendor reference)tutorials/intune-mdm-setup-guide.mdx(Intune SCEP + Wi-Fi template)tutorials/apple-mdm-jamf-setup-guide.mdx(Jamf SCEP webhook flow)tutorials/wifi-authentication-webhooks.mdx(Enterprise RADIUS webhook spec)Redirects for the four retired URLs: smallstep/smallstep.com PR https://github.com/smallstep/smallstep.com/pull/1193 (merge that one first or together to avoid 404s).
Notes for reviewers
API examples target v2025-01-01 and were audited against the OpenAPI spec. Two flow details differ from older internal drafts:
POST /managed-radius; the guides retrieve it viaGET /managed-radius/{id}?secret=true.certificate.authorityIDis required onPOST /credentials, so the guides start withGET /authorities(which also supplies theclientCAroot for managed RADIUS).Please confirm before merge (ideally with a live smoke test on a test team):
GET /managed-radius/{id}?secret=trueis the correct way to obtain the shared secretSSH_USERcredentials (guides currently say "choose the authority").mobileconfigtemplate + SCEP webhook settings are exposed on the Wi-Fi resource page as described (UI affordances were re-framed from the old device-collection flow)githubUsernameattribute steps match a live tenantFollow-ups noted for later: VPN section migration under Protect, switch-vendor wired guide, macOS wired MDM payload, Google Workspace/Entra ID GitHub-username attribute docs.
🤖 Generated with Claude Code