Deployed 802.1x wireless SSID's with RADIUS authentication. Deployed 802.1x wired network with core switch being authentication point to RADIUS server. This included device certificates for non-Windows devices. 802.1x wireless network deployment was to free up existing wires for a secure ThinClient and RDS environment using SmartCard logins (ThinClient and RDS session) to isolate business system from normal user business PC activity. Using layer 1 (physical security) to prevent someone from accidently plugging into a port and getting a connection since client believes physical security is not a problem but end users are the greatest risk.
Shorten the window between steps since getting from PoC to production was mostly about teaching skills learned but forgotten. Also, use a different vendor for ThinClients - we are an HP/HPE shop but the ThinClient group was left in HP not HPE so support was a challenge sometimes to get answers.