CHLA Daily Work Log - Tuesday Home Enterprise

Summary of Yesterday (2026-01-26 Evening Session)

✅ Completed: modestus-p50 NetworkManager Migration

Wired 802.1X (COMPLETE)

  • Migrated from wpa_supplicant-wired to NetworkManager

  • Connection: Wired-802.1X on interface enp0s31f6

  • Fixed "secrets required" error (missing identity-flags for wired)

  • Disabled dhcpcd (conflicting with NetworkManager)

  • Configured NetworkManager DNS management (dns=default in NetworkManager.conf)

  • Result: Wired connection stable, DNS working, SSH accessible

Wireless 802.1X (IN PROGRESS - needs reboot)

  • Configured wpa_supplicant backend (disabled iwd)

  • Created connection: Domus-Secure on interface wlan1 (not wlan0!)

  • Fixed unmanaged interface issue (removed unmanaged-wlan0.conf)

  • Discovered interface name changed from wlan0→wlan1 when switching iwd→wpa_supplicant

  • Status: Ready for reboot to verify both connections auto-connect

Zero-Trust dACL Troubleshooting

  • Created LINUX_RESEARCH_HARDENED versions V1→V5

  • Root cause: ACL ordering - the RFC1918 deny entries matched DNS/ISE traffic before the permit entries were reached

  • V5 (WORKING): Specific permits (DNS, ISE) BEFORE RFC1918 denies

  • Removed: log keyword (not supported in Cisco dACLs)

  • Added: Return traffic permits (tcp any eq 22/80/443 any, tcp/udp any gt 1023 any)

  • Result: SSH, ping, DNS, HTTPS all working with zero-trust restrictions

📝 Documentation Updated

PRJ-ISE-HOME-LINUX updates:

  • networkmanager-wired.adoc: Added DNS troubleshooting section, dhcpcd conflicts, working dACL V5 example with ACL ordering rules

  • networkmanager-wifi.adoc: Added enterprise WiFi backend requirements (wpa_supplicant vs iwd), interface name variability, 5 major troubleshooting sections

🔧 System State (modestus-p50)

Current configuration (pre-reboot):

  • Wired: NetworkManager active via wpa_supplicant backend

  • Wireless: Configured but interface disappeared after driver reload

  • Services: iwd masked, wpa_supplicant enabled, dhcpcd disabled

  • Backend: wifi.backend=wpa_supplicant configured

  • Connections: Wired-802.1X (enp0s31f6), Domus-Secure (wlan1)

Expected after reboot:

  • Both interfaces managed by NetworkManager

  • Auto-connect to both Wired-802.1X and Domus-Secure

  • wlan1 interface should appear (created by wpa_supplicant, not iwd)


Today’s Focus (Tuesday 2026-01-27)

Priority 1: Verify modestus-p50 NetworkManager Migration

Goal: Confirm both wired and wireless are working on NetworkManager after reboot.

Verification Steps

# 1. Check both interfaces are managed
nmcli device status
# Expected:
# enp0s31f6  ethernet  connected    Wired-802.1X
# wlan1      wifi      connected    Domus-Secure

# 2. Verify DNS working
cat /etc/resolv.conf
dig google.com
ping 8.8.8.8

# 3. Test SSH from main workstation
ssh modestus-p50
nc -zv 10.50.40.101 22

# 4. Verify ISE sessions
netapi ise mnt session c8:5b:76:c6:59:62  # wired MAC
netapi ise mnt session $(cat /sys/class/net/wlan1/address)  # wireless MAC

# 5. Check dACL applied
netapi ios exec "show access-session interface GigabitEthernet1/0/5 detail" | grep "ACS ACL"
# Should show: xACSACLx-IP-LINUX_RESEARCH_HARDENED_V5-<hash>

If Issues

  • WiFi interface name changed? Update connection: nmcli connection modify "Domus-Secure" ifname wlan1

  • Interface unmanaged? Check /etc/NetworkManager/conf.d/ for unmanaged configs

  • iwd still running? Verify: systemctl status iwd (should be masked)

  • DNS empty? Check NetworkManager.conf has dns=default

Priority 2: CHLA Work (Carry-over)

iPSK Manager MySQL Hardening:

  • SSH to iPSK Manager server

  • Restrict MySQL access from wildcard to specific ISE hosts

  • Update config.php and ISE ODBC settings

  • Test authentication

Dr. Shahab Workstation:

  • Complete ISE hardening validation

  • Apply appropriate dACL

  • Document configuration


Technical Notes

NetworkManager vs wpa_supplicant vs iwd

For Enterprise 802.1X:

  • NetworkManager + wpa_supplicant: Enterprise standard, full EAP support

  • NetworkManager + iwd: Limited enterprise support, different config format

  • wpa_supplicant alone: Low-level control, manual DHCP management

  • dhcpcd + NetworkManager: Conflicts, both try to manage DHCP/DNS

Key Lessons Learned

dACL Ordering is Critical:

WRONG:
deny ip any 10.0.0.0 0.255.255.255      ← Blocks DNS to 10.50.1.1!
permit udp any host 10.50.1.1 eq 53     ← Never reached

CORRECT:
permit udp any host 10.50.1.1 eq 53     ← DNS works
deny ip any 10.0.0.0 0.255.255.255      ← Then block rest
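Added example (my own code, not from the log): a first-match evaluator for the Cisco-style dACL lines above, showing that the WRONG ordering denies UDP/53 to 10.50.1.1 while the CORRECT ordering permits it and still denies the rest of 10.0.0.0/8. It assumes only the `permit|deny <proto> any <dst> [eq <port>]` subset seen in this log; the two ACL strings are constructed from the orderings above.

```python
import ipaddress

# Constructed inputs: the two dACL orderings from the log above.
WRONG_ORDER = """
deny ip any 10.0.0.0 0.255.255.255
permit udp any host 10.50.1.1 eq 53
"""
CORRECT_ORDER = """
permit udp any host 10.50.1.1 eq 53
deny ip any 10.0.0.0 0.255.255.255
"""

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def _parse_dst(tok):
    """Destination spec -> (network, wildcard, port): 'any', 'host X' or 'X WILDCARD'."""
    if tok[0] == "any":
        net, wild, rest = 0, 0xFFFFFFFF, tok[1:]
    elif tok[0] == "host":
        net, wild, rest = _ip(tok[1]), 0, tok[2:]
    else:
        net, wild, rest = _ip(tok[0]), _ip(tok[1]), tok[2:]
    port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
    return net, wild, port

def parse_acl(text):
    """Entries stay in file order; first-match evaluation depends on that order."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue
        if tok[2] != "any":
            raise ValueError("this example only handles source 'any'")
        acl.append((tok[0], tok[1]) + _parse_dst(tok[3:]))
    return acl

def evaluate(acl, proto, dst_ip, dst_port):
    """Cisco ACL semantics: first matching entry wins; implicit deny if none match."""
    ip = _ip(dst_ip)
    for action, p, net, wild, port in acl:
        if p not in ("ip", proto):
            continue
        if (ip ^ net) & (~wild & 0xFFFFFFFF):  # wildcard bits set mean "don't care"
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"
```

Run `evaluate(parse_acl(WRONG_ORDER), "udp", "10.50.1.1", 53)` against `CORRECT_ORDER` to see the same DNS packet flip from deny to permit purely because of entry order.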

WiFi Interface Names are Unstable:

  • iwd creates wlan0

  • wpa_supplicant may create wlan0 or wlan1

  • Always verify: nmcli device status | grep wifi

NetworkManager WiFi Flags:

  • identity-flags - NOT valid for WiFi (only wired)

  • private-key-password-flags=4 - Valid for both wired/WiFi


Pending Items (Carry-over from Yesterday)

CHLA Priority Tasks

  • iPSK Manager MySQL hardening

  • Dr. Shahab workstation ISE hardening

  • Camera IPs in InfoBlox

  • JOY workstation follow-up

  • VNC hunt with Mauricio

  • SNE-21 investigation

  • CVE-2026-20029 iTrack submission

  • YouTube/GetWell review

  • Azure DevOps LFS fix

OWED TO OMER

  • ISE diagrams

  • dACL documentation

  • Claroty integration architecture

SCHEDULING

  • MSCHAPv2 migration meetings

  • Victor Negri follow-up

  • Azure Legacy kick-off


Session Log

(Work notes for today go here)