Infrastructure Automation & Security Platform Engineering Tasks

Document Information

Author: Evan Rosado
Primary: evan.rosado@domusdigitalis.dev
Enterprise: erosado@chla.usc.edu
Personal: evan.rosado@outlook.com
Revision: 2026-02-01

1. Executive Summary

This document outlines immediate and long-term infrastructure automation tasks following recent designation as Automation Platform Security Engineer. Priorities include 802.1X authentication migration, PKI infrastructure modernization, mobile device configuration, and comprehensive documentation updates.

Critical Context: One month of Linux experience, transitioning from Windows-centric workflows to terminal-native automation.

1.1. Upcoming: CISO Strategy Session

Meeting with Derek Pizzagoni (Former CISO)

  • Date: Monday, Feb 2, 2026 @ 4:00 PM Pacific

  • Platform: Zoom (Meeting ID: 857 7222 6474)

  • Topics: Docs-as-code, Linux transition, security automation, PKMS, networking

Demo Focus Areas:

  1. Docs-as-Code Pipeline - AsciiDoc → HTML/PDF with diagrams (d2, mermaid)

  2. Linux Terminal Workflow - Arch Linux, Neovim, tmux, CLI-first approach

  3. Security Automation - ISE APIs, 802.1X, EAP-TLS, certificate management

  4. PKMS Architecture - Principia knowledge base structure

  5. netapi CLI - Custom network automation tool (ISE, FTD, DNAC)

2. Documentation Projects

2.3. Active Projects

2.3.1. ISE 802.1X Projects

Table 1. Principia Knowledge Base Structure
Project            | Description                                 | Status
domus-ise-linux    | home enterprise ISE 802.1X Linux deployment | Active
domus-ise-ops      | ISE Operations and configuration            | Active
domus-identity-ops | ISE SAML/SSO integration                    | Active

2.3.2. iPSK Projects

Project         | Description                         | Status
domus-ise-linux | iPSK Manager for IoT devices (home) | Active
iPSK CHLA       | iPSK Manager for IoT devices (work) | Separate environment

2.3.3. SIEM Projects

Project                | Description                           | Status
Microsoft Sentinel KQL | Microsoft Sentinel architecture & KQL | Active
IBM QRadar AQL         | IBM QRadar architecture & AQL         | Active
SIEM Operations        | SIEM operations runbooks              | Active

2.3.4. Infrastructure Projects

Project           | Description                                | Status
domus-netapi-docs | Network automation CLI (ISE, FTD, DNAC)    | Active Dev
domus-infra-ops   | Infrastructure operations runbooks         | Active
Vault PKI         | Vault PKI for home enterprise certificates | Active
Backup & Recovery | Disaster recovery & backup documentation   | Active
domus-secrets-ops | Credential management architecture         | Active

2.3.5. Standards & Templates

Project                | Description                                                                 | Status
Docs as Code Reference | Antora template & standards - base structure for all documentation projects | Template

2.3.6. Reference & Tools

Project          | Description                                     | Status
domus-linux-ops  | Linux command mastery, tools, and automation    | Active
Network Analysis | tcpdump, Wireshark, netcat, network enumeration | Active

2.4. Authentication Flow

Figure 1. 802.1X EAP-TLS Authentication (diagram not reproduced in this extract)

3. Section 1: Foundation & Skills Development

3.1. Unix Philosophy & Command-Line Mastery

Learning Objectives
  • Command composition using pipes, redirection, and filters

  • Stream editing with sed, awk, and text processing

  • vi/vim/nvim proficiency (motions, macros, registers, visual mode)

  • Shell scripting fundamentals (bash/zsh best practices)

Professional Request Example
ORIGINAL: "don't want to get distracted but i need to know how to
incorporate the best automation workflows possible and from time to
time i will be typing out the commands myself"

PROFESSIONAL: "I require guidance on automation workflow best practices
with hands-on command execution to build muscle memory. Please provide
examples I can execute directly rather than abstractions."

3.2. sed Command Reference

Table 2. Pattern Replacement Comparison
Editor         | Syntax                     | Notes
Neovim         | :%s/old/new/gc             | Interactive with confirmation
sed (preview)  | sed -n 's/old/new/gp' file | Non-destructive preview
sed (in-place) | sed -i 's/old/new/g' file  | Direct file modification

Practical Example
# Preview changes before applying
sed -n 's/synology-nfs/nas-01/gp' netapi/cli/ise.py

# Show diff-style preview
sed 's/synology-nfs/nas-01/g' netapi/cli/ise.py | diff netapi/cli/ise.py -

# Apply changes in-place
sed -i 's/synology-nfs/nas-01/g' netapi/cli/ise.py
sed -i 's/synology-nfs/nas-01/g' netapi/vendors/cisco/ise/backup_client.py

4. Section 2: Immediate Tasks (Today)

4.1. ISE Backup Validation

Backup Status
Repository: nas-01 (NFS)
Server: 10.50.1.70:/volume1/ise_backups
Name: pre-ise01-restore
Status: ✓ Backup completed
Next Actions
# Update repository references in netapi
grep -n "synology-nfs" netapi/cli/ise.py netapi/vendors/cisco/ise/backup_client.py
sed -i 's/synology-nfs/nas-01/g' netapi/cli/ise.py
sed -i 's/synology-nfs/nas-01/g' netapi/vendors/cisco/ise/backup_client.py

# Verify backup integrity
netapi ise list-backups --repo nas-01

# Test restore on ISE-02
# Power on ise-01, restore ise-02 config to test cert binding bug

4.2. Mobile Workflow Configuration (Z Fold 7)

Status: COMPLETED

  • SSH via YubiKey working (direct network, no ADB tunnel)

  • Full atelier sync via rsync (1.29 GB)

  • Packages: openssh, git, neovim, age, rsync, stow, pass, gnupg

See Z Fold 7 Mobile Workflow Setup for complete setup documentation.
Sync Entire Atelier to Phone
rsync -avz --progress \
  --exclude='.git' \
  --exclude='node_modules' \
  --exclude='build' \
  --exclude='*.pdf' \
  --exclude='*.docx' \
  ~/atelier fold7:~/
Example 1. Professional Request

To: Infrastructure Team
Subject: Mobile Device Setup for On-Call Operations

I need to configure SSH access and development tooling on my Samsung Z Fold 7 for mobile infrastructure management. This will enable:

  • Secure SSH access to critical infrastructure

  • Git repository synchronization for runbooks

  • Emergency response capabilities while remote

Request: Please validate that ADB connectivity is permitted on corporate network for initial device provisioning.

Setup Procedure (Workstation)
# 1. Verify ADB connectivity
adb devices -l

# 2. Push all SSH keys to phone (/sdcard/Download is readable by any app with
#    storage permission, so remove the staged copies once they are imported)
mkdir -p /tmp/ssh-push
cp ~/.ssh/id_ed25519_* ~/.ssh/config /tmp/ssh-push/
adb push /tmp/ssh-push/ /sdcard/Download/ssh-keys/
rm -rf /tmp/ssh-push

# 3. Forward SSH port
adb forward tcp:8022 tcp:8022
On-Device Configuration (Termux)
# Install core packages
pkg update && pkg upgrade -y
pkg install openssh git neovim tmux

# Copy SSH keys from sdcard, then remove the staged copies
mkdir -p ~/.ssh
cp /sdcard/Download/ssh-keys/* ~/.ssh/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519_*
chmod 644 ~/.ssh/*.pub
chmod 600 ~/.ssh/config
rm -rf /sdcard/Download/ssh-keys   # private keys must not stay on shared storage

# Set password and start SSH daemon
passwd
sshd  # Default port: 8022
Connect from Workstation
ssh -p 8022 localhost

5. Section 3: Work Projects (CHLA)

5.1. Urgent Deliverables

5.1.1. PM Meeting: QRadar to Sentinel Migration Analysis

Example 2. Professional Request

To: Project Manager
Subject: QRadar Log Source Inventory - Sentinel Migration Planning

Background: Preparing migration report for QRadar to Microsoft Sentinel transition.

Deliverable: Log source inventory and ISE data analysis including:

  • Complete log source inventory with event volumes

  • ISE-specific event categories and types

  • Daily ingestion rates for Sentinel cost estimation

  • Authentication event breakdown (success/failure)

Timeline: Analysis completed before scheduled meeting.

Access Required: QRadar console with AQL query permissions.

AQL Queries for Migration Report

Run these queries in QRadar Console: Log Activity > Advanced Search

Query 1: Log Source Inventory (All Sources)
SELECT
    logsourcename(logsourceid) AS "Log Source",
    logsourcetypename(devicetype) AS "Type",
    COUNT(*) AS "Event Count (24h)"
FROM events
WHERE INOFFENSE = FALSE
GROUP BY logsourceid, devicetype
ORDER BY "Event Count (24h)" DESC
LAST 24 HOURS
Query 2: ISE Log Sources
SELECT
    logsourcename(logsourceid) AS "ISE Log Source",
    devicetype AS "Device Type ID",
    COUNT(*) AS "Events"
FROM events
WHERE logsourcetypename(devicetype) ILIKE '%ISE%'
   OR logsourcename(logsourceid) ILIKE '%ISE%'
GROUP BY logsourceid, devicetype
LAST 7 DAYS
Query 3: ISE Event Categories
SELECT
    categoryname(category) AS "Category",
    COUNT(*) AS "Count",
    MIN(starttime) AS "First Seen",
    MAX(starttime) AS "Last Seen"
FROM events
WHERE logsourcename(logsourceid) ILIKE '%ISE%'
GROUP BY category
ORDER BY "Count" DESC
LAST 7 DAYS
Query 4: ISE Event Types (Detailed)
SELECT
    qidname(qid) AS "Event Name",
    COUNT(*) AS "Count"
FROM events
WHERE logsourcename(logsourceid) ILIKE '%ISE%'
GROUP BY qid
ORDER BY "Count" DESC
LIMIT 50
LAST 7 DAYS
Query 5: Daily Event Volume (Capacity Planning)
SELECT
    logsourcename(logsourceid) AS "Log Source",
    DATEFORMAT(starttime, 'yyyy-MM-dd') AS "Date",
    COUNT(*) AS "Daily Events"
FROM events
WHERE INOFFENSE = FALSE
GROUP BY logsourceid, DATEFORMAT(starttime, 'yyyy-MM-dd')
ORDER BY "Daily Events" DESC
LAST 30 DAYS
Query 6: ISE Authentication Events
SELECT
    qidname(qid) AS "Event",
    COUNT(*) AS "Count"
FROM events
WHERE logsourcename(logsourceid) ILIKE '%ISE%'
  AND (qidname(qid) ILIKE '%authentication%'
       OR qidname(qid) ILIKE '%failed%'
       OR qidname(qid) ILIKE '%success%')
GROUP BY qid
ORDER BY "Count" DESC
LAST 7 DAYS
Query 7: Top Talkers (Sentinel Cost Estimation)
SELECT
    logsourcename(logsourceid) AS "Log Source",
    SUM(eventcount) AS "Total Events",
    ROUND(SUM(eventcount) / 7, 0) AS "Avg Daily"
FROM events
WHERE INOFFENSE = FALSE
GROUP BY logsourceid
ORDER BY "Total Events" DESC
LIMIT 20
LAST 7 DAYS

For Sentinel Cost Estimation:

  • Query 5 and 7 provide daily ingestion volumes

  • Sentinel bills per GB ingested (~$2.76/GB for Pay-As-You-Go)

  • Estimate: (Avg Daily Events * Avg Event Size in KB) / 1024 / 1024 = Daily GB

  • Typical ISE syslog event: 500-1500 bytes

5.1.2. Azure Legacy Migration

Example 3. Professional Request

To: Migration Team
Subject: Request for Azure Migration Meeting Transcript

Purpose: Post-meeting analysis and action item extraction.

Request: Please provide meeting transcript or recording from the Azure legacy migration discussion for comprehensive review and technical planning.

Use Case: Extract specific technical requirements, timelines, and dependencies for migration runbook development.

5.2. Security Remediation: Mandiant Audit Findings

Findings Summary

Google/Mandiant audit identified critical vulnerabilities in wired 802.1X closed-mode port configuration:

  • SMB protocol enabled on authentication ports

  • Kerberos exposure on closed-mode interfaces

  • Unauthorized IP address acquisition possible

  • Pre-authentication network access vulnerabilities

Example 4. Professional Request

To: Information Security Team
Subject: Mandiant Audit Remediation Plan - Wired 802.1X

Finding: Wired 802.1X closed-mode ports permit SMB and Kerberos traffic prior to authentication, enabling unauthorized network access.

Impact: High - Attackers can acquire IP addresses and enumerate domain services before credential validation.

Proposed Remediation:

  1. Implement strict pre-authentication ACLs (deny all except DHCP, DNS, 802.1X)

  2. Disable SMB on authentication VLANs

  3. Implement DACL-based port access control

  4. Deploy endpoint posture validation

Documentation: Detailed write-up available in 03_Captures/mandiant-remediation.adoc

Timeline: 2-week implementation window, 4-week validation period.

5.3. 802.1X Authentication Migration (CRITICAL)

Migration Scope

Primary Objective: Migrate all network authentication from MSCHAPv2 to certificate-based methods.

  • Non-Windows devices: EAP-TLS (certificate-based)

  • Windows devices: EAP-TEAP (tunneled certificate)

  • Timeline: Aggressive - devices moved today where possible

Example 5. Professional Request

To: Network Engineering & Information Security
Subject: 802.1X Authentication Protocol Migration - MSCHAPv2 Deprecation

Business Driver: MSCHAPv2 is cryptographically weak and vulnerable to offline dictionary attacks. Migration to certificate-based authentication provides:

  • Mutual authentication (client and server validation)

  • Elimination of credential theft risk

  • Compliance with NIST 800-53 IA-5 requirements

Technical Approach:

  • Phase 1: Deploy PKI infrastructure (Vault-based)

  • Phase 2: SCEP/EST enrollment automation via MDM

  • Phase 3: Network policy updates (EAP-TLS/EAP-TEAP)

  • Phase 4: Legacy protocol deprecation

Dependencies:

  • PKI infrastructure (Vault) - In Progress

  • MDM enrollment system - Pending

  • Certificate auto-renewal workflow - Design phase

  • Network switch/WLC configuration updates

Risks:

  • Device enrollment failures during transition

  • Certificate expiration without auto-renewal

  • Legacy device incompatibility

Request: Approval to proceed with pilot deployment on test VLAN.

Wireless Controller Migration
Task: Migrate AireOS Airespace ACLs to DACLs
Reason: 9800 WLC upgrade requires DACL format
Impact: All wireless policy enforcement rules

5.4. Team Collaboration Tasks

5.4.1. Device Identity Group Management (Arin)

Example 6. Professional Request

To: Arin
Subject: Automated ISE Identity Group Migration

Background: Devices require migration to appropriate ISE identity groups for proper policy enforcement.

Solution: I’ve developed netapi automation to streamline this process.

Next Steps:

  1. Provide device list (CSV format: MAC, desired group)

  2. Review automated script for approval

  3. Execute during maintenance window

Benefits:

  • Eliminates manual ISE GUI operations

  • Provides audit trail of changes

  • Reduces human error

Timeline: Ready to execute upon device list receipt.

5.4.2. Lab Equipment Tracking

Example 7. Professional Request

To: Lab Operations
Subject: Label Printer Asset Location Request

Purpose: Lab device labeling for asset management.

Request: Please confirm current location of lab label printer (model/serial if available).

Use Case: Asset tagging for inventory reconciliation project.

6. Section 4: Home Enterprise Infrastructure

6.1. PKI Migration: AD CS to HashiCorp Vault

Table 3. Migration Scope
Domain                    | Purpose                              | Integration
inside.domusdigitalis.dev | Internal infrastructure certificates | Vault PKI engine
guest.domusdigitalis.dev  | External guest network certificates  | Let’s Encrypt automation

Certificate Lifecycle
1. Vault PKI root CA establishment
2. Intermediate CA issuance
3. SCEP/EST endpoint configuration
4. 90-day auto-renewal automation
5. AD CS decommissioning

6.2. iPSK Manager Deployment

6.2.1. Home Enterprise Configuration

  • Status: Functional, requires HA clustering

  • Missing: Redundancy, failover testing

6.2.2. CHLA Configuration

Example 8. Professional Request (Internal)

Subject: iPSK Manager Production Deployment Requirements

Current State: iPSK Manager functional in lab environment.

Production Requirements:

  • HTTPS with valid certificates (Vault-issued)

  • Firewall rule implementation

  • High-availability clustering

  • Documented runbook matching PRJ-ISE-LINUX-CHLA-ANTORA format

Request: Architecture review meeting to finalize HA design.

6.3. MDM Integration: ManageEngine

Deployment Plan
  • Platform: ManageEngine MDM Plus (free tier: 25 devices)

  • Integration: SCEP/EST certificate enrollment

  • Automation: Auto-push WiFi profiles with embedded certificates

6.4. Credential Management: 1Password to gopass Migration

6.4.1. Overview

Migrating from 1Password to gopass for:

  • Local-first credential storage (no cloud dependency)

  • GPG/age encryption (aligns with existing secrets infrastructure)

  • CLI-native workflow (terminal-first approach)

  • YAML/JSON structured secrets (programmatic access)

  • Git-based sync (version control, audit trail)

6.4.2. Installation (Arch Linux)

# Core package
sudo pacman -S gopass

# Optional integrations
sudo pacman -S gopass-jsonapi        # Browser extension support
sudo pacman -S git-credential-gopass # Git credential helper
sudo pacman -S gopass-hibp           # Have I Been Pwned integration

# Verify existing store works (backwards compatible with pass)
gopass ls

6.4.3. gopass vs pass Feature Comparison

Feature             | pass   | gopass
Multiple stores     | No     | Yes (gopass mounts)
Team sharing        | Manual | Built-in
YAML/JSON secrets   | No     | Yes (structured data)
Fuzzy search        | No     | Yes
Auto git sync       | No     | Yes (autosync)
Password audit      | No     | Yes (gopass audit)
TOTP/OTP            | Plugin | Built-in
Browser integration | Plugin | Native (jsonapi)

6.4.4. YAML Secret Structure

gopass supports structured YAML secrets for 1Password compatibility:

password: actual-password-here
---
username: evan.rosado@domusdigitalis.dev
email: evan.rosado@domusdigitalis.dev
url: https://service.example.com
notes: |
  Recovery codes stored in ARCANA/recovery/
  MFA enabled: Yes
  Created: 2026-02-01
totp: otpauth://totp/Service:evan?secret=BASE32SECRET&issuer=Service
tags:
  - personal
  - critical
created: 2026-02-01
modified: 2026-02-01

6.4.5. 1Password Export and Import

Export from 1Password
# Option 1: CSV export (basic)
# 1Password > Settings > Export > CSV format

# Option 2: 1PUX export (recommended - preserves structure)
# 1Password > Settings > Export > 1Password Unencrypted Export (.1pux)
Import to gopass
# CSV import
gopass convert --from=1password /path/to/1password-export.csv

# 1PUX import (richer data)
gopass convert --from=1pux /path/to/export.1pux

6.4.6. Essential gopass Commands

Command                    | Purpose
gopass ls                  | List all entries
gopass show -o ENTRY       | Show password only (first line)
gopass show ENTRY username | Show specific YAML field
gopass show -f json ENTRY  | Output as JSON
gopass show -c ENTRY       | Copy password to clipboard
gopass show -c ENTRY totp  | Copy TOTP code to clipboard
gopass edit ENTRY          | Edit entry in $EDITOR
gopass generate ENTRY 32   | Generate 32-char password
gopass audit               | Check for weak/duplicate passwords
gopass sync                | Git push/pull all stores

6.4.7. Configuration

# Enable auto git sync
gopass config autosync true

# Set clipboard clear timeout (seconds)
gopass config cliptimeout 45

# Enable notifications
gopass config notifications true

# Audit existing passwords
gopass audit

6.4.8. Integration with Existing Infrastructure

Table 4. Relationship with dsec/asec
System | Purpose                                       | Use Case
gopass | Personal credentials (logins, API keys)       | Interactive CLI, browser autofill
dsec   | Infrastructure secrets (ISE, network devices) | Automation scripts, netapi
Vault  | PKI certificates, dynamic secrets             | Certificate issuance, short-lived credentials

6.4.9. Migration Checklist

  • Install gopass and verify existing store

  • Export 1Password vaults (1PUX format)

  • Import to gopass with structure preservation

  • Verify YAML fields imported correctly

  • Enable autosync for git-based backup

  • Run gopass audit for password hygiene

  • Configure browser extension (optional)

  • Delete 1Password export files securely
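For the "Verify YAML fields imported correctly" step, the following added Python script checks an entry against the password / `---` / YAML layout described in 6.4.4. It is an example written for this document, not gopass code; it uses a small hand-written parser so it runs without PyYAML, and the sample entry and all of its values are constructed.

```python
"""Parse and sanity-check a gopass YAML secret (password line, '---', YAML body).

Added example; not part of gopass or this document. A small hand-written
parser covers the layout from section 6.4.4 (scalar fields, one 'notes: |'
block and one 'tags:' list) so it runs without PyYAML. The sample entry and
all its values are constructed.
"""
import sys
from urllib.parse import urlparse, parse_qs

# Constructed sample entry in the section 6.4.4 layout (placeholder values).
SAMPLE_SECRET = """\
correct-horse-battery-staple
---
username: evan.rosado@domusdigitalis.dev
url: https://service.example.com
notes: |
  Recovery codes stored in ARCANA/recovery/
  MFA enabled: Yes
totp: otpauth://totp/Service:evan?secret=JBSWY3DPEHPK3PXP&issuer=Service
tags:
  - personal
  - critical
created: 2026-02-01
"""


def parse_gopass_secret(text):
    """Return (password, fields) for a secret in password / --- / YAML form."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty secret")
    password = lines[0]
    fields = {}
    i = 1
    if i < len(lines) and lines[i].strip() == "---":
        i += 1
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep or line.startswith(" "):
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if value == "|":                      # block scalar: indented lines follow
            block = []
            while i < len(lines) and lines[i].startswith("  "):
                block.append(lines[i][2:])
                i += 1
            fields[key] = "\n".join(block)
        elif value == "":                     # list: '- item' lines follow
            items = []
            while i < len(lines) and lines[i].lstrip().startswith("- "):
                items.append(lines[i].lstrip()[2:].strip())
                i += 1
            fields[key] = items
        else:
            fields[key] = value
    return password, fields


def validate_secret(text, required=("username", "url")):
    """Return a list of problems found in one entry; an empty list means it passes."""
    problems = []
    password, fields = parse_gopass_secret(text)
    if len(password) < 12:
        problems.append("password shorter than 12 characters")
    for key in required:
        if key not in fields:
            problems.append(f"missing field: {key}")
    url = fields.get("url")
    if url and urlparse(url).scheme != "https":
        problems.append("url is not https")
    totp = fields.get("totp")
    if totp:
        parsed = urlparse(totp)
        if parsed.scheme != "otpauth" or parsed.netloc != "totp" \
                or "secret" not in parse_qs(parsed.query):
            problems.append("totp is not an otpauth://totp URI with a secret")
    return problems


if __name__ == "__main__":
    # Pipe an entry's text on stdin; with no input the constructed sample is checked.
    text = SAMPLE_SECRET if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(validate_secret(text) or ["ok"]))
```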

7. Section 5: API Development (netapi)

7.1. High Priority Integrations

Cisco Security (CRITICAL)
Platform: Firepower FTD/FMC
Reason: No automation currently exists for security policy deployment
Impact: Manual firewall rule changes increase risk and deployment time
Cisco Catalyst Center
Platform: DNA Center (Catalyst Center)
Integration: Device provisioning, configuration templates, assurance
Status: API access confirmed, development pending

7.2. Medium Priority Integrations

  • Infoblox: Admin access confirmed, API testing pending

  • Prime Infrastructure: Legacy platform, API documentation required

  • Additional ISE APIs: Posture, profiling, guest services

8. Section 6: SIEM & Security Operations

8.1. Microsoft Sentinel Integration

Example 9. Professional Request

To: Security Operations Center
Subject: Sentinel Integration - KQL Query Development Request

Objective: Maximize Sentinel SIEM value through custom query development for:

  • Network visibility dashboards

  • Threat detection and enumeration

  • Automated incident response

  • Asset inventory and anomaly detection

Request: SOC collaboration to identify high-value detection use cases and review KQL query syntax best practices.

Deliverable: Custom query library aligned with CHLA threat model.

9. Section 7: Documentation Standardization

9.1. Migration: Markdown to AsciiDoc

Rationale
  • Superior table formatting

  • Cross-referencing capabilities

  • Technical documentation standard (Antora, O’Reilly)

  • Better tooling for large documentation projects

Projects Requiring Completion
  • PRJ-ISE-HOME-LINUX-ANTORA: dot1x flow, posture diagrams

  • PRJ-ISE-CHLA-LINUX-ANTORA: dot1x flow, posture diagrams

  • All runbooks converted to .adoc format

  • Maintain .md for GitHub README files only

10. Section 8: Master Task List

10.1. Priority 1: Immediate (Today)

Task                              | Owner | Status
Z Fold 7 SSH configuration        | Evan  | Pending
Move all devices to EAP-TLS       | Evan  | In Progress
ISE-01 power on and restore test  | Evan  | Pending
netapi repository update (nas-01) | Evan  | Ready
AQL query analysis for PM meeting | Evan  | Scheduled

10.2. Priority 2: This Week

Task                                            | Owner | Dependencies
Vault PKI migration (inside.domusdigitalis.dev) | Evan  | Backup validation complete
Mandiant remediation implementation             | Evan  | ISec approval
Arin device migration (netapi)                  | Evan  | Device list from Arin
Azure migration transcript review               | Evan  | Transcript delivery
FTD/FMC API development                         | Evan  | API documentation

10.3. Priority 3: This Month

  • Vault PKI external guest (guest.domusdigitalis.dev)

  • ManageEngine MDM deployment

  • PRJ-ISE-HOME-LINUX-ANTORA completion

  • PRJ-ISE-CHLA-LINUX-ANTORA completion

  • iPSK HA clustering (home and work)

  • Catalyst Center API integration

  • Infoblox API testing

  • Sentinel KQL query development

10.4. Priority 4: Long-term

  • Windows EAP-TEAP rollout

  • Prime Infrastructure API integration

  • Full infrastructure backup automation

  • Markdown to AsciiDoc migration

  • Lab label printer procurement

11. Appendix A: Professional Communication Templates

11.1. Template: Technical Assistance Request

To: [Recipient]
Subject: [Concise description of need]

Background: [1-2 sentences of context]

Request: [Specific, actionable ask]

Use Case: [Why this is needed]

Timeline: [When response is needed]

Dependencies: [What's blocking or required]

11.2. Template: Security Remediation

To: [Security Team]
Subject: [Finding] - Remediation Plan

Finding: [Specific vulnerability]

Impact: [Risk level and business impact]

Proposed Remediation:
1. [Action item]
2. [Action item]

Documentation: [Reference to detailed write-up]

Timeline: [Implementation schedule]

12. Appendix B: Command Reference

12.1. sed Pattern Replacement

# Preview changes (non-destructive)
sed -n 's/pattern/replacement/gp' file.txt

# Diff-style preview
sed 's/pattern/replacement/g' file.txt | diff file.txt -

# In-place modification
sed -i 's/pattern/replacement/g' file.txt

# Multiple files
sed -i 's/pattern/replacement/g' file1.txt file2.txt file3.txt

12.2. ADB Mobile Device Setup

# Verify device connection
adb devices

# Push files to device
adb push ~/.ssh/config /sdcard/Download/

# Pull files from device
adb pull /sdcard/Download/backup.tar.gz ~/backups/

# Interactive shell
adb shell

12.3. rsync Over SSH

# Sync local to remote
rsync -avz --progress ~/source/ remote:~/destination/

# Sync remote to local
rsync -avz --progress remote:~/source/ ~/destination/

# Dry run (preview changes)
rsync -avz --dry-run ~/source/ remote:~/destination/

13. Appendix C: Build System Enhancements (2026-02-01)

13.1. Overview

Enhanced 03_Captures/build.sh with professional documentation features for long-term PKMS use.

13.2. Features Implemented

Feature             | Description
Syntax Highlighting | Rouge with monokai.sublime dark theme, inline CSS (no external stylesheet)
Copy Button         | Hover-to-reveal copy button on all code blocks, with language label
d2 Diagrams         | Declarative diagrams as external PNG files (no inline SVG)
Mermaid Diagrams    | Sequence/flow diagrams as external PNG files

13.3. Usage

# Build HTML with all features
./build.sh document.adoc html

# Build all formats (html, pdf, docx)
./build.sh document.adoc

# Watch mode (auto-rebuild on save)
./build.sh document.adoc --watch

13.4. Diagram Syntax

d2 Diagram Example
[d2,diagram-name,png]
....
direction: right
a -> b: connection
b -> c: flow
....
Mermaid Diagram Example
[mermaid,diagram-name,png]
....
sequenceDiagram
    A->>B: Request
    B-->>A: Response
....

13.5. Files Modified

  • 03_Captures/build.sh - Added rouge, asciidoctor-diagram, docinfo support

  • 03_Captures/docinfo-footer.html - Copy button JS/CSS with language labels

13.6. Dependencies

# Ruby gems
gem install asciidoctor asciidoctor-pdf asciidoctor-diagram rouge

# Diagram tools
# d2: https://d2lang.com/tour/install
npm install -g @mermaid-js/mermaid-cli

14. Appendix D: 802.1X EAP-TLS Troubleshooting (2026-02-01)

14.1. Issue Summary

After RAM upgrade, unable to authenticate to wired 802.1X network. Authentication hangs with no errors visible initially.

14.2. Root Cause

PKI migration from HOME-ROOT-CA to DOMUS-ROOT-CA was completed on ISE, but the Linux client’s NetworkManager connection profile still referenced the old CA certificate file.

14.4. Symptoms

wpa_supplicant Error Log
TLS: Certificate verification failed, error 19 (self-signed certificate in certificate chain)
depth 2 for '/C=US/O=Domus Digitalis/OU=Enterprise PKI/CN=DOMUS-ROOT-CA'
err='self-signed certificate in certificate chain'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: openssl_handshake - SSL_connect error:0A000086:SSL routines::certificate verify failed

14.5. Diagnostic Commands

Check Current 802.1X Configuration
# View certificate paths in connection profile
nmcli connection show <connection-name> | grep -E "client-cert|private-key|ca-cert"

# List all connections and their types
nmcli connection show

# Check device status
nmcli device status
Verify Certificate Chain
# Check certificate validity and subject
openssl x509 -in /etc/ssl/certs/DOMUS-ROOT-CA.pem -noout -dates -subject

# Verify cert/key match (RSA keys: the two moduli must be identical)
openssl x509 -noout -modulus -in /etc/ssl/certs/client.pem | md5sum
openssl rsa -noout -modulus -in /etc/ssl/private/client.key | md5sum

# Get certificate fingerprint (compare with ISE log)
openssl x509 -in /etc/ssl/certs/DOMUS-ROOT-CA.pem -noout -fingerprint -sha256
Live Authentication Debugging
# Watch authentication in real-time (run in separate terminal)
journalctl -f -u NetworkManager -u wpa_supplicant | grep -E "enp130s0|EAP|TLS|cert|802"

# Then trigger connection
nmcli connection up Wired-802.1X

14.6. Resolution

Update CA Certificate Path
# Check current CA (showed old CA)
nmcli connection show Wired-802.1X | grep "802-1x.ca-cert"
# Output: 802-1x.ca-cert: /etc/ssl/certs/HOME-ROOT-CA.pem

# Update to new CA
sudo nmcli connection modify Wired-802.1X 802-1x.ca-cert /etc/ssl/certs/DOMUS-ROOT-CA.pem

# Reconnect
nmcli connection up Wired-802.1X
Successful Authentication Log
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed
device (enp130s0): Activation: successful, device activated.
dhcp4 (enp130s0): state changed new lease, address=10.50.10.130

14.7. Wireless 802.1X EAP-TLS Troubleshooting

14.7.1. Issue

WiFi 802.1X connection profile Domus-Secure-802.1X failed with "Secrets were required, but not provided" even though certificate-based auth requires no password.

14.7.3. Resolution: Recreate Connection Profile

WiFi 802.1X EAP-TLS Flow (diagram not reproduced in this extract)

When NetworkManager WiFi 802.1X profiles become corrupted (prompting for secrets when none are needed), delete and recreate with explicit flags.

Step 1: Live Debug (Terminal 1)
journalctl -f -u NetworkManager -u wpa_supplicant | grep -E "wlan0|EAP|TLS|cert|802"
Step 2: Recreate Connection (Terminal 2)
# Capture identity before deleting
IDENTITY=$(nmcli -g 802-1x.identity connection show Domus-Secure-802.1X)

# Delete corrupted connection
nmcli connection delete Domus-Secure-802.1X

# Recreate with all flags (prevents GUI password prompts)
sudo nmcli connection add \
  type wifi \
  con-name "Domus-Secure-802.1X" \
  ssid "Domus-Secure" \
  wifi-sec.key-mgmt wpa-eap \
  802-1x.eap tls \
  802-1x.identity "$IDENTITY" \
  802-1x.ca-cert /etc/ssl/certs/DOMUS-ROOT-CA.pem \
  802-1x.client-cert /etc/ssl/certs/modestus-razer-eaptls.pem \
  802-1x.private-key /etc/ssl/private/modestus-razer-eaptls.key \
  802-1x.private-key-password-flags 4 \
  802-1x.ca-cert-password-flags 4

# Connect
nmcli connection up Domus-Secure-802.1X
Table 5. Critical Flags
Flag                       | Value | Meaning
private-key-password-flags | 4     | Not required (no passphrase prompt)
ca-cert-password-flags     | 4     | Not required (CA cert not password-protected)

14.7.4. Successful WiFi EAP-TLS Log

Config: added 'key_mgmt' value 'WPA-EAP FT-EAP FT-EAP-SHA384 WPA-EAP-SHA256'
Config: added 'eap' value 'TLS'
Config: added 'ca_cert' value '/etc/ssl/certs/DOMUS-ROOT-CA.pem'
Config: added 'client_cert' value '/etc/ssl/certs/modestus-razer-eaptls.pem'
supplicant interface state: disconnected -> scanning
SME: Trying to authenticate with 78:bc:1a:36:82:cb (SSID='Domus-Secure' freq=5540 MHz)
supplicant interface state: scanning -> authenticating -> associating -> associated
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='CN=DOMUS-ROOT-CA'
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='CN=DOMUS-ISSUING-CA'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='CN=ise-02.inside.domusdigitalis.dev'
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 78:bc:1a:36:82:cb [PTK=CCMP GTK=CCMP]
CTRL-EVENT-CONNECTED - Connection to 78:bc:1a:36:82:cb completed
dhcp4 (wlan0): state changed new lease, address=10.50.10.103
Activation: successful, device activated.
wpa_supplicant State Transitions (Success)
disconnected -> scanning -> authenticating -> associating -> associated -> completed

14.8. Key Lessons

Wired 802.1X:

  1. Identify correct connection profile - Domus-Secure-802.1X was WiFi, Wired-802.1X was the actual wired profile

  2. CA certificate mismatch - Client must trust the same Root CA that signed ISE’s EAP server certificate

  3. Switch shows authorized, client rejects - In mutual TLS, ISE can accept client cert while client rejects server cert (two-way validation)

  4. Error 19 = "self-signed certificate in certificate chain" means Root CA not trusted

Wireless 802.1X:

  1. "Secrets were required" error - NetworkManager WiFi profiles can become corrupted; delete and recreate

  2. Password flags are critical - Set private-key-password-flags 4 and ca-cert-password-flags 4 to prevent GUI prompts

  3. Use -g flag for clean variable capture - nmcli -g 802-1x.identity returns just the value, not the field name

  4. Include all flags in nmcli connection add - Adding flags later with modify doesn’t always work reliably
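The following added Python script (an example for this appendix, not part of the original document, NetworkManager or wpa_supplicant) reads the journalctl output captured above and reports the server chain the supplicant saw, the EAP result and, for error 19 and two other common OpenSSL verify codes, what to check. Run against the wired failure capture it shows the point from lesson 2: the presented root was already DOMUS-ROOT-CA, so the mismatch was on the client's ca-cert setting, not on ISE. The embedded sample lines are copied from the two logs in this appendix.

```python
"""Triage 802.1X EAP-TLS supplicant log lines from journalctl.

Added example; not part of the original document, NetworkManager or
wpa_supplicant. The two sample logs below are copied from the failure and
success captures in this appendix.
"""
import re

# Lines from the wpa_supplicant failure capture (before the CA path was fixed).
FAILED_LOG = """\
TLS: Certificate verification failed, error 19 (self-signed certificate in certificate chain)
depth 2 for '/C=US/O=Domus Digitalis/OU=Enterprise PKI/CN=DOMUS-ROOT-CA'
err='self-signed certificate in certificate chain'
SSL: SSL3 alert: write (local SSL3 detected an error):fatal:unknown CA
OpenSSL: openssl_handshake - SSL_connect error:0A000086:SSL routines::certificate verify failed
"""

# Lines from the successful WiFi EAP-TLS capture.
SUCCESS_LOG = """\
CTRL-EVENT-EAP-STARTED EAP authentication started
CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
CTRL-EVENT-EAP-PEER-CERT depth=2 subject='CN=DOMUS-ROOT-CA'
CTRL-EVENT-EAP-PEER-CERT depth=1 subject='CN=DOMUS-ISSUING-CA'
CTRL-EVENT-EAP-PEER-CERT depth=0 subject='CN=ise-02.inside.domusdigitalis.dev'
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 78:bc:1a:36:82:cb [PTK=CCMP GTK=CCMP]
"""

EAP_METHOD = re.compile(r"CTRL-EVENT-EAP-METHOD EAP vendor (\d+) method (\d+) \((\w+)\)")
PEER_CERT = re.compile(r"CTRL-EVENT-EAP-PEER-CERT depth=(\d+) subject='([^']*)'")
VERIFY_FAIL = re.compile(r"Certificate verification failed, error (\d+) \(([^)]*)\)")
FAIL_DEPTH = re.compile(r"depth (\d+) for '([^']*)'")
COMMON_NAME = re.compile(r"CN=([^/,']+)")

# OpenSSL X509 verify error codes that commonly surface in EAP-TLS supplicant logs.
ERROR_HINTS = {
    10: "server certificate expired: check ISE EAP certificate validity (openssl x509 -dates)",
    19: "server chain ends in a root the client does not trust: check 802-1x.ca-cert",
    20: "issuer not found: the configured ca-cert does not contain the chain's issuer",
}


def triage_eap_log(text):
    """Summarise one EAP-TLS attempt from supplicant log lines."""
    report = {"method": None, "chain": [], "result": "unknown",
              "error": None, "failing_subject": None, "hint": None}
    for line in text.splitlines():
        if m := EAP_METHOD.search(line):
            report["method"] = f"{m.group(3)} (method {m.group(2)})"
        if m := PEER_CERT.search(line):
            report["chain"].append((int(m.group(1)), m.group(2)))
        if m := VERIFY_FAIL.search(line):
            report["result"] = "failed"
            report["error"] = int(m.group(1))
            report["hint"] = ERROR_HINTS.get(report["error"], m.group(2))
        if (m := FAIL_DEPTH.search(line)) and report["result"] == "failed":
            report["failing_subject"] = m.group(2)
        if "CTRL-EVENT-EAP-SUCCESS" in line:
            report["result"] = "success"
    report["chain"].sort(reverse=True)  # root (highest depth) first
    return report


def presented_root(report):
    """CN of the root the server presented, from the chain or the failing subject."""
    subject = report["chain"][0][1] if report["chain"] else report["failing_subject"]
    m = COMMON_NAME.search(subject or "")
    return m.group(1) if m else None


def root_matches(report, trusted_root_cn):
    """True when the presented root CN is the one the client profile should trust."""
    return presented_root(report) == trusted_root_cn


if __name__ == "__main__":
    for name, log in (("wired failure", FAILED_LOG), ("wifi success", SUCCESS_LOG)):
        r = triage_eap_log(log)
        print(f"{name}: {r['result']} method={r['method']} root={presented_root(r)}"
              f" error={r['error']} hint={r['hint']}")
```

For live use, feed it the same journalctl filter shown in 14.5, for example `journalctl -u NetworkManager -u wpa_supplicant --since -10m | python3 eap_triage.py` with the loop changed to read stdin.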

14.9. Connection Profile Reference

Table 6. Wired 802.1X Profile Settings
Setting            | Value
Connection Name    | Wired-802.1X
Interface          | enp130s0
CA Certificate     | /etc/ssl/certs/DOMUS-ROOT-CA.pem
Client Certificate | /etc/ssl/certs/modestus-razer-eaptls.pem
Private Key        | /etc/ssl/private/modestus-razer-eaptls.key
EAP Method         | TLS (method 13)

Table 7. Wireless 802.1X Profile Settings
Setting                    | Value
Connection Name            | Domus-Secure-802.1X
SSID                       | Domus-Secure
Security                   | WPA-EAP (802.1X)
EAP Method                 | TLS (method 13)
Identity                   | modestus-razer.inside.domusdigitalis.dev
CA Certificate             | /etc/ssl/certs/DOMUS-ROOT-CA.pem
Client Certificate         | /etc/ssl/certs/modestus-razer-eaptls.pem
Private Key                | /etc/ssl/private/modestus-razer-eaptls.key
private-key-password-flags | 4 (not required)
ca-cert-password-flags     | 4 (not required)

14.10. Switch Verification

Verify Session on Switch (Post-Fix)
LAB-3560CX-01#show access-session int g1/0/5 d
            Interface:  GigabitEthernet1/0/5
          MAC Address:  98bb.1e1f.a713
         IPv6 Address:  Unknown
         IPv4 Address:  10.50.10.130
            User-Name:  modestus-razer.inside.domusdigitalis.dev
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  in
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
       Session Uptime:  685s
    Common Session ID:  0A32010A0000064ADF9BCFD8
      Acct Session ID:  0x000005BD
               Handle:  0xD90001C3
       Current Policy:  PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

Local Policies:

Server Policies:
           Vlan Group:  Vlan: 10
      Security Policy:  None
      Security Status:  Link Unsecure
              ACS ACL:  xACSACLx-IP-LINUX_EAPTLS_PERMIT_ALL-69680320

Method status list:
      Method            State
      dot1x              Authc Success
      mab                Stopped
Key Indicators of Success
  • Status: Authorized - port authorized for network access; on its own this only says that some method succeeded

  • dot1x: Authc Success (mab: Stopped) - the EAP-TLS exchange completed and MAB never had to run

  • ACS ACL: xACSACLx-IP-LINUX_EAPTLS_PERMIT_ALL-69680320 - ISE pushed the intended DACL (the xACSACLx-IP- prefix and trailing hash are ISE’s versioning of the named dACL)

  • Vlan Group: Vlan: 10 - assigned to the correct data VLAN

  • IPv4 Address: 10.50.10.130 - DHCP lease obtained through the authorized port

  • Security Status: Link Unsecure - refers to MACsec, not to authentication; expected with Security Policy: None

15. Appendix E: PKI Migration - Gabriel’s Workstation (modestus-p50)

15.1. Issue Summary

Gabriel’s workstation (modestus-p50) was unable to connect to the 802.1X network after the PKI migration from HOME-ROOT-CA to DOMUS-ROOT-CA. The NetworkManager service was also failing to start, which masked the certificate problem.

15.2. Multiple Issues Discovered

15.2.1. Issue 1: NetworkManager.conf Corrupted

Symptom
NetworkManager.service: Failed with result 'exit-code'
Failed to read configuration: Key file contains line "nmcli connection down Domus-Secure && nmcli connection up Domus-Secure"
Root Cause

Shell command was accidentally written to /etc/NetworkManager/NetworkManager.conf instead of being executed.

Resolution
# Restore valid config (the stray shell command line is what broke key-file parsing)
sudo tee /etc/NetworkManager/NetworkManager.conf << 'EOF'
[main]
plugins=keyfile

[keyfile]
unmanaged-devices=none
EOF

# Confirm the file parses before touching the service
sudo NetworkManager --print-config

# Reset and start
sudo systemctl reset-failed NetworkManager
sudo systemctl start NetworkManager

15.2.2. Issue 2: No Network Connectivity (Temp Workaround)

With NetworkManager down, the workstation was given temporary access by removing the IBNS 2.0 template from its switch port and requesting a DHCP lease manually. A port without the template has no authentication at all, so this has to be reverted as soon as the fix is in (see 15.5.3).

Switch Configuration (IBNS 2.0 - Remove Template)
interface GigabitEthernet1/0/1
 no source template DefaultWiredDot1xClosedAuth
Manual DHCP Request
sudo ip link set enp0s31f6 up
sudo dhcpcd enp0s31f6

15.2.3. Issue 3: CA Certificate Mismatch

Symptom

Client configured to trust old CA.

nmcli connection show Domus-Secure | grep "802-1x.ca-cert"
# Output: 802-1x.ca-cert: /etc/ssl/certs/HOME-ROOT-CA.pem
Resolution
# Get CA from Vault
ssh certmgr-01 "vault read -field=certificate pki/cert/ca" > /tmp/DOMUS-ROOT-CA.crt

# Confirm it is the self-signed root (subject equals issuer) and record the fingerprint
openssl x509 -in /tmp/DOMUS-ROOT-CA.crt -noout -subject -issuer -fingerprint -sha256

# Deploy to client
scp /tmp/DOMUS-ROOT-CA.crt gabriel@10.50.10.107:/tmp/
ssh gabriel@10.50.10.107
sudo cp /tmp/DOMUS-ROOT-CA.crt /etc/ssl/certs/DOMUS-ROOT-CA.pem
sudo chmod 644 /etc/ssl/certs/DOMUS-ROOT-CA.pem

# Update connection
sudo nmcli connection modify Domus-Secure 802-1x.ca-cert /etc/ssl/certs/DOMUS-ROOT-CA.pem

15.2.4. Issue 4: Client Certificate from Old PKI

Gabriel’s client cert was still signed by HOME-ROOT-CA, not compatible with new PKI.

Check Old Certificate
openssl x509 -in /etc/ssl/certs/modestus-p50-eaptls.pem -noout -issuer -subject
# issuer=DC=dev, DC=domusdigitalis, DC=inside, CN=HOME-ROOT-CA
# subject=O=Domus Digitalis, OU=Endpoints, CN=modestus-p50.inside.domusdigitalis.dev
Issue New Certificate from Vault
# On certmgr-01
vault operator unseal  # x3 with unseal keys
vault login

# List roles
vault list pki_int/roles
# domus-byod, domus-client, domus-server, domus-windows-machine, domus-windows-user

# Issue client cert
# NOTE: pki_int/issue/<role> generates the private key inside Vault and hands it back;
# signing a CSR generated on the endpoint (pki_int/sign/<role>) keeps the key off certmgr-01.
umask 077   # the JSON bundle and the extracted key must not be world-readable in /tmp
vault write -format=json pki_int/issue/domus-client \
  common_name="modestus-p50.inside.domusdigitalis.dev" \
  ttl="8760h" > /tmp/modestus-p50.json

# Extract components
jq -r '.data.certificate' /tmp/modestus-p50.json > /tmp/modestus-p50-eaptls.pem
jq -r '.data.private_key' /tmp/modestus-p50.json > /tmp/modestus-p50-eaptls.key

# Verify new cert
openssl x509 -in /tmp/modestus-p50-eaptls.pem -noout -subject -issuer
# subject=CN=modestus-p50.inside.domusdigitalis.dev
# issuer=CN=DOMUS-ISSUING-CA
Deploy to Client
# From workstation
scp certmgr-01:/tmp/modestus-p50-eaptls.pem /tmp/
scp certmgr-01:/tmp/modestus-p50-eaptls.key /tmp/
scp /tmp/modestus-p50-eaptls.* gabriel@10.50.10.107:/tmp/

# On Gabriel's machine
sudo cp /tmp/modestus-p50-eaptls.pem /etc/ssl/certs/
sudo cp /tmp/modestus-p50-eaptls.key /etc/ssl/private/
sudo chmod 644 /etc/ssl/certs/modestus-p50-eaptls.pem
sudo chmod 600 /etc/ssl/private/modestus-p50-eaptls.key
rm -f /tmp/modestus-p50-eaptls.*   # do not leave the key behind in /tmp (same on the workstation and certmgr-01)

# Connect
nmcli connection up Domus-Secure

15.3. Key Lessons from Gabriel’s Case

  1. Multiple cascading failures - NetworkManager config corruption masked the real PKI issue

  2. Vault must be unsealed - unseal (three key shares here) before any PKI operation

  3. Know your Vault roles - use vault list pki_int/roles to find the correct role (domus-client, not client-cert)

  4. Full PKI migration requires both CA and client cert - updating the CA alone isn’t enough if the client cert is from the old PKI, and the deployed key must be the one that matches the new cert

  5. Temporary network access - removing the 802.1X template from the switch port gives emergency access at the cost of an unauthenticated port; restore the template as soon as the workstation is back (15.5.3)
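The checks below are an added example written for this appendix and for lessons 2 and 4 of section 14.8; they are not commands from the runbook or from Vault. The script builds a throwaway two-tier PKI with openssl (the CA names are copied from the runbook, but every key and certificate is generated locally and is not the Domus PKI; `ise-psn.inside.domusdigitalis.dev` is an assumed stand-in for ISE’s EAP server certificate) and then runs a pre-flight that would have caught Issue 3 (the client still trusting the old root, which is exactly the OpenSSL error 19 of 14.8) and Issue 4 (a client certificate that does not chain to the deployed CA or does not match the key on disk) before any nmcli profile was edited. `make_ca`, `make_leaf` and `eaptls_preflight` are this example’s own function names; the optional name-suffix check approximates what NetworkManager’s 802-1x.domain-suffix-match enforces.

```shell
# Added example: throwaway two-tier PKI plus the pre-flight checks that would have
# caught Issue 3 and Issue 4. Not the Domus PKI: every key and certificate below is
# generated locally; only the CA names are copied from the runbook, and the ISE
# certificate CN is an assumption.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
umask 077   # every private key written below is readable by the owner only

# make_ca <name> [issuer-name]: self-signed root, or an issuing CA signed by <issuer-name>
make_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  if [ $# -eq 1 ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -out "$WORK/$1.pem" \
      -days 30 -extfile "$WORK/ca.ext" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
      -CAcreateserial -out "$WORK/$1.pem" -days 30 -extfile "$WORK/ca.ext" 2>/dev/null
  fi
}

# make_leaf <cn> <issuer-name> <clientAuth|serverAuth>: end-entity cert with a DNS SAN
make_leaf() {
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' \
    "$3" "$1" > "$WORK/leaf.ext"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/O=Domus Digitalis/OU=Endpoints/CN=$1" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -out "$WORK/$1.pem" -days 30 -extfile "$WORK/leaf.ext" 2>/dev/null
}

# eaptls_preflight <trusted-ca> <cert> <key|""> <chain> <Client|Server> [name-suffix]
#   <chain> holds the intermediates plus the root the peer presents (ISE sends its full
#   chain in the TLS handshake; the client's own chain comes with the Vault bundle).
#   [name-suffix] approximates NetworkManager's 802-1x.domain-suffix-match for the server.
eaptls_preflight() {
  pf_ca=$1 pf_cert=$2 pf_key=$3 pf_chain=$4 pf_eku=$5 pf_suffix=${6:-}
  pf_out=$(openssl verify -CAfile "$pf_ca" -untrusted "$pf_chain" "$pf_cert" 2>&1) || {
    case $pf_out in
      *"self"?"signed certificate in certificate chain"*)
        echo "FAIL: chain ends at a root that is not in $pf_ca (OpenSSL error 19)" ;;
      *"unable to get"*"issuer certificate"*)
        echo "FAIL: an issuer is missing from $pf_ca and $pf_chain (incomplete chain)" ;;
      *) echo "FAIL: $pf_out" ;;
    esac
    return 1
  }
  if [ -n "$pf_key" ]; then    # the key on disk must be the one the cert was issued for
    [ "$(openssl x509 -in "$pf_cert" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$pf_key" -pubout 2>/dev/null | openssl sha256)" ] \
      || { echo "FAIL: private key $pf_key does not match $pf_cert"; return 1; }
  fi
  pf_text=$(openssl x509 -in "$pf_cert" -noout -text)
  printf '%s\n' "$pf_text" | grep -q "TLS Web $pf_eku Authentication" \
    || { echo "FAIL: $pf_cert has no EKU for $pf_eku authentication"; return 1; }
  if [ -n "$pf_suffix" ] && ! printf '%s\n' "$pf_text" \
       | grep -Eq "(CN *= *[^,/ ]*|DNS:[^, ]*)[.]$pf_suffix([, ]|\$)"; then
    echo "FAIL: $pf_cert carries no name under .$pf_suffix"; return 1
  fi
  openssl x509 -in "$pf_cert" -noout -checkend 0 >/dev/null \
    || { echo "FAIL: $pf_cert has expired"; return 1; }
  echo "OK: $pf_cert chains to $pf_ca"
}

make_ca HOME-ROOT-CA                        # the retired root the p50 still trusted
make_ca DOMUS-ROOT-CA
make_ca DOMUS-ISSUING-CA DOMUS-ROOT-CA
cat "$WORK/DOMUS-ISSUING-CA.pem" "$WORK/DOMUS-ROOT-CA.pem" > "$WORK/chain.pem"
make_leaf modestus-p50.inside.domusdigitalis.dev DOMUS-ISSUING-CA clientAuth
make_leaf ise-psn.inside.domusdigitalis.dev DOMUS-ISSUING-CA serverAuth   # assumed ISE EAP cert
CLIENT="$WORK/modestus-p50.inside.domusdigitalis.dev"
ISE="$WORK/ise-psn.inside.domusdigitalis.dev"

# Issue 3 as the client saw it: 802-1x.ca-cert still named HOME-ROOT-CA -> error 19
eaptls_preflight "$WORK/HOME-ROOT-CA.pem" "$ISE.pem" "" "$WORK/chain.pem" Server inside.domusdigitalis.dev
# After the fix: new root trusted, and the new client cert deployed together with its own key
eaptls_preflight "$WORK/DOMUS-ROOT-CA.pem" "$ISE.pem" "" "$WORK/chain.pem" Server inside.domusdigitalis.dev
eaptls_preflight "$WORK/DOMUS-ROOT-CA.pem" "$CLIENT.pem" "$CLIENT.key" "$WORK/chain.pem" Client
```

Against the real files the call is `eaptls_preflight /etc/ssl/certs/DOMUS-ROOT-CA.pem /etc/ssl/certs/modestus-p50-eaptls.pem /etc/ssl/private/modestus-p50-eaptls.key <chain> Client`, where the chain is the issuing CA plus root from the Vault bundle; the server-side check needs ISE’s EAP certificate exported from the ISE admin UI.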

15.4. Certificate Paths (modestus-p50)

Component            Path
CA Certificate       /etc/ssl/certs/DOMUS-ROOT-CA.pem
Client Certificate   /etc/ssl/certs/modestus-p50-eaptls.pem
Private Key          /etc/ssl/private/modestus-p50-eaptls.key
Issuer               CN=DOMUS-ISSUING-CA

15.5. Final Resolution: Wired and WiFi Connectivity

15.5.1. WiFi 802.1X (Domus-Secure)

Successful Authentication
CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
WPA: Key negotiation completed with 78:bc:1a:36:82:cb [PTK=CCMP GTK=CCMP]
device (wlan0): Activation: successful, device activated.

15.5.2. Wired 802.1X with MAB Fallback

Due to time constraints, wired connectivity for modestus-p50 was verified via MAB (MAC Authentication Bypass) until the wired profile is configured for certificate-based authentication. The switch session below shows a successful authorization, but note what it is: MAB authenticates on the MAC address alone, which is trivially spoofable, and ISE placed the session in VLAN 40 with the RESEARCH_ONBOARD DACL rather than the VLAN 10 / LINUX_EAPTLS_PERMIT_ALL result that EAP-TLS produced for modestus-razer in 14.10. Wired access is not finished until dot1x shows Authc Success here.

Switch Session Verification
LAB-3560CX-01#show access-session interface GigabitEthernet1/0/1 details
            Interface:  GigabitEthernet1/0/1
          MAC Address:  c85b.76c6.5962
         IPv4 Address:  10.50.40.100
            User-Name:  C8-5B-76-C6-59-62
               Status:  Authorized
               Domain:  DATA
       Current Policy:  PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

Server Policies:
           Vlan Group:  Vlan: 40
              ACS ACL:  xACSACLx-IP-RESEARCH_ONBOARD_DACL-6967c0fb

Method status list:
      Method            State
      dot1x              Stopped
      mab                Authc Success
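As an added example (not from the runbook or from netapi), the function below scores a captured `show access-session interface ... details` block against the policy ISE is expected to push, so that a port that merely reads Authorized, as in the MAB fallback above, is not mistaken for a working EAP-TLS session. The two samples are the switch outputs from sections 14.10 and 15.5.2; VLAN 10 and the LINUX_EAPTLS_PERMIT_ALL DACL are taken from the 14.10 session and assumed to be the EAP-TLS policy. `session_field`, `method_state` and `check_session` are the example’s own names.

```shell
# Added example: evaluate a captured "show access-session ... details" block against the
# expected ISE result. Exit codes: 0 = EAP-TLS session with the expected VLAN and DACL,
# 2 = authorized by MAB only (no certificate proven), 1 = not authorized or wrong policy.

# session_field "<text>" "<Field Name>" -> value after the colon
session_field() {
  printf '%s\n' "$1" | awk -v k="$2" '$0 ~ ("^ *" k ":") { sub(/^[^:]*: */, ""); print; exit }'
}

# method_state "<text>" dot1x|mab -> state column from the "Method status list"
method_state() {
  printf '%s\n' "$1" | awk -v m="$2" '$1 == m { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# check_session "<text>" <expected-vlan> <expected-dacl-substring>
check_session() {
  cs_text=$1 cs_vlan=$2 cs_acl=$3
  cs_status=$(session_field "$cs_text" "Status")
  cs_dot1x=$(method_state "$cs_text" dot1x)
  cs_mab=$(method_state "$cs_text" mab)
  cs_got_vlan=$(session_field "$cs_text" "Vlan Group")   # printed by IOS as "Vlan: 10"
  cs_got_acl=$(session_field "$cs_text" "ACS ACL")

  if [ "$cs_status" != "Authorized" ]; then
    echo "FAIL: status=$cs_status (dot1x=$cs_dot1x, mab=$cs_mab)"; return 1
  fi
  if [ "$cs_dot1x" != "Authc Success" ]; then
    if [ "$cs_mab" = "Authc Success" ]; then
      echo "WARN: MAB-only session (dot1x=$cs_dot1x); the MAC address is the only credential"; return 2
    fi
    echo "FAIL: dot1x=$cs_dot1x mab=$cs_mab"; return 1
  fi
  [ "$cs_got_vlan" = "Vlan: $cs_vlan" ] \
    || { echo "FAIL: got '$cs_got_vlan', expected Vlan: $cs_vlan"; return 1; }
  case $cs_got_acl in
    *"$cs_acl"*) ;;
    *) echo "FAIL: DACL '$cs_got_acl' is not the $cs_acl policy"; return 1 ;;
  esac
  echo "OK: EAP-TLS session, $cs_got_vlan, $cs_got_acl"
}

# Sample input: the two sessions captured in sections 14.10 and 15.5.2
RAZER_SESSION=$(cat <<'EOF'
            Interface:  GigabitEthernet1/0/5
          MAC Address:  98bb.1e1f.a713
         IPv4 Address:  10.50.10.130
            User-Name:  modestus-razer.inside.domusdigitalis.dev
               Status:  Authorized
               Domain:  DATA
       Current Policy:  PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

Server Policies:
           Vlan Group:  Vlan: 10
      Security Status:  Link Unsecure
              ACS ACL:  xACSACLx-IP-LINUX_EAPTLS_PERMIT_ALL-69680320

Method status list:
      Method            State
      dot1x              Authc Success
      mab                Stopped
EOF
)
P50_SESSION=$(cat <<'EOF'
            Interface:  GigabitEthernet1/0/1
          MAC Address:  c85b.76c6.5962
         IPv4 Address:  10.50.40.100
            User-Name:  C8-5B-76-C6-59-62
               Status:  Authorized
               Domain:  DATA
       Current Policy:  PMAP_DefaultWiredDot1xClosedAuth_1X_MAB

Server Policies:
           Vlan Group:  Vlan: 40
              ACS ACL:  xACSACLx-IP-RESEARCH_ONBOARD_DACL-6967c0fb

Method status list:
      Method            State
      dot1x              Stopped
      mab                Authc Success
EOF
)

check_session "$RAZER_SESSION" 10 LINUX_EAPTLS_PERMIT_ALL
check_session "$P50_SESSION"   10 LINUX_EAPTLS_PERMIT_ALL
```

Feed it live output with `check_session "$(netapi ios exec 'show access-session interface GigabitEthernet1/0/1 details')" 10 LINUX_EAPTLS_PERMIT_ALL` and treat exit code 2 as the signal that the wired profile still needs its certificate.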

15.5.3. Switch Port Restoration

After troubleshooting, the IBNS 2.0 template was restored on GigabitEthernet1/0/1, the port that had been opened for temporary access in 15.2.2.

netapi Command for Template Restoration
# Verify current interface configuration
netapi ios exec "show running-config interface GigabitEthernet1/0/1"

# Restore IBNS 2.0 template
netapi ios config \
  "interface GigabitEthernet1/0/1" \
  "description [DOT1X] User Access Port" \
  "ip arp inspection trust" \
  "source template DefaultWiredDot1xClosedAuth" \
  "spanning-tree portfast edge" \
  --save

# Verify template applied
netapi ios exec "show derived-config interface GigabitEthernet1/0/1"

15.6. Summary: PKI Migration Completed

Table 8. Migration Status
Workstation                Status                          Notes
modestus-razer (primary)   Complete                        Wired + WiFi EAP-TLS working
modestus-p50 (Gabriel)     WiFi complete, wired pending    WiFi EAP-TLS working; wired via MAB (cert deployment for the wired profile pending)

Table 9. Certificates Issued from Vault PKI
Common Name                                Issuer             TTL
modestus-razer.inside.domusdigitalis.dev   DOMUS-ISSUING-CA   8760h (1 year)
modestus-p50.inside.domusdigitalis.dev     DOMUS-ISSUING-CA   8760h (1 year)


Document Status: Complete
Session Duration: Full day (early AM to late evening)
Next Review: 2026-02-08