Daily Worklog: 2026-02-11 (Wednesday)
Overview
Date: 2026-02-11 (Wednesday)
Location: Remote
Focus: ISE 3.4 Migration Complete, Dotfiles Organization & Documentation, Research Onboarding Prep
Summary
Major milestone: ISE 3.4 (ise-01) is fully operational with all 5 API surfaces validated and 802.1X EAP-TLS authentication confirmed.
ISE 3.4 Deployment - COMPLETED
Phase 1-3: Installation & Certificates
| Step | Status | Notes |
|---|---|---|
| Boot from ISO | DONE | Ejected ISO after install |
| Setup wizard | DONE | hostname: ise-01, IP: 10.50.1.20 |
| Application install | DONE | ISE 3.4 bundle installed |
| Restore from backup | DONE | |
| Certificate issuance | DONE | Vault PKI - Admin/EAP cert |
Phase 4: API Validation - ALL PASSED
| API | Status | Command |
|---|---|---|
| ERS (port 9060) | PASSED | |
| OpenAPI | PASSED | |
| MnT | PASSED | |
| DataConnect (Oracle 2484) | PASSED | |
| pxGrid (mTLS 8910) | PASSED | |
Phase 5: 802.1X EAP-TLS Validation
Ultimate test: Connected modestus-razer via 802.1X and verified via DataConnect:
```
USERNAME: modestus-razer.inside.domusdigitalis.dev
ISE_NODE: ise-01
POLICY_SET_NAME: Domus-Wired 802.1X
AUTHORIZATION_RULE: Linux_EAP-TLS_Permit
PASSED: Pass
```
Confirmed: ise-01 is handling RADIUS authentications.
DataConnect Troubleshooting
Encountered multiple issues getting DataConnect working:
| Issue | Cause | Fix |
|---|---|---|
| SSL verification failed | Wrong CA file | Changed ISE_DATACONNECT_CA to domus-ca-chain.crt |
| PEM lib error | Chain file missing newline between certs | Added the missing newline between the certificates |
| DPY-6006 hostname mismatch | Using IP instead of FQDN | Changed ISE_DATACONNECT_HOST from IP to FQDN |
| ORA-01017 invalid password | Password sync issues | Reset password in ISE GUI |
| ORA-28000 account locked | Too many failed attempts | Toggle DataConnect off/on in ISE GUI |
Key learnings:
- DataConnect requires FQDN (not IP) for SSL hostname verification
- Password must contain a special char from: `#$%&*+,-.:;=?^_~`
- Account locks after failed attempts - toggle off/on to unlock
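The three failure modes in the table above (CA chain formatting, IP instead of FQDN, password character policy) can all be caught before the client opens a connection and burns a failed attempt against the account lockout. The script below is an added example written for this worklog entry, not part of the runbook or any project code: the FQDN `ise-01.inside.domusdigitalis.dev`, the sample passwords and the placeholder certificate bodies are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the worklog: pre-flight checks for a DataConnect
# client configuration, covering the three failure modes recorded above
# (FQDN vs IP, password character policy, PEM chain without a newline).
# Every host name, password and certificate body here is constructed.

# Special characters ISE DataConnect requires at least one of (from the
# worklog). In the bracket expression "-" is moved last so it stays literal.
DC_SPECIALS='#$%&*+,-.:;=?^_~'
DC_SPECIAL_CLASS='[#$%&*+,.:;=?^_~-]'

# Return 0 if $1 is a dotted DNS name and not a bare IPv4 literal.
# DataConnect's TLS hostname check (DPY-6006) compares the name you connect
# to against the certificate, so the FQDN must be used.
is_fqdn() {
  case "$1" in
    *[!0-9.]*) ;;      # contains something other than digits and dots
    *) return 1 ;;     # digits and dots only: an IP literal
  esac
  case "$1" in
    *.*) return 0 ;;   # has a domain part
    *) return 1 ;;     # short name like "ise-01"
  esac
}

# Return 0 if the password contains at least one character from DC_SPECIALS.
has_dc_special() {
  printf '%s' "$1" | grep -q "$DC_SPECIAL_CLASS"
}

# Return 0 if the PEM file $1 has an END marker glued to the next BEGIN
# marker on one line (the "PEM lib error" case), 1 if the chain is clean.
chain_has_newline_defect() {
  grep -q -- '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1"
}

# Copy $1 to $2, inserting the missing newline between glued certificates.
fix_chain_newlines() {
  awk '{
    gsub(/-----END CERTIFICATE----------BEGIN CERTIFICATE-----/,
         "-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----")
    print
  }' "$1" > "$2"
}

# Write a constructed, deliberately defective two-certificate chain to $1.
# The bodies are placeholders, not real certificates.
write_sample_defective_chain() {
  printf '%s\n%s\n%s%s\n%s\n%s\n' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-LEAF-BODY' \
    '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
    'PLACEHOLDER-CA-BODY' '-----END CERTIFICATE-----' > "$1"
}

# Stand-alone demo over constructed values. The FQDN for ise-01 is assumed.
preflight_demo() {
  for h in 10.50.1.20 ise-01 ise-01.inside.domusdigitalis.dev; do
    if is_fqdn "$h"; then echo "host $h: ok"; else echo "host $h: use the FQDN"; fi
  done
  for p in 'NoSpecialChars123' 'Corr3ct#Horse'; do
    if has_dc_special "$p"; then echo "password: ok"; else echo "password: needs one of $DC_SPECIALS"; fi
  done
  tmp=$(mktemp -d)
  write_sample_defective_chain "$tmp/chain.crt"
  if chain_has_newline_defect "$tmp/chain.crt"; then
    fix_chain_newlines "$tmp/chain.crt" "$tmp/chain-fixed.crt"
    echo "chain: glued certificates split into $tmp/chain-fixed.crt"
  fi
  rm -rf "$tmp"
}
preflight_demo
```

Running the checks in this order matters: the hostname and chain checks are local and free, while a wrong password costs one of the attempts that lead to ORA-28000 and the off/on toggle in the GUI.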
Documentation Updates
domus-infra-ops
Commit: 49a4f2f
- Updated ise-34-deployment.adoc with Phase 11: API Validation
- Added dsec secrets update procedure
- Added all 5 API test commands with expected output
- Added DataConnect troubleshooting notes
- Added 802.1X validation via DataConnect queries
domus-ise-linux
Commit: d6bbe31
- Created research-onboarding.adoc (514 lines)
- Documents two-stage onboarding flow:
  - Stage 1: RESEARCH_ONBOARD dACL (MAB → cert enrollment)
  - Stage 2: RESEARCH_HARDENED dACL (EAP-TLS → zero-trust)
- Includes validation test script that auto-detects current stage
- Added attributes for research device: {research-device-hostname}, {research-device-mac}, {research-user}
dsec Secrets Update
Updated d000 dev/network to point to ise-01:
- Changed active target from ISE_HQ_01 to ISE_HQ_02
- ISE_DATACONNECT_HOST changed from IP to FQDN
- ISE_DATACONNECT_CA pointed to domus-ca-chain.crt
- Reset DataConnect password via gopass
Shell Skills: Globs vs Regex
Quick reference for file matching vs content matching.
Globs (File Names)
Used by: ls, find -name, rm, cp
| Pattern | Matches |
|---|---|
| `*` | Any characters |
| `?` | Single character |
| `{a,b}` | Either "a" or "b" |
| `[abc]` | Single char: a, b, or c |
| `[0-9]` | Single digit |

```bash
ls $mod/modestus*.{cer,csr}
shred -vuzn 3 $modestus*.{cer,csr}
```
Regex (File Contents)
Used by: grep, sed, awk, rg
| Pattern | Meaning |
|---|---|
| `.` | Any single char |
| `*` | Zero or more of previous |
| `+` | One or more of previous |
| `^` / `$` | Start / end of line |
| `[...]` | Character class |
| `a\|b` | Either a or b |
| `\d` | Digit (Perl regex) |
| `\K` | Reset match start (grep -P) |

```bash
# IP addresses
grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' file
# MAC addresses
grep -Ei '([0-9a-f]{2}:){5}[0-9a-f]{2}' logs
# Extract usernames from RADIUS logs
grep -oP 'User-Name=\K[^,]+' radius.log
# Certificate CN
grep -oP 'CN=\K[^,]+' cert.pem
```
Shred Dry-Run Pattern
```bash
# Preview (safe)
echo $modestus*.{cer,csr}
ls -la $modestus*.{cer,csr}
# Execute (destructive)
shred -vuzn 3 $modestus*.{cer,csr}
```
Flags: -v verbose, -u remove after, -z zero final pass, -n 3 = 3 overwrites
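To make the glob/regex reference and the preview-then-shred pattern above concrete, the script below is an added example (written for this entry, not taken from domus-linux-ops or any other repo). It builds a scratch directory of constructed file names, lists what the shred glob would expand to before anything destructive happens, and runs the MAC, IP and User-Name patterns over a few constructed RADIUS-style log lines. The sed form of the User-Name extraction is a POSIX substitute for the `\K` form, which needs `grep -P`.

```shell
#!/bin/sh
# Added example, not from the worklog: the glob preview step that should
# precede a destructive shred, and the regex extraction patterns from the
# reference above run over constructed RADIUS log lines. File names and
# log content are made up for the demo.

# Create a scratch directory with files the shred pattern targets plus
# decoys that must NOT match. Prints the directory path.
make_sample_dir() {
  d=$(mktemp -d)
  for f in modestus-razer.cer modestus-razer.csr modestus-aw.csr \
           modestus-razer.key other-host.cer; do
    : > "$d/$f"
  done
  echo "$d"
}

# Glob side. The worklog uses the brace form modestus*.{cer,csr}; brace
# expansion is bash/zsh-only, so both globs are written out to stay POSIX.
# Always run this preview before the destructive step.
list_shred_candidates() {
  for f in "$1"/modestus*.cer "$1"/modestus*.csr; do
    if [ -e "$f" ]; then echo "$f"; fi   # skip unmatched literal patterns
  done
}

count_shred_candidates() {
  list_shred_candidates "$1" | wc -l | tr -d ' '
}

# Destructive step: same list, fed to shred with the flags from the worklog.
shred_candidates() {
  list_shred_candidates "$1" | while IFS= read -r f; do
    shred -vuzn 3 "$f"
  done
}

# Regex side. Constructed accounting-style lines (not real ISE output).
SAMPLE_RADIUS_LOG='Feb 11 10:02:11 ise-01 radius: User-Name=modestus-razer.inside.domusdigitalis.dev,Calling-Station-Id=AA:BB:CC:DD:EE:01,Result=Accept
Feb 11 10:05:40 ise-01 radius: User-Name=host/modestus-aw,Calling-Station-Id=aa:bb:cc:dd:ee:02,Result=Reject
Feb 11 10:06:03 ise-01 radius: Framed-IP-Address=10.50.1.77,Result=Accept'

# User-Name values, stdin to stdout. The worklog's grep -oP 'User-Name=\K[^,]+'
# needs PCRE; this sed form is the POSIX equivalent.
extract_usernames() {
  sed -n 's/.*User-Name=\([^,]*\).*/\1/p'
}

# MAC addresses, case-insensitive, same ERE as the reference above.
extract_macs() {
  grep -oEi '([0-9a-f]{2}:){5}[0-9a-f]{2}'
}

# IPv4 addresses; the {3} repetition shortens the four-octet pattern.
extract_ipv4() {
  grep -oE '[0-9]{1,3}(\.[0-9]{1,3}){3}'
}

# Stand-alone demo run.
demo_dir=$(make_sample_dir)
echo "would shred:"
list_shred_candidates "$demo_dir"
rm -rf "$demo_dir"
echo "usernames:"; printf '%s\n' "$SAMPLE_RADIUS_LOG" | extract_usernames
echo "macs:";      printf '%s\n' "$SAMPLE_RADIUS_LOG" | extract_macs
echo "ipv4:";      printf '%s\n' "$SAMPLE_RADIUS_LOG" | extract_ipv4
```

The `.key` and `other-host.cer` decoys are there to show why the preview matters: a glob one character off (`modestus*` instead of `modestus*.cer`) would silently pull the private key into the shred list.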
Dotfiles Optimization Session
winfiles-optimus Parity & Optimization
Commits:
- f3a313b - oh-my-posh optimization + lazygit config
- 281978d - README converted to AsciiDoc
Changes:
| Component | Change |
|---|---|
| oh-my-posh theme | Optimized for 5-10x faster prompt. Disabled |
| lazygit | Ported config from dotfiles-optimus with delta pager |
| README | Converted from .md to .adoc |
dotfiles-optimus Updates
Commits:
- 109360c - Fixed winfiles alias to point to winfiles-optimus
- 43a36c9 - Renamed vim configs for clarity
- 04b0f57 - Added vim config aliases (vims, vimm, vima)
- 88e4154 - Fixed deprecated pastetoggle option
- 4612e3a - Added comprehensive Symlink Inventory (590 lines)
- 2c85d8c - Enhanced troubleshooting guide (424 lines added)
Vim Config Renaming:
| Old Name | New Name | Purpose |
|---|---|---|
| | | Lightweight server config (28k) |
| | | Alternative IDE config (83k) |
| | | Locked-down environments (16k) |
| | | Primary IDE (unchanged, 117k) |
Vim Aliases Added:
- vims → `vim -u ~/.vimrc-server`
- vimm → `vim -u ~/.vimrc-minimal`
- vima → `vim -u ~/.vimrc-ide-alt`
Added to both aliases.sh (bash/zsh) and aliases.fish.
Vim Fix: Replaced deprecated `pastetoggle=<F2>` with modern mapping:
```vim
nnoremap <F2> :set paste!<CR>
inoremap <F2> <C-O>:set paste!<CR>
```
Symlink Inventory Documentation:
Created comprehensive section in DOTFILES-OPTIMUS.adoc documenting all 100+ symlinked files:
- Why symlinks? (5 benefits explained)
- Base configurations (shells, git, vim, ssh, gpg, search tools)
- Shell enhancements (cross-shell aliases and functions)
- Custom scripts (~/.local/bin/)
- Terminal emulators (Ghostty, Kitty)
- Window manager stack (Hyprland, Waybar, Wofi, Mako)
- Applications (20+ app configs)
- File count summary and verification commands
Troubleshooting Guide Enhanced:
Expanded docs/troubleshooting.adoc from 151 to 541 lines:
- GNU Stow issues (slash errors, no symlinks, regular file vs symlink, broken links)
- Shell startup (Fish hangs, Oh-My-Posh slow, alias caching, PATH)
- SSH issues (key agent, permissions, post-quantum algorithms)
- Vim issues (pastetoggle deprecation)
- GPG issues (agent, pinentry)
- Quick reference table (10 common fixes)
Fish/pyenv Issue Fixed
Problem: Fish shell hanging 60+ seconds on startup
Cause: Stale pyenv lock file at ~/.pyenv/shims/.pyenv-shim
Fix:
```bash
rm -f ~/.pyenv/shims/.pyenv-shim
```
Diagnosis technique:
```bash
fish -c "echo test" # See errors before test output
```
Pending Dotfiles Work
- Convert 11 remaining .md files in dotfiles-optimus to .adoc:
  - docs/AUDIT-REPORT.md, ARCHITECTURE.md, CHANGELOG.md, KEYBINDINGS.md, WSL-STOW-SETUP.md
  - hosts/README.md
  - wm/hyprland, mako, waybar, wofi READMEs
  - Root README.md
Completed Today
| Category | Items |
|---|---|
| ISE 3.4 | All 5 APIs validated, 802.1X EAP-TLS confirmed |
| Documentation | research-onboarding.adoc (514 lines), Symlink Inventory (590 lines), Troubleshooting guide (424 lines added) |
| Dotfiles | Vim config renaming, vim aliases, pastetoggle fix, stow symlink verification |
| Roadmaps | Vault PKI roadmap, Packet Analysis roadmap (in domus-docs) |
In Progress
- Test research onboarding flow with Alienware (modestus-aw)
  - Device hostname: modestus-aw
  - Target user: Xianming Ding research workstation simulation
  - Two-stage flow: MAB → EAP-TLS
Pending
- Register modestus-aw MAC in ISE for MAB onboarding
- Import cert to ISE GUI (from earlier session)
- Decommission ise-02 after 1-2 week verification period
- Expand glob/regex reference in domus-linux-ops
- Convert remaining .md files to .adoc in dotfiles-optimus (11 files)
Next Steps (Research Onboarding)
- Bring modestus-aw (Alienware) online
- Get MAC address: `ip link show | grep ether`
- Register MAC in ISE as endpoint (Identity Group: Research-Devices)
- Connect to network - should hit Stage 1 (RESEARCH_ONBOARD dACL)
- Enroll certificate via Vault PKI
- Reconnect with EAP-TLS - should hit Stage 2 (RESEARCH_HARDENED dACL)
- Validate zero-trust ACL blocks lateral movement
References
- infra-ops::runbooks/ise-34-deployment.adoc - ISE 3.4 Deployment Runbook
- ise-linux::03-ise-config/research-onboarding.adoc - Research Onboarding Flow
- gopass: v2/DOMUS/servers/ise-01/dataconnect