[Title]
Context
What prompted this capture.
Captures notes and ideas that pertain to today's work log, plus other ideas that come up along the way.
Objectives
- Goal 1
- Goal 2
- Goal 3
Commands / Code
# Commands executed
Outcomes
What was accomplished.
Follow-ups
- Action item 1
- Action item 2
Notable and functional commands
cp docs/modules/ROOT/_drafts/TEMPLATE-capture.adoc docs/modules/ROOT/_drafts/LRN-$(date +%Y-%m-%d)-cli-data-processing.adoc
❯ netapi ise dc query "
select view_name from all_views
where owner = 'DATACONNECT'
order by view_name
"
Query Results
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ VIEW_NAME ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ AAA_DIAGNOSTICS_VIEW │
│ ADAPTER_STATUS │
│ ADAPTIVE_NETWORK_CONTROL │
│ ADMINISTRATOR_LOGINS │
│ ADMIN_USERS │
│ AUP_ACCEPTANCE_STATUS │
│ AUTHORIZATION_PROFILES │
│ CHANGE_CONFIGURATION_AUDIT │
│ COA_EVENTS │
│ ENDPOINTS_DATA │
│ ENDPOINT_IDENTITY_GROUPS │
│ ENDPOINT_PURGE_VIEW │
│ EXT_ID_SRC_ACTIVE_DIRECTORY │
│ EXT_ID_SRC_CERT_AUTH_PROFILE │
│ EXT_ID_SRC_LDAP │
│ EXT_ID_SRC_ODBC │
│ EXT_ID_SRC_RADIUS_TOKEN │
│ EXT_ID_SRC_REST │
│ EXT_ID_SRC_RSA_SECURID │
│ EXT_ID_SRC_SAML_ID_PROVIDERS │
│ EXT_ID_SRC_SOCIAL_LOGIN │
│ FAILURE_CODE_CAUSE │
│ GUEST_ACCOUNTING │
│ GUEST_DEVICELOGIN_AUDIT │
│ KEY_PERFORMANCE_METRICS │
│ LOGICAL_PROFILES │
│ MISCONFIGURED_NAS_VIEW │
│ MISCONFIGURED_SUPPLICANTS_VIEW │
│ NETWORK_ACCESS_USERS │
│ NETWORK_DEVICES │
│ NETWORK_DEVICE_GROUPS │
│ NODE_LIST │
│ OPENAPI_OPERATIONS │
│ POLICY_SETS │
│ POSTURE_ASSESSMENT_BY_CONDITION │
│ POSTURE_ASSESSMENT_BY_ENDPOINT │
│ POSTURE_GRACE_PERIOD │
│ POSTURE_SCRIPT_CONDITION │
│ POSTURE_SCRIPT_REMEDIATION │
│ PRIMARY_GUEST │
│ PROFILED_ENDPOINTS_SUMMARY │
│ PROFILING_POLICIES │
│ PXGRID_DIRECT_DATA │
│ RADIUS_ACCOUNTING │
│ RADIUS_ACCOUNTING_WEEK │
│ RADIUS_AUTHENTICATIONS │
│ RADIUS_AUTHENTICATIONS_WEEK │
│ RADIUS_AUTHENTICATION_SUMMARY │
│ RADIUS_ERRORS_VIEW │
│ REGISTERED_ENDPOINTS │
│ SECURITY_GROUPS │
│ SECURITY_GROUP_ACLS │
│ SPONSOR_LOGIN_AND_AUDIT │
│ SYSTEM_DIAGNOSTICS_VIEW │
│ SYSTEM_SUMMARY │
│ TACACS_ACCOUNTING │
│ TACACS_ACCOUNTING_LAST_TWO_DAYS │
│ TACACS_AUTHENTICATION │
│ TACACS_AUTHENTICATION_LAST_TWO_DAYS │
│ TACACS_AUTHENTICATION_SUMMARY │
│ TACACS_AUTHORIZATION │
│ TACACS_AUTHORIZATION_LAST_TWO_DAYS │
│ TACACS_COMMAND_ACCOUNTING │
│ THREAT_EVENTS │
│ UPSPOLICY │
│ UPSPOLICYSET │
│ UPSPOLICYSET_POLICIES │
│ USER_IDENTITY_GROUPS │
│ USER_PASSWORD_CHANGES │
│ VULNERABILITY_ASSESSMENT_FAILURES │
└─────────────────────────────────────┘
netapi ise dc query "
SELECT
CALLING_STATION_ID as MAC,
ENDPOINT_PROFILE,
AUTHORIZATION_PROFILES,
NAS_PORT_ID,
TIMESTAMP_TIMEZONE as LAST_SEEN
FROM RADIUS_AUTHENTICATIONS
WHERE AUTHENTICATION_PROTOCOL = 'Lookup'
AND TIMESTAMP_TIMEZONE > SYSDATE - 30
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 50 ROWS ONLY
"
netapi ise dc query "
SELECT * FROM PROFILED_ENDPOINTS_SUMMARY
WHERE ENDPOINT_ID LIKE '%B8:FC:FE'
OR ENDPOINT_ID LIKE '%b8:fc:fe'
"
Query Results

| ID | TIMESTAMP | ENDPOINT_ID | ENDPOINT_PROFILE | SOURCE | HOST | ENDPOINT_ACTION_NAME | MESSAGE_CODE | IDENTITY_GROUP |
|---|---|---|---|---|---|---|---|---|
| 1770803790878074 | 2026-02-13 01:20:29.479000 | 90:32:4B:B8:FC:FE | Brother-Device | MFC Probe | ise-01.inside.domusd… | | 80002 | Profiled |
sed -n '177,193p' docs/modules/ROOT/_drafts/WRKLOG-2026-02-14-research-linux-testing.adoc
The sed -n '177,193p' command is perfectly valid - it's a common idiom for extracting line ranges. Not retarded at all.
Alternatives you could use:
# sed (what you used) - clean, readable
sed -n '177,193p' file.adoc
Here's the full set:

| Operator | Meaning |
|----------|-----------------------|
| < | less than |
| > | greater than |
| <= | less than or equal |
| >= | greater than or equal |
| == | equal to |
| != | not equal to |

Examples:

[source,awk]
# Lines 177 through 193 (inclusive)
awk 'NR>=177 && NR<=193' file
# Exactly line 177
awk 'NR==177' file
# All lines except 177
awk 'NR!=177' file
# Lines after 177 (not including 177)
awk 'NR>177' file
# First 10 lines
awk 'NR<=10' file
The = alone is assignment. Double == is comparison. Same as most programming languages.
[source,awk]
awk 'NR>=177 && NR<=193' docs/modules/ROOT/_drafts/WRKLOG-2026-02-14-research-linux-testing.adoc
# head + tail combo - more verbose
head -n 193 file.adoc | tail -n 17
# bat with line range (if installed) - nice syntax highlighting
bat -r 177:193 file.adoc
The sed version is fine for quick extraction. If you want it in your toolkit, you could make a zsh function:
# Add to .zshrc
lines() { sed -n "${1},${2}p" "$3"; }
# Usage: lines 177 193 file.adoc
Now run that printer query:
netapi ise dc query "
SELECT * FROM PROFILED_ENDPOINTS_SUMMARY
WHERE ENDPOINT_ID LIKE '%B8:FC:FE'
"
References
how to use special symbols
They’re just two characters typed in sequence - no special key combo:
<= → Shift+, (less than) then = (equals)
>= → Shift+. (greater than) then = (equals)
== → = (equals) then = (equals) again
!= → Shift+1 (exclamation) then = (equals)
On US keyboard:
- < is Shift + , (comma key)
- > is Shift + . (period key)
- = is just the equals key (next to backspace)
So <= is literally typing < then = right after. Two keystrokes, shown together.
netapi ise dc query "SELECT * FROM EXT_ID_SRC_LDAP FETCH FIRST 5 ROWS ONLY"
netapi ise dc query "SELECT * FROM EXT_ID_SRC_ODBC FETCH FIRST 5 ROWS ONLY"
Query Results
┏━━━━━━━━━━━━━┳━━━━━━━━━━━━━┓
┃ NAME ┃ DESCRIPTION ┃
┡━━━━━━━━━━━━━╇━━━━━━━━━━━━━┩
│ iPSKManager │ │
└─────────────┴─────────────┘
netapi ise dc query "SELECT * FROM EXT_ID_SRC_ACTIVE_DIRECTORY FETCH FIRST 5 ROWS ONLY"
Query Results
┏━━━━━━━━━━━━┓
┃ NAME ┃
┡━━━━━━━━━━━━┩
│ DOMUS_DC01 │
└────────────┘
For Red Hat enterprise, the answer is clear:
FreeIPA (upstream) / Red Hat Identity Management (IdM) (RHEL product)

FreeIPA / Red Hat IdM components:

| Component | Role |
|---|---|
| 389 Directory Server (LDAP) | User/host/service store |
| MIT Kerberos (KDC) | SSO authentication |
| Dogtag CA (PKI) | Certificate authority |
| Integrated DNS | Dynamic DNS updates |
| SSSD | Linux client integration |
| HBAC | Host-based access ctrl |
| Sudo rules | Centralized sudo |
| AD Trust | Cross-forest trust w/AD |
Why FreeIPA for your learning:
| Skill | Enterprise Value |
|---------------------|-----------------------------------|
| LDAP administration | Universal directory skill |
| Kerberos | SSO, AD interop, secure auth |
| PKI/Dogtag | Alternative to AD CS, certs |
| SSSD | Every RHEL client uses this |
| AD Trust | Hybrid Windows/Linux environments |
| DNS integration | Dynamic host registration |
| HBAC/sudo | RHEL security compliance |
Your target architecture:
┌──────────────┐
│ AD (DC01) │◄─── Windows clients
└──────┬───────┘
│ AD Trust
▼
┌──────────────┐
│ FreeIPA │◄─── Linux clients, printers, IoT
└──────┬───────┘
│ LDAP
▼
┌──────────────┐
│ ISE │◄─── 802.1X (EAP-TLS, EAP-TTLS)
└──────────────┘
Deployment path:
# RHEL 9 / Rocky 9 / Alma 9
sudo dnf install freeipa-server freeipa-server-dns
# Interactive setup
sudo ipa-server-install --setup-dns
# Or with options
sudo ipa-server-install \
  --realm=INSIDE.DOMUSDIGITALIS.DEV \
  --domain=inside.domusdigitalis.dev \
  --ds-password=<directory-manager-pass> \
  --admin-password=<admin-pass> \
  --setup-dns \
  --forwarder=10.50.1.1 \
  --no-ntp
For your printer (after FreeIPA is up):
# Create service account for printer
ipa user-add brother-mfc --first=Brother --last=Printer --password
# Or create a service principal
ipa service-add printing/brother-mfc.inside.domusdigitalis.dev
ISE integration:
- Add FreeIPA as LDAP identity source
- Base DN: dc=inside,dc=domusdigitalis,dc=dev
- Bind DN: uid=admin,cn=users,cn=accounts,dc=inside,dc=domusdigitalis,dc=dev
Network Scanning Session
Problem
KVM host IP changed (DHCP). DNS showed .192, SSH config had .203 - neither worked.
Solution: Parallel Port Scanning
Discovered massively parallel netcat scanning via xargs:
# Scan entire /24 for SSH in ~5 seconds
echo 192.168.1.{1..254} | tr ' ' '\n' | \
xargs -P 50 -I {} sh -c 'timeout 1 nc -zv {} 22 2>&1 | grep -q succeeded && echo "{}: SSH open"'
Results
192.168.1.184: SSH open # Unknown
192.168.1.185: SSH open # Unknown
192.168.1.225: SSH open # KVM host (supermicro300-9d1)
Verification
ssh kvm-01 # Updated ~/.ssh/config to 192.168.1.225
# Successfully connected to supermicro300-9d1
nmap Equivalent
nmap -p 22 192.168.1.0/24 --open -T4
Key Learnings
| Technique | Command | Speed |
|---|---|---|
| Parallel nc (50 threads) | | ~5 sec for /24 |
| nmap fast scan | | ~10 sec for /24 |
| nmap stealth | | ~15 sec for /24 |
awk 'NR>=177 && NR<=193' 02_Assets/PRJ-ISE-CHLA-LINUX-ANTORA/runbooks/.internal/linux-deployment-ise-playbook.adoc
netapi ise create-endpoint-group "DOMUS_Printers" \
--description "DOMUS network printers - EAP-TTLS authentication"
✓ Created endpoint group: DOMUS_Printers
ID: 0cd05390-0a10-11f1-a844-16ee71fc0c3b
domus-infra-ops/roadmaps/freeipa-identity-management.adoc
Documentation trail for today's work:
| Document | Path |
|--------------------------|-----------------------------------------------------------|
| netapi bulk commands | domus-netapi-docs/cli/ise/ers/endpoints.adoc |
| Printer EAP-TTLS runbook | domus-infra-ops/runbooks/printer-eap-ttls.adoc |
| FreeIPA roadmap | domus-infra-ops/roadmaps/freeipa-identity-management.adoc |
| Today's WRKLOG | domus-captures/2026/02/WRKLOG-2026-02-14.adoc |
FreeIPA Linux skills you'll gain:
- 389 DS (LDAP) → ldapsearch, ldapmodify, schema design
- MIT Kerberos → kinit, klist, keytabs, principals
- Dogtag CA → certutil, certificate templates, CRL
- SSSD → sss_cache, authselect, failover
- HBAC → Who can SSH where
- Sudo rules → Centralized sudo without /etc/sudoers
Next step: Deploy FreeIPA on kvm-01, then join ISE as LDAP identity source.
Want to start the FreeIPA deployment now?
# Scan subnet for SSH
for ip in {100..140}; do
timeout 1 nc -zv 10.50.10.$ip 22 2>&1 | grep -q succeeded && echo "10.50.10.$ip - SSH OPEN"
done
Confirm it's kvm-01:
ssh 10.50.10.104 hostname
Or check via virsh if you're already on a machine that can reach it:
# From hypervisor - list VMs
virsh list --all
# Get VM IP from libvirt
virsh domifaddr <vm-name>
# Or check DHCP leases
virsh net-dhcp-leases default
Want me to add this subnet scanning technique to your WRKLOG or a reference doc?
grep -E "awk.*(virsh|arp|ip neigh|domif)" ~/.zsh_history | tail -20
Or check for arp/virsh commands with awk:
grep -E "(arp|virsh|ip neigh).*\|" ~/.zsh_history | tail -30
Common patterns would be:
# ARP table parsing
arp -a | awk '{print $2}' | tr -d '()'
# virsh VM IP lookup
virsh domifaddr kvm-01 | awk '/ipv4/ {print $4}' | cut -d'/' -f1
# Neighbor table
ip neigh | awk '/10.50/ {print $1, $5}'
Run those greps and paste output - we'll find it.
netapi ise dc query "
SELECT COLUMN_NAME
FROM ALL_TAB_COLUMNS
WHERE TABLE_NAME = 'RADIUS_AUTHENTICATIONS'
ORDER BY COLUMN_NAME
FETCH FIRST 30 ROWS ONLY
"
Query Results
┏━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ COLUMN_NAME ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ ACCESS_SERVICE │
│ AUDIT_SESSION_ID │
│ AUTHENTICATION_METHOD │
│ AUTHENTICATION_PROTOCOL │
│ AUTHORIZATION_PROFILES │
│ AUTHORIZATION_RULE │
│ CALLING_STATION_ID │
│ CHECKSUM │
│ CREDENTIAL_CHECK │
│ DEVICE_NAME │
│ DEVICE_TYPE │
│ ENDPOINT_PROFILE │
│ FAILED │
│ FAILURE_REASON │
│ FRAMED_IPV6_ADDRESS │
│ FRAMED_IP_ADDRESS │
│ ID │
│ IDENTITY_GROUP │
│ IDENTITY_STORE │
│ ISE_NODE │
│ LOCATION │
│ MDM_SERVER_NAME │
│ NAS_IPV6_ADDRESS │
│ NAS_IP_ADDRESS │
│ NAS_PORT_ID │
│ NAS_PORT_TYPE │
│ ORIG_CALLING_STATION_ID │
│ PASSED │
│ POLICY_SET_NAME │
│ POSTURE_STATUS │
└─────────────────────────┘
netapi ise dc query "
SELECT COLUMN_NAME
FROM ALL_TAB_COLUMNS
WHERE TABLE_NAME = 'RADIUS_AUTHENTICATIONS'
AND ROWNUM <= 60
ORDER BY COLUMN_NAME
"
Query Results
┏━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ COLUMN_NAME ┃
┡━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ ACCESS_SERVICE │
│ AUDIT_SESSION_ID │
│ AUTHENTICATION_METHOD │
│ AUTHENTICATION_PROTOCOL │
│ AUTHORIZATION_PROFILES │
│ AUTHORIZATION_RULE │
│ CALLING_STATION_ID │
│ CHECKSUM │
│ CREDENTIAL_CHECK │
│ DEVICE_NAME │
│ DEVICE_TYPE │
│ ENDPOINT_PROFILE │
│ FAILED │
│ FAILURE_REASON │
│ FRAMED_IPV6_ADDRESS │
│ FRAMED_IP_ADDRESS │
│ ID │
│ IDENTITY_GROUP │
│ IDENTITY_STORE │
│ ISE_NODE │
│ LOCATION │
│ MDM_SERVER_NAME │
│ NAS_IPV6_ADDRESS │
│ NAS_IP_ADDRESS │
│ NAS_PORT_ID │
│ NAS_PORT_TYPE │
│ ORIG_CALLING_STATION_ID │
│ PASSED │
│ POLICY_SET_NAME │
│ POSTURE_STATUS │
│ RESPONSE_TIME │
│ SECURITY_GROUP │
│ SERVICE_TYPE │
│ SYSLOG_MESSAGE_CODE │
│ TIMESTAMP │
│ TIMESTAMP_TIMEZONE │
│ USERNAME │
│ USER_TYPE │
└─────────────────────────┘
netapi ise dc query "
SELECT
CALLING_STATION_ID,
FRAMED_IP_ADDRESS,
USERNAME,
ENDPOINT_PROFILE,
TIMESTAMP_TIMEZONE
FROM RADIUS_AUTHENTICATIONS
WHERE USERNAME LIKE '%p50%'
ORDER BY TIMESTAMP_TIMEZONE DESC
FETCH FIRST 10 ROWS ONLY
"
Query Results
┏━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ CALLING_STATION_ID ┃ FRAMED_IP_ADDRESS ┃ USERNAME ┃ ENDPOINT_PROFILE ┃ TIMESTAMP_TIMEZONE ┃
┡━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 14:F6:D8:7B:31:80 │ │ modestus-p50.inside.domusdigitalis.dev │ Linux-Workstation │ 2026-02-14 17:27:00.730000 │
│ 14:F6:D8:7B:31:80 │ 10.50.10.121 │ modestus-p50.inside.domusdigitalis.dev │ Linux-Workstation │ 2026-02-14 16:50:17.308000 │
│ 14:F6:D8:7B:31:80 │ │ modestus-p50.inside.domusdigitalis.dev │ Linux-Workstation │ 2026-02-14 14:49:05.856000 │
│ 14:F6:D8:7B:31:80 │ │ modestus-p50.inside.domusdigitalis.dev │ Linux-Workstation │ 2026-02-13 22:41:21.582000 │
│ 14:F6:D8:7B:31:80 │ │ modestus-p50.inside.domusdigitalis.dev │ Linux-Workstation │ 2026-02-13 14:52:09.635000 │
│ 14:F6:D8:7B:31:80 │ │ modestus-p50.inside.domusdigitalis.dev │ Linux-Workstation │ 2026-02-12 18:32:06.004000 │
│ 14:F6:D8:7B:31:80 │ 10.50.10.121 │ modestus-p50.inside.domusdigitalis.dev │ Linux-Workstation │ 2026-02-11 20:11:58.467000 │
│ 14:F6:D8:7B:31:80 │ │ modestus-p50.inside.domusdigitalis.dev │ Linux-Workstation │ 2026-02-11 12:11:57.040000 │
└────────────────────┴───────────────────┴────────────────────────────────────────┴───────────────────┴────────────────────────────┘
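Added example, not from the work log or the netapi tool: a shell function that post-processes the box-drawing table `netapi ise dc query` prints for the RADIUS_AUTHENTICATIONS query above, collapsing it to one line per MAC with the row count, the number of distinct ENDPOINT_PROFILE and USERNAME values, and how many rows carried no FRAMED_IP_ADDRESS. A MAC whose profile changes between authentications is flagged, which is worth a look before trusting a MAB ('Lookup') result for that endpoint. The rows below are constructed in the same layout; `radius_summary` and the sample file path are this example's own names.

```shell
#!/bin/sh
# Added example, not from the work log: summarise the box-drawing table that
# `netapi ise dc query` prints for the RADIUS_AUTHENTICATIONS query, one line
# per MAC. The sample rows below are constructed in the same layout.

SAMPLE="${TMPDIR:-/tmp}/radius-auth-sample.$$"
cat > "$SAMPLE" << 'EOF'
Query Results
┏━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━┳━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ CALLING_STATION_ID ┃ FRAMED_IP_ADDRESS ┃ USERNAME            ┃ ENDPOINT_PROFILE      ┃ TIMESTAMP_TIMEZONE         ┃
┡━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━╇━━━━━━━━━━━━━━━━━━━━━━━━━━━━┩
│ 14:F6:D8:7B:31:80  │ 10.50.10.121      │ host-a.example.test │ Linux-Workstation     │ 2026-02-14 16:50:17.308000 │
│ 14:F6:D8:7B:31:80  │                   │ host-a.example.test │ Linux-Workstation     │ 2026-02-14 14:49:05.856000 │
│ 90:32:4B:B8:FC:FE  │ 10.50.10.130      │ 90-32-4B-B8-FC-FE   │ Brother-Device        │ 2026-02-14 12:00:00.000000 │
│ 90:32:4B:B8:FC:FE  │ 10.50.10.130      │ 90-32-4B-B8-FC-FE   │ Windows10-Workstation │ 2026-02-14 11:00:00.000000 │
└────────────────────┴───────────────────┴─────────────────────┴───────────────────────┴────────────────────────────┘
EOF

# Print "MAC rows=N profiles=N users=N no_ip=N [PROFILE_CHANGED]" per MAC, sorted.
radius_summary() {
    # Box rows use the U+2502 bar; map it to '|' so awk gets a one-byte separator.
    sed 's/│/|/g' "$1" | awk -F'|' '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        # Data rows start with a bar, so $1 is empty and $2 holds the MAC.
        NF >= 6 && $2 ~ /[0-9A-F]:[0-9A-F]/ {
            mac = trim($2); ip = trim($3); user = trim($4); prof = trim($5)
            rows[mac]++
            if (!((mac, prof) in seen_prof)) { seen_prof[mac, prof] = 1; profiles[mac]++ }
            if (!((mac, user) in seen_user)) { seen_user[mac, user] = 1; users[mac]++ }
            if (ip == "") no_ip[mac]++
        }
        END {
            for (m in rows)
                printf "%s rows=%d profiles=%d users=%d no_ip=%d%s\n", m, rows[m],
                       profiles[m], users[m], no_ip[m] + 0,
                       (profiles[m] > 1 ? " PROFILE_CHANGED" : "")
        }
    ' | sort
}

radius_summary "$SAMPLE"
```

On a real run, redirect the query output to a file (`netapi ise dc query "..." > auths.txt`) and call `radius_summary auths.txt`; the header and border rows carry no plain bar character, so only data rows are parsed.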
# check what clients are listening on port 22
for ip in {100..141}; do
timeout 1 nc -zv 10.50.10.$ip 22 2>&1 | grep -q succeeded && echo "10.50.10.$ip - SSH OPEN"
done
10.50.10.104 - SSH OPEN
10.50.10.130 - SSH OPEN
Active Deployment Documents
| Document | URL |
|-------------------------|-----------------------------------------------------------------------------------------------------|
| Xianming Linux EAP-TLS | https://docs.domusdigitalis.dev/captures/2026/02/DEPLOY-2026-02-14-xianming-ding-linux-ad-auth.html |
| Printer EAP-TTLS | https://docs.domusdigitalis.dev/infra-ops/runbooks/printer-eap-ttls.html |
| iPSK Manager Deployment | https://docs.domusdigitalis.dev/infra-ops/runbooks/ipsk-manager-deployment.html |
Dependency Chain
FreeIPA (Rocky 9 VM)
│
├──► Printer EAP-TTLS (FreeIPA LDAP identity source)
│ └── DOMUS_Printers endpoint group (already created)
│ └── DACL_CORP_PRINTERS (pending)
│ └── AuthZ_DOMUS_Printers (pending)
│
└──► Future: Linux workstation LDAP alternative to AD
Updated todo list with the full chain. The Rocky 9 ISO should be done downloading soon - once FreeIPA is up, we can:
- Join FreeIPA to ISE as LDAP identity source
- Create printer service account
- Create DACL + AuthZ profile
- Configure Brother printer EAP-TTLS
Xianming delivery is separate (uses AD, not FreeIPA) but also due Monday.
Client UUID:
❯ dsec list d000 dev/identity 2>/dev/null || dsec list d000 dev 2>/dev/null | head -20
╭── Domains ───────────────────────────────────────╮
│ d001: CHLA
│ d000: Personal Infrastructure
╰────────────────────────────────────────────────╯
╭── Environments ──────────────────────────────────╮
│ d000: dev/(app,cicd,http,identifiers,identity,network,pki,storage,vault), lab/(app,http,identifiers,identity,network,storage), production/(app,identifiers,identity,network,pki,storage), staging/(app,identifiers,identity,network,pki,storage)
│ d001: dev, dev/(network,storage), lab/(network), prod/(network), staging/(network)
╰────────────────────────────────────────────────╯
pfSense networking
Network Architecture Documented:
| Interface | IP | Purpose |
|-----------|------------------|---------------------------------|
| eno1 | 192.168.1.225/24 | Host management (SSH) |
| eno8np3 | (bridge member) | 10GbE uplink to physical switch |
| virbr0 | 10.50.1.99/24 | VM bridge (eno8np3 + vnet*) |
Diagrams Created:
| File | Content |
|------------------------------------|--------------------------------------|
| kvm-network-architecture.d2 | Full KVM hypervisor network topology |
| netscaler-services-architecture.d2 | All services with VIP load balancing |
Runbook Updated:
runbooks/freeipa-deployment.adoc now uses correct --network bridge=virbr0
---
Ready to deploy FreeIPA?
sudo virt-install \
--name ipa-01 \
--memory 4096 \
--vcpus 2 \
--disk path=/var/lib/libvirt/images/ipa-01.qcow2,size=50,format=qcow2 \
--cdrom /var/lib/libvirt/images/Rocky-9-latest-x86_64-minimal.iso \
--network bridge=virbr0,model=virtio \
--os-variant rocky9 \
--graphics vnc,listen=0.0.0.0 \
--console pty,target_type=serial \
--noautoconsole
# checking location of all qcow2 files on kvm server
evanusmodestus@supermicro300-9d1:~$ sudo find / -name "*qcow2" -size +1G 2>/dev/null | head -20
/mnt/onboard-ssd/home-dc02.qcow2
/mnt/onboard-ssd/vms/ise-01.qcow2
/mnt/onboard-ssd/vms/ise-02.qcow2
/mnt/onboard-ssd/vms/home-dc01.qcow2
/mnt/onboard-ssd/vms/C9800-CL-universalk9.17.15.03.qcow2
/mnt/onboard-ssd/vms/pfSense-FW01.qcow2
/mnt/onboard-ssd/vms/keycloak-01.qcow2
/mnt/onboard-ssd/vms/cert-manager.qcow2
/mnt/onboard-ssd/vm-backups/arch-dev-complete-backup/arch-dev-MASTER-BACKUP.qcow2
/mnt/onboard-ssd/libvirt/images/ipsk-manager.qcow2
Location change of qcow2:
sudo virt-install \
--name ipa-01 \
--memory 4096 \
--vcpus 2 \
--disk path=/mnt/onboard-ssd/vms/ipa-01.qcow2,size=50,format=qcow2 \
--cdrom /var/lib/libvirt/images/Rocky-9-latest-x86_64-minimal.iso \
--network bridge=virbr0,model=virtio \
--os-variant rocky9 \
--graphics vnc,listen=0.0.0.0 \
--console pty,target_type=serial \
--noautoconsole
The key change: --disk path=/mnt/onboard-ssd/vms/ipa-01.qcow2
sed -i '1,2d' /tmp/bind-01-cloud-init/user-data
Breakdown:
- sed -i = edit in-place
- '1,2d' = lines 1 through 2, delete
Verify:
head -3 /tmp/bind-01-cloud-init/user-data
Should now show:
#cloud-config
hostname: bind-01
fqdn: bind-01.inside.domusdigitalis.dev
Also check if there's a stray EOF at the end:
tail -3 /tmp/bind-01-cloud-init/user-data
If you see a literal EOF line, remove it:
sed -i '/^EOF$/d' /tmp/bind-01-cloud-init/user-data
# On kvm-01
cd /tmp/bind-01-cloud-init
cat > user-data << 'EOF'
#cloud-config
hostname: bind-01
fqdn: bind-01.inside.domusdigitalis.dev
manage_etc_hosts: true
users:
- name: evanusmodestus
groups: wheel
sudo: ALL=(ALL) NOPASSWD:ALL
shell: /bin/bash
lock_passwd: false
plain_text_passwd: changeme123
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKyR+PEMRC0ACGPRvPfwMKPPOTwUMxM2LqHmAHK3Xp5Q evanusmodestus
runcmd:
- nmcli connection delete 'Wired connection 1' 2>/dev/null || true
- nmcli con add type ethernet ifname enp1s0 con-name mgmt ipv4.addresses 10.50.1.90/24 ipv4.gateway 10.50.1.1 ipv4.dns 10.50.1.1 ipv4.method manual
- nmcli con up mgmt
- dnf install -y bind bind-utils
EOF
genisoimage -output /mnt/onboard-ssd/vms/bind-01-cloud-init.iso -volid cidata -joliet -rock meta-data user-data
sudo virsh destroy bind-01
sudo virsh start bind-01
Password will be changeme123. Change it after login.
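Added example, not from the work log: a grep-based check to run over a cloud-init user-data file before `genisoimage` builds the cidata ISO, so a bootstrap-only `plain_text_passwd` or an unlocked account does not ship on the image by accident. Both user-data files below are constructed for the example (the real one lives on kvm-01); `cloud_init_lint`, the hostname and the user name are this example's own, while `lock_passwd` and `ssh_pwauth` are real cloud-init keys.

```shell
#!/bin/sh
# Added example, not from the work log: lint a cloud-init user-data file for
# settings that are fine for a first boot but should not reach a cidata ISO
# that outlives the bootstrap. Both files are constructed for the example.

WORK="${TMPDIR:-/tmp}/cloudinit-lint.$$"
mkdir -p "$WORK"

# Bootstrap variant: convenient for first login, password stored in clear text.
cat > "$WORK/user-data.bootstrap" << 'EOF'
#cloud-config
hostname: example-01
users:
  - name: operator
    groups: wheel
    sudo: ALL=(ALL) NOPASSWD:ALL
    lock_passwd: false
    plain_text_passwd: changeme123
    ssh_authorized_keys:
      - ssh-ed25519 AAAAEXAMPLEKEY operator
EOF

# Hardened variant: key-only login, SSH password auth off, account password locked.
cat > "$WORK/user-data.hardened" << 'EOF'
#cloud-config
hostname: example-01
ssh_pwauth: false
users:
  - name: operator
    groups: wheel
    sudo: ALL=(ALL) NOPASSWD:ALL
    lock_passwd: true
    ssh_authorized_keys:
      - ssh-ed25519 AAAAEXAMPLEKEY operator
EOF

# Print one finding per line; return 1 if anything was found, 0 when clean.
cloud_init_lint() {
    f="$1"; rc=0
    # Each pattern is a setting that deserves a second look before the ISO is built.
    for pat in 'plain_text_passwd:' 'lock_passwd: *false' 'ssh_pwauth: *true' 'password:'; do
        if grep -Eq "^[[:space:]]*$pat" "$f"; then
            echo "$(basename "$f"): $pat"; rc=1
        fi
    done
    # Password auth over SSH should be disabled explicitly, not left to the image default.
    grep -Eq '^[[:space:]]*ssh_pwauth: *false' "$f" || { echo "$(basename "$f"): ssh_pwauth not disabled"; rc=1; }
    return $rc
}

cloud_init_lint "$WORK/user-data.bootstrap"
cloud_init_lint "$WORK/user-data.hardened"
```

Wire it in front of the ISO build (`cloud_init_lint user-data && genisoimage ...`) so a file with findings never becomes a cidata image; the bootstrap variant above produces three findings, the hardened one none.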
# Check interface name
ip link
# Add static IP (probably enp1s0)
sudo nmcli con add type ethernet ifname enp1s0 con-name mgmt \
ipv4.addresses 10.50.1.90/24 ipv4.gateway 10.50.1.1 \
ipv4.dns 10.50.1.1 ipv4.method manual
sudo nmcli con up mgmt
Then verify:
ip a show enp1s0
ping -c2 10.50.1.1
Once networking is up, you can SSH in and we'll configure BIND.
mkdir -p ~/.ssh && chmod 700 ~/.ssh
cat >> ~/.ssh/authorized_keys << 'EOF'
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFHfsGSAFAkqwYj6EGS9sA2MROjs28zM6LJds3gagsCkAAAACHNzaDpkMDAw evanusmodestus@d000-yubikey
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIEBZ+kus4aTHzQt1zNnEnGxJs+Lf56vrCdcyvqLhpp9hAAAACHNzaDpkMDAw evanusmodestus@d000-secondary
EOF
chmod 600 ~/.ssh/authorized_keys
[evanusmodestus@bind-01 ~]$ nmcli con show mgmt | grep ipv4.addr
ipv4.addresses: 10.50.1.90/24
[evanusmodestus@bind-01 ~]$ nmcli con show mgmt | grep -E "ipv4\.(addr|gate|dns)"
ipv4.dns: 10.50.1.1
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 0
ipv4.addresses: 10.50.1.90/24
ipv4.gateway: 10.50.1.1
# Delete the wrong connection
sudo nmcli con delete mgmt
# Add with correct interface
sudo nmcli con add type ethernet ifname eth0 con-name mgmt \
ipv4.addresses 10.50.1.90/24 ipv4.gateway 10.50.1.1 \
ipv4.dns 10.50.1.1 ipv4.method manual
# Bring it up (will replace System eth0)
sudo nmcli con up mgmt
Then verify:
nmcli -g IP4.ADDRESS device show eth0
[evanusmodestus@bind-01 ~]$ nmcli -g IP4 device show eth0
IP4:10.50.1.90/24:10.50.1.1:dst = 10.50.1.0/24, nh = 0.0.0.0, mt = 100 | dst = 0.0.0.0/0, nh = 10.50.1.1, mt = 100:10.50.1.1:::
[evanusmodestus@bind-01 ~]$
sudo tee /var/named/inside.domusdigitalis.dev.zone << 'EOF'
$TTL 86400
@ IN SOA bind-01.inside.domusdigitalis.dev. admin.inside.domusdigitalis.dev. (
2026021401 ; Serial (YYYYMMDDNN)
3600 ; Refresh
1800 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL
; Name servers
@ IN NS bind-01.inside.domusdigitalis.dev.
; Gateway (.1)
pfsense-01 IN A 10.50.1.1
; Network Devices (.10-19)
3560cx-01 IN A 10.50.1.10
9300-01 IN A 10.50.1.11
; Identity Services (.20-29)
ise-01 IN A 10.50.1.20
ise-02 IN A 10.50.1.21
; iPSK Manager (.30-39)
ipsk-mgr-01 IN A 10.50.1.30
ipsk-mgr-02 IN A 10.50.1.31
; Wireless (.40-49)
9800-wlc-01 IN A 10.50.1.40
wlc-01 IN A 10.50.1.40
; Windows Servers (.50-59)
home-dc01 IN A 10.50.1.50
home-dc02 IN A 10.50.1.51
; PKI Services (.60-69)
certmgr-01 IN A 10.50.1.60
certmgr-02 IN A 10.50.1.61
; Storage/Git (.70-79)
nas-01 IN A 10.50.1.70
nas-02 IN A 10.50.1.71
gitea-01 IN A 10.50.1.70
; IdP/SSO (.80-89)
keycloak-01 IN A 10.50.1.80
keycloak-02 IN A 10.50.1.81
; DNS Services (.90-99)
bind-01 IN A 10.50.1.90
bind-02 IN A 10.50.1.91
kvm-01 IN A 10.50.1.99
; LDAP/Directory (.100-109)
ipa-01 IN A 10.50.1.100
ipa-02 IN A 10.50.1.101
; Load Balancers (.110-119)
netscaler-01 IN A 10.50.1.110
netscaler-02 IN A 10.50.1.111
; IPMI/BMC (.200-209)
ipmi-01 IN A 10.50.1.200
; Aliases
ise IN CNAME ise-01
keycloak IN CNAME keycloak-01
ipsk IN CNAME ipsk-mgr-01
dc IN CNAME home-dc01
ipa IN CNAME ipa-01
dns IN CNAME bind-01
vault IN CNAME certmgr-01
nas IN CNAME nas-01
gitea IN CNAME gitea-01
wlc IN CNAME 9800-wlc-01
lb IN CNAME netscaler-01
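Added example, not from the work log: two awk checks to run over a zone file like the one above before named loads it. The first lists IPs that more than one A record claims; the second lists CNAMEs whose target has no A record in the zone (targets written as fully qualified names with a trailing dot are skipped, since they may live elsewhere). In the zone above, 10.50.1.40 is owned by both 9800-wlc-01 and wlc-01 and 10.50.1.70 by both nas-01 and gitea-01, which may be intended, but it is exactly what the first check surfaces. The sample zone is constructed for the example; `zone_dup_ips` and `zone_dangling_cnames` are this example's own names.

```shell
#!/bin/sh
# Added example, not from the work log: sanity checks for a BIND zone file.
# (1) one IP claimed by several A records, (2) CNAMEs whose in-zone target
# has no A record. The sample zone below is constructed for the example.

ZONE_SAMPLE="${TMPDIR:-/tmp}/example-zone.$$"
cat > "$ZONE_SAMPLE" << 'EOF'
$TTL 86400
@ IN SOA ns1.example.test. admin.example.test. (
    2026021401 ; Serial
    3600 ; Refresh
    1800 ; Retry
    604800 ; Expire
    86400 ) ; Minimum TTL
@ IN NS ns1.example.test.
ns1 IN A 10.0.0.90
wlc-01 IN A 10.0.0.40
9800-wlc-01 IN A 10.0.0.40
nas-01 IN A 10.0.0.70
dns IN CNAME ns1
wlc IN CNAME 9800-wlc-01
lb IN CNAME netscaler-01
EOF

# Print "IP name1 name2 ..." for every IP that more than one A record points to.
zone_dup_ips() {
    awk '
        { sub(/;.*/, "") }                      # drop comments, fields re-split
        $2 == "IN" && $3 == "A" { owners[$4] = owners[$4] " " $1; count[$4]++ }
        END { for (ip in count) if (count[ip] > 1) print ip owners[ip] }
    ' "$1" | sort
}

# Print "alias -> target" for every CNAME whose unqualified target owns no A record here.
zone_dangling_cnames() {
    awk '
        { sub(/;.*/, "") }
        $2 == "IN" && $3 == "A" { has_a[$1] = 1 }
        $2 == "IN" && $3 == "CNAME" && $4 !~ /\.$/ { target[$1] = $4 }
        END { for (alias in target) if (!(target[alias] in has_a)) print alias " -> " target[alias] }
    ' "$1" | sort
}

zone_dup_ips "$ZONE_SAMPLE"
zone_dangling_cnames "$ZONE_SAMPLE"
```

These complement `named-checkzone`, which validates syntax and SOA/NS structure but does not object to two hosts sharing an address; an empty result from both functions is the expected state for a clean zone.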
Documentation Created
- Added examples/hunting/network-scanning.adoc to domus-linux-ops
- Updated security/hunting/index.adoc with Network Scanning section
- Techniques now includable via include::example$hunting/network-scanning.adoc[tag=parallel-nc]
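Added example, not from the work log: the awk `NR` idiom earlier on this page selects lines by number; this variant selects the lines between AsciiDoc `// tag::name[]` and `// end::name[]` markers, which is the region that `include::...[tag=...]` pulls in, so the snippet a doc includes can be checked from the shell without rendering the site. The sample .adoc file is constructed for the example; `adoc_tag` and `lines_awk` are this example's own names.

```shell
#!/bin/sh
# Added example, not from the work log: extract an AsciiDoc tagged region
# (what include::file[tag=name] resolves to) and, for comparison, a plain
# line range. The sample file is constructed for the example.

ADOC_SAMPLE="${TMPDIR:-/tmp}/tagged-sample.$$.adoc"
cat > "$ADOC_SAMPLE" << 'EOF'
= Network scanning
// tag::parallel-nc[]
echo 192.168.1.{1..254} | tr ' ' '\n' | \
xargs -P 50 -I {} sh -c 'timeout 1 nc -zv {} 22 2>&1 | grep -q succeeded && echo "{}: SSH open"'
// end::parallel-nc[]
// tag::nmap[]
nmap -p 22 192.168.1.0/24 --open -T4
// end::nmap[]
EOF

# Print the lines between "// tag::NAME[]" and "// end::NAME[]", markers excluded.
adoc_tag() {
    awk -v tag="$2" '
        $0 == ("// end::" tag "[]") { on = 0 }   # close before printing, so the marker is skipped
        on { print }
        $0 == ("// tag::" tag "[]") { on = 1 }   # open after printing, same reason
    ' "$1"
}

# Inclusive line range by number, the awk form of the sed -n "${1},${2}p" helper above.
lines_awk() { awk -v a="$1" -v b="$2" 'NR >= a && NR <= b' "$3"; }

adoc_tag "$ADOC_SAMPLE" nmap
lines_awk 3 4 "$ADOC_SAMPLE"
```

Tag extraction survives edits above the region, which a fixed line range does not; that is the reason to reference snippets by tag in runbooks that are still being written.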
References
- Threat Hunting (linux-ops)
- FreeIPA Documentation: www.freeipa.org/page/Documentation
- RHEL 9 IdM Guide: access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/installing_identity_management/index