Wireless & EAP Patterns
Wireless and EAP authentication patterns I’ve actually used. Every entry has a date and context.
Entries
2026-04-03: WiFi EAP-TLS Configuration with nmcli
Problem: Configure WiFi to authenticate via EAP-TLS with Vault-issued client certificate.
Context: P16g deployment, Domus-Secure SSID, ISE RADIUS backend. WiFi backend must be wpa_supplicant (not iwd) for enterprise 802.1X. Certificate issued by Vault PKI intermediate (pki_int/issue/domus-client), trusted by ISE via DOMUS-ISSUING-CA.
The Fix:
sudo nmcli connection add \
type wifi \
con-name "Domus-WiFi-EAP-TLS" \
ifname wlan0 \
ssid "Domus-Secure" \
wifi-sec.key-mgmt wpa-eap \
802-1x.eap tls \
802-1x.identity "${HOSTNAME}.inside.domusdigitalis.dev" \
802-1x.ca-cert /etc/ssl/certs/DOMUS-CA-CHAIN.pem \
802-1x.client-cert /etc/ssl/certs/${HOSTNAME}-eaptls.pem \
802-1x.private-key /etc/ssl/private/${HOSTNAME}-eaptls.key \
802-1x.private-key-password-flags 4 \
connection.autoconnect yes
Rule: nmcli EAP-TLS requires client-cert, private-key, and ca-cert paths. Identity must match certificate CN. Use private-key-password-flags 4 for passwordless keys.
Worklog: WRKLOG-2026-04-03
2026-04-02: iPSK WiFi Registration for New Device
Problem: New machine has no certificates yet — needs initial WiFi access for bootstrapping.
Context: P16g deployment, DOMUS-IoT SSID with iPSK (identity-based PSK). ISE policy checks the device MAC against iPSK Manager via secure ODBC. The MAC must be registered in the DOMUS-IoT group BEFORE WiFi will work.
The Fix:
Register the wireless MAC in iPSK Manager:
# From the live ISO -- identify the wireless MAC
ip -o link show | grep 'link/ether' | awk '{for(i=1;i<=NF;i++) if($i=="link/ether") print $2, $(i+1)}'
Then from iPSK Manager web UI:
- Open https://ipsk-mgr-01.{home-domain-internal}
- Add the wireless MAC to the DOMUS-IoT identity group
- ISE picks up the entry via secure ODBC — no manual ISE config needed
Connect from the live ISO using iwctl:
iwctl
# Inside iwctl:
device list
station wlan0 scan
station wlan0 get-networks
station wlan0 connect "DOMUS-IoT"
# Enter iPSK password when prompted
exit
Verify connectivity:
ping -c 3 archlinux.org
ip -4 addr show wlan0 | awk '/inet / {print $2}'
Verify ISE authentication from the Razer:
netapi ise dc auth-history <P16G-MAC> --hours 1
netapi ise mnt session <P16G-MAC>
Rule: iPSK provides initial network access. EAP-TLS is the target. iPSK is the bootstrap path. Register MAC in iPSK Manager first, then connect.
Worklog: WRKLOG-2026-04-02
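Added helper for the MAC-identification step above (example script, not part of the original notes or of iPSK Manager). It parses "ip -o link show" output into interface/MAC pairs, normalizes whatever spelling gets copied into iPSK Manager (colon, hyphen, Cisco dotted, bare hex), and flags a locally-administered address: a MAC that wpa_supplicant, iwd or NetworkManager has randomized or cloned is not the one on the card, so a registration made against the burned-in MAC will never match in ISE. The "ip -o link show" sample at the bottom is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original notes. Helpers for the iPSK bootstrap:
# find the wireless MAC, normalize it, and warn if it is locally administered.

# stdin: output of "ip -o link show"; stdout: "ifname mac" per Ethernet-type link
link_ethers() {
    awk '{
        name = $2; sub(/:$/, "", name)          # "wlan0:" -> "wlan0"
        for (i = 1; i <= NF; i++)
            if ($i == "link/ether") print name, $(i + 1)
    }'
}

# Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff;
# print the canonical lowercase colon form, or return 1 if not 12 hex digits.
mac_canon() {
    local hex
    hex=$(printf '%s' "$1" | tr -d ':.-' | tr 'A-F' 'a-f')
    case "$hex" in
        ????????????) ;;
        *) return 1 ;;
    esac
    case "$hex" in
        *[!0-9a-f]*) return 1 ;;
    esac
    printf '%s\n' "$hex" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Return 0 if the U/L bit (0x02 of the first octet) is set, i.e. the address is
# locally administered (randomized or cloned), 1 if it is a burned-in address.
mac_is_local() {
    local first
    first=$(mac_canon "$1") || return 2
    first=${first%%:*}
    case "$first" in
        ?[2367abef]) return 0 ;;
        *) return 1 ;;
    esac
}

# Report every wl* interface found in an "ip -o link show" dump on stdin.
wireless_mac_report() {
    link_ethers | while read -r name mac; do
        case "$name" in wl*) ;; *) continue ;; esac
        if mac_is_local "$mac"; then
            printf '%s %s locally-administered (randomized or cloned MAC)\n' "$name" "$mac"
        else
            printf '%s %s burned-in\n' "$name" "$mac"
        fi
    done
}

# Constructed sample. On a real host:  ip -o link show | wireless_mac_report
SAMPLE_IP_LINK='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s31f6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000\    link/ether 3c:97:0e:aa:bb:cc brd ff:ff:ff:ff:ff:ff
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000\    link/ether 02:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'

printf '%s\n' "$SAMPLE_IP_LINK" | wireless_mac_report
```

The sample wlan0 address deliberately has the U/L bit set, so the report flags it; on a real host that means either registering the address ISE actually sees or disabling randomization for the SSID before registering the burned-in one.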
2026-04-03: WiFi Backend Switch — iwd to wpa_supplicant
Problem: Enterprise 802.1X requires wpa_supplicant, not iwd. Arch defaults to iwd.
Context: P16g deployment. After initial iPSK connection (which works with iwd), migrating to EAP-TLS requires wpa_supplicant for proper 802.1X handshake support.
The Fix:
# Tell NetworkManager to use wpa_supplicant
sudo mkdir -p /etc/NetworkManager/conf.d
echo -e "[device]\nwifi.backend=wpa_supplicant" | sudo tee /etc/NetworkManager/conf.d/wifi_backend.conf
# Disable iwd completely
sudo systemctl stop iwd 2>/dev/null
sudo systemctl disable iwd 2>/dev/null
sudo systemctl mask iwd
# Enable wpa_supplicant
sudo systemctl enable wpa_supplicant
sudo systemctl start wpa_supplicant
sudo systemctl restart NetworkManager
Rule: Arch defaults to iwd. Enterprise 802.1X requires wpa_supplicant. Mask iwd to prevent it from interfering.
Worklog: WRKLOG-2026-04-03
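Added check for the backend switch above (example script, not part of the original notes or of NetworkManager). NetworkManager.conf(5) reads /usr/lib/NetworkManager/conf.d/*.conf, /run/NetworkManager/conf.d/*.conf, /etc/NetworkManager/NetworkManager.conf and then /etc/NetworkManager/conf.d/*.conf, files within a directory in alphabetical order, and a later wifi.backend= in a [device] section overrides an earlier one. A packaged snippet that sorts after wifi_backend.conf would therefore quietly win over the file dropped in above. The script walks that order and reports the value that actually applies and the file that set it; shadowing of same-named files across directories is not modelled.

```shell
#!/bin/sh
# Added example, not from the original notes. Resolves the effective
# wifi.backend the way NetworkManager layers its config files.

# Print the last wifi.backend= value in a plain [device] section of FILE
# (empty if none). Keys in other sections, e.g. [connection], are ignored.
nm_wifi_backend_in_file() {
    awk '
        /^[ \t]*\[device\][ \t]*$/ { insect = 1; next }
        /^[ \t]*\[/                 { insect = 0 }
        insect && $0 ~ /^[ \t]*wifi\.backend[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); val = $0
        }
        END { print val }
    ' "$1"
}

# Arguments: files and directories in NetworkManager read order.
# Prints "<backend> <file>" for the effective setting, or "unset".
nm_effective_wifi_backend() {
    local entry f v backend="" src=""
    for entry in "$@"; do
        if [ -d "$entry" ]; then
            for f in "$entry"/*.conf; do           # glob expands sorted
                [ -f "$f" ] || continue
                v=$(nm_wifi_backend_in_file "$f")
                [ -n "$v" ] && { backend=$v; src=$f; }
            done
        elif [ -f "$entry" ]; then
            v=$(nm_wifi_backend_in_file "$entry")
            [ -n "$v" ] && { backend=$v; src=$entry; }
        fi
    done
    if [ -n "$backend" ]; then
        printf '%s %s\n' "$backend" "$src"
    else
        printf 'unset\n'
    fi
}

# Stand-alone: report the live system's effective setting.
if [ "$#" -eq 0 ]; then
    nm_effective_wifi_backend /usr/lib/NetworkManager/conf.d /run/NetworkManager/conf.d \
        /etc/NetworkManager/NetworkManager.conf /etc/NetworkManager/conf.d
fi
```

Run it after the restart: anything other than "wpa_supplicant /etc/NetworkManager/conf.d/wifi_backend.conf" means another file is overriding the setting and 802.1X will still go through whatever backend that file names.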
2026-04-03: Wired 802.1X EAP-TLS with nmcli
Problem: Configure wired Ethernet for 802.1X EAP-TLS authentication.
Context: P16g deployment. Same Vault-issued certificate used for both wired and wireless. Wired connection uses identity-flags 0 (stores identity in connection file), which is NOT valid for WiFi.
The Fix:
# Find the wired interface name
WIRED_IF=$(ip -o link show | awk -F': ' '/state UP/ && !/lo|wlan/ {print $2; exit}')
echo "Wired interface: $WIRED_IF"
sudo nmcli connection add \
type ethernet \
con-name "Domus-Wired-EAP-TLS" \
ifname "$WIRED_IF" \
802-1x.eap tls \
802-1x.identity "${HOSTNAME}.inside.domusdigitalis.dev" \
802-1x.identity-flags 0 \
802-1x.ca-cert /etc/ssl/certs/DOMUS-CA-CHAIN.pem \
802-1x.client-cert /etc/ssl/certs/${HOSTNAME}-eaptls.pem \
802-1x.private-key /etc/ssl/private/${HOSTNAME}-eaptls.key \
802-1x.private-key-password-flags 4 \
connection.autoconnect yes
sudo nmcli connection up "Domus-Wired-EAP-TLS"
Verify:
nmcli connection show "Domus-Wired-EAP-TLS" | grep -E "802-1x.eap|802-1x.identity|GENERAL.STATE"
Rule: Wired EAP-TLS uses identity-flags 0 (stores identity in connection file). WiFi does NOT support this flag. Both use private-key-password-flags 4 for passwordless keys.
Worklog: WRKLOG-2026-04-03
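Added pre-flight check for both EAP-TLS profiles in these notes, the WiFi one and the wired one above (example script, not part of the original notes, of NetworkManager or of Vault). nmcli will happily store a profile whose files do not fit together, and the failure only shows up later as a rejected 802.1X handshake. The script checks the four things the Rule lines depend on: the key loads with no passphrase (what private-key-password-flags 4 assumes), the certificate CN equals the identity string, the key actually belongs to the certificate, and the certificate chains to the bundle that will go into 802-1x.ca-cert. Paths and identity are arguments; nothing is hard-coded to any deployment.

```shell
#!/bin/sh
# Added example, not from the original notes. Usage:
#   eap_tls_preflight CERT KEY CA-BUNDLE IDENTITY
# Exit status is the verdict; run it before "nmcli connection add".

eap_tls_preflight() {
    local cert="$1" key="$2" ca="$3" identity="$4"
    local cn cert_pub key_pub

    if [ ! -r "$cert" ] || [ ! -r "$key" ] || [ ! -r "$ca" ]; then
        echo "preflight: cert, key or CA bundle missing/unreadable" >&2
        return 1
    fi

    # 1. The key must load with an empty passphrase; an encrypted key fails
    #    inside wpa_supplicant at 802.1X time, not at "nmcli add" time.
    if ! openssl pkey -in "$key" -passin pass: -noout >/dev/null 2>&1; then
        echo "preflight: private key is encrypted or not a valid key: $key" >&2
        return 1
    fi

    # 2. 802-1x.identity must equal the certificate CN (what ISE matches on).
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    if [ -z "$cn" ] || [ "$cn" != "$identity" ]; then
        echo "preflight: identity '$identity' != certificate CN '$cn'" >&2
        return 1
    fi

    # 3. The key must be the key for this cert: compare SHA-256 of the DER
    #    public key taken from each side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null \
               | openssl dgst -sha256 | awk '{print $NF}')
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout -outform DER 2>/dev/null \
              | openssl dgst -sha256 | awk '{print $NF}')
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "preflight: private key does not match certificate public key" >&2
        return 1
    fi

    # 4. The cert must chain to the bundle that goes into 802-1x.ca-cert
    #    (root plus issuing intermediate, the same file given to nmcli).
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "preflight: certificate does not verify against CA bundle $ca" >&2
        return 1
    fi

    echo "preflight: OK: CN=$cn, key matches, chain verifies"
    return 0
}

# Stand-alone use with the paths from the profiles above, e.g.
#   sh preflight.sh /etc/ssl/certs/$HOSTNAME-eaptls.pem /etc/ssl/private/$HOSTNAME-eaptls.key \
#       /etc/ssl/certs/DOMUS-CA-CHAIN.pem "$HOSTNAME.inside.domusdigitalis.dev"
if [ "$#" -eq 4 ]; then
    eap_tls_preflight "$@"
fi
```

The chain check is against the bundle file itself, so it also catches a DOMUS-CA-CHAIN.pem that is missing the issuing intermediate, which verifies fine on the ISE side but makes wpa_supplicant reject the server and stall the handshake.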