EAP-TLS Patterns
EAP-TLS authentication patterns I’ve actually used. Every entry has a date and context.
2026-04-03: Certificate CN Must Match System Identity
Problem: EAP-TLS authentication failed — cert had CN=modestus-t16g but hostname was corrected to modestus-p16g mid-deployment.
Context: P16g deployment. Initial hostname was modestus-t16g (T-series naming), corrected to modestus-p16g (P-series). Certificate issued with old name. ISE authorization checks identity against CN.
The Fix:
# Re-issue cert with correct CN
HOSTNAME="modestus-p16g"
# The JSON written by tee below contains the private key: make the file owner-readable only
umask 077
vault write -format=json pki_int/issue/domus-client \
common_name="${HOSTNAME}.inside.domusdigitalis.dev" \
ttl=8760h \
| tee /tmp/${HOSTNAME}-vault-cert.json \
| jq '{common_name: .data.common_name, serial: .data.serial_number}' \
> /tmp/${HOSTNAME}-vault-summary.json
# Update nmcli identity to match new CN
nmcli connection modify "Domus-Wired-EAP-TLS" \
802-1x.identity "${HOSTNAME}.inside.domusdigitalis.dev"
nmcli connection modify "Domus-WiFi-EAP-TLS" \
802-1x.identity "${HOSTNAME}.inside.domusdigitalis.dev"
Rule: Certificate CN and nmcli 802-1x.identity MUST match. If hostname changes, re-issue the cert AND update nmcli. Three things must align: certificate CN, nmcli identity, and /etc/hostname.
Worklog: WRKLOG-2026-04-03
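A pre-flight check for this rule, added here as an example and not part of the original worklog. It assumes the host naming scheme <hostname>.inside.domusdigitalis.dev and the connection name and cert path used above, plus openssl and nmcli on PATH for the live check; the name comparison itself takes plain strings so it can be exercised without either.

```shell
# Pre-flight check (added example): certificate CN, nmcli 802-1x.identity and
# /etc/hostname must agree before an EAP-TLS connection is brought up.
# Assumption: hosts are named <hostname>.inside.domusdigitalis.dev as in the notes.
DOMAIN="inside.domusdigitalis.dev"

# Pull the CN out of an `openssl x509 -noout -subject` line. Handles the modern
# "subject=CN = host" layout and the legacy "subject= /CN=host" layout.
cn_from_subject() {
    printf '%s\n' "$1" | sed -n -E 's|.*CN ?= ?([^,/[:space:]]+).*|\1|p'
}

# Compare the three identities. Prints each mismatch to stderr and returns 1 if
# anything is off, so the caller can refuse to run `nmcli connection up`.
# $1 = certificate CN, $2 = nmcli 802-1x.identity, $3 = short hostname
check_alignment() {
    cn="$1"; identity="$2"; host="$3"; rc=0
    expected="${host}.${DOMAIN}"
    if [ "$cn" != "$expected" ]; then
        printf 'MISMATCH: cert CN %s != %s (re-issue the cert)\n' "$cn" "$expected" >&2
        rc=1
    fi
    if [ "$identity" != "$expected" ]; then
        printf 'MISMATCH: nmcli identity %s != %s (nmcli connection modify)\n' "$identity" "$expected" >&2
        rc=1
    fi
    return $rc
}

# Live check against the running system: $1 = connection name, $2 = client cert path.
preflight() {
    con="$1"; cert="$2"
    # -checkend 0 fails if the cert has already expired; no point comparing names then.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || {
        printf 'EXPIRED: %s\n' "$cert" >&2; return 1; }
    cn=$(cn_from_subject "$(openssl x509 -in "$cert" -noout -subject)")
    identity=$(nmcli -g 802-1x.identity connection show "$con")
    host=$(cat /etc/hostname)
    check_alignment "$cn" "$identity" "$host"
}

# Example invocation for the wired profile from the notes:
# preflight "Domus-Wired-EAP-TLS" /etc/ssl/certs/modestus-p16g-eaptls.pem
```

Run preflight before every `nmcli connection up`; a non-zero exit means one of the three identities drifted, which is exactly the t16g/p16g failure above.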
2026-04-03: Wired vs WiFi nmcli Differences
Problem: WiFi 802.1X connection creation fails with "invalid property identity-flags" when copying the wired config pattern.
Context: P16g EAP-TLS deployment, creating both wired and WiFi connections.
The Fix:
# WIRED — identity-flags 0 is valid (stores identity in connection file)
sudo nmcli connection add \
type ethernet \
con-name "Domus-Wired-EAP-TLS" \
ifname "$WIRED_IF" \
802-1x.eap tls \
802-1x.identity "modestus-p16g.inside.domusdigitalis.dev" \
802-1x.identity-flags 0 \
802-1x.ca-cert /etc/ssl/certs/DOMUS-CA-CHAIN.pem \
802-1x.client-cert /etc/ssl/certs/modestus-p16g-eaptls.pem \
802-1x.private-key /etc/ssl/private/modestus-p16g-eaptls.key \
802-1x.private-key-password-flags 4 \
connection.autoconnect yes
# WIFI — NO identity-flags (causes "invalid property" error)
sudo nmcli connection add \
type wifi \
con-name "Domus-WiFi-EAP-TLS" \
ifname wlan0 \
ssid "Domus-Secure" \
wifi-sec.key-mgmt wpa-eap \
802-1x.eap tls \
802-1x.identity "modestus-p16g.inside.domusdigitalis.dev" \
802-1x.ca-cert /etc/ssl/certs/DOMUS-CA-CHAIN.pem \
802-1x.client-cert /etc/ssl/certs/modestus-p16g-eaptls.pem \
802-1x.private-key /etc/ssl/private/modestus-p16g-eaptls.key \
802-1x.private-key-password-flags 4 \
connection.autoconnect yes
Rule: identity-flags 0 is wired-only. WiFi stores identity by default — adding identity-flags causes an error. private-key-password-flags 4 is required for passwordless keys on BOTH types.
Worklog: WRKLOG-2026-04-03
2026-04-03: WiFi Backend Switch (iwd to wpa_supplicant)
Problem: Enterprise 802.1X EAP-TLS requires wpa_supplicant, but Arch defaults to iwd as the WiFi backend.
Context: P16g deployment, NetworkManager WiFi backend configuration.
The Fix:
# Configure NetworkManager to use wpa_supplicant
sudo mkdir -p /etc/NetworkManager/conf.d
echo -e "[device]\nwifi.backend=wpa_supplicant" | \
sudo tee /etc/NetworkManager/conf.d/wifi_backend.conf
# Disable iwd completely
sudo systemctl stop iwd 2>/dev/null
sudo systemctl disable iwd 2>/dev/null
sudo systemctl mask iwd
# Enable wpa_supplicant + restart NetworkManager
sudo systemctl enable wpa_supplicant
sudo systemctl start wpa_supplicant
sudo systemctl restart NetworkManager
Rule: iwd does not support enterprise 802.1X. Switch to wpa_supplicant backend before creating EAP-TLS connections. Mask iwd to prevent it from interfering.
Worklog: WRKLOG-2026-04-03
2026-04-03: Never Bounce WiFi Over SSH
Problem: Running nmcli connection down for WiFi from an SSH session over that same WiFi kills the session instantly. connection up never runs.
Context: P16g deployment, attempting to activate WiFi EAP-TLS from SSH over iPSK WiFi.
The Fix:
# Option A: Run locally on the machine
sudo nmcli connection down "Domus-WiFi-EAP-TLS" && \
sudo nmcli connection up "Domus-WiFi-EAP-TLS"
# Option B: nohup survives the SSH disconnect
printf '#!/bin/sh\nsleep 2 && nmcli connection down "Domus-WiFi-EAP-TLS" && nmcli connection up "Domus-WiFi-EAP-TLS"\n' > /tmp/bounce-wifi.sh
chmod +x /tmp/bounce-wifi.sh
# sudo stays in the foreground so it can prompt; the script is backgrounded as root inside it
# (a sudo inside a backgrounded nohup job has no tty for the password prompt and would hang)
sudo sh -c 'nohup /tmp/bounce-wifi.sh > /tmp/bounce-wifi.log 2>&1 &'
# Wait 30s, then SSH back in (DHCP may reassign IP)
Rule: Never bounce a network connection from an SSH session that depends on that connection. Use nohup with a sleep, or walk to the machine.
Worklog: WRKLOG-2026-04-03