Linux Research: Objectives & Technical Requirements
Objective
Enable Linux workstations in the research department with full 802.1X EAP-TLS authentication, including:
- Certificate-based authentication (EAP-TLS)
- Dynamic ACL (dACL) enforcement from ISE
- UFW firewall integration for local enforcement
Current Blocker
Certificate "password required" issue with nmcli
When configuring EAP-TLS via NetworkManager/nmcli, the system prompts for a certificate password even when the private key is unencrypted or a password has already been provided.
Status: Fix documented but needs implementation and testing.
Technical Requirements
Certificate Configuration
```sh
# Certificate files required
/etc/ssl/certs/client-cert.pem     # Client certificate
/etc/ssl/private/client-key.pem    # Private key (0600 permissions)
/etc/ssl/certs/ca-chain.pem        # CA trust chain
```
NetworkManager 802.1X Profile
```sh
nmcli connection add \
    type 802-3-ethernet \
    con-name "wired-eaptls" \
    802-1x.eap tls \
    802-1x.identity "workstation@inside.chla.org" \
    802-1x.client-cert /etc/ssl/certs/client-cert.pem \
    802-1x.private-key /etc/ssl/private/client-key.pem \
    802-1x.ca-cert /etc/ssl/certs/ca-chain.pem
```
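An added pre-flight script (example code, not part of this document) that checks the certificate and key files against the requirements above and prints the nmcli arguments they imply. It assumes that NetworkManager's `802-1x.private-key-password-flags 4` (the "not-required" secret flag) is what suppresses the password prompt for an unencrypted key, which is the point this page marks as still needing testing.

```shell
#!/bin/sh
# Added example, not from the original document. Pre-flight checks for the
# EAP-TLS files, then the nmcli arguments they imply. Assumption: flags 4
# (NetworkManager's "not-required" secret flag) suppresses the prompt when
# the key is unencrypted; flags 0 keeps a supplied password stored in NM.

# 0 if the PEM at $1 is an encrypted key: PKCS#8 "ENCRYPTED PRIVATE KEY"
# header or the legacy "Proc-Type: 4,ENCRYPTED" marker.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$1"
}

# 0 if $1 is exactly mode 0600, as required for the private key.
key_mode_ok() {
    [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# All file checks for cert $1, key $2, CA chain $3; 0 only if all pass.
preflight() {
    [ -r "$1" ] && [ -r "$3" ] || { echo "cert or CA chain unreadable" >&2; return 1; }
    key_mode_ok "$2" || { echo "key $2 is not mode 0600" >&2; return 1; }
}

# Print nmcli arguments for cert $1, key $2, CA chain $3, identity $4.
nmcli_profile_args() {
    if key_is_encrypted "$2"; then
        echo "encrypted key: also pass 802-1x.private-key-password" >&2
        flags=0
    else
        flags=4
    fi
    printf '%s\n' \
        "connection add type 802-3-ethernet con-name wired-eaptls" \
        "802-1x.eap tls 802-1x.identity $4" \
        "802-1x.client-cert $1 802-1x.private-key $2 802-1x.ca-cert $3" \
        "802-1x.private-key-password-flags $flags"
}

# Demo on a constructed throwaway key (not a real key); in production the
# paths are the /etc/ssl ones listed in the requirements.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'c2FtcGxl' '-----END PRIVATE KEY-----' > "$d/key.pem"
    chmod 600 "$d/key.pem"
    : > "$d/cert.pem"; : > "$d/ca.pem"
    preflight "$d/cert.pem" "$d/key.pem" "$d/ca.pem" &&
        nmcli_profile_args "$d/cert.pem" "$d/key.pem" "$d/ca.pem" workstation@inside.chla.org
    rm -rf "$d"
}
demo
```

The printed lines are the arguments to pass after `nmcli`; an encrypted key additionally needs `802-1x.private-key-password`, which the script deliberately does not embed.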
ISE Policy Requirements
| Component | Configuration |
|---|---|
| Authentication Policy | EAP-TLS with certificate authentication profile |
| Authorization Policy | Linux_Research identity group → dACL + VLAN |
| dACL | Permit DNS, NTP, AD; permit research resources; deny all else |
| Certificate Authentication Profile | Match SAN or CN to endpoint identity |