Phase 1: Remote Access Setup

Boot the USB

Power on P16g, press F12 for boot menu (ThinkPad)
Select USB UEFI entry → Arch Linux install medium
Verify UEFI mode (directory must exist — if empty or missing, you’re in Legacy):
```
ls /sys/firmware/efi/efivars | head -5
```
Fix HiDPI text (3.2K Tandem OLED = unreadable at native resolution):
```
setfont ter-132b
```

Identify Interfaces & MACs

ip -o link show | grep 'link/ether' | awk '{for(i=1;i<=NF;i++) if($i=="link/ether") print $2, $(i+1)}'

Example output (ThinkPad P16g)

enp134s0: a8:2b:dd:8f:23:e6
wlan0: e0:d5:5d:6c:e1:66

wlan0 is the wireless MAC — register this in iPSK Manager. enp* is the wired NIC (no cable needed for WiFi install).

Register MAC in iPSK Manager

WiFi requires iPSK authentication. ISE policy checks the device MAC against the iPSK Manager via secure ODBC. The MAC must be registered in the DOMUS-IoT group BEFORE WiFi will work.

From the Razer (or phone):

Open ipsk-mgr-01.inside.domusdigitalis.dev
Add the P16g wireless MAC to the DOMUS-IoT identity group
ISE picks up the entry via secure ODBC — no manual ISE config needed

The iPSK password for DOMUS-IoT is in gopass. The P16g will use this PSK to authenticate. Once certs are deployed (Phase 8), migrate the device to DOMUS-Secure with 802.1X EAP-TLS.

Connect to WiFi

iwctl

# Inside iwctl:
device list
station wlan0 scan
station wlan0 get-networks
station wlan0 connect "DOMUS-IoT"
# Enter iPSK password when prompted
exit

Verify Network Connectivity

ping -c 3 archlinux.org

# IP assignment
ip -4 addr show wlan0 | awk '/inet / {print $2}'

# Default gateway
ip route | awk '/default/ {print $3}'

# DNS servers
cat /etc/resolv.conf

# WiFi connection details (SSID, signal, frequency)
iw dev wlan0 link

Enable SSH

These are the last commands typed on the P16g console. Everything after this is from the Razer.

passwd

systemctl start sshd

ip -4 -o addr show | awk '$2!="lo" {print $2, $4}'

SSH from the Razer

Everything after this is remote.

ssh root@<P16G-IP>

Post-SSH Setup

timedatectl set-ntp true

timedatectl status

reflector --country US --age 12 --protocol https --sort rate --save /etc/pacman.d/mirrorlist

Live Environment Tooling

Install essential tools on the live ISO BEFORE partitioning. These make the install process comfortable — proper editor, session persistence, and CLI tools.

pacman -Sy neovim git tmux nodejs npm ripgrep fd gcc make unzip curl wget

Package Why

Package	Why
`neovim`	Editor for configs during install (mkinitcpio, fstab, boot entries)
`git`	lazy.nvim clones plugins; clone domus-nvim
`tmux`	Session persistence — survives WiFi drops
`nodejs npm`	Mason LSP servers (pyright, tsserver, etc.)
`ripgrep`	Telescope live grep
`fd`	Telescope file finder
`gcc make`	Treesitter parsers compile from source
`unzip`	Mason extracts some tools with it
`curl wget`	Mason downloads binaries

neovim

Editor for configs during install (mkinitcpio, fstab, boot entries)

git

lazy.nvim clones plugins; clone domus-nvim

tmux

Session persistence — survives WiFi drops

nodejs npm

Mason LSP servers (pyright, tsserver, etc.)

ripgrep

Telescope live grep

fd

Telescope file finder

gcc make

Treesitter parsers compile from source

unzip

Mason extracts some tools with it

curl wget

Mason downloads binaries

# Clone domus-nvim for a proper editor during install
git clone https://github.com/EvanusModestus/domus-nvim.git /root/.config/nvim

# First launch — lazy.nvim installs plugins, Mason installs LSP servers,
# Treesitter downloads parsers. Takes 1-2 minutes. Wait for it to finish.
nvim

# After plugins finish, quit and verify clean relaunch (no errors)
# :q then:
nvim

# Start tmux session (protects against WiFi disconnects)
tmux new -s install

If WiFi drops and SSH dies, the tmux session keeps running on the P16g. Reconnect with ssh root@<IP> then tmux attach -t install.

Verify ISE Authentication (from Razer)

Confirm the P16g authenticated correctly through ISE via iPSK.

netapi Built-In Commands

# Endpoint identity and profiler data
netapi ise dc endpoint <P16G-MAC>

# Authentication timeline — confirm iPSK PASSED
netapi ise dc auth-history <P16G-MAC> --hours 1

# Active MnT session
netapi ise mnt session <P16G-MAC>

# MnT auth status
netapi ise mnt auth-status <P16G-MAC>

Example (P16g MAC: E0:D5:5D:6C:E1:66)

netapi ise dc endpoint E0:D5:5D:6C:E1:66
netapi ise dc auth-history E0:D5:5D:6C:E1:66 --hours 1
netapi ise mnt session E0:D5:5D:6C:E1:66

Raw DataConnect SQL (validated columns)

# Auth detail by MAC
netapi ise dc query "
SELECT username, mac_address, authentication_method,
       nas_ip_address, passed, failed, timestamp
FROM radius_authentications
WHERE mac_address = '<P16G-MAC>'
  AND timestamp > SYSDATE - 1
ORDER BY timestamp DESC
"

# Endpoint profiler data
netapi ise dc query "
SELECT mac_address, endpoint_profile, identity_group, create_time
FROM endpoints
WHERE mac_address = '<P16G-MAC>'
"

# All MAB authentications today (iPSK uses MAB)
netapi ise dc query "
SELECT mac_address, authentication_method, passed, timestamp
FROM radius_authentications
WHERE authentication_method = 'mab'
  AND timestamp > SYSDATE - 1
ORDER BY timestamp DESC
FETCH FIRST 20 ROWS ONLY
"

# Schema discovery (find valid column names for any table)
netapi ise dc query "SELECT table_name FROM all_tables WHERE owner = 'ISENODE' ORDER BY table_name"

Expected Results

Field Expected Value

Field	Expected Value
Policy Set	`Domus_MAB`
AuthZ Profile	`Domus-IoT-iPSK`
Auth Method	`mab`
Passed	`Pass`
Profiler	`Intel-Device`
NAD	`Home-9800-WLC` (10.50.1.40)
NAD Port	`capwap_*` (wireless)

Policy Set

Domus_MAB

AuthZ Profile

Domus-IoT-iPSK

Auth Method

mab

Passed

Pass

Profiler

Intel-Device

NAD

Home-9800-WLC (10.50.1.40)

NAD Port

capwap_* (wireless)