Dr. Shahab Linux Workstation

1. Overview

Arch Linux workstation deployment for Dr. Shahab’s research environment with full 802.1X EAP-TLS authentication via NetworkManager.

1.1. Deployment Goals

  • Arch Linux installation with full disk encryption (LUKS)

  • NetworkManager-based 802.1X EAP-TLS for wired network

  • Research network access (VLAN 40)

  • Domain integration via SSSD/realmd

  • Zabbix monitoring agent

2. Requirements

Requirement        Details                                Status
Arch Linux         Rolling release installation           Pending
802.1X EAP-TLS     NetworkManager wired configuration     Pending
Certificate        Vault-issued workstation certificate   Pending
Domain Join        SSSD/realmd integration with AD        Pending
Disk Encryption    LUKS full disk encryption              Pending
Monitoring         Zabbix Agent 2 integration             Pending

3. Deployment Checklist

  • Install Arch Linux with LUKS encryption

  • Configure NetworkManager for 802.1X EAP-TLS

  • Request workstation certificate from Vault PKI

  • Import certificate to system store

  • Configure wired 802.1X connection profile

  • Test authentication and VLAN assignment

  • Join to inside.domusdigitalis.dev via realmd

  • Install and configure Zabbix Agent 2

  • Verify research network access

  • Document final configuration

4. Technical Approach

4.1. Authentication Method

The wired 802.1X profile is managed through NetworkManager rather than a hand-written wpa_supplicant configuration, for desktop usability:

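# Create 802.1X wired connection (EAP-TLS; the RADIUS server certificate is validated against ca-cert)
# Unless a key password is stored or 802-1x.private-key-password-flags marks it as
# not required, NetworkManager asks for one when the connection is activated.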
nmcli connection add type ethernet \
  con-name "Wired-802.1X" \
  ifname enp0s31f6 \
  802-1x.eap tls \
  802-1x.identity "dr-shahab-ws.inside.domusdigitalis.dev" \
  802-1x.ca-cert /etc/ssl/certs/DOMUS-ROOT-CA.pem \
  802-1x.client-cert /etc/ssl/certs/dr-shahab-ws-eaptls.pem \
  802-1x.private-key /etc/ssl/private/dr-shahab-ws-eaptls.key

4.2. Certificate Issuance

# Issue certificate via Vault
dsource d000 dev/vault
netapi vault pki-issue dr-shahab-ws.inside.domusdigitalis.dev \
  --role domus-workstation \
  --ttl 8760h \
  -o /tmp/dr-shahab-certs
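
A pre-flight check for the certificate files named in the 4.1 connection profile, run after issuance and before the profile is activated; this is an added example, not part of the project's own tooling. The function name preflight_eaptls, the KEY_PASS variable, direct issuance from the root CA and the clientAuth expectation for the domus-workstation role are assumptions.

```sh
#!/bin/sh
# Added example, not project code: check the EAP-TLS files before the
# NetworkManager profile references them.
# Usage: preflight_eaptls CA_PEM CERT_PEM KEY_FILE [MIN_DAYS_LEFT]
# KEY_PASS (hypothetical variable) carries the key passphrase, if any.
preflight_eaptls() (
  ca=$1; cert=$2; key=$3; min_days=${4:-0}; rc=0
  fail() { echo "FAIL: $*" >&2; rc=1; }
  export KEY_PASS="${KEY_PASS-}"

  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; exit 2; }
  done

  # 1. The private key must not be accessible to group or others.
  case "$(stat -c '%a' "$key")" in
    600|400) ;;
    *) fail "$key permissions too open (want 600 or 400)" ;;
  esac

  # 2. Certificate and key must be a pair: compare their public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
  key_pub=$(openssl pkey -in "$key" -pubout -passin env:KEY_PASS 2>/dev/null) || key_pub=
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    fail "certificate and private key do not match"
  fi

  # 3. The certificate must chain to the CA file used as 802-1x.ca-cert.
  #    Assumes direct issuance; an intermediate CA would need -untrusted.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    fail "certificate does not verify against $ca"

  # 4. Assumption: the issuing role sets the clientAuth extended key usage.
  openssl x509 -in "$cert" -noout -text 2>/dev/null |
    grep -q 'TLS Web Client Authentication' ||
    fail "certificate lacks clientAuth extended key usage"

  # 5. The certificate must stay valid for at least MIN_DAYS_LEFT more days.
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) \
    >/dev/null 2>&1 || fail "certificate expires within $min_days day(s)"

  exit "$rc"
)
```

Called with the three paths from the nmcli command in 4.1 and, for example, 30 as the fourth argument, it returns 0 only when every check passes and prints one FAIL line per problem otherwise.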

5.1. This Project

5.2. domus-ise-linux (Linux 802.1X)

Reference documentation in the domus-ise-linux component:

  • 04-linux-client/networkmanager-wired - NetworkManager Wired 802.1X

  • 04-linux-client/domain-join - Domain Join via SSSD

  • 04-linux-client/disk-encryption - LUKS Disk Encryption

  • 04-linux-client/monitoring - Zabbix Agent Setup

  • 02-pki/certificate-enrollment - Certificate Enrollment

  • 03-ise-config/authentication-policy - Authentication Policy

  • 03-ise-config/authorization-policy - Authorization Policy