Linux EAP-TLS Methodology

Overview

Comprehensive methodology for deploying 802.1X EAP-TLS authentication on Linux workstations in enterprise environments. Developed through real-world deployments at home enterprise and CHLA.

Primary Documentation: domus-ise-linux (ise-linux)

Scope

Area              Coverage
PKI               Vault PKI, Windows AD CS, certificate profiles
Identity          Active Directory integration, SSSD, Kerberos
Network           NetworkManager, wpa_supplicant, wired/wireless 802.1X
ISE               Policy sets, authorization rules, certificate authentication profiles
Troubleshooting   End-to-end validation, common failure modes

Architecture

Authentication Flow

Linux Workstation
    │
    ├── Certificate: /etc/ssl/certs/<hostname>-eaptls.pem
    ├── Private Key: /etc/ssl/private/<hostname>-eaptls.key
    └── CA Chain: /etc/ssl/certs/ca-chain.pem
    │
    ▼
Network Switch/AP (802.1X Authenticator)
    │
    ▼
Cisco ISE (RADIUS)
    │
    ├── Certificate Validation (DOMUS-ROOT-CA trust)
    ├── AD Group Lookup (GRP-Linux-Admin-Workstations)
    └── Authorization Profile Assignment (VLAN, dACL)
    │
    ▼
Network Access Granted

Key Components

Component         Home Enterprise           Enterprise (CHLA)
PKI               Vault (DOMUS-ROOT-CA)     Windows AD CS or Vault
Identity Store    Active Directory          Active Directory
RADIUS            Cisco ISE                 Cisco ISE
Client OS         Arch Linux                Ubuntu/RHEL

Documentation Structure

The methodology is documented in domus-ise-linux with 4 main sections:

01-Infrastructure

  • Network architecture overview

  • Deployment models (standalone vs domain-joined)

  • Prerequisites and planning

02-PKI

  • Certificate enrollment procedures

  • Vault PKI integration

  • Windows AD CS (legacy)

  • Troubleshooting certificate issues

03-ISE-Config

  • Policy set configuration

  • Certificate authentication profiles

  • Authorization policies

  • AD group integration

04-Linux-Client

  • Domain join procedures

  • NetworkManager 802.1X profiles

  • wpa_supplicant configuration

  • Privilege separation

  • Troubleshooting

Deployments

Environment          Workstations                                 PKI         Status
Home Enterprise      modestus-razer, modestus-p50, modestus-aw    Vault PKI   Production
CHLA (Dr. Shahab)    Research workstations                        TBD         Planning

Key Runbooks

From domus-infra-ops:

From domus-ise-linux:

  • Domain Join (ise-linux)

  • NetworkManager Wired 802.1X (ise-linux)

  • NetworkManager WiFi 802.1X (ise-linux)

  • End-to-End Validation (ise-linux)

Lessons Learned

Critical Success Factors

  1. Port 464 (kpasswd) - Required for domain join, often missed in firewall rules

  2. AES encryption - Modern DCs reject RC4; explicit AES config in krb5.conf required

  3. Certificate SAN - Must include hostname for ISE certificate validation

  4. AD group membership - Computer accounts need $ suffix (e.g., modestus-razer$)
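Added pre-flight check for success factors 1 and 2 above (stdlib-only example code, not part of the domus-ise-linux runbooks): it parses the [libdefaults] section of a krb5.conf string, flags any enctype key that allows RC4, lacks AES or is left implicit, and probes TCP port 464 (kpasswd). The two krb5.conf fragments and the EXAMPLE.LOCAL realm are constructed sample input.

```python
import re
import socket

# Constructed weak krb5.conf fragment: RC4 only, permitted_enctypes left implicit.
WEAK_KRB5_CONF = "[libdefaults]\n  default_tgs_enctypes = rc4-hmac\n  default_tkt_enctypes = rc4-hmac\n"

# Constructed hardened fragment: explicit AES on all three enctype keys, no RC4.
FIXED_KRB5_CONF = """
[libdefaults]
  default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
"""

ENCTYPE_KEYS = ("default_tgs_enctypes", "default_tkt_enctypes", "permitted_enctypes")

def libdefaults(conf):
    """Return key -> value for the [libdefaults] section of a krb5.conf string."""
    section, out = None, {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and whitespace
        m = re.match(r"\[(\w+)\]$", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out

def enctype_findings(conf):
    """Problems a modern DC rejects: RC4 listed, AES missing, or a key left implicit."""
    findings = []
    ld = libdefaults(conf)
    for key in ENCTYPE_KEYS:
        types = ld.get(key, "").split()
        if not types:
            findings.append(f"{key} not set explicitly")
        elif any(t.startswith(("rc4", "arcfour")) for t in types):
            findings.append(f"{key} allows RC4: {' '.join(types)}")
        elif not any(t.startswith("aes") for t in types):
            findings.append(f"{key} has no AES enctype")
    return findings

def kpasswd_reachable(host, port=464, timeout=2.0):
    """TCP probe for kpasswd; False usually means a firewall/dACL is blocking port 464."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `enctype_findings(open("/etc/krb5.conf").read())` and `kpasswd_reachable("<dc-fqdn>")` before attempting the domain join; an empty findings list and True are the expected results.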

Common Failure Modes

Symptom                                       Cause                                Fix
"Subject not found"                           Wrong policy set (802.1X vs MAB)     Check ISE policy set ordering
"KDC has no support for encryption type"      Missing AES config in krb5.conf      Add explicit encryption types
Domain join fails silently                    Port 464 blocked                     Add kpasswd to firewall/dACL
SSSD shows Offline                            DNS SRV records missing              Restart Netlogon, verify DNS