Linux Research Workstation

1. Overview

Reusable deployment pattern for Linux research workstations with full 802.1X EAP-TLS authentication via NetworkManager. This template can be used for any research environment requiring secure network access.

1.1. Deployment Goals

  • Arch Linux installation with full disk encryption (LUKS)

  • NetworkManager-based 802.1X EAP-TLS for wired network

  • Research network access (VLAN 40)

  • Domain integration via SSSD/realmd

  • Zabbix monitoring agent

2. Requirements

Requirement       Details                                Status
Arch Linux        Rolling release installation           Pending
802.1X EAP-TLS    NetworkManager wired configuration     Pending
Certificate       Vault-issued workstation certificate   Pending
Domain Join       SSSD/realmd integration with AD        Pending
Disk Encryption   LUKS full disk encryption              Pending
Monitoring        Zabbix Agent 2 integration             Pending

3. Deployment Checklist

  • Install Arch Linux with LUKS encryption

  • Configure NetworkManager for 802.1X EAP-TLS

  • Request workstation certificate from Vault PKI

  • Import certificate to system store

  • Configure wired 802.1X connection profile

  • Test authentication and VLAN assignment

  • Join to inside.domusdigitalis.dev via realmd

  • Install and configure Zabbix Agent 2

  • Verify research network access

  • Document final configuration

4. Technical Approach

4.1. Authentication Method

NetworkManager is used rather than a standalone wpa_supplicant configuration, for desktop usability:

# Create 802.1X wired connection
# Replace <hostname> with the actual workstation name
# Adjust ifname to the workstation's wired interface
# The private key should be readable only by root (mode 0600)
nmcli connection add type ethernet \
  con-name "Wired-802.1X" \
  ifname enp0s31f6 \
  802-1x.eap tls \
  802-1x.identity "<hostname>.inside.domusdigitalis.dev" \
  802-1x.ca-cert /etc/ssl/certs/DOMUS-ROOT-CA.pem \
  802-1x.client-cert /etc/ssl/certs/<hostname>-eaptls.pem \
  802-1x.private-key /etc/ssl/private/<hostname>-eaptls.key
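An added verification example (not part of this template) for the "Test authentication" step: a POSIX sh check that the 802-1x properties of the profile above are set as intended (EAP method tls, identity equal to the workstation FQDN, pinned DOMUS root CA, certificate and key paths present) and that the private key is not group- or world-readable. It assumes the terse output format of `nmcli -t -f 802-1x connection show Wired-802.1X`; the profile text and hostname lab-ws01 are constructed sample data.

```shell
#!/bin/sh
# Constructed sample of `nmcli -t -f 802-1x connection show Wired-802.1X`
# output (field:value lines); hostname lab-ws01 is a placeholder.
SAMPLE_PROFILE='802-1x.eap:tls
802-1x.identity:lab-ws01.inside.domusdigitalis.dev
802-1x.ca-cert:/etc/ssl/certs/DOMUS-ROOT-CA.pem
802-1x.ca-cert-password:
802-1x.client-cert:/etc/ssl/certs/lab-ws01-eaptls.pem
802-1x.private-key:/etc/ssl/private/lab-ws01-eaptls.key
802-1x.system-ca-certs:no'

# Look up one property in terse nmcli output. $1 = profile text, $2 = property.
profile_get() {
    printf '%s\n' "$1" | sed -n "s/^$2://p" | head -n 1
}

# Validate the EAP-TLS profile. $1 = profile text, $2 = expected hostname.
# Prints each failed check and returns 1; returns 0 when everything passes.
check_eaptls_profile() {
    rc=0
    [ "$(profile_get "$1" 802-1x.eap)" = "tls" ] \
        || { echo "eap method is not tls"; rc=1; }
    [ "$(profile_get "$1" 802-1x.identity)" = "$2.inside.domusdigitalis.dev" ] \
        || { echo "identity does not match $2"; rc=1; }
    for p in 802-1x.ca-cert 802-1x.client-cert 802-1x.private-key; do
        [ -n "$(profile_get "$1" "$p")" ] || { echo "$p is not set"; rc=1; }
    done
    # The profile must pin the DOMUS root, not rely on the whole system store.
    [ "$(profile_get "$1" 802-1x.ca-cert)" = "/etc/ssl/certs/DOMUS-ROOT-CA.pem" ] \
        || { echo "ca-cert is not the pinned DOMUS root CA"; rc=1; }
    return $rc
}

# The private key must carry no group/other permission bits (0600 or 0400).
# $1 = path to the key file. Uses ls -l so it works on any POSIX system.
check_key_perms() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Stand-alone run against the constructed sample.
check_eaptls_profile "$SAMPLE_PROFILE" lab-ws01 && echo "profile OK"
```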

4.2. Certificate Issuance

# Issue certificate via Vault
# Replace <hostname> with actual workstation name
dsource d000 dev/vault
netapi vault pki-issue <hostname>.inside.domusdigitalis.dev \
  --role domus-workstation \
  --ttl 8760h \
  -o /tmp/<hostname>-certs

5.1. This Project

5.2. domus-ise-linux (Linux 802.1X)

Reference documentation in the domus-ise-linux component:

  • 04-linux-client/networkmanager-wired - NetworkManager Wired 802.1X

  • 04-linux-client/domain-join - Domain Join via SSSD

  • 04-linux-client/disk-encryption - LUKS Disk Encryption

  • 04-linux-client/monitoring - Zabbix Agent Setup

  • 02-pki/certificate-enrollment - Certificate Enrollment

  • 03-ise-config/authentication-policy - Authentication Policy

  • 03-ise-config/authorization-policy - Authorization Policy