Home Network Infrastructure Overview

Overview

This document describes the Domus Digitalis home enterprise network infrastructure supporting Linux workstation 802.1X EAP-TLS authentication.

This is a HOME ENTERPRISE deployment, not a lab or test environment. All configurations follow enterprise security standards with production-grade infrastructure.

Network Topology

[Diagram: Home Network Topology]

Infrastructure Components

Core Networking

| Component | Model/Version | IP Address | Role |
|---|---|---|---|
| Internet Gateway | HUMAX BGW320-500 | 192.168.1.254 | AT&T Fiber 1Gbps |
| Firewall/Router | VyOS 1.4 (HA Pair) | 10.50.1.1 | Inter-VLAN routing, DHCP, Firewall (VRRP VIP) |
| Access Switch | Cisco 3560-CX | 10.50.1.10 | 802.1X Authenticator, VLAN Trunking |
| Wireless Controller | Cisco C9800-CL | 10.50.1.40 | CAPWAP controller for Aironet APs |
| Wireless AP | Cisco Aironet 4800 | 10.50.10.101 | WiFi 5/6 (802.11ax) |

Authentication & Identity Services

| Component | Model/Version | IP Address | Role |
|---|---|---|---|
| ISE Primary | Cisco ISE 3.4 | 10.50.1.20 | Primary (Admin + PSN + MnT) - ISE 3.4 ACTIVE |
| ISE Secondary | Cisco ISE 3.2p9 | 10.50.1.21 | Secondary (Admin + PSN + MnT) - PLANNED |
| Active Directory | Windows Server 2025 Core | 10.50.1.50 | AD DS + DNS (PKI on Vault) |
| Domain | inside.domusdigitalis.dev | N/A | Internal AD domain |

Hypervisor Platform

| Component | Specification |
|---|---|
| Model | Supermicro E300-9D |
| CPU | Intel Xeon D-2146NT (16-core, 32-thread) |
| RAM | 128GB DDR4 ECC |
| Storage | NVMe + NFS (Synology DS1621+) |
| Networking | Dual 10GbE (Intel X710) |
| Management IP | 10.50.1.99 |

All infrastructure VMs (VyOS, ISE, DC, WLC) run on this hypervisor using KVM/QEMU.

VLAN Architecture

[Diagram: VLAN Architecture]

VLAN Segmentation

| VLAN | Name | Subnet | Purpose |
|---|---|---|---|
| Infrastructure VLANs (servers/services) | | | |
| 100 | INFRA | 10.50.1.0/24 | Network hardware, hypervisors, k3s nodes |
| 110 | SECURITY | 10.50.110.0/24 | Crown jewels: Vault, ISE, secrets |
| 120 | SERVICES | 10.50.120.0/24 | General VMs: Keycloak, Gitea, FreeIPA, BIND |
| Client VLANs (endpoints only) | | | |
| 10 | DATA | 10.50.10.0/24 | Corporate wired/wireless devices |
| 20 | VOICE | 10.50.20.0/24 | VoIP phones (QoS) |
| 30 | GUEST | 10.50.30.0/24 | Guest portal (internet only) |
| 40 | IOT | 10.50.40.0/24 | IoT devices, limited access |
| 999 | CRITICAL_AUTH | — | 802.1X failure quarantine (no gateway) |

VLAN 40 (IOT/Research) is the primary VLAN for Linux workstations requiring EAP-TLS machine authentication.

VLAN 40 - Research Network (Linux Workstations)

This is the primary VLAN for Linux workstations with strict security requirements:

Security Posture:

  • 802.1X EAP-TLS machine authentication REQUIRED

  • Client certificates issued by Vault PKI (DOMUS-ISSUING-CA)

  • Active Directory domain join REQUIRED

  • AD group membership: GRP-Linux-Admin-Workstations

  • ISE authorization rule: Linux_Admin_EAP-TLS

  • ISE authorization profile: Linux_EAPTLS_Admins

  • Downloadable ACL: LINUX_EAPTLS_PERMIT_ALL

Current Devices:

  • modestus-razer - Razer Blade 15 (Arch Linux)

  • modestus-p50 - ThinkPad P50 (Arch Linux)

Both workstations are:

  • Domain-joined to inside.domusdigitalis.dev

  • Members of GRP-Linux-Admin-Workstations

  • Configured with 802.1X wired + wireless

  • Using NetworkManager for connection management

Authentication Flow

802.1X EAP-TLS Sequence

  1. EAPOL Start - Client sends EAPOL-Start to switch

  2. RADIUS Access-Request - Switch forwards to ISE with client certificate

  3. AD Validation - ISE validates:

    • Computer account exists in AD

    • Computer is member of GRP-Linux-Admin-Workstations

  4. Certificate Validation - ISE checks:

    • Certificate issued by trusted ROOT CA

    • Certificate not revoked (CRL check)

    • Certificate subject matches computer account

  5. Authorization Decision - ISE applies policy:

    • Rule: Linux_Admin_EAP-TLS

    • Profile: Linux_EAPTLS_Admins

    • VLAN: 40

    • dACL: LINUX_EAPTLS_PERMIT_ALL

  6. Access Granted - Switch receives Access-Accept:

    • Assigns port to VLAN 40

    • Downloads ACL from ISE

    • Allows client network access

Network Services

DNS Resolution

Internal DNS (BIND):

  • Domain: inside.domusdigitalis.dev

  • Primary NS: 10.50.1.90 (bind-01)

  • Secondary NS: 10.50.1.91 (bind-02)

  • Forwarders: 1.1.1.1, 8.8.8.8

Key Records:

  • home-dc01.inside.domusdigitalis.dev → 10.50.1.91

  • ise-pan.inside.domusdigitalis.dev → 10.50.1.20

  • ise-psn.inside.domusdigitalis.dev → 10.50.1.20

  • wlc.inside.domusdigitalis.dev → 10.50.1.40

DHCP Scopes

| VLAN | Range | Lease Time |
|---|---|---|
| 10 (Data) | 10.50.10.50 - 10.50.10.200 | 24 hours |
| 20 (Voice) | 10.50.20.50 - 10.50.20.200 | 12 hours |
| 30 (Guest) | 10.50.30.50 - 10.50.30.200 | 2 hours |
| 40 (Research) | 10.50.40.50 - 10.50.40.200 | 24 hours |
| 999 (Critical Auth) | Limited pool | 1 hour |

Firewall Rules Summary

Default Policy: Deny all inter-VLAN traffic

Allowed Traffic:

  • VLAN 40 → All (Research has full network access)

  • VLAN 10 → Internet, Management (limited)

  • VLAN 30 → Internet only (Guest isolation)

  • All → DNS (10.50.1.90)

  • All → DHCP

Blocked Traffic:

  • VLAN 30 (Guest) → Internal networks

  • VLAN 999 → All except ISE portal

PKI Architecture

PKI Migration Complete (2026-02): HOME-ROOT-CA (Windows AD CS) has been replaced by DOMUS-ROOT-CA (HashiCorp Vault). All new certificates are issued via Vault PKI.

Certificate Authority Hierarchy

ROOT CA:

  • Name: DOMUS-ROOT-CA

  • Type: Offline Root (Vault PKI)

  • Server: vault-01 (HashiCorp Vault)

  • Validity: 10 years

  • Key: RSA 4096-bit

ISSUING CA:

  • Name: DOMUS-ISSUING-CA

  • Type: Online Issuing CA (Vault pki_int)

  • Validity: 5 years

  • Issues: Client, server, and EAP-TLS certificates

Vault PKI Roles:

  • domus-client - Client/EAP-TLS certificates (1 year TTL)

  • domus-server - Server certificates (1 year TTL)

Legacy (DEPRECATED):

  • HOME-ROOT-CA (Windows AD CS) - No longer issuing certificates

  • See Vault PKI Cert Issuance (infra-ops) for current procedures

Certificate Deployment

Linux Workstations:

  • Certificate: /etc/ssl/certs/<hostname>-eaptls.pem

  • Private Key: /etc/ssl/private/<hostname>-eaptls.key

  • CA Chain: /etc/ssl/certs/domus-ca-chain.pem (Root + Issuing)

  • Subject: O=Domus Digitalis, OU=Endpoints, CN=<hostname>.inside.domusdigitalis.dev

  • Issued via: vault write pki_int/issue/domus-client
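As an added example (not part of this runbook or of any vendor tooling), the following script performs the client-side pre-flight checks that mirror the ISE certificate validation step in the authentication flow above (chain to the Root + Issuing bundle, CN equal to the computer's FQDN as ISE matches it to the AD computer account, key/cert match, expiry) using the certificate paths and subject layout documented in this section, and then creates the NetworkManager wired 802.1X profile that uses them. It assumes openssl and nmcli are installed; the interface name eth0, the profile name wired-eaptls and the script file name are placeholders.

```shell
#!/bin/sh
# Added example, not from the original runbook: pre-flight checks for a
# workstation's EAP-TLS identity, then the NetworkManager wired 802.1X profile.
# Assumptions: openssl and nmcli installed; eth0 and profile name are placeholders.
DOMAIN="inside.domusdigitalis.dev"
# Subject DOMUS-ISSUING-CA is expected to put on a workstation certificate.
expected_subject() {
    printf 'O=Domus Digitalis, OU=Endpoints, CN=%s.%s\n' "$1" "$DOMAIN"
}
# check_cert HOST CERT KEY CHAIN: exit 0 only if every requirement holds.
check_cert() {
    host=$1 cert=$2 key=$3 chain=$4
    # 1. Certificate must chain to the trusted bundle (Root + Issuing CA).
    openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1 \
        || { echo "chain: FAIL"; return 1; }
    # 2. CN must be this computer's FQDN (ISE matches it to the AD account).
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
           | sed 's/^subject= *//')
    case "$subj" in
        "CN=$host.$DOMAIN"|"CN=$host.$DOMAIN,"*|*",CN=$host.$DOMAIN"|*",CN=$host.$DOMAIN,"*) ;;
        *) echo "subject: FAIL ($subj)"; return 1 ;;
    esac
    # 3. Private key must belong to this certificate (compare public keys).
    c=$(openssl x509 -in "$cert" -noout -pubkey)
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    [ -n "$k" ] && [ "$c" = "$k" ] || { echo "key: FAIL"; return 1; }
    # 4. Reject a certificate that is expired or expires within 24 hours.
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
        || { echo "expiry: FAIL"; return 1; }
    echo "OK: $cert"
}
# Wired 802.1X EAP-TLS profile; the 802-1x.* property names are nmcli's own.
nm_wired_eaptls() {
    host=$1 ifname=${2:-eth0}
    nmcli connection add type ethernet ifname "$ifname" con-name wired-eaptls \
        802-1x.eap tls \
        802-1x.identity "$host.$DOMAIN" \
        802-1x.ca-cert /etc/ssl/certs/domus-ca-chain.pem \
        802-1x.client-cert "/etc/ssl/certs/$host-eaptls.pem" \
        802-1x.private-key "/etc/ssl/private/$host-eaptls.key" \
        connection.autoconnect yes
}
# Usage: ./eaptls-preflight.sh check HOST | deploy HOST [IFNAME]
case "${1:-}" in
    check)  check_cert "$2" "/etc/ssl/certs/$2-eaptls.pem" \
                "/etc/ssl/private/$2-eaptls.key" /etc/ssl/certs/domus-ca-chain.pem ;;
    deploy) nm_wired_eaptls "$2" "$3" ;;
esac
```

If the Vault-issued private key is stored encrypted, add 802-1x.private-key-password to the nmcli call; run `check` before `deploy` so a misnamed CN or mismatched key is caught locally rather than as a RADIUS reject in ISE Live Logs.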

Monitoring & Management

ISE Monitoring

  • Live Logs: Operations → RADIUS → Live Logs

  • MnT API: netapi ise mnt session <MAC>

  • DataConnect: netapi ise dc session <MAC>

Network Monitoring

Log Aggregation

All infrastructure components send logs to a centralized syslog server (future: Splunk/ELK).

Backup Strategy

  • Infrastructure VMs: Daily snapshots (NAS)

  • ISE Config: Weekly backups via CLI

  • VyOS Config: Daily config archive to NAS

  • AD: System State backups (daily)

  • Certificates: Exported to encrypted vault