Workstation Deployment Status

Executive Summary

Deployment Status: 2 of 3 workstations fully operational

Fully Operational: modestus-razer, modestus-p50 (WiFi only)
Pending: modestus-aw (domain join + cert)
Blocked: None

Validation Summary

Component | Status | Priority | Owner | Notes

Endpoint Configuration

modestus-razer (Hostname) | PASS | REQUIRED | Evan | modestus-razer.inside.domusdigitalis.dev
modestus-p50 (Hostname) | PASS | REQUIRED | Gabriel | modestus-p50.inside.domusdigitalis.dev
modestus-aw (Hostname) | PENDING | REQUIRED | Evan | Pending domain join
OS Version | PASS | REQUIRED | - | Arch Linux (all workstations)

PKI & Certificates

Vault PKI (DOMUS-ROOT-CA) | PASS | REQUIRED | Evan | Vault pki_int issuing certs
modestus-razer Certificate | PASS | REQUIRED | Evan | Vault PKI, expires 2027
modestus-p50 Certificate | PASS | REQUIRED | Gabriel | Vault PKI, issued 2026-02-02
modestus-aw Certificate | PENDING | REQUIRED | Evan | Pending Vault PKI issuance

Active Directory

AD Domain Controller (home-dc01) | PASS | REQUIRED | Evan | Windows Server 2025 Core
modestus-razer Domain Join | PASS | REQUIRED | Evan | SSSD active, Kerberos working
modestus-p50 Domain Join | NOT READY | REQUIRED | Gabriel | Packages installed, not joined
modestus-aw Domain Join | NOT READY | REQUIRED | Evan | Packages needed, not joined
AD Group (GRP-Linux-Admin-Workstations) | PENDING | REQUIRED | Evan | Pending creation on home-dc01

802.1X Authentication

modestus-razer Wired 802.1X | PASS | REQUIRED | Evan | EAP-TLS active, NetworkManager
modestus-razer WiFi 802.1X | PASS | REQUIRED | Evan | EAP-TLS on Domus-Secure
modestus-p50 WiFi 802.1X | PASS | REQUIRED | Gabriel | EAP-TLS active
modestus-aw Wired 802.1X | PENDING | REQUIRED | Evan | Pending cert + NM config

ISE Configuration

ISE Endpoint Identity Groups | PASS | REQUIRED | Evan | Linux-Workstations, Linux-Research-Workstations
ISE Certificate Auth Profile | PASS | REQUIRED | Evan | Maps Subject CN to AD
ISE dACLs | PASS | REQUIRED | Evan | DACL_Research_Onboard, Linux_Posture_Compliant
ISE Authorization Profiles | PASS | REQUIRED | Evan | Linux_Research_Onboard, Linux_Research_Compliant
ISE AuthZ Rule (AD Group Condition) | PENDING | REQUIRED | Evan | Pending AD group creation

Security & Compliance

LUKS Disk Encryption | PASS | REQUIRED | - | All workstations encrypted
ClamAV (Posture) | PENDING | DEFERRED | Evan | Setup documented, not deployed
Zabbix Monitoring | PENDING | DEFERRED | Evan | Agent available, config pending

Workstation Details

modestus-razer (Razer Blade 18)

Hardware: Razer Blade 18 (Intel Ultra 9 275HX, RTX 5090)
Owner: Evan
Wired Interface: enp130s0
WiFi Interface: wlan0
Wired MAC: 98:BB:1E:1F:A7:13
WiFi MAC: (check with ip link show wlan0)

Deployment Status

Component | Details | Status | Priority

Domain Join | inside.domusdigitalis.dev via SSSD | PASS | REQUIRED
CA Certificate | /etc/ssl/certs/DOMUS-ROOT-CA.pem | PASS | REQUIRED
Client Certificate | /etc/ssl/certs/modestus-razer-eaptls.pem (Vault PKI) | PASS | REQUIRED
Wired 802.1X | Wired-802.1X - EAP-TLS on enp130s0 | PASS | REQUIRED
WiFi 802.1X | Domus-Secure-802.1X - EAP-TLS on wlan0 | PASS | REQUIRED
LUKS Encryption | Full disk encryption enabled | PASS | REQUIRED

Certificate Details

Subject:  CN=modestus-razer.inside.domusdigitalis.dev
Issuer:   DOMUS-ISSUING-CA (Vault PKI)
Expires:  2027-xx-xx

modestus-p50 (ThinkPad P50)

Hardware: ThinkPad P50 (Intel i7-6820HQ, Quadro M2000M)
Owner: Gabriel
Wired Interface: enp0s31f6
WiFi Interface: wlan0
Wired MAC: C8:5B:76:C6:59:62
WiFi MAC: 14:F6:D8:7B:31:80

Deployment Status

Component | Details | Status | Priority

Domain Join | Packages installed, not joined | NOT READY | REQUIRED
CA Certificate | /etc/ssl/certs/DOMUS-ROOT-CA.pem | PASS | REQUIRED
Client Certificate | /etc/ssl/certs/modestus-p50-eaptls.pem (Vault PKI, 2026-02-02) | PASS | REQUIRED
Wired 802.1X | No wired connection (no cable) | N/A | OPTIONAL
WiFi 802.1X | EAP-TLS active on Domus-Secure | PASS | REQUIRED
LUKS Encryption | Full disk encryption enabled | PASS | REQUIRED

Next Steps

  1. Domain join via runbook: Domain Join

  2. Add to AD group GRP-Linux-Admin-Workstations

  3. Verify ISE authorization with AD group condition


modestus-aw (Alienware)

Hardware: Alienware Workstation
Owner: Evan
Wired Interface: (TBD)
WiFi Interface: wlan0
Wired MAC: (TBD)
WiFi MAC: (TBD)

Deployment Status

Component | Details | Status | Priority

Domain Join | Packages needed, not joined | NOT READY | REQUIRED
CA Certificate | Not installed | NOT READY | REQUIRED
Client Certificate | Pending Vault PKI issuance | NOT READY | REQUIRED
Wired 802.1X | Pending configuration | NOT READY | REQUIRED
WiFi 802.1X | Pending configuration | NOT READY | REQUIRED
LUKS Encryption | TBD | PENDING | REQUIRED

Next Steps

  1. Run pre-flight check: Pre-Flight Script

  2. Install packages: sudo pacman -S sssd samba

  3. Domain join: Domain Join Runbook

  4. Issue certificate from Vault PKI

  5. Configure NetworkManager 802.1X: NetworkManager Wired


Quick Commands

Check Current Status

# Check domain join status
realm list

# Check certificates
ls -la /etc/ssl/certs/*-eaptls.pem
ls -la /etc/ssl/private/*-eaptls.key

# Check ISE sessions
dsource d000 dev/network
netapi ise mnt sessions

Verify ISE Authentication

# modestus-razer
netapi ise mnt session 98:BB:1E:1F:A7:13

# modestus-p50 (WiFi)
netapi ise mnt session 14:F6:D8:7B:31:80