# Linux 802.1X EAP-TLS - Home Enterprise

## Purpose

This guide documents the home enterprise deployment of Linux 802.1X EAP-TLS authentication with Cisco ISE, Active Directory Certificate Services, and domain-joined Linux workstations.

> This is a HOME ENTERPRISE deployment, not a lab or test environment. All configurations follow enterprise security standards with production-grade infrastructure.
Key Features:

- Machine certificate authentication via AD CS (EAP-TLS)
- Active Directory domain-joined Linux workstations
- ISE policy enforcement with AD group-based authorization
- NetworkManager and wpa_supplicant integration
- Automated certificate lifecycle management
- VLAN-based network segmentation
## Live Deployment Status

| Workstation | Wired 802.1X | WiFi 802.1X | Domain | Certificate |
|---|---|---|---|---|
| modestus-razer (Razer Blade 18) | ACTIVE | ACTIVE | Joined | Valid (2028) |
| modestus-p50 (ThinkPad P50) | ACTIVE | Pending | Joined | Valid |

> This documentation is written from a live, working deployment. The Razer Blade 18 running Arch Linux is currently authenticated via EAP-TLS on both wired (enp130s0) and wireless (Domus-Secure) networks using certificates issued by the home enterprise PKI.
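The certificate column above, together with the automated certificate lifecycle listed under Key Features, implies a check that runs before a machine certificate is handed to NetworkManager/wpa_supplicant. The POSIX shell script below is an added example, not code from this page or from the deployment's netapi tooling. It validates the chain to the root, confirms the Client Authentication EKU that EAP-TLS requires, and flags certificates inside a renewal window. It builds a throwaway two-tier PKI named after HOME-ROOT-CA and HOME-ISSUING-CA so it runs offline; the workstation FQDN (modestus-razer.home.example), the 30-day threshold, and the four test certificates are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the page's own tooling: pre-flight check of a machine
# certificate before it is used for EAP-TLS. A throwaway two-tier PKI mirroring
# HOME-ROOT-CA -> HOME-ISSUING-CA is generated here so the script runs offline;
# the workstation FQDN and the 30-day renewal threshold are assumptions.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
RENEW_DAYS=30

# Generate a private key and CSR for the given subject.
make_csr() {
  dir="$1"; name="$2"; subject="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subject" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
}

# Sign a CSR with the named CA (or self-sign when ca is "self") using $name.ext.
sign_cert() {
  dir="$1"; name="$2"; ca="$3"; days="$4"
  if [ "$ca" = "self" ]; then
    openssl x509 -req -sha256 -days "$days" -in "$dir/$name.csr" -signkey "$dir/$name.key" \
      -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -sha256 -days "$days" -in "$dir/$name.csr" -CA "$dir/$ca.pem" -CAkey "$dir/$ca.key" \
      -CAcreateserial -extfile "$dir/$name.ext" -out "$dir/$name.pem" >/dev/null 2>&1
  fi
}

# Build the two-tier test PKI and a chain file (issuing + root) used for verification.
build_test_pki() {
  dir="$1"
  make_csr "$dir" root "/CN=HOME-ROOT-CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/root.ext"
  sign_cert "$dir" root self 3650
  make_csr "$dir" issuing "/CN=HOME-ISSUING-CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/issuing.ext"
  sign_cert "$dir" issuing root 1825
  cat "$dir/issuing.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# Issue a machine certificate from the issuing CA; $3 = validity in days, $4 = EKU.
issue_machine_cert() {
  dir="$1"; name="$2"; days="$3"; eku="$4"
  make_csr "$dir" "$name" "/CN=modestus-razer.home.example"   # FQDN is an assumption
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=%s\nsubjectAltName=DNS:modestus-razer.home.example\n' "$eku" > "$dir/$name.ext"
  sign_cert "$dir" "$name" issuing "$days"
}

# Print "ok" and return 0 when the certificate is fit for EAP-TLS; otherwise
# print the first failing check and return 1.
check_eap_tls_cert() {
  cert="$1"; chain="$2"
  if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "chain verification failed"; return 1
  fi
  if ! openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null | grep -q "TLS Web Client Authentication"; then
    echo "missing Client Authentication EKU"; return 1
  fi
  if ! openssl x509 -in "$cert" -noout -checkend "$((RENEW_DAYS * 86400))" >/dev/null 2>&1; then
    echo "expires within $RENEW_DAYS days: renew"; return 1
  fi
  echo "ok"
}

# Constructed test material: a good cert, one about to expire, one with the
# wrong EKU, and one issued by an unrelated (rogue) CA.
build_test_pki "$WORK"
issue_machine_cert "$WORK" good 365 clientAuth
issue_machine_cert "$WORK" expiring 1 clientAuth
issue_machine_cert "$WORK" wrongeku 365 serverAuth
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=rogue" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" >/dev/null 2>&1

for name in good expiring wrongeku rogue; do
  printf '%-9s %s\n' "$name:" "$(check_eap_tls_cert "$WORK/$name.pem" "$WORK/chain.pem")"
done
```

Requires OpenSSL 1.1.1 or later (for the `-ext` option). On a real workstation the same `check_eap_tls_cert` function would be pointed at the certificate and CA bundle referenced by the NetworkManager 802-1x profile, and a non-zero return would trigger renewal before the next authentication.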
## Network Architecture

Complete network topology showing:

- KVM hypervisor infrastructure (ISE, pfSense, DC, WLC)
- Physical network devices (3560-CX switch, Aironet AP)
- Linux workstations (modestus-razer, modestus-p50)
- 802.1X authentication flow
- VLAN segmentation
## Infrastructure Overview

Complete home datacenter infrastructure:

- Security & Access Control - pfSense, ISE x2 (standalone), Keycloak IdP
- PKI - Two-tier (HOME-ROOT-CA → HOME-ISSUING-CA), Let’s Encrypt
- Wireless - 9800 WLC, iPSK Manager HA, Aironet 4800
- Compute & Storage - KVM hypervisor, Synology NAS, Gitea, IPMI
- Switching - 3560-CX with C3PL/IBNS 2.0
- netapi CLI - Unified API management layer
## VLAN Architecture

Network segmentation with security zones:

- VLAN 100 (Management) - Infrastructure only
- VLAN 10 (Data) - 802.1X EAP-TLS (Domus-Secure WiFi)
- VLAN 20 (Voice) - VoIP devices
- VLAN 30 (Guest) - Guest portal with Internet-only access
- VLAN 40 (IoT) - iPSK devices (Domus-IoT WiFi)
- VLAN 666 (Native) - Unused native VLAN (security)
- VLAN 999 (Critical Auth) - Authentication failure fallback
## Infrastructure Components

### Network & Security

| Hostname | IP Address | Role |
|---|---|---|
| pfsense-01 | 10.50.1.1 | Firewall/Router, DNS Resolver, DHCP, API-driven |
| 3560cx-01 | 10.50.1.10 | Wired Access Switch (C3PL IBNS 2.0) |
| 9800-wlc-01 | 10.50.1.40 | Cisco 9800 Wireless LAN Controller |
| ise-01 | 10.50.1.20 | ISE Primary (Admin, MnT, PSN, pxGrid) |
| ise-02 | 10.50.1.21 | ISE Secondary (Admin, MnT, PSN) |
| ipsk-mgr-01/02 | 10.50.1.30/31 | iPSK Manager (IoT/BYOD onboarding) - HA pair |
### Identity & PKI

| Hostname | IP Address | Role |
|---|---|---|
| home-dc01 | 10.50.1.50 | Windows Domain Controller, AD CS (HOME-ROOT-CA → HOME-ISSUING-CA) |
| keycloak-01 | 10.50.1.80 | Keycloak Identity Provider (SAML/OIDC) |
| certmgr-01 | 10.50.1.60 | Let’s Encrypt certificate automation |
### Compute & Storage

| Hostname | IP Address | Role |
|---|---|---|
| kvm-01 | 10.50.1.99 | KVM Hypervisor (ISE, pfSense, DC, WLC VMs) |
| ipmi-01 | 10.50.1.200 | Out-of-band management (IPMI/BMC) |
| nas-01 | 10.50.1.70 | Synology NAS Primary (rack, powered off) |
| nas-02 | 10.50.1.71 | Synology NAS Secondary (active, Borg backups) |
| gitea-01 | 10.50.1.70 | Self-hosted Git (runs on NAS) |
## API-Driven Infrastructure

All infrastructure is managed via netapi - a unified CLI for API-driven operations:

```bash
# Network
netapi pfsense dns list        # DNS management
netapi ios exec "show run"     # Switch configuration

# Identity & Access
netapi ise mnt sessions        # Active 802.1X sessions
netapi ise get-authz-rules     # Authorization policies

# Certificates
netapi ise get-system-certs    # ISE certificate status
```

> DNS: All DNS resolution via pfSense DNS Resolver with API-managed host overrides. Git: All configuration and documentation hosted on a self-hosted Gitea instance.