Deployment Models: Standalone vs AD-Joined

Overview

802.1X EAP-TLS can be deployed in two architectures:

Aspect                Standalone (Home Lab)                          AD-Joined (Enterprise)
--------------------  ---------------------------------------------  --------------------------------
AD Membership         No domain join                                 Device joins Active Directory
Certificate Source    Manual enrollment from CA                      Auto-enrollment via Group Policy
Certificate Renewal   Manual (script-assisted)                       Automatic via AD CS
User Authentication   Local accounts                                 AD accounts (Kerberos/LDAP)
Policy Management     Manual configuration                           Group Policy Objects (GPO)
Example               This home lab (Domus): HOME Linux Workstation

Security Comparison

Both models authenticate the endpoint with the same EAP-TLS exchange, so the strength of the 802.1X authentication itself is identical.

EAP-TLS security is based on:

  • Mutual TLS authentication (client and server both present certificates)

  • Certificate signed by trusted CA

  • Private key protection on the endpoint

AD membership adds operational management, not authentication security.

What AD-Join Provides

  • Automated certificate lifecycle — Certificates auto-enroll and auto-renew

  • Centralized revocation — Revoke on AD CS and publish the CRL/OCSP response; ISE checks CRL/OCSP in either model, but with AD-join the CA database records the requesting computer account, so the certificate of a retired or compromised machine is easy to find and revoke

  • Group Policy — Push configurations, security baselines

  • Single sign-on — Kerberos tickets after 802.1X auth

  • Audit trail — ISE logs the 802.1X authentication in both models; AD-join adds the domain-side events (issuance in the CA database, Kerberos logons in the Security log) under the same machine identity

What Standalone Provides

  • Simplicity — No domain infrastructure required

  • Independence — Device operates without AD availability

  • Lab flexibility — Test configurations without affecting production

  • Lower overhead — No DC, no GPO, no replication

When to Use Each Model

Use Standalone When:

  • Home lab or proof-of-concept

  • Isolated research environments

  • Devices that cannot join AD (embedded systems, IoT)

  • Testing before enterprise deployment

Use AD-Joined When:

  • Enterprise production deployment

  • Certificate lifecycle automation is required

  • Centralized management is needed

  • Compliance requires audit trails

  • Multiple devices need consistent policy

Certificate Management Comparison

Standalone (Manual)

# Generate the CSR. The private key in /etc/ssl/private/ must stay root-only;
# the hostname goes in the SAN as well as the CN so the ISE certificate
# authentication profile can match on either attribute.
openssl req -new -sha256 -key /etc/ssl/private/machine.key \
  -out /tmp/machine.csr -subj "/CN=hostname.inside.domusdigitalis.dev" \
  -addext "subjectAltName=DNS:hostname.inside.domusdigitalis.dev"

# Submit to the CA (AD CS web enrollment, or certreq from a Windows host)
# Download and install the certificate, then confirm it belongs to the key
# (the two digests must be identical; the file name machine.crt is assumed):
openssl x509 -in /etc/ssl/certs/machine.crt -noout -pubkey | openssl sha256
openssl pkey -in /etc/ssl/private/machine.key -pubout | openssl sha256

# Renewal: repeat the process before expiry. Nothing triggers this for you
# in the standalone model, so check remaining validity (openssl x509 -checkend)
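The standalone model replaces auto-enrollment with "script-assisted" manual renewal, which in practice means something has to verify the three pillars listed under Security Comparison (chain to the CA, key matches the certificate, key readable by root only) and notice when expiry is near. The script below is an added example for this page, not the lab's own tooling. It builds a throwaway CA in place of HOME-ROOT-CA so it runs offline; the 30-day renewal threshold, the scratch directory, and the file names are assumptions, and it needs OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Lifecycle checks for a manually enrolled (standalone) machine certificate.
# Added example for this page; not part of the lab's own tooling.
# Assumptions not taken from the page: 30-day renewal threshold, scratch
# directory, and a constructed test CA standing in for HOME-ROOT-CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
RENEW_BEFORE_DAYS=30
HOST=hostname.inside.domusdigitalis.dev

# Minimal openssl config so the script does not depend on the system openssl.cnf.
# x509_extensions only applies to the self-signed CA (openssl req -x509).
req_config() {
  [ -f "$WORK/req.cnf" ] || printf '%s\n' '[req]' 'distinguished_name=dn' \
    'x509_extensions=ca' '[dn]' '[ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$WORK/req.cnf"
  echo "$WORK/req.cnf"
}

# Renewal CSR with a fresh key: a key exposed during the old certificate's
# lifetime should not be carried into the new one. CN and SAN both carry
# the hostname so ISE can match on either attribute.
make_renewal_csr() {  # $1=new key path  $2=CSR path
  umask 077
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$(req_config)" \
    -keyout "$1" -out "$2" -subj "/CN=$HOST" \
    -addext "subjectAltName=DNS:$HOST" >/dev/null 2>&1
}

# Constructed test PKI: a root CA plus a machine cert valid for $1 days.
# In the lab these are HOME-ROOT-CA and the certificate it issued.
make_test_pki() {  # $1=machine cert validity in days
  umask 077
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$(req_config)" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Test Root CA (constructed)" >/dev/null 2>&1
  make_renewal_csr "$WORK/machine.key" "$WORK/machine.csr"
  openssl x509 -req -in "$WORK/machine.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days "$1" -sha256 \
    -out "$WORK/machine.crt" >/dev/null 2>&1
}

# What ISE does with the client certificate: chain it to a trusted CA.
cert_chains_to_ca() {  # $1=cert  $2=CA cert
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# A cert/key mismatch is a silent EAP-TLS failure (the handshake aborts).
# Compare SubjectPublicKeyInfo digests so the check also works for EC keys.
key_matches_cert() {  # $1=cert  $2=key
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256) || return 1
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256) || return 1
  [ "$c" = "$k" ]
}

# "Private key protection on the endpoint": anything beyond owner read/write
# lets every local user impersonate the machine on the network.
key_is_private() {  # $1=key
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# No auto-enrollment timer exists here, so ask explicitly:
# returns 0 when the certificate expires within RENEW_BEFORE_DAYS.
renewal_due() {  # $1=cert
  ! openssl x509 -in "$1" -noout -checkend $((RENEW_BEFORE_DAYS * 86400)) >/dev/null 2>&1
}

# Verdict: "ok", "renew" (still valid, enrol the replacement now) or
# "broken" (would fail 802.1X or exposes the key; fix before anything else).
lifecycle_status() {  # $1=cert  $2=key  $3=CA cert
  if ! cert_chains_to_ca "$1" "$3" || ! key_matches_cert "$1" "$2" || ! key_is_private "$2"; then
    echo broken
  elif renewal_due "$1"; then
    echo renew
  else
    echo ok
  fi
}

main() {
  make_test_pki 365
  status=$(lifecycle_status "$WORK/machine.crt" "$WORK/machine.key" "$WORK/ca.crt")
  echo "$HOST: $status"
  if [ "$status" = renew ]; then
    make_renewal_csr "$WORK/machine-new.key" "$WORK/machine-new.csr"
    echo "CSR ready for submission to the CA: $WORK/machine-new.csr"
  fi
}
main
```

Run it from cron or a systemd timer against the real paths and treat "broken" as an incident, not a renewal: a chain failure usually means the CA certificate on the workstation is stale, and a key-permission failure means the machine identity may already have been copied.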

AD-Joined (Automatic)

# Certificate auto-enrolls via GPO (Certificate Services Client - Auto-Enrollment)
# Template: "Workstation Authentication" (or a duplicate with the required key size/validity)
# Renewal: automatic once 80% of the validity period has elapsed, or when the
#          template's renewal period is reached, whichever comes first
# Trigger an enrollment/renewal pass now instead of waiting for the next timer:
certutil -pulse

Trust Architecture

Both models use the same trust chain: the supplicant validates the ISE EAP server certificate against the CA it has been configured to trust, and ISE validates the client certificate against the CA that issued it (HOME-ROOT-CA in this lab). Neither check depends on domain membership.

[Diagram: PKI Trust Chain]

The only difference is how the client certificate is issued and renewed.

This Lab’s Architecture

This home lab (PRJ-ISE-HOME-LINUX) uses the standalone model:

  • Linux workstations are NOT domain-joined

  • Certificates are manually enrolled from HOME-ROOT-CA (Windows AD CS)

  • Certificate files stored in /etc/ssl/certs/ (certificate) and /etc/ssl/private/ (private key, readable by root only)

  • Renewal is manual (documented in Certificate Enrollment)

This proves EAP-TLS works on Linux without AD membership and validates the approach before an enterprise deployment, where AD-join would take over certificate issuance and renewal.