Home Network Infrastructure Overview

Overview

This document describes the Domus Digitalis home enterprise network infrastructure supporting Linux workstation 802.1X EAP-TLS authentication.

This is a HOME ENTERPRISE deployment, not a lab or test environment. All configurations follow enterprise security standards with production-grade infrastructure.

Network Topology

[Figure: Home Network Topology diagram]

Infrastructure Components

Core Networking

Component           | Model/Version      | IP Address    | Role
--------------------|--------------------|---------------|-----------------------------------------
Internet Gateway    | HUMAX BGW320-500   | 192.168.1.254 | AT&T Fiber 1Gbps
Firewall/Router     | pfSense CE 2.7.2   | 10.50.1.1     | Inter-VLAN routing, DNS, DHCP, Firewall
Access Switch       | Cisco 3560-CX      | 10.50.1.10    | 802.1X Authenticator, VLAN Trunking
Wireless Controller | Cisco C9800-CL     | 10.50.1.40    | CAPWAP controller for Aironet APs
Wireless AP         | Cisco Aironet 4800 | 10.50.10.101  | WiFi 5/6 (802.11ax)

Authentication & Identity Services

Component        | Model/Version             | IP Address | Role
-----------------|---------------------------|------------|-------------------------------
ISE PAN/Admin    | Cisco ISE 3.2             | 10.50.1.20 | Primary Admin Node + PSN
ISE PSN          | Cisco ISE 3.2             | 10.50.1.21 | Secondary Policy Services Node
Active Directory | Windows Server 2022       | 10.50.1.50 | AD DS + AD CS (ROOT CA)
Domain           | inside.domusdigitalis.dev | N/A        | Internal AD domain

Hypervisor Platform

Component     | Specification
--------------|-------------------------------------------
Model         | Supermicro E300-9D
CPU           | Intel Xeon D-2146NT (16-core, 32-thread)
RAM           | 128GB DDR4 ECC
Storage       | NVMe + NFS (Synology DS1621+)
Networking    | Dual 10GbE (Intel X710)
Management IP | 10.50.1.99

All infrastructure VMs (pfSense, ISE, DC, WLC) run on this hypervisor using KVM/QEMU.

VLAN Architecture

[Figure: VLAN Architecture diagram]

VLAN Segmentation

VLAN | Network       | Purpose                       | Access Control
-----|---------------|-------------------------------|----------------------------------------------------
100  | 10.50.1.0/24  | Management                    | Infrastructure only (ISE, DC, Switch, WLC, KVM)
10   | 10.50.10.0/24 | Corporate Data                | Authenticated users (EAP-PEAP, EAP-TLS)
20   | 10.50.20.0/24 | Voice                         | IP phones, video conferencing (QoS priority)
30   | 10.50.30.0/24 | Guest                         | Captive portal, Internet-only access
40   | 10.50.40.0/24 | Research / Linux Workstations | EAP-TLS machine authentication required
999  | N/A           | Critical Auth Fallback        | Auth failures, DHCP/DNS only, ISE remediation portal

VLAN 40 - Research Network (Linux Workstations)

This is the primary VLAN for Linux workstations with strict security requirements:

Security Posture:

  • 802.1X EAP-TLS machine authentication REQUIRED

  • Client certificates issued by AD CS (HOME-ROOT-CA)

  • Active Directory domain join REQUIRED

  • AD group membership: GRP-Linux-Admin-Workstations

  • ISE authorization rule: Linux_Admin_EAP-TLS

  • ISE authorization profile: Linux_EAPTLS_Admins

  • Downloadable ACL: LINUX_EAPTLS_PERMIT_ALL

Current Devices:

  • modestus-razer - Razer Blade 15 (Arch Linux)

  • modestus-p50 - ThinkPad P50 (Arch Linux)

Both workstations are:

  • Domain-joined to inside.domusdigitalis.dev

  • Members of GRP-Linux-Admin-Workstations

  • Configured with 802.1X wired + wireless

  • Using NetworkManager for connection management

Authentication Flow

802.1X EAP-TLS Sequence

  1. EAPOL Start - Client sends EAPOL-Start to switch

  2. RADIUS Access-Request - Switch relays the EAP-TLS exchange, including the client certificate, to ISE in RADIUS Access-Request messages

  3. AD Validation - ISE validates:

    • Computer account exists in AD

    • Computer is member of GRP-Linux-Admin-Workstations

  4. Certificate Validation - ISE checks:

    • Certificate issued by trusted ROOT CA

    • Certificate not revoked (CRL check)

    • Certificate subject matches computer account

  5. Authorization Decision - ISE applies policy:

    • Rule: Linux_Admin_EAP-TLS

    • Profile: Linux_EAPTLS_Admins

    • VLAN: 40

    • dACL: LINUX_EAPTLS_PERMIT_ALL

  6. Access Granted - Switch receives Access-Accept:

    • Assigns port to VLAN 40

    • Downloads ACL from ISE

    • Allows client network access
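The decision in steps 3 to 6, modelled in Python as an added example (not the original document's or Cisco ISE's code). It uses this page's rule, profile, VLAN and dACL names and checks them in the order the page lists them; how the certificate CN is mapped onto the AD computer account is an assumption, since that mapping is configurable in ISE.

```python
# Added example, not the page's or Cisco ISE's code: a model of the
# authorization decision in steps 3-6 using this page's rule, profile,
# VLAN and dACL names. ASSUMPTION: the AD computer account is derived from
# the certificate CN (host part, upper-cased, trailing "$").
from dataclasses import dataclass

TRUSTED_ISSUER_CN = "HOME-ROOT-CA"
DOMAIN = "inside.domusdigitalis.dev"
REQUIRED_GROUP = "GRP-Linux-Admin-Workstations"

@dataclass
class ClientCert:
    subject: str           # e.g. "O=Domus Digitalis, OU=Endpoints, CN=<fqdn>"
    issuer_cn: str         # CN of the issuing CA
    revoked: bool = False  # outcome of the CRL check

def parse_subject(subject: str) -> dict:
    """Split a comma-separated subject string into attribute -> value."""
    return dict(part.strip().split("=", 1) for part in subject.split(","))

def computer_account(cn: str) -> str:
    """Assumed mapping: 'modestus-razer.inside...' -> 'MODESTUS-RAZER$'."""
    return cn.split(".", 1)[0].upper() + "$"

def reject(reason: str) -> dict:
    # Access-Reject; per this page the port then lands in VLAN 999.
    return {"result": "Access-Reject", "fallback_vlan": 999, "reason": reason}

def authorize(cert: ClientCert, ad_computers: dict) -> dict:
    """ad_computers maps computer account -> set of AD group names."""
    cn = parse_subject(cert.subject).get("CN", "")
    acct = computer_account(cn)
    groups = ad_computers.get(acct)
    # Step 3: computer account exists and is in the Linux admin group.
    if groups is None:
        return reject(f"no AD computer account {acct}")
    if REQUIRED_GROUP not in groups:
        return reject(f"{acct} not in {REQUIRED_GROUP}")
    # Step 4: trusted root, not revoked, CN is the account's FQDN in our domain.
    if cert.issuer_cn != TRUSTED_ISSUER_CN:
        return reject(f"issuer {cert.issuer_cn} is not the trusted root CA")
    if cert.revoked:
        return reject("certificate revoked (CRL)")
    if cn.lower() != f"{acct[:-1].lower()}.{DOMAIN}":
        return reject("certificate CN does not match the computer account")
    # Steps 5-6: rule -> profile -> VLAN 40 + dACL carried in Access-Accept.
    return {"result": "Access-Accept", "rule": "Linux_Admin_EAP-TLS",
            "profile": "Linux_EAPTLS_Admins", "vlan": 40,
            "dacl": "LINUX_EAPTLS_PERMIT_ALL"}
```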

Network Services

DNS Resolution

Internal DNS (pfSense):

  • Domain: inside.domusdigitalis.dev

  • Primary NS: 10.50.1.1 (pfSense)

  • Secondary NS: 10.50.1.50 (home-dc01)

  • Forwarders: 1.1.1.1, 8.8.8.8

Key Records:

  • home-dc01.inside.domusdigitalis.dev → 10.50.1.50

  • ise-pan.inside.domusdigitalis.dev → 10.50.1.20

  • ise-psn.inside.domusdigitalis.dev → 10.50.1.21

  • wlc.inside.domusdigitalis.dev → 10.50.1.40

DHCP Scopes

VLAN                | Range                      | Lease Time
--------------------|----------------------------|-----------
10 (Data)           | 10.50.10.50 - 10.50.10.200 | 24 hours
20 (Voice)          | 10.50.20.50 - 10.50.20.200 | 12 hours
30 (Guest)          | 10.50.30.50 - 10.50.30.200 | 2 hours
40 (Research)       | 10.50.40.50 - 10.50.40.200 | 24 hours
999 (Critical Auth) | Limited pool               | 1 hour

Firewall Rules Summary

Default Policy: Deny all inter-VLAN traffic

Allowed Traffic:

  • VLAN 40 → All (Research has full network access)

  • VLAN 10 → Internet, Management (limited)

  • VLAN 30 → Internet only (Guest isolation)

  • All → DNS (10.50.1.1)

  • All → DHCP

Blocked Traffic:

  • VLAN 30 (Guest) → Internal networks

  • VLAN 999 → All except ISE portal

PKI Architecture

Certificate Authority Hierarchy

ROOT CA:

  • Name: HOME-ROOT-CA

  • Type: Enterprise Root CA

  • Server: home-dc01 (Windows Server 2022)

  • Validity: 20 years

  • Key: RSA 4096-bit

Certificate Templates:

  • Linux-Workstation-Auth - Client authentication

  • User-EAP-TLS - User authentication (future)

  • Web-Server - HTTPS certificates

Certificate Deployment

Linux Workstations:

  • Certificate: /etc/ssl/certs/<hostname>-eaptls.pem

  • Private Key: /etc/ssl/private/<hostname>-eaptls.key

  • CA Certificate: /etc/ssl/certs/HOME-ROOT-CA.pem

  • Subject: O=Domus Digitalis, OU=Endpoints, CN=<hostname>.inside.domusdigitalis.dev
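The workstation side of this deployment, as an added example (not the document's or NetworkManager's own code): it renders the NetworkManager keyfile for the wired EAP-TLS profile from the certificate paths and subject listed above, and checks that the private key file is readable by its owner only. It assumes the certificate CN is used as the EAP identity, that the key is an unencrypted PEM file, and the interface name is a placeholder.

```python
# Added example, not the page's or NetworkManager's code: renders the
# NetworkManager keyfile for the wired EAP-TLS profile from this page's
# certificate paths and checks the private key is owner-only.
# ASSUMPTIONS: EAP identity = certificate CN, unencrypted PEM key (hence
# private-key-password-flags=4, "not required"), interface name is a placeholder.
import os
import stat
import uuid

DOMAIN = "inside.domusdigitalis.dev"

def cert_paths(hostname: str) -> dict:
    """Certificate locations and subject as documented for <hostname>."""
    return {
        "client-cert": f"/etc/ssl/certs/{hostname}-eaptls.pem",
        "private-key": f"/etc/ssl/private/{hostname}-eaptls.key",
        "ca-cert": "/etc/ssl/certs/HOME-ROOT-CA.pem",
        "subject": f"O=Domus Digitalis, OU=Endpoints, CN={hostname}.{DOMAIN}",
    }

def render_keyfile(hostname: str, interface: str) -> str:
    """Keyfile body for /etc/NetworkManager/system-connections/<id>.nmconnection."""
    p = cert_paths(hostname)
    return "\n".join([
        "[connection]",
        f"id=wired-eaptls-{hostname}",
        f"uuid={uuid.uuid4()}",
        "type=ethernet",
        f"interface-name={interface}",      # placeholder, e.g. enp0s31f6
        "",
        "[802-1x]",
        "eap=tls;",
        f"identity={hostname}.{DOMAIN}",    # assumed: certificate CN as identity
        f"ca-cert={p['ca-cert']}",          # anchors trust to HOME-ROOT-CA only
        f"client-cert={p['client-cert']}",
        f"private-key={p['private-key']}",
        "private-key-password-flags=4",     # 4 = secret not required (PEM key)
        "",
        "[ipv4]", "method=auto", "", "[ipv6]", "method=auto", "",
    ])

def key_permissions_ok(path: str, expected_uid: int = 0) -> bool:
    """True only for a regular file owned by expected_uid with no group/other bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0 and st.st_uid == expected_uid
```

The rendered file itself must be owned by root with mode 0600 or NetworkManager ignores it; the wireless profile additionally needs [wifi] and [wifi-security] sections with key-mgmt=wpa-eap.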

Monitoring & Management

ISE Monitoring

  • Live Logs: Operations → RADIUS → Live Logs

  • MnT API: netapi ise mnt session <MAC>

  • DataConnect: netapi ise dc session <MAC>

Network Monitoring

Log Aggregation

All infrastructure components send logs to a centralized syslog server (future: Splunk/ELK).

Backup Strategy

  • Infrastructure VMs: Daily snapshots (NAS)

  • ISE Config: Weekly backups via CLI

  • pfSense Config: Weekly AutoConfigBackup

  • AD: System State backups (daily)

  • Certificates: Exported to encrypted vault