New Machine Deployment Checklist

Pre-Requisites

Step  Action                                                      Status
1     Verify network connectivity to DC (10.50.1.50)              [ ]
2     Verify network connectivity to ISE (10.50.1.21)             [ ]
3     Confirm DNS resolution works for inside.domusdigitalis.dev  [ ]
4     Identify wired interface name (ip link show)                [ ]

Phase 1: Certificate Enrollment

1.1 Generate Private Key

# HOSTNAME is read from /etc/hostname (e.g., modestus-razer); set it by hand if that file is empty
HOSTNAME=$(cat /etc/hostname)

# Generate 4096-bit key (no password for service use)
sudo openssl genrsa -out /etc/ssl/private/$HOSTNAME-eaptls.key 4096

# Secure permissions
sudo chmod 600 /etc/ssl/private/$HOSTNAME-eaptls.key
sudo chown root:root /etc/ssl/private/$HOSTNAME-eaptls.key

1.2 Generate CSR

HOSTNAME=$(cat /etc/hostname)
DOMAIN="inside.domusdigitalis.dev"

sudo openssl req -new \
  -key /etc/ssl/private/$HOSTNAME-eaptls.key \
  -out /tmp/$HOSTNAME.csr \
  -subj "/CN=$HOSTNAME.$DOMAIN"

# Verify CSR (subject must be CN=<hostname>.inside.domusdigitalis.dev)
openssl req -in /tmp/$HOSTNAME.csr -noout -subject

1.3 Submit to AD CS

HOSTNAME=$(cat /etc/hostname)

# Copy CSR to DC
scp /tmp/$HOSTNAME.csr home-dc01:C:/Certs/

# Sign certificate (run on DC or via SSH)
ssh home-dc01 "certreq -submit \
  -config \"HOME-DC01.inside.domusdigitalis.dev\\HOME-ROOT-CA\" \
  -attrib \"CertificateTemplate:Linux-Workstation-Auth\" \
  \"C:\\Certs\\$HOSTNAME.csr\" \"C:\\Certs\\$HOSTNAME.cer\""

# Retrieve signed certificate
scp home-dc01:C:/Certs/$HOSTNAME.cer /tmp/

1.4 Install Certificate

HOSTNAME=$(cat /etc/hostname)

# Convert to PEM
sudo openssl x509 -in /tmp/$HOSTNAME.cer \
  -out /etc/ssl/certs/$HOSTNAME-eaptls.pem

# Verify chain
openssl verify -CAfile /etc/ssl/certs/HOME-ROOT-CA.pem \
  /etc/ssl/certs/$HOSTNAME-eaptls.pem

# Check EKU (must show "TLS Web Client Authentication")
openssl x509 -in /etc/ssl/certs/$HOSTNAME-eaptls.pem \
  -noout -text | grep -A2 "Extended Key Usage"

Phase 2: wpa_supplicant Configuration

2.1 Create Config Directory

sudo mkdir -p /etc/wpa_supplicant

2.2 Create Wired Config

HOSTNAME=$(cat /etc/hostname)
DOMAIN="inside.domusdigitalis.dev"

# Unquoted EOF so that $HOSTNAME and $DOMAIN expand into the file
sudo tee /etc/wpa_supplicant/wpa_supplicant-wired.conf << EOF
ctrl_interface=/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=2
ap_scan=0
fast_reauth=1

network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="$HOSTNAME.$DOMAIN"
    ca_cert="/etc/ssl/certs/HOME-ROOT-CA.pem"
    client_cert="/etc/ssl/certs/$HOSTNAME-eaptls.pem"
    private_key="/etc/ssl/private/$HOSTNAME-eaptls.key"
    eapol_flags=0
}
EOF

# Secure config
sudo chmod 600 /etc/wpa_supplicant/wpa_supplicant-wired.conf
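Before running the manual test, it is worth checking the generated config for the two mistakes that silently break this setup: a heredoc written with a quoted delimiter (so identity= still contains a literal $HOSTNAME) and a private key readable by more than root. The script below is an added example, not part of the original checklist; the function names are mine and both config samples are constructed.

```shell
#!/bin/sh
# Added example: sanity-check wpa_supplicant-wired.conf from step 2.2 before
# step 2.3. Function names and sample configs are constructed for this example.

# wired_conf_text_ok CONFIG_TEXT HOST DOMAIN -> returns 0 if the text is sound,
# otherwise prints each problem and returns the number of problems found.
wired_conf_text_ok() {
    conf="$1"; host="$2"; domain="$3"; bad=0
    for kv in 'key_mgmt=IEEE8021X' 'eap=TLS' 'ap_scan=0' 'eapol_flags=0'; do
        printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*$kv[[:space:]]*$" \
            || { echo "missing setting: $kv"; bad=$((bad + 1)); }
    done
    # A literal $ in the file means the heredoc delimiter was quoted and nothing expanded.
    if printf '%s\n' "$conf" | grep -q '\$'; then
        echo "unexpanded shell variable in config (heredoc delimiter quoted?)"; bad=$((bad + 1))
    fi
    printf '%s\n' "$conf" | grep -Fq "identity=\"$host.$domain\"" \
        || { echo "identity does not match $host.$domain"; bad=$((bad + 1)); }
    return $bad
}

# private_key_perms_ok KEYFILE -> 0 if the key exists and is exactly mode 0600
# (find prints the path only when the -perm test matches).
private_key_perms_ok() {
    [ -f "$1" ] || { echo "private key $1 missing"; return 1; }
    find "$1" -perm 600 | grep -q . \
        || { echo "private key $1 is not mode 0600"; return 1; }
}

# Constructed sample: what step 2.2 produces for modestus-razer with an unquoted EOF.
SAMPLE_CONF_GOOD='ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="modestus-razer.inside.domusdigitalis.dev"
    ca_cert="/etc/ssl/certs/HOME-ROOT-CA.pem"
    client_cert="/etc/ssl/certs/modestus-razer-eaptls.pem"
    private_key="/etc/ssl/private/modestus-razer-eaptls.key"
    eapol_flags=0
}'
# Constructed sample: the same heredoc with the delimiter quoted, so nothing expanded.
SAMPLE_CONF_BAD='ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="$HOSTNAME.$DOMAIN"
    eapol_flags=0
}'
```

On a real machine, run it as `wired_conf_text_ok "$(sudo cat /etc/wpa_supplicant/wpa_supplicant-wired.conf)" "$(cat /etc/hostname)" inside.domusdigitalis.dev` followed by `private_key_perms_ok /etc/ssl/private/$(cat /etc/hostname)-eaptls.key` (as root).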

2.3 Manual Test

# Get your wired interface name
IFACE=$(ip -br link | grep -E "^en|^eth" | awk '{print $1}' | head -1)
echo "Wired interface: $IFACE"

# Test manually (Ctrl+C to stop)
sudo wpa_supplicant -i $IFACE \
  -c /etc/wpa_supplicant/wpa_supplicant-wired.conf \
  -D wired

# Expected output:
# - "CTRL-EVENT-EAP-SUCCESS"
# - "CTRL-EVENT-CONNECTED"

Phase 3: Systemd Service

3.1 Enable Service

# Get interface name
IFACE=$(ip -br link | grep -E "^en|^eth" | awk '{print $1}' | head -1)

# Enable and start service
sudo systemctl enable wpa_supplicant-wired@$IFACE.service
sudo systemctl start wpa_supplicant-wired@$IFACE.service

# Check status
sudo systemctl status wpa_supplicant-wired@$IFACE

3.2 Verify Authentication

IFACE=$(ip -br link | grep -E "^en|^eth" | awk '{print $1}' | head -1)

# Check wpa_supplicant status
sudo wpa_cli -i $IFACE status

# View logs
sudo journalctl -u wpa_supplicant-wired@$IFACE --since "5 minutes ago"
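The manual test in 2.3 and the status check in 3.2 both leave you reading output by eye. The functions below, an added example that is not part of the original checklist, turn the CTRL-EVENT lines and the `wpa_cli status` fields into a pass/fail answer; the function names are mine and all sample output is constructed.

```shell
#!/bin/sh
# Added example: classify wpa_supplicant output from steps 2.3 and 3.2.
# Function names are mine; the sample status and log text is constructed.

# has_line PATTERN TEXT -> 0 if any line of TEXT matches PATTERN
has_line() { printf '%s\n' "$2" | grep -q "$1"; }

# wpa_status_ok STATUS_TEXT -> 0 when `wpa_cli -i IFACE status` reports a
# completed EAP-TLS authentication with the port authorized by the switch;
# otherwise prints the first failing check and returns 1.
wpa_status_ok() {
    has_line '^wpa_state=COMPLETED$' "$1"       || { echo "wpa_state is not COMPLETED"; return 1; }
    has_line '^suppPortStatus=Authorized$' "$1" || { echo "port not Authorized: switch still blocking"; return 1; }
    has_line '^EAP state=SUCCESS$' "$1"         || { echo "EAP state is not SUCCESS"; return 1; }
    has_line '^selectedMethod=13' "$1"          || { echo "negotiated method is not EAP-TLS (13)"; return 1; }
}

# wpa_log_result LOG_TEXT -> prints "success", "failure" or "pending" from the
# foreground wpa_supplicant output (2.3) or journalctl output (3.2).
wpa_log_result() {
    if has_line 'CTRL-EVENT-EAP-FAILURE' "$1"; then
        echo failure
    elif has_line 'CTRL-EVENT-EAP-SUCCESS' "$1" && has_line 'CTRL-EVENT-CONNECTED' "$1"; then
        echo success
    else
        echo pending
    fi
}

# Constructed sample of `wpa_cli -i enp130s0 status` after a good authentication.
SAMPLE_STATUS_GOOD='wpa_state=COMPLETED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)'
# Constructed sample where the switch has not authorized the port.
SAMPLE_STATUS_BAD='wpa_state=ASSOCIATED
suppPortStatus=Unauthorized
EAP state=IDLE'
# Constructed samples of the foreground wpa_supplicant output from 2.3.
SAMPLE_LOG_OK='enp130s0: CTRL-EVENT-EAP-STARTED EAP authentication started
enp130s0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
enp130s0: CTRL-EVENT-CONNECTED - Connection to 01:80:c2:00:00:03 completed'
SAMPLE_LOG_FAIL='enp130s0: CTRL-EVENT-EAP-STARTED EAP authentication started
enp130s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed'
```

On a live machine: `wpa_status_ok "$(sudo wpa_cli -i $IFACE status)"` and `wpa_log_result "$(sudo journalctl -u wpa_supplicant-wired@$IFACE --since '5 minutes ago')"`.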

Phase 4: Verification

4.1 ISE Session Check

# Get MAC address
IFACE=$(ip -br link | grep -E "^en|^eth" | awk '{print $1}' | head -1)
MAC=$(ip link show $IFACE | grep ether | awk '{print $2}')

# Check ISE session (requires netapi)
netapi ise mnt session $MAC

4.2 Switch Session Check

# Find your switch port and check session
netapi ios exec "show authentication sessions"

Quick Reference: Interface Names

Machine                          Wired Interface         MAC Address
ThinkPad P50 (modestus-p50)      enp0s31f6               C8:5B:76:C6:59:62
Razer Blade 18 (modestus-razer)  enp130s0                98:BB:1E:1F:A7:13
Generic USB Ethernet             enp0sXXuX or enpXsXuX   varies

Find your interface: ip -br link show | grep -v "lo\|docker\|veth\|virbr"

Example: modestus-razer Deployment

This walkthrough shows the exact commands for deploying 802.1X on the Razer Blade 18.

Pre-Flight Check

# 1. Verify connectivity (you should be on WiFi)
ping -c 2 10.50.1.50  # DC
ping -c 2 10.50.1.21  # ISE

# 2. Confirm interface name
ip -br link show enp130s0

# 3. Verify CA cert exists
ls -la /etc/ssl/certs/HOME-ROOT-CA.pem

Certificate Enrollment

# Generate private key
sudo openssl genrsa -out /etc/ssl/private/modestus-razer-eaptls.key 4096
sudo chmod 600 /etc/ssl/private/modestus-razer-eaptls.key

# Generate CSR
sudo openssl req -new \
  -key /etc/ssl/private/modestus-razer-eaptls.key \
  -out /tmp/modestus-razer.csr \
  -subj "/CN=modestus-razer.inside.domusdigitalis.dev"

# Copy to DC
scp /tmp/modestus-razer.csr home-dc01:C:/Certs/

On Windows DC (PowerShell as Admin)

# Sign the CSR
certreq -submit `
  -config "{ad-server}\HOME-ROOT-CA" `
  -attrib "CertificateTemplate:Linux-Workstation-Auth" `
  "C:\Certs\modestus-razer.csr" "C:\Certs\modestus-razer.cer"

Back on Linux

# Retrieve and install
scp home-dc01:C:/Certs/modestus-razer.cer /tmp/
sudo openssl x509 -in /tmp/modestus-razer.cer \
  -out /etc/ssl/certs/modestus-razer-eaptls.pem

# Verify
openssl verify -CAfile /etc/ssl/certs/HOME-ROOT-CA.pem \
  /etc/ssl/certs/modestus-razer-eaptls.pem

wpa_supplicant Configuration

# Create config
sudo tee /etc/wpa_supplicant/wpa_supplicant-wired.conf << 'EOF'
ctrl_interface=/run/wpa_supplicant
ctrl_interface_group=wheel
eapol_version=2
ap_scan=0
fast_reauth=1

network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="modestus-razer.inside.domusdigitalis.dev"
    ca_cert="/etc/ssl/certs/HOME-ROOT-CA.pem"
    client_cert="/etc/ssl/certs/modestus-razer-eaptls.pem"
    private_key="/etc/ssl/private/modestus-razer-eaptls.key"
    eapol_flags=0
}
EOF

sudo chmod 600 /etc/wpa_supplicant/wpa_supplicant-wired.conf

Manual Test (BEFORE enabling service)

Test manually first while you still have WiFi connectivity!

# Plug in ethernet cable first!

# Run wpa_supplicant in foreground (Ctrl+C to stop)
sudo wpa_supplicant -i enp130s0 \
  -c /etc/wpa_supplicant/wpa_supplicant-wired.conf \
  -D wired

# Watch for:
# - "CTRL-EVENT-EAP-STARTED"
# - "CTRL-EVENT-EAP-SUCCESS"
# - "CTRL-EVENT-CONNECTED"

# If you see errors, Ctrl+C and troubleshoot before enabling service

Enable Service (only after successful test)

# Enable service
sudo systemctl enable wpa_supplicant-wired@enp130s0.service
sudo systemctl start wpa_supplicant-wired@enp130s0.service

# Verify
sudo systemctl status wpa_supplicant-wired@enp130s0
sudo wpa_cli -i enp130s0 status

Rollback (If Locked Out)

If 802.1X fails and you lose network:

# Stop wpa_supplicant
sudo systemctl stop wpa_supplicant-wired@<interface>
sudo systemctl disable wpa_supplicant-wired@<interface>

# Kill any manual instances
sudo pkill wpa_supplicant

# Network should fall back to MAB or open mode
# (depends on switch configuration)

Checklist Summary

  • Private key generated and secured

  • CSR created and submitted to AD CS

  • Certificate signed with correct EKU

  • Certificate chain verified

  • wpa_supplicant config created

  • Manual test successful

  • Systemd service enabled

  • ISE shows authenticated session