Workstation Deployment Status

Overview

This page tracks the deployment status of 802.1X EAP-TLS authentication for each Linux workstation in the home lab.

modestus-p50 (ThinkPad P50)

Hardware:         ThinkPad P50 (Intel i7-6820HQ, Quadro M2000M)
Wired Interface:  enp0s31f6
WiFi Interface:   wlan0
Wired MAC:        C8:5B:76:C6:59:62
WiFi MAC:         14:F6:D8:7B:31:80

Deployment Status

Task                      Details                                       Status
Domain Join               inside.domusdigitalis.dev                     [x] Done
CA Certificate            /etc/ssl/certs/HOME-ROOT-CA.pem               [x] Done
Client Certificate        /etc/ssl/certs/modestus-p50-eaptls.pem        [x] Done
Private Key               /etc/ssl/private/modestus-p50-eaptls.key      [x] Done
wpa_supplicant (Wired)    wpa_supplicant-wired@enp0s31f6.service        [x] Disabled (migrated)
wpa_supplicant (WiFi)     wpa_supplicant-wifi@wlan0.service             [x] Active
NetworkManager (Wired)    Wired-802.1X connection - EAP-TLS working     [x] Done (2026-01-26)
NetworkManager (WiFi)     Migrate from wpa_supplicant                   [ ] Pending

Next Steps

  1. Stop wpa_supplicant-wired@enp0s31f6.service

  2. Create NetworkManager wired 802.1X connection

  3. Verify ISE session

  4. Stop wpa_supplicant-wifi@wlan0.service

  5. Create NetworkManager WiFi connection for Domus-Secure

  6. Verify ISE session
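The NetworkManager profile that steps 2 and 5 create, as an added example (not part of this page or the lab's own tooling): a small Python generator that emits the keyfile form of an EAP-TLS connection using this page's certificate paths and CN convention, plus a check for the owner-only (600) private key. The helper names, the deterministic UUID scheme and the optional domain-suffix-match value are assumptions.

```python
import configparser
import stat
import uuid

# Constructed example: naming follows this page (<host>-eaptls.pem/.key,
# CN=<host>.inside.domusdigitalis.dev); helper names are assumptions.
DOMAIN = "inside.domusdigitalis.dev"
CA_CERT = "/etc/ssl/certs/HOME-ROOT-CA.pem"


def build_keyfile(host, iface, wifi_ssid=None, server_suffix=None):
    """Return NetworkManager keyfile text for an EAP-TLS profile on iface."""
    conn_id = f"{wifi_ssid}-802.1X" if wifi_ssid else "Wired-802.1X"
    # Deterministic UUID: re-running the generator updates, not duplicates.
    conn_uuid = uuid.uuid5(uuid.NAMESPACE_DNS, f"{conn_id}.{host}.{DOMAIN}")
    lines = ["[connection]", f"id={conn_id}", f"uuid={conn_uuid}",
             f"type={'wifi' if wifi_ssid else 'ethernet'}",
             f"interface-name={iface}", ""]
    if wifi_ssid:
        lines += ["[wifi]", f"ssid={wifi_ssid}", "mode=infrastructure", "",
                  "[wifi-security]", "key-mgmt=wpa-eap", ""]
    else:
        lines += ["[ethernet]", ""]
    lines += ["[802-1x]",
              "eap=tls;",  # keyfile writes list values with a trailing ';'
              f"identity={host}.{DOMAIN}",
              f"ca-cert={CA_CERT}",
              f"client-cert=/etc/ssl/certs/{host}-eaptls.pem",
              f"private-key=/etc/ssl/private/{host}-eaptls.key"]
    if server_suffix:
        # Pin the RADIUS server certificate to a DNS suffix (assumed value).
        lines.append(f"domain-suffix-match={server_suffix}")
    lines += ["", "[ipv4]", "method=auto", "", "[ipv6]", "method=auto", ""]
    return "\n".join(lines)


def parse_keyfile(text):
    """Parse keyfile text into {section: {key: value}} for checking."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def key_mode_ok(st_mode):
    """True when the private key has owner-only access (the page's 600 perms)."""
    return stat.S_IMODE(st_mode) == 0o600
```

Write the output to /etc/NetworkManager/system-connections/<id>.nmconnection as root with mode 0600, then run nmcli connection reload so NetworkManager picks it up.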

modestus-razer (Razer Blade 18)

Hardware:         Razer Blade 18 (Intel Ultra 9 275HX, RTX 5090)
Wired Interface:  enp130s0
WiFi Interface:   wlan0
Wired MAC:        98:BB:1E:1F:A7:13
WiFi MAC:         (check with ip link show wlan0)

Deployment Status

Task                      Details                                                          Status
Domain Join               INSIDE.DOMUSDIGITALIS.DEV via SSSD                               [x] Done (2026-01-27)
CA Certificate            /etc/ssl/certs/HOME-ROOT-CA.pem                                  [x] Done
Client Certificate        /etc/ssl/certs/modestus-razer-eaptls.pem (expires 2028-01-28)    [x] Done
Private Key               /etc/ssl/private/modestus-razer-eaptls.key (600 perms)           [x] Done
NetworkManager (Wired)    Wired-802.1X - EAP-TLS on enp130s0                               [x] Done (2026-01-27)
NetworkManager (WiFi)     Domus-Secure-802.1X - EAP-TLS on wlan0                           [x] Done (2026-01-27)
wpa_supplicant            Migrated to NetworkManager - services inactive                   [x] Done

Certificate Details

Subject:  CN=modestus-razer.inside.domusdigitalis.dev
Issuer:   HOME-ROOT-CA (Two-tier PKI: ROOT-CA → ISSUING-CA)
Expires:  Jan 28, 2028 GMT

Verified Working

  • Wired 802.1X EAP-TLS authentication to ISE

  • WiFi 802.1X EAP-TLS to Domus-Secure SSID

  • Zero-trust dACL applied (LINUX_RESEARCH_ZERO_TRUST_V2)

  • AD domain membership with SSSD/Kerberos

Quick Commands

Check Current Status

# P50 - Check wpa_supplicant services
systemctl status wpa_supplicant-wired@enp0s31f6
systemctl status wpa_supplicant-wifi@wlan0

# Razer - Check domain join status
realm list

# Check certificates
ls -la /etc/ssl/certs/*-eaptls.pem
ls -la /etc/ssl/private/*-eaptls.key

# Check ISE sessions
dsource d000 dev/network
netapi ise mnt sessions

Verify ISE Authentication

# P50
netapi ise mnt session C8:5B:76:C6:59:62  # Wired
netapi ise mnt session 14:F6:D8:7B:31:80  # WiFi

# Razer (after deployment)
netapi ise mnt session 98:BB:1E:1F:A7:13  # Wired

Troubleshooting Notes

ISE MnT Connection Timeout (2026-01-26)

Symptom: netapi ise mnt session times out connecting to ise-01

Cause: ISE_MNT_FQDN in dsec pointed to ise-01 (offline), but only ise-02 was active.

Fix:

DSEC_EVAL_VERIFIED=true dsec edit d000 dev/network

# Change:
# ISE_MNT_FQDN={<ise-02-hostname>}  # ise-01 (offline)
# To:
# ISE_MNT_FQDN={<ise-01-hostname>}  # ise-02 (active)

dsource d000 dev/network

Revert when ise-01 comes back online, or update the device numbering to match the hostnames.