Zero-Trust Validation
Validate that your 802.1X deployment is working correctly and that zero-trust network segmentation is properly enforced.
1. Deployment Readiness Check
Before connecting to the network, verify all prerequisites are met.
1.1. Pre-Connection Checklist
- LUKS encryption verified (lsblk -f shows crypto_LUKS)
- AD domain joined (realm list shows configured)
- Machine certificate installed in /etc/ssl/certs
- Private key installed in /etc/ssl/private with 600 permissions
- Root CA certificate installed
- NetworkManager 802.1X connection configured
- System clock synchronized via NTP
1.2. Readiness Check Script
#!/bin/bash
# deployment-readiness.sh - Verify all prerequisites before 802.1X connection
# File names follow this deployment's convention (<host>-eaptls.pem/.key and
# HOME-ROOT-CA.pem); adjust them for yours.
echo "=== Deployment Readiness Check ==="
echo ""
PASS=0
FAIL=0
# check NAME CMD: run CMD quietly, print PASS/FAIL and keep the tally
check() {
    local name="$1"
    local cmd="$2"
    if eval "$cmd" >/dev/null 2>&1; then
        echo "[PASS] $name"
        ((PASS++))
    else
        echo "[FAIL] $name"
        ((FAIL++))
    fi
}
echo "1. Domain Join Status:"
check "Domain joined" "realm list | grep -q 'configured:'"
realm list 2>/dev/null | grep -E "(realm-name|configured)" | sed 's/^/    /'
echo ""
echo "2. Disk Encryption:"
check "LUKS encryption" "lsblk -f | grep -q crypto_LUKS"
lsblk -f 2>/dev/null | grep crypto_LUKS | head -3 | sed 's/^/    /'
echo ""
echo "3. Certificate Status:"
CERT="/etc/ssl/certs/$(hostname -s)-eaptls.pem"
KEY="/etc/ssl/private/$(hostname -s)-eaptls.key"
check "Machine certificate exists" "test -f '$CERT'"
check "Private key exists" "test -f '$KEY'"
# -x matches the whole mode string, so only an exact 600 passes
check "Key permissions (600)" "stat -c %a '$KEY' | grep -qx 600"
# A certificate that is present but expired passes 'test -f' and fails at EAP time
check "Certificate not expired" "openssl x509 -in '$CERT' -noout -checkend 0"
if [ -f "$CERT" ]; then
    echo "    Certificate expires: $(openssl x509 -in "$CERT" -noout -enddate 2>/dev/null | cut -d= -f2)"
fi
echo ""
echo "4. NetworkManager 802.1X:"
check "NM connection exists" "nmcli connection show 'Wired-802.1X'"
nmcli connection show "Wired-802.1X" 2>/dev/null | grep -E "802-1x\.(eap|identity|client-cert)" | sed 's/^/    /'
echo ""
echo "5. Time Synchronization:"
# EAP-TLS validates certificate lifetimes on both sides; a skewed clock fails authentication
check "NTP synchronized" "timedatectl show --property=NTPSynchronized --value | grep -q yes"
timedatectl status 2>/dev/null | grep -E "(Local time|NTP)" | sed 's/^/    /'
echo ""
echo "6. Root CA Trust:"
check "Root CA installed" "test -f /etc/ssl/certs/HOME-ROOT-CA.pem"
echo ""
echo "=== Summary ==="
echo "Passed: $PASS"
echo "Failed: $FAIL"
if [ $FAIL -eq 0 ]; then
    echo ""
    echo "All checks passed. Ready for 802.1X connection."
    exit 0
else
    echo ""
    echo "Some checks failed. Resolve issues before connecting."
    exit 1
fi
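The readiness script only checks that the certificate files exist, are readable and are not expired. The failures that actually cost time in an EAP-TLS rollout are a private key that does not belong to the certificate, a certificate that does not chain to the root the switch-side RADIUS server trusts, and a certificate without the client-authentication EKU. The following script is an added example, not part of the original page; it assumes only openssl and coreutils, takes the three paths as arguments (the page's naming convention is /etc/ssl/certs/<host>-eaptls.pem, /etc/ssl/private/<host>-eaptls.key and /etc/ssl/certs/HOME-ROOT-CA.pem), and builds a throwaway test PKI in a temporary directory so the checks can be exercised offline.

```shell
#!/bin/bash
# eaptls-cert-check.sh - consistency checks on an EAP-TLS machine certificate.
# Added example (not the page's script). Needs only openssl and coreutils.
# Usage: eaptls-cert-check.sh CERT KEY ROOT_CA

# 0 if the private key's public half equals the certificate's public key.
# A present-but-wrong key passes 'test -f' and fails only during EAP-TLS.
cert_key_match() {
    local cert="$1" key="$2" c k
    [ -r "$cert" ] && [ -r "$key" ] || return 1
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256) || return 1
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256) || return 1
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 && [ "$c" = "$k" ]
}

# 0 if the certificate verifies against the given root CA.
cert_chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# 0 if the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# 0 if Extended Key Usage includes TLS client authentication, which
# authentication servers commonly require in a supplicant certificate.
cert_has_client_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Extended Key Usage' | grep -q 'TLS Web Client Authentication'
}

# Constructed test PKI (a root, a clientAuth leaf, an unrelated key) so the
# checks can be run without a real deployment. Prints the directory.
make_test_pki() {
    local d
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
        -keyout "$d/host.key" -out "$d/host.csr" >/dev/null 2>&1
    printf 'extendedKeyUsage=clientAuth\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/host.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -days 90 -extfile "$d/ext.cnf" -out "$d/host.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out "$d/other.key" >/dev/null 2>&1
    echo "$d"
}

# report LABEL CMD...: print PASS/FAIL for one check, return its status
report() {
    local label="$1"; shift
    if "$@"; then echo "[PASS] $label"; else echo "[FAIL] $label"; return 1; fi
}

main() {
    local cert="$1" key="$2" ca="$3" rc=0
    report "private key matches certificate"    cert_key_match "$cert" "$key"   || rc=1
    report "certificate chains to root CA"      cert_chains_to_ca "$cert" "$ca" || rc=1
    report "certificate valid for 30 more days" cert_valid_for_days "$cert" 30  || rc=1
    report "EKU includes TLS client auth"       cert_has_client_auth "$cert"    || rc=1
    return $rc
}

# Only run when given the three paths; sourcing the file just defines the checks.
if [ $# -eq 3 ]; then main "$@"; fi
```

Run it as `./eaptls-cert-check.sh /etc/ssl/certs/$(hostname -s)-eaptls.pem /etc/ssl/private/$(hostname -s)-eaptls.key /etc/ssl/certs/HOME-ROOT-CA.pem` before the first 802.1X attempt; the key comparison needs read access to the private key, so run it as root.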
2. 802.1X Connection Verification
After connecting, verify authentication succeeded.
2.1. Connection Status Script
#!/bin/bash
# 8021x-status.sh - Check 802.1X connection status
echo "=== 802.1X Connection Status ==="
echo ""
echo "1. NetworkManager Connection:"
nmcli connection show --active | grep -E "(NAME|Wired-802.1X)"
echo ""
echo "2. Interface Status:"
nmcli device status | grep -E "(DEVICE|ethernet)"
echo ""
echo "3. IP Configuration:"
# Select the active wired connection's device by type; taking the first active
# connection can return lo or a VPN tunnel instead of the 802.1X port
IFACE=$(nmcli -t -f DEVICE,TYPE connection show --active | awk -F: '$2=="802-3-ethernet" {print $1; exit}')
ip addr show "$IFACE" 2>/dev/null | grep -E "(inet |link/ether)"
echo ""
echo "4. Default Gateway:"
ip route show default
echo ""
echo "5. DNS Configuration:"
grep -E "(nameserver|search)" /etc/resolv.conf
echo ""
echo "6. 802.1X Details:"
nmcli connection show "Wired-802.1X" 2>/dev/null | grep -E "802-1x\." | head -10
echo ""
echo "7. EAP Result (wpa_supplicant, this boot):"
# An IP address alone proves nothing: a port that fell back to a guest or
# fail-open VLAN also hands one out. The supplicant's EAP verdict is the proof.
journalctl -u wpa_supplicant -b --no-pager 2>/dev/null | grep -E "CTRL-EVENT-EAP-(SUCCESS|FAILURE)" | tail -3
3. Zero-Trust ACL Validation
NOTE: Zero-trust means the dACL blocks lateral movement to internal systems while permitting required services. Both conditions must be verified: a dACL that drops everything fails the permit tests, and one that drops nothing fails the block tests.
3.1. Zero-Trust Test Script
#!/bin/bash
# test-zero-trust.sh - Validate zero-trust ACL is properly applied
#
# Tests that:
#   1. Permitted traffic (DNS, AD, internet) works
#   2. Blocked traffic (internal hosts, management) fails
#
# If blocked tests PASS (reach internal hosts), dACL is BROKEN!
#
# Caveat: a block test counts as blocked on ANY failure. A fast "connection
# refused" still means the packet reached the host and only the port was
# closed; a silent timeout is what a dACL deny looks like from the client.
echo "=== Zero-Trust ACL Validation ==="
echo ""
# The tests are only as good as the tools behind them: with nc or nslookup
# missing, every permit test fails and every block test passes vacuously.
for tool in nslookup curl ping nc timeout; do
    command -v "$tool" >/dev/null 2>&1 || { echo "Missing tool: $tool"; exit 2; }
done
PASS=0
FAIL=0
# Test function for permitted traffic (should succeed)
test_permit() {
    local name="$1"
    local cmd="$2"
    echo -n "Test: $name ... "
    if eval "$cmd" >/dev/null 2>&1; then
        echo "PASS"
        ((PASS++))
    else
        echo "FAIL (should be permitted)"
        ((FAIL++))
    fi
}
# Test function for blocked traffic (should fail/timeout)
test_block() {
    local name="$1"
    local cmd="$2"
    echo -n "Test: $name ... "
    if ! eval "$cmd" >/dev/null 2>&1; then
        echo "CORRECTLY BLOCKED"
        ((PASS++))
    else
        echo "FAIL - NOT BLOCKED (dACL broken!)"
        ((FAIL++))
    fi
}
echo "=== Testing PERMITTED traffic ==="
echo ""
# DNS
test_permit "DNS to gateway (10.50.1.1)" \
    "timeout 3 nslookup google.com 10.50.1.1"
test_permit "DNS to DC (10.50.1.50)" \
    "timeout 3 nslookup google.com 10.50.1.50"
# Internet
test_permit "HTTPS to internet" \
    "timeout 5 curl -s --connect-timeout 3 https://www.google.com"
test_permit "Internet ICMP (8.8.8.8)" \
    "timeout 3 ping -c 1 8.8.8.8"
# AD Services
test_permit "Kerberos to DC (10.50.1.50:88)" \
    "timeout 3 nc -zw2 10.50.1.50 88"
test_permit "LDAP to DC (10.50.1.50:389)" \
    "timeout 3 nc -zw2 10.50.1.50 389"
test_permit "LDAPS to DC (10.50.1.50:636)" \
    "timeout 3 nc -zw2 10.50.1.50 636"
# ISE
test_permit "ISE Admin (10.50.1.21:8443)" \
    "timeout 3 nc -zw2 10.50.1.21 8443"
echo ""
echo "=== Testing BLOCKED traffic (should timeout) ==="
echo ""
# Internal ICMP should be blocked
test_block "Ping to pfSense (10.50.1.1) - should FAIL" \
    "timeout 2 ping -c 1 10.50.1.1"
test_block "Ping to switch (10.50.1.10) - should FAIL" \
    "timeout 2 ping -c 1 10.50.1.10"
# Management access should be blocked
test_block "SSH to switch (10.50.1.10:22) - should FAIL" \
    "timeout 2 nc -zw1 10.50.1.10 22"
test_block "HTTPS to pfSense (10.50.1.1:443) - should FAIL" \
    "timeout 2 nc -zw1 10.50.1.1 443"
# NAS access should be blocked (unless explicitly permitted)
test_block "SMB to NAS (10.50.1.70:445) - should FAIL" \
    "timeout 2 nc -zw1 10.50.1.70 445"
echo ""
echo "=== Summary ==="
echo "Passed: $PASS"
echo "Failed: $FAIL"
echo ""
if [ $FAIL -eq 0 ]; then
    echo "Zero-trust ACL is properly configured."
    exit 0
else
    echo "WARNING: Some tests failed!"
    echo "If blocked tests passed, the zero-trust ACL is NOT working!"
    exit 1
fi
3.2. Expected Results
All 13 tests (8 permitted, 5 blocked) should report PASS or CORRECTLY BLOCKED:
=== Testing PERMITTED traffic ===
Test: DNS to gateway (10.50.1.1) ... PASS
Test: DNS to DC (10.50.1.50) ... PASS
Test: HTTPS to internet ... PASS
Test: Internet ICMP (8.8.8.8) ... PASS
Test: Kerberos to DC (10.50.1.50:88) ... PASS
Test: LDAP to DC (10.50.1.50:389) ... PASS
Test: LDAPS to DC (10.50.1.50:636) ... PASS
Test: ISE Admin (10.50.1.21:8443) ... PASS
=== Testing BLOCKED traffic (should timeout) ===
Test: Ping to pfSense (10.50.1.1) - should FAIL ... CORRECTLY BLOCKED
Test: Ping to switch (10.50.1.10) - should FAIL ... CORRECTLY BLOCKED
Test: SSH to switch (10.50.1.10:22) - should FAIL ... CORRECTLY BLOCKED
Test: HTTPS to pfSense (10.50.1.1:443) - should FAIL ... CORRECTLY BLOCKED
Test: SMB to NAS (10.50.1.70:445) - should FAIL ... CORRECTLY BLOCKED
WARNING: If any "should FAIL" test shows PASS, the zero-trust dACL is BROKEN. Lateral movement is possible: the workstation can reach internal systems it shouldn't.
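The test script above treats every connection failure as "CORRECTLY BLOCKED", which hides one dangerous case: a TCP RST ("connection refused") comes straight from the target host, so the packet crossed the dACL and only the port was closed. The script below is an added example, not the page's code; it needs nothing beyond bash's /dev/tcp redirection and coreutils timeout (no nc), classifies each probe as open, refused, unreachable or filtered, and grades a "should be blocked" target as PASS only for a silent drop. The target list reuses the page's lab addresses purely for illustration.

```shell
#!/bin/bash
# probe-classify.sh - tell "silently dropped" from "reached the host".
# Added example (not the page's script). Uses bash /dev/tcp and coreutils timeout.

# Map an exit status plus stderr text to a verdict. Kept free of network
# calls so the decision logic can be tested on its own.
#   open         handshake completed: traffic permitted
#   refused      RST came back: the packet reached the host and the dACL did
#                not drop it; the port merely is not listening
#   unreachable  ICMP error (no route, administratively prohibited): rejected
#                on the path, but loudly
#   filtered     nothing came back before the deadline: silently dropped,
#                which is what a dACL deny looks like from the client
classify_probe() {
    local rc="$1" err="$2"
    if [ "$rc" -eq 124 ]; then echo filtered
    elif [ "$rc" -eq 0 ]; then echo open
    elif printf '%s' "$err" | grep -qi refused; then echo refused
    else echo unreachable
    fi
}

# probe_tcp HOST PORT [SECONDS]: one TCP connect, classified.
# timeout exits 124 when the connect is still hanging at the deadline.
probe_tcp() {
    local host="$1" port="$2" deadline="${3:-2}" err rc
    err=$(timeout "$deadline" bash -c "exec 3<>/dev/tcp/$host/$port" </dev/null 2>&1)
    rc=$?
    classify_probe "$rc" "$err"
}

# For a target that should be blocked, only a silent drop is a clean pass.
# "refused" is the case test_block reports as CORRECTLY BLOCKED although
# the host answered, so it is graded FAIL here.
verdict_block() {
    case "$1" in
        filtered)     echo PASS ;;
        open|refused) echo FAIL ;;
        *)            echo INCONCLUSIVE ;;
    esac
}

verdict_permit() {
    case "$1" in
        open) echo PASS ;;
        *)    echo FAIL ;;
    esac
}

# Run the page's permit/block targets through the classifier.
main() {
    local expect host port v verdict
    while read -r expect host port; do
        v=$(probe_tcp "$host" "$port" 2)
        if [ "$expect" = block ]; then verdict=$(verdict_block "$v")
        else verdict=$(verdict_permit "$v"); fi
        printf '%-6s %-12s %-4s %-11s %s\n' "$expect" "$host" "$port" "$v" "$verdict"
    done <<'EOF'
permit 10.50.1.50 88
permit 10.50.1.50 636
block 10.50.1.10 22
block 10.50.1.1 443
block 10.50.1.70 445
EOF
}

# Probe the lab targets only when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `./probe-classify.sh --run` from the authenticated workstation. An unreachable verdict on a blocked target is inconclusive rather than a pass: an ICMP administratively-prohibited reply from the switch lands there as well as a missing route, so take a packet capture before deciding which it was.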
4. Traffic Flow Verification
Test specific application-layer connectivity.
4.1. Traffic Test Script
#!/bin/bash
# test-traffic.sh - Verify application connectivity
echo "=== Traffic Flow Verification ==="
echo ""
echo "1. DNS Resolution:"
nslookup google.com | grep -A1 "Name:"
echo ""
echo "2. Internet Connectivity:"
curl -s -o /dev/null -w 'HTTP Status: %{http_code}\n' https://www.google.com
echo ""
echo "3. AD Domain Controller:"
echo -n "Kerberos (88): "
nc -zw3 10.50.1.50 88 && echo "OK" || echo "FAIL"
echo -n "LDAP (389): "
nc -zw3 10.50.1.50 389 && echo "OK" || echo "FAIL"
echo -n "LDAPS (636): "
nc -zw3 10.50.1.50 636 && echo "OK" || echo "FAIL"
echo ""
echo "4. ISE Services:"
echo -n "Admin Portal (8443): "
nc -zw3 10.50.1.21 8443 && echo "OK" || echo "FAIL"
echo -n "Posture (8905): "
nc -zw3 10.50.1.21 8905 && echo "OK" || echo "FAIL"
echo ""
echo "5. NTP Sync:"
timedatectl show --property=NTPSynchronized
5. ISE Session Verification
Verify correct authorization profile was applied.
5.1. Using netapi
# Source credentials
source <(DSEC_SECURITY_MODE=permissive ~/.secrets/bin/dsec source d000 dev/network)
# Get session details by MAC
netapi ise mnt session <MAC_ADDRESS>
# Detailed session context
netapi ise dc session <MAC_ADDRESS>
5.2. Expected Session Output
Session ID: 0a3201150000xxxx
User Name: modestus-p50.inside.domusdigitalis.dev
MAC Address: c8:5b:76:c6:59:62
IP Address: 10.50.10.101
VLAN: 10
Authorization Profile: Linux_EAPTLS_Admins
Authentication Method: EAP-TLS
dACL: LINUX_RESEARCH_ZERO_TRUST_V2
Policy Set: Domus-Wired 802.1X
6. Switch-Side Verification
7. Complete Validation Workflow
Run this sequence after any configuration changes:
#!/bin/bash
# complete-validation.sh - Full validation after configuration changes
# Steps 1-3 run on the workstation. Step 5 needs management access to the
# switch, which the dACL under test denies from the workstation (SSH to
# 10.50.1.10 is a should-FAIL case above), so run it from a management host
# unless netapi reaches the switch by another path.
MAC="<your-mac-address>"
echo "=== 1. Local System Checks ==="
./deployment-readiness.sh || echo "Readiness check FAILED"
echo ""
echo "=== 2. 802.1X Connection ==="
./8021x-status.sh
echo ""
echo "=== 3. Zero-Trust ACL ==="
./test-zero-trust.sh || echo "Zero-trust ACL check FAILED"
echo ""
echo "=== 4. ISE Session ==="
source <(DSEC_SECURITY_MODE=permissive ~/.secrets/bin/dsec source d000 dev/network)
echo "Authorization Profile:"
netapi ise mnt session "$MAC" | grep -E "(Authorization|dACL|Vlan)"
echo ""
echo "=== 5. Switch Status ==="
netapi ios exec "show access-session int Gi1/0/5 d" | grep -E "(Status|Vlan|ACS ACL)"
echo ""
echo "=== Validation Complete ==="
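Sections 5 and 7 eyeball the ISE session with grep; what a validation run actually needs is a pass/fail on the authorization profile, the dACL and the VLAN, since a session that authenticated fine but landed on a different rule is exactly the case the zero-trust tests cannot see from the client. The script below is an added example, not part of the page's tooling. It assumes only that `netapi ise mnt session <MAC>` prints "Key: Value" lines like the expected session output above (netapi is the author's tool, so its exact output format is an assumption here); the expected values are the page's, and the two sample sessions are constructed.

```shell
#!/bin/bash
# assert-ise-session.sh - turn "Key: Value" session output into pass/fail.
# Added example (not the page's script). Assumes the netapi output format
# shown on the page; the sample sessions below are constructed.

# session_field KEY: print the value for KEY from "Key: Value" text on stdin.
# Exit 1 if the key is absent. The value is everything after the first ": ".
session_field() {
    awk -v k="$1" -F': ' '$1==k { v=$0; sub(/^[^:]*: */, "", v); print v; found=1; exit } END { exit !found }'
}

# assert_session TEXT PROFILE DACL VLAN: 0 only if the session authenticated
# with EAP-TLS and carries exactly the expected authorization.
assert_session() {
    local text="$1" rc=0 c key want got
    local -a checks=(
        "Authentication Method=EAP-TLS"
        "Authorization Profile=$2"
        "dACL=$3"
        "VLAN=$4"
    )
    for c in "${checks[@]}"; do
        key="${c%%=*}"; want="${c#*=}"
        got=$(printf '%s\n' "$text" | session_field "$key") || got="<missing>"
        if [ "$got" = "$want" ]; then
            echo "[PASS] $key = $got"
        else
            echo "[FAIL] $key: expected '$want', got '$got'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the expected session from the page.
SAMPLE_GOOD='Session ID: 0a3201150000xxxx
User Name: modestus-p50.inside.domusdigitalis.dev
MAC Address: c8:5b:76:c6:59:62
IP Address: 10.50.10.101
VLAN: 10
Authorization Profile: Linux_EAPTLS_Admins
Authentication Method: EAP-TLS
dACL: LINUX_RESEARCH_ZERO_TRUST_V2
Policy Set: Domus-Wired 802.1X'

# Constructed sample of a wrong outcome: MAB fallback matched a permissive
# rule and no dACL was pushed. The host has an address and will "work".
SAMPLE_BAD='MAC Address: c8:5b:76:c6:59:62
IP Address: 10.50.10.101
VLAN: 10
Authorization Profile: PermitAccess
Authentication Method: MAB
Policy Set: Domus-Wired 802.1X'

case "${1:-}" in
    --demo)
        echo "== expected session =="
        assert_session "$SAMPLE_GOOD" Linux_EAPTLS_Admins LINUX_RESEARCH_ZERO_TRUST_V2 10
        echo "== wrong authorization =="
        assert_session "$SAMPLE_BAD" Linux_EAPTLS_Admins LINUX_RESEARCH_ZERO_TRUST_V2 10 \
            || echo "Session does not match the expected authorization."
        ;;
    "") ;;   # no argument: only define the functions (for sourcing)
    *)       # a MAC address: check the live session
        assert_session "$(netapi ise mnt session "$1")" Linux_EAPTLS_Admins LINUX_RESEARCH_ZERO_TRUST_V2 10
        ;;
esac
```

`./assert-ise-session.sh --demo` exercises both samples; `./assert-ise-session.sh "$MAC"` (after sourcing the netapi credentials as in section 5) replaces the grep in step 4 of the complete workflow with an exit status the wrapper can act on.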
8. Troubleshooting Validation Failures
8.1. Permitted Traffic Fails
If DNS, AD, or internet tests fail:
- Check if 802.1X authentication succeeded
- Verify correct VLAN assignment
- Check dACL permits required services
- Verify DNS servers are reachable
- Check for local firewall (UFW) blocking
8.2. Blocked Traffic Succeeds (Critical!)
If "should FAIL" tests pass:
- dACL not applied - Check that the ISE authorization profile has the dACL assigned
- Wrong dACL - Verify the dACL content denies the internal subnets
- Wrong authorization rule - Check rule ordering in ISE; rules are evaluated top-down and the first match wins
- Switch not downloading dACL - The switch fetches the ACL contents in a separate RADIUS request after the Access-Accept and needs IP device tracking enabled to bind it to the client's address; check the ACS ACL line in "show access-session interface <port> details" and the switch log for download errors