WRKLOG-2026-03-13
Summary
WiFi connectivity troubleshooting day. EAP-TLS authentication succeeds but DHCP fails, requiring fallback to wired. Root cause analysis initiated.
Today’s Priorities (2026-03-13)
| Priority | Task | Status | Notes |
|---|---|---|---|
| P0 | WiFi DHCP failure RCA | [x] RESOLVED | Root cause: IP conflict + MAC randomization - see RCA-2026-03-13-001 |
| P0 | Create WPA2-PSK fallback connection | [x] DOCUMENTED | Commands in nmcli.adoc |
| P1 | k3s NAT verification | [ ] PENDING | Carried over - NAT rule 170, test pod internet |
| P2 | Wazuh indexer recovery | [ ] PENDING | Depends on NAT working |
Session 1: WiFi DHCP Failure Analysis - RESOLVED
Symptom
nmcli conn up Domus-WiFi-EAP-TLS fails with:
Error: Connection activation failed: IP configuration could not be reserved (no available address, timeout, etc.)
Root Cause Identified
NOT a DHCP issue. The error message was misleading.
<warn> device (wlan0): IP address 10.50.1.200 cannot be configured because it is already in use in the network by host 3C:EC:EF:43:50:42
Two issues found:
- Static IP conflict: WiFi configured with 10.50.1.200, which was in use by Dell device 3C:EC:EF:43:50:42
- MAC randomization: wifi.cloned-mac-address was set to default, causing ISE session tracking issues
Resolution Applied
# Find free IP
for ip in 201 202 203 204 205; do
  ping -c 1 -W 1 10.50.1.$ip >/dev/null 2>&1 && \
    echo "10.50.1.$ip IN USE" || echo "10.50.1.$ip FREE"
done
# Change to free IP
nmcli c mod Domus-WiFi-EAP-TLS ipv4.addresses "10.50.1.201/24"
nmcli c mod Domus-WiFi-EAP-TLS ipv4.gateway "10.50.1.1"
nmcli c mod Domus-WiFi-EAP-TLS ipv4.dns "10.50.1.90,10.50.1.91"
nmcli c mod Domus-WiFi-EAP-TLS ipv4.method manual
# Fix MAC randomization
nmcli c mod Domus-WiFi-EAP-TLS wifi.cloned-mac-address permanent
# Reconnect - SUCCESS
nmcli c up Domus-WiFi-EAP-TLS
Lessons Learned
- Error "IP configuration could not be reserved" applies to static IP conflicts, not just DHCP
- VyOS DHCP was fine (phone had lease, wired had lease)
- MAC randomization breaks EAP-TLS session tracking in ISE
- Always check journalctl -u NetworkManager for the real error
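The journal check from the last lesson, as an added example that is not part of the original log: a filter that pulls address-conflict warnings out of NetworkManager journal text and reports the device, the IP and the MAC that already holds it. The function names, timestamps, hostname and PID in the sample are constructed; only the <warn> message text comes from the log above.

```sh
#!/bin/sh
# Added example: extract "address already in use" warnings from NetworkManager logs.

# Constructed sample journal; only the address-conflict <warn> text is from this worklog.
sample_journal() {
cat <<'EOF'
Mar 13 09:14:02 host NetworkManager[812]: <info>  device (wlan0): state change: config -> ip-config
Mar 13 09:14:03 host NetworkManager[812]: <warn>  device (wlan0): IP address 10.50.1.200 cannot be configured because it is already in use in the network by host 3C:EC:EF:43:50:42
Mar 13 09:14:48 host NetworkManager[812]: <warn>  device (wlan0): Activation: failed for connection 'Domus-WiFi-EAP-TLS'
EOF
}

# Reads journal text on stdin; prints "device ip mac" for every conflict warning.
find_ip_conflicts() {
  sed -nE 's/.*device \(([^)]+)\): IP address ([0-9.]+) cannot be configured because it is already in use in the network by host ([0-9A-Fa-f:]{17}).*/\1 \2 \3/p'
}

# Prints the MAC that already holds address $1; returns 1 if the journal shows no conflict for it.
conflict_owner() {
  find_ip_conflicts | awk -v ip="$1" '$2 == ip { print $3; found = 1 } END { exit !found }'
}

# On a live host, feed the real journal instead of the sample:
#   journalctl -u NetworkManager -b --no-pager | find_ip_conflicts
sample_journal | find_ip_conflicts   # prints: wlan0 10.50.1.200 3C:EC:EF:43:50:42
```

Running conflict_owner against the journal for a candidate address before assigning it catches conflicts NetworkManager has already seen, including hosts that do not answer ping.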
Carried Over
| Task | Details | Original Date |
|---|---|---|
| k3s NAT rule 170 | Test pod internet access after NAT applied | 2026-03-12 |
| Wazuh indexer | Restart after NAT confirmed | 2026-03-11 |
Notes
- Created first RCA document using case-studies template
- Need WPA2-PSK fallback for when EAP-TLS infrastructure is unavailable