Investigation: P16g WiFi Data VLAN 10

Investigation

Phase 1 — Profile Comparison

Three profiles target the same SSID (Domus-Secure) with the same EAP-TLS credentials but differ in critical ways:

Setting Data-VLAN10 Mgmt-VLAN100 Impact

Setting	Data-VLAN10	Mgmt-VLAN100	Impact
`mac-address-randomization`	`default` (randomizes)	`never`	ISE cannot match endpoint if MAC changes
`cloned-mac-address`	`--` (not set)	`permanent`	ISE endpoint group lookup requires stable MAC
`ipv4.method`	`auto` (DHCP)	`manual` (10.50.1.204/24)	VLAN 10 DHCP scope may not exist or may not be reachable
`autoconnect-priority`	`0`	`5`	Mgmt profile wins autoconnect over Data
`connection.timestamp`	`0` (never connected)	`1780267069` (connected today)	Data profile has never successfully authenticated

mac-address-randomization

default (randomizes)

never

ISE cannot match endpoint if MAC changes

cloned-mac-address

-- (not set)

permanent

ISE endpoint group lookup requires stable MAC

ipv4.method

auto (DHCP)

manual (10.50.1.204/24)

VLAN 10 DHCP scope may not exist or may not be reachable

autoconnect-priority

0

5

Mgmt profile wins autoconnect over Data

connection.timestamp

0 (never connected)

1780267069 (connected today)

Data profile has never successfully authenticated

Both profiles use identical EAP-TLS settings:

Identity: modestus-p16g.inside.domusdigitalis.dev
CA cert: /etc/ssl/certs/DOMUS-CA-CHAIN.pem
Client cert: /etc/ssl/certs/modestus-p16g-eaptls.pem
Private key: /etc/ssl/private/modestus-p16g-eaptls.key

Phase 2 — MAC Address Randomization (Primary Suspect)

ISE authenticates EAP-TLS by certificate identity but uses the endpoint MAC for:

Endpoint group assignment (which determines authorization profile)
VLAN assignment via authorization policy
Endpoint profiling and posture

If the MAC is randomized, ISE may:

Create a new endpoint entry each connection attempt
Fail to match the endpoint group → wrong authorization profile → wrong VLAN
Assign a default/quarantine VLAN instead of VLAN 10

Verify current MAC state

# Check the actual hardware MAC
ip link show wlan0 | awk '/link\/ether/{print $2}'

# Check what NM is sending for each profile
nmcli -g 802-11-wireless.cloned-mac-address,802-11-wireless.mac-address-randomization con show "Domus-WiFi-Data-VLAN10"
nmcli -g 802-11-wireless.cloned-mac-address,802-11-wireless.mac-address-randomization con show "Domus-WiFi-Mgmt-VLAN100"

Fix MAC randomization on Data-VLAN10

nmcli con modify "Domus-WiFi-Data-VLAN10" \
  802-11-wireless.mac-address-randomization never \
  802-11-wireless.cloned-mac-address permanent

Phase 3 — ISE Policy Verification

The question: does ISE have an authorization policy that assigns VLAN 10 for WiFi EAP-TLS clients?

Check ISE RADIUS live logs

# Attempt connection and capture the RADIUS exchange
nmcli con up "Domus-WiFi-Data-VLAN10"

# Watch wpa_supplicant for EAP details
journalctl -u NetworkManager --since "1 min ago" --no-pager \
  | grep -iE 'eap|tls|radius|reject|accept|vlan|authorize'

# Full supplicant debug
journalctl -u wpa_supplicant --since "1 min ago" --no-pager 2>/dev/null

Check ISE admin GUI

Operations → RADIUS → Live Logs
  Filter by: Endpoint MAC = <P16g wlan0 hardware MAC>
  Look for:
    - Authentication result (Pass/Fail)
    - Authorization profile applied
    - VLAN attribute in authorization result
    - Failure reason if rejected

Phase 4 — DHCP Scope for VLAN 10

If ISE authenticates and assigns VLAN 10, the client needs a DHCP address in 10.50.1.0/24 (or 10.50.10.0/24 — depends on VLAN 10 subnet mapping).

Verify DHCP is available on VLAN 10

# After connecting, check if DHCP offer arrives
journalctl -u NetworkManager --since "1 min ago" --no-pager \
  | grep -iE 'dhcp|address|lease|offer|nak'

# If DHCP times out, verify the VLAN interface is actually on VLAN 10
# (ISE assigns VLAN via RADIUS attribute, WLC enforces it)
ip addr show wlan0

Phase 5 — Wired Connection Diagnosis

Domus-Wired-Mgmt-VLAN100 is failing with config-failed in a tight loop.

Diagnose wired failure

# Check if ethernet cable is connected / link is up
ip link show enp134s0

# Check NM detailed reason
journalctl -u NetworkManager --since "10 min ago" --no-pager \
  | grep -A2 'enp134s0.*failed'

# Check if 802.1X supplicant is even starting
journalctl -u NetworkManager --since "10 min ago" --no-pager \
  | grep -i 'enp134s0.*supplicant'

If enp134s0 has no carrier (state DOWN), the failures are expected — NM retries autoconnect on an interface with no link. Either:

Plug in the ethernet cable, or
Disable autoconnect to stop the loop: nmcli con modify "Domus-Wired-Mgmt-VLAN100" connection.autoconnect no

Phase 6 — Create a Test Profile

Create a dedicated WiFi test profile with correct settings for VLAN 10 troubleshooting:

Create Domus-WiFi-Data-VLAN10-Test profile

nmcli con add \
  con-name "Domus-WiFi-Data-VLAN10-Test" \
  type wifi \
  ifname wlan0 \
  ssid "Domus-Secure" \
  wifi-sec.key-mgmt wpa-eap \
  802-1x.eap tls \
  802-1x.identity "modestus-p16g.inside.domusdigitalis.dev" \
  802-1x.ca-cert "/etc/ssl/certs/DOMUS-CA-CHAIN.pem" \
  802-1x.client-cert "/etc/ssl/certs/modestus-p16g-eaptls.pem" \
  802-1x.private-key "/etc/ssl/private/modestus-p16g-eaptls.key" \
  wifi.cloned-mac-address permanent \
  wifi.mac-address-randomization never \
  ipv4.method auto \
  connection.autoconnect no \
  connection.autoconnect-priority 0

Activate and monitor

# Disconnect current WiFi first
nmcli con down "Domus-IoT"

# Bring up test profile
nmcli con up "Domus-WiFi-Data-VLAN10-Test"

# Monitor in real-time (run in another terminal/tmux pane)
journalctl -u NetworkManager -f --no-pager \
  | grep -iE 'eap|tls|vlan|dhcp|fail|reject|assoc'

Verify the result

# Check assigned IP — should be in 10.50.1.0/24 or 10.50.10.0/24
ip -4 addr show wlan0

# Check routing
ip route show dev wlan0

# Verify DNS resolution
dig +short modestus-p16g.inside.domusdigitalis.dev

Clean up test profile (if not needed)

nmcli con delete "Domus-WiFi-Data-VLAN10-Test"

Root Cause (Preliminary)

Primary hypothesis: MAC address randomization on Domus-WiFi-Data-VLAN10 prevents ISE endpoint matching.

The Mgmt-VLAN100 profile works because it forces mac-address-randomization: never and cloned-mac-address: permanent. The Data-VLAN10 profile uses defaults — which on modern Linux means the MAC is randomized per-connection. ISE sees a new unknown endpoint each time, cannot match it to an authorization profile, and either rejects or assigns a fallback VLAN.

Secondary hypothesis: No ISE authorization policy maps WiFi EAP-TLS to VLAN 10.

Both profiles connect to SSID Domus-Secure. ISE may only have an authorization rule for VLAN 100 (management), not VLAN 10 (data). If the VLAN assignment is static in the WLC WLAN profile rather than dynamic via RADIUS, then the connection profile name is cosmetic — all Domus-Secure clients land on whatever VLAN the WLC assigns.

Tertiary: Wired failure is likely no carrier. The config-failed loop on enp134s0 fires instantly (no supplicant negotiation visible), suggesting the NIC has no link. If the cable were connected, the failure would take longer (EAP timeout) and show supplicant state changes.

Evidence Supporting MAC Hypothesis

Mgmt-VLAN100 (works): mac-address-randomization: never, cloned-mac-address: permanent
Data-VLAN10 (never connected): mac-address-randomization: default, cloned-mac-address: --
Prior RCA-2026-03-13-001 documented MAC randomization as a contributing factor in WiFi DHCP failure
ISE endpoint groups rely on stable MAC addresses for authorization policy matching

Next Steps

[ ] Fix MAC randomization on Data-VLAN10 (Phase 2 commands)
[ ] Attempt connection and check ISE live logs (Phase 3)
[ ] If auth succeeds but no IP — investigate DHCP scope for VLAN 10 (Phase 4)
[ ] If auth fails — check ISE authorization policy for WiFi VLAN 10 assignment (Phase 3 GUI check)
[ ] Create test profile if modifying existing profile is risky (Phase 6)
[ ] Diagnose wired failure separately (Phase 5)