Resolution: P16g WiFi Data VLAN 10

Resolution

Status: Pending investigation results

Option A — Fix Existing Data-VLAN10 Profile

# Fix MAC randomization (the likely root cause)
nmcli con modify "Domus-WiFi-Data-VLAN10" \
  802-11-wireless.mac-address-randomization never \
  802-11-wireless.cloned-mac-address permanent

# Verify the change
nmcli -g 802-11-wireless.mac-address-randomization,802-11-wireless.cloned-mac-address \
  con show "Domus-WiFi-Data-VLAN10"
# Expected: never,permanent

# Disconnect IoT and attempt Data-VLAN10
nmcli con down "Domus-IoT"
nmcli con up "Domus-WiFi-Data-VLAN10"

# Verify IP assignment
ip -4 addr show wlan0

Option B — Use Test Profile

If modifying the existing profile is undesirable, use the test profile created in Investigation Phase 6.

Option C — ISE Policy Change Required

If EAP-TLS authenticates but VLAN 10 is not assigned, the ISE authorization policy needs a rule for WiFi clients on the data VLAN. This requires:

  1. ISE admin access

  2. New authorization profile: WiFi_Data_VLAN10 with Tunnel-Private-Group-ID = 10

  3. Authorization policy rule matching WiFi + EAP-TLS + endpoint group → WiFi_Data_VLAN10

Verification

# Confirm VLAN 10 assignment — IP should be in 10.50.1.0/24
ip -4 addr show wlan0

# Confirm routing
ip route show dev wlan0

# Confirm ISE reachability
ping -c3 {ise-01-ip}

# Confirm DNS
dig +short {ise-01-hostname}
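
The two things Option A and the Verification steps look for (MAC randomization off, and an address in 10.50.1.0/24) can be checked together; the following is an added example, not part of the original runbook. The function names and sample lines are hypothetical/constructed, and the locally-administered-bit test is a heuristic that assumes the adapter's permanent MAC is a normal burned-in address.

```shell
#!/bin/sh
# Added example: offline-testable checks for the Data-VLAN10 fix.
# wlan0 and 10.50.1.0/24 are from the page; function names are hypothetical.

ip_to_int() {   # A.B.C.D -> 32-bit integer
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {     # in_cidr IP NET/PREFIX -> exit 0 if IP is inside NET
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "$net") & $mask )) ]
}

# Exit 0 if the locally administered bit (0x02 of the first octet) is set.
# Randomized MACs set it; a burned-in (permanent) address normally does not.
mac_is_randomized() {
    first=${1%%:*}
    [ $(( 0x$first & 2 )) -ne 0 ]
}

# check_wlan LINK ADDR: LINK is `ip -o link show wlan0` output,
# ADDR is `ip -4 -o addr show wlan0` output. Exit 0 only if both checks pass.
check_wlan() {
    mac=$(printf '%s\n' "$1" | sed -n 's/.*link\/ether \([0-9a-fA-F:]*\).*/\1/p')
    addr=$(printf '%s\n' "$2" | sed -n 's/.* inet \([0-9.]*\)\/.*/\1/p')
    rc=0
    if [ -z "$mac" ] || mac_is_randomized "$mac"; then
        echo "FAIL: MAC '$mac' missing or locally administered (randomized?)"; rc=1
    fi
    if [ -z "$addr" ] || ! in_cidr "$addr" 10.50.1.0/24; then
        echo "FAIL: IPv4 '$addr' missing or outside 10.50.1.0/24"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $mac has $addr"
    return "$rc"
}

# Constructed sample lines (not captured from a real host)
SAMPLE_LINK='3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff'
SAMPLE_ADDR='3: wlan0    inet 10.50.1.57/24 brd 10.50.1.255 scope global dynamic wlan0\       valid_lft 3000sec'
check_wlan "$SAMPLE_LINK" "$SAMPLE_ADDR"
# Live use: check_wlan "$(ip -o link show wlan0)" "$(ip -4 -o addr show wlan0)"
```

A FAIL on the MAC line while the profile already reports the Option A settings usually means the connection was not re-activated after `nmcli con modify`.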