RCA-2026-03-16-001: Analysis

Root Cause

5 Whys Analysis

Why #  Question and Answer

1  Why did EAP-TLS authentication fail?
   Because: the client rejected ISE’s certificate as untrusted.

2  Why did the client reject ISE’s certificate?
   Because: the client could not verify the ISE certificate chain; the supplicant reported "unknown CA".

3  Why couldn’t the client verify the chain?
   Because: the client only had the intermediate CA configured as its trust anchor, not the ROOT CA.

4  Why did the client only have the intermediate CA?
   Because: Vault’s pki_int/issue returns the intermediate in its issuing_ca field, not the root, and that certificate is what was installed on the client.

5  Why wasn’t the ROOT CA explicitly configured?
   Because: the documentation did not state that the ROOT CA, not the intermediate, is required on the client.

Root Cause Statement

EAP-TLS clients validate the authentication server’s certificate by building a chain from it to a configured trust anchor, and the TLS library keeps walking issuers until it reaches a self-signed certificate. The ROOT CA is that self-signed certificate; the intermediate CA on its own is not, so a client given only the intermediate cannot complete the chain and fails with "unknown CA" even though the intermediate itself is legitimate. The client must be configured with the ROOT CA (a bundle that includes it also works).

Secondary Root Cause

NetworkManager’s 802-1x.private-key-password-flags property cannot be changed after the connection has been created. nmcli con mod accepts the new value without error but does not apply it, so the flag has to be set as part of the original nmcli connection add. Any change to this property should be confirmed afterwards by reading the stored connection back with nmcli connection show rather than assuming the modify command took effect.

Contributing Factors

Factor / Description / Preventable?

Factor: Vault PKI output
Description: vault write pki_int/issue returns the intermediate CA in the issuing_ca field; it is easy to assume this is the CA to configure on the client.
Preventable? Yes (documentation)

Factor: nmcli behavior
Description: nmcli con mod silently accepts private-key-password-flags but does not apply it.
Preventable? No (NetworkManager design)

Factor: SSID confusion
Description: The initial connection used the wrong SSID (DomusWifi vs Domus-Secure).
Preventable? Yes (documentation)

Factor: No pre-flight check
Description: There was no verification step to confirm the correct CA before deployment.
Preventable? Yes (process)
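The following script is an added example, not part of this RCA and not code from Vault, NetworkManager or ISE. It ties the root cause statement, the secondary root cause and the "Vault PKI output" and "No pre-flight check" factors into one provisioning procedure: it issues a client certificate from pki_int, fetches the ROOT CA from the root mount instead of reusing the issuing_ca field, runs a pre-flight check that fails exactly the way the incident did when the intermediate is offered as the trust anchor, and creates the NetworkManager profile with 802-1x.private-key-password-flags set at creation time. Assumptions not stated on the page: the root PKI mount is named pki, the role name, SSID default (Domus-Secure, taken as the EAP-TLS network), interface, identity, ISE name suffix and install path are placeholders, jq/openssl/nmcli are on PATH, and the Vault-issued key is wrapped as encrypted PKCS#8 so that the password and its flags are actually exercised.

```shell
#!/bin/sh
# Added example, not from the RCA page: issue a client cert from Vault, fetch
# the ROOT CA from the root mount, run the pre-flight CA check the RCA found
# missing, then create the NetworkManager profile with every 802-1x property
# (including private-key-password-flags) set at creation time.
# Assumed: mounts "pki" (root) and "pki_int"; jq/openssl/nmcli on PATH.
set -eu

VAULT_ROLE="${VAULT_ROLE:-domus-client}"            # assumed role name
SSID="${SSID:-Domus-Secure}"                        # assumed EAP-TLS SSID
IFNAME="${IFNAME:-wlan0}"                           # assumed interface
IDENTITY="${IDENTITY:-client01.domus.example}"      # assumed cert CN / EAP identity
ISE_SUFFIX="${ISE_SUFFIX:-ise.domus.example}"       # assumed ISE server name suffix
CERT_DIR="${CERT_DIR:-/etc/NetworkManager/certs}"   # assumed install path

# Number of certificates in a PEM bundle (0 when there are none).
pem_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Print the n-th (1-based) certificate of a PEM bundle.
pem_nth() {
  awk -v n="$2" '
    /-----BEGIN CERTIFICATE-----/ { i++ }
    i == n { print }
    /-----END CERTIFICATE-----/ && i == n { exit }' "$1"
}

# True when the certificate in file $1 is self-signed (issuer DN == subject DN),
# i.e. it can act as a trust anchor. An intermediate CA never passes this test.
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject) || return 2
  i=$(openssl x509 -in "$1" -noout -issuer)  || return 2
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# True when bundle $1 contains at least one self-signed certificate.
has_self_signed_root() {
  n=$(pem_count "$1"); k=1
  while [ "$k" -le "$n" ]; do
    t=$(mktemp); pem_nth "$1" "$k" > "$t"
    if is_self_signed "$t"; then rm -f "$t"; return 0; fi
    rm -f "$t"; k=$((k + 1))
  done
  return 1
}

# Pre-flight: $1 = file intended for 802-1x.ca-cert, $2 = issuing (intermediate)
# CA, $3 = a certificate issued by $2. Fails the way the incident did when $1 is
# the intermediate instead of the root, and also when the chain does not close.
preflight_ca() {
  if ! has_self_signed_root "$1"; then
    echo "preflight: $1 contains no self-signed root; Vault's issuing_ca is not a trust anchor" >&2
    return 1
  fi
  openssl verify -CAfile "$1" -untrusted "$2" "$3" > /dev/null 2>&1 || {
    echo "preflight: $3 does not chain to $1 via $2" >&2
    return 1
  }
}

# Provisioning (only runs when invoked as: sh provision.sh provision).
provision_eap_tls() {
  work=$(mktemp -d)
  # issuing_ca in this response is the INTERMEDIATE; never use it as ca-cert.
  vault write -format=json "pki_int/issue/$VAULT_ROLE" common_name="$IDENTITY" > "$work/issue.json"
  jq -r .data.certificate "$work/issue.json" > "$work/client.pem"
  jq -r .data.private_key "$work/issue.json" > "$work/client.key"
  jq -r .data.issuing_ca  "$work/issue.json" > "$work/intermediate.pem"
  # The trust anchor comes from the root mount, not from the issue response.
  vault read -field=certificate pki/cert/ca > "$work/root.pem"
  preflight_ca "$work/root.pem" "$work/intermediate.pem" "$work/client.pem"
  # Vault hands back an unencrypted key; wrap it as encrypted PKCS#8 so the
  # password (and therefore private-key-password-flags) is actually in play.
  key_pass=$(head -c 24 /dev/urandom | base64 | tr -d '/+=')
  install -d -m 0700 "$CERT_DIR"
  install -m 0644 "$work/root.pem"   "$CERT_DIR/$SSID-root.pem"
  install -m 0644 "$work/client.pem" "$CERT_DIR/$SSID-client.pem"
  openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$work/client.key" \
    -out "$CERT_DIR/$SSID-client.key" -passout "pass:$key_pass"
  chmod 0600 "$CERT_DIR/$SSID-client.key"
  rm -rf "$work"
  # Every 802-1x property goes to 'connection add'; per this RCA a later
  # 'con mod' of private-key-password-flags is accepted but not applied.
  # domain-suffix-match pins the ISE name so that not every certificate issued
  # under this root is accepted as the authentication server.
  nmcli connection add type wifi ifname "$IFNAME" con-name "$SSID" ssid "$SSID" \
    wifi-sec.key-mgmt wpa-eap \
    802-1x.eap tls \
    802-1x.identity "$IDENTITY" \
    802-1x.ca-cert "$CERT_DIR/$SSID-root.pem" \
    802-1x.client-cert "$CERT_DIR/$SSID-client.pem" \
    802-1x.private-key "$CERT_DIR/$SSID-client.key" \
    802-1x.private-key-password "$key_pass" \
    802-1x.private-key-password-flags 0 \
    802-1x.domain-suffix-match "$ISE_SUFFIX"
  nmcli connection up "$SSID"
}

if [ "${1:-}" = "provision" ]; then provision_eap_tls; fi
```

The self-signed test is a name comparison (issuer equals subject), which is what distinguishes a root from an intermediate for pre-flight purposes; the openssl verify step then proves that the certificate Vault just issued actually chains to that root, so a root from the wrong PKI is caught as well. The key password ends up in nmcli’s argument list for the duration of the call; on a shared host, nmcli --ask or a keyfile written directly under /etc/NetworkManager/system-connections avoids that exposure.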