RCA-2026-03-16-001: Fix Applied

Resolution

Immediate Actions (What was done)

  1. Retrieved ROOT CA from Vault: vault read -field=certificate pki/cert/ca

  2. Installed ROOT CA on client: /etc/ssl/certs/DOMUS-ROOT-CA.pem

  3. Deleted broken connection: nmcli con delete "Domus-WiFi-EAP-TLS"

  4. Created new connection with ALL flags at creation time:

sudo nmcli connection add \
    con-name "Domus-WiFi-EAP-TLS" \
    type wifi \
    ssid "Domus-Secure" \
    wifi-sec.key-mgmt wpa-eap \
    802-1x.eap tls \
    802-1x.identity "p50.inside.domusdigitalis.dev" \
    802-1x.ca-cert /etc/ssl/certs/DOMUS-ROOT-CA.pem \
    802-1x.client-cert /etc/ssl/certs/p50-client.crt \
    802-1x.private-key /etc/ssl/private/p50-client.key \
    802-1x.private-key-password-flags 4

Verification

# Verify connection active
nmcli con show --active | grep -E 'WiFi.*EAP'

# Verify IP on correct VLAN
ip -4 -o addr show wlp4s0 | awk '{print $4}'
# Expected: 10.50.10.x (VLAN 10 - Data)

# Verify ISE session
netapi ise -f json mnt sessions | jq '.[] | select(.user_name | test("p50"; "i"))'

The MODEL: 802.1X EAP-TLS WiFi Setup

This is the verified working process. Use for all future EAP-TLS deployments.

Prerequisites

# 1. Get ROOT CA from Vault (NOT issuing_ca from pki_int)
dsource d000 dev/vault
vault read -field=certificate pki/cert/ca > /tmp/domus-root-ca.crt

# 2. Issue client certificate (the JSON response carries the private key in clear, so restrict default file permissions first)
umask 077
vault write -format=json pki_int/issue/domus-client \
    common_name="hostname.inside.domusdigitalis.dev" \
    ttl="8760h" > /tmp/client-cert.json

# 3. Extract cert and key (both inherit the 0600 umask set above)
jq -r '.data.certificate' /tmp/client-cert.json > /tmp/client.crt
jq -r '.data.private_key' /tmp/client-cert.json > /tmp/client.key

Install on Target

# Transfer files (the key travels as a plain file; remove every /tmp copy, here and on the issuing host, once installed)
scp /tmp/domus-root-ca.crt /tmp/client.crt /tmp/client.key user@target:/tmp/

# On target - install certificates (root-owned; NetworkManager reads them as root)
sudo cp /tmp/domus-root-ca.crt /etc/ssl/certs/DOMUS-ROOT-CA.pem
sudo cp /tmp/client.crt /etc/ssl/certs/$(hostname)-client.crt
sudo cp /tmp/client.key /etc/ssl/private/$(hostname)-client.key
sudo chmod 600 /etc/ssl/private/$(hostname)-client.key
shred -u /tmp/client.key /tmp/client.crt /tmp/domus-root-ca.crt
# On the issuing host: shred -u /tmp/client.key /tmp/client-cert.json

Create Connection (Critical: All Flags at Creation)

802-1x.private-key-password-flags 4 marks the key password as "not required", the correct value for the unencrypted PEM key Vault returns. Set it in the same nmcli connection add; otherwise the profile is saved waiting for a secret that nothing can supply and activation fails with "Secrets were required, but not provided". Note that 802-1x.ca-cert alone accepts any server certificate issued under the DOMUS ROOT; to also pin the RADIUS server identity, add 802-1x.domain-suffix-match with the ISE node's FQDN (not recorded in this RCA).

sudo nmcli connection add \
    con-name "Domus-WiFi-EAP-TLS" \
    type wifi \
    ssid "Domus-Secure" \
    wifi-sec.key-mgmt wpa-eap \
    802-1x.eap tls \
    802-1x.identity "$(hostname).inside.domusdigitalis.dev" \
    802-1x.ca-cert /etc/ssl/certs/DOMUS-ROOT-CA.pem \
    802-1x.client-cert /etc/ssl/certs/$(hostname)-client.crt \
    802-1x.private-key /etc/ssl/private/$(hostname)-client.key \
    802-1x.private-key-password-flags 4

Common Errors Quick Reference

Error                                        Fix
-------------------------------------------  ----------------------------------------------------------------------
"Secrets were required, but not provided"    Delete connection, recreate with private-key-password-flags 4 at creation
ISE 12520 "unknown CA"                       Use ROOT CA (pki/cert/ca), not intermediate (pki_int/…/issuing_ca)
Wrong VLAN assigned                          Check SSID - must be 802.1X enabled SSID, not MAB SSID
Connection hangs                             Check ISE rejected endpoints: netapi ise get-rejected-endpoints

Applicability

This RCA applies to:

  • Any Linux system using NetworkManager for 802.1X EAP-TLS

  • Ubuntu, Fedora, RHEL, Arch with NetworkManager

  • Both WiFi and wired 802.1X (same CA requirements)

  • Any Vault PKI environment with ROOT + intermediate CA hierarchy

Known affected systems:

  • P50 ThinkPad (Ubuntu 25.10) - RESOLVED

  • CHLA research Ubuntu workstation - PENDING (same issue suspected)