RCA-2026-03-16-001: 802.1X EAP-TLS CA Chain Failure

Executive Summary

802.1X WiFi EAP-TLS authentication failed on Ubuntu 25.10 (P50) with ISE error 12520 "unknown CA". The root cause was two-fold: (1) the client was configured with the intermediate CA instead of the ROOT CA, so it could not verify ISE’s certificate chain, and (2) NetworkManager’s private-key-password-flags must be set when the connection is created; modifying them afterwards did not take effect. The resolution was to use the ROOT CA only and recreate the connection with the correct flags. This RCA serves as a MODEL for similar EAP-TLS deployments.

Timeline

Time                Event
2026-03-16 ~10:00   P50 WiFi connected to Domus-IoT (MAB) instead of Domus-Secure (802.1X)
2026-03-16 ~10:15   Created WiFi EAP-TLS connection with wrong SSID (DomusWifi)
2026-03-16 ~10:30   Fixed SSID to Domus-Secure, connection failing with "Secrets were required"
2026-03-16 ~11:00   Added private-key-password-flags 4 via nmcli con mod - still failing
2026-03-16 ~11:30   Checked ISE logs - error 12520 "client rejected ISE local-certificate"
2026-03-16 ~12:00   Compared working config (modestus-razer) - identified CA difference
2026-03-16 ~12:15   Root cause identified: intermediate CA vs ROOT CA
2026-03-16 ~12:30   Fix implemented: ROOT CA + flags at creation time
2026-03-16 ~12:35   P50 authenticated, VLAN 10, IP 10.50.10.107

Problem Statement

Symptoms

  • WiFi connection showed "Secrets were required, but not provided"

  • wpa_supplicant logs showed TLS handshake failure

  • ISE MNT showed failed authentication attempts

  • Client kept falling back to Domus-IoT (MAB network)

Expected Behavior

Client presents certificate, ISE validates client cert against CA, ISE presents its certificate, client validates ISE cert against CA, mutual TLS authentication succeeds, client placed on VLAN 10 (Data).

Actual Behavior

TLS handshake failed during ISE certificate verification. Client rejected ISE’s certificate because it couldn’t build a trust chain to a known ROOT CA.
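The following script is an added example, not part of this RCA and not a tool used in the incident. It performs the two pre-flight checks the root cause turned on: it confirms that the file handed to 802-1x.ca-cert is a self-signed ROOT CA (issuer equals subject) rather than an intermediate, using a minimal DER walker so no third-party crypto library is required, and it builds the nmcli connection add argument list with private-key-password-flags set at creation time, the ordering that worked here. The certificate file paths, the identity "p50" and the CA names "Example Root CA" / "Example Issuing CA" are placeholders; the test certificates are constructed inside the script and carry no real signature. The self-signed check is structural only (it does not verify any signature and does not replace openssl verify); the nmcli property names are the ones documented by NetworkManager, and the flag value 4 is taken from the RCA.

```python
# Added example (not from the RCA): pre-flight checks for a NetworkManager EAP-TLS profile.
import base64
import re


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_value):
    """Yield (tag, value) for each TLV inside a SEQUENCE's value bytes."""
    pos = 0
    while pos < len(seq_value):
        tag, val, pos = _read_tlv(seq_value, pos)
        yield tag, val


def pem_to_der(pem_text):
    """Decode the first CERTIFICATE block of a PEM file to DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def issuer_and_subject(der):
    """Return the raw DER Name values of Issuer and Subject from an X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE { tbsCertificate, ... }
    tbs = next(_children(cert))[1]
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # order: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][1], fields[4][1]


def is_self_signed(pem_text):
    """True when issuer == subject, i.e. a trust anchor (root), not an intermediate.
    Structural check only: the signature is not verified."""
    issuer, subject = issuer_and_subject(pem_to_der(pem_text))
    return issuer == subject


def nmcli_add_eap_tls(ssid, con_name, ca_cert, client_cert, private_key, identity):
    """`nmcli connection add` arguments with the secret flags set at creation time.
    Flag value 4 = not-required (unencrypted key file), as in the RCA's working config."""
    return ["nmcli", "connection", "add", "type", "wifi", "ifname", "*",
            "con-name", con_name, "ssid", ssid,
            "wifi-sec.key-mgmt", "wpa-eap",
            "802-1x.eap", "tls",
            "802-1x.identity", identity,
            "802-1x.ca-cert", ca_cert,
            "802-1x.client-cert", client_cert,
            "802-1x.private-key", private_key,
            "802-1x.private-key-password-flags", "4"]


# --- constructed test certificates (unsigned skeletons, only to exercise the parser) ---

def _der(tag, payload):
    """Encode one DER TLV (short or long-form length)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName (2.5.4.3)."""
    atv = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def make_fake_cert_pem(issuer_cn, subject_cn):
    """Constructed certificate with the given issuer/subject CNs; signature bits are zero-filled."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")) + _der(0x05, b""))
    rsa_enc = _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010101")) + _der(0x05, b""))
    validity = _der(0x30, _der(0x17, b"260316000000Z") + _der(0x17, b"360316000000Z"))
    spki = _der(0x30, rsa_enc + _der(0x03, b"\x00" * 17))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + sha256_rsa + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    cert = _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 33))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Placeholder paths and identity; point these at the real ROOT CA and client credentials.
    root = make_fake_cert_pem("Example Root CA", "Example Root CA")
    inter = make_fake_cert_pem("Example Root CA", "Example Issuing CA")
    print("root self-signed:", is_self_signed(root), "| intermediate self-signed:", is_self_signed(inter))
    print(" ".join(nmcli_add_eap_tls("Domus-Secure", "Domus-Secure", "/path/to/root-ca.pem",
                                     "/path/to/client.pem", "/path/to/client.key", "p50")))
```

On a real workstation, read the PEM you intend to pass as 802-1x.ca-cert and run is_self_signed on it before creating the profile; the equivalent manual check is openssl x509 -in ca.pem -noout -subject -issuer, where the two lines must match. If the file is an intermediate (issuer differs from subject), wpa_supplicant cannot anchor ISE's chain and the handshake fails exactly as described above.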

Impact

Severity

Metric                  Value
Severity                P3 (personal infrastructure)
Duration                ~2.5 hours troubleshooting
Users/Systems Affected  1 workstation (P50)
Data Loss               None

Business Impact

  • Lost productivity: 2.5 hours troubleshooting

  • Learning value: HIGH - identified MODEL process for future deployments

  • Similar issue exists at CHLA research Ubuntu workstation

Metadata

Field         Value
RCA ID        RCA-2026-03-16-001
Author        Evan Rosado
Date Created  2026-03-16
Last Updated  2026-03-16
Status        Final
Review Date   2026-04-16 (30 days)