RCA-2026-03-16-001: Prevention
Preventive Measures
Short-term (This week)
| Action | Owner | Status |
|---|---|---|
| Update CR-2026-03-12 with MODEL process | Evan | [x] Complete |
| Create this RCA as reference | Evan | [x] Complete |
| Test MODEL on CHLA research workstation | Evan | [ ] Pending |
Long-term (This quarter)
| Action | Owner | Status |
|---|---|---|
| Add pre-flight CA verification to 802.1X runbook | Evan | [ ] Pending |
| Create | Evan | [ ] Pending |
| Document ROOT vs intermediate CA in Vault PKI docs | Evan | [ ] Pending |
Detection
How was it detected?
- Manual observation - connection failing
- ISE MNT logs showing error 12520
- wpa_supplicant journal logs showing TLS failure
Detection Gap
Could have been detected earlier with:
- Pre-deployment certificate chain verification:

  ```bash
  # Verify CA can validate ISE cert chain
  openssl verify -CAfile /etc/ssl/certs/DOMUS-ROOT-CA.pem /path/to/ise-cert.pem
  ```

- NetworkManager connection validation before `nmcli con up`
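The pre-flight check listed above, written as functions a runbook step could call; this is an added example, not part of the original RCA or its runbook. The function names and the throwaway demo chain are constructed, and it goes beyond the single command above by adding `-no-CApath`, an optional intermediate bundle, and a root-versus-intermediate report.

```shell
#!/bin/sh
# Added example, not from the RCA. Function names and demo CNs are assumptions.

# ca_kind FILE: "root" if the first cert in FILE is self-issued, else "intermediate".
ca_kind() {
    _s=$(openssl x509 -in "$1" -noout -subject) || return 2
    _i=$(openssl x509 -in "$1" -noout -issuer) || return 2
    if [ "${_s#subject=}" = "${_i#issuer=}" ]; then echo root; else echo intermediate; fi
}

# preflight_ca CA_FILE SERVER_CERT [INTERMEDIATES]
# Passes only if SERVER_CERT chains to a root in CA_FILE.
# -no-CApath stops OpenSSL from also searching the default certificate directory.
# INTERMEDIATES stands in for the untrusted certs a server sends in the handshake.
preflight_ca() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "FAIL: unreadable CA or cert" >&2; return 2; }
    echo "CA file $1 holds a(n) $(ca_kind "$1") certificate" >&2
    if [ -n "${3:-}" ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >&2
    else
        openssl verify -no-CApath -CAfile "$1" "$2" >&2
    fi
}

# make_demo_pki DIR: constructed throwaway chain root -> issuing CA -> server.
make_demo_pki() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\nCN=demo\n' > "$1/pki.cnf"
    printf '[ca]\nbasicConstraints=critical,CA:TRUE\n' >> "$1/pki.cnf"
    openssl req -x509 -config "$1/pki.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Root CA" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    openssl req -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Issuing CA" -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 2 -extfile "$1/pki.cnf" -extensions ca \
        -out "$1/int.pem" 2>/dev/null &&
    openssl req -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=ise.demo.example" -keyout "$1/srv.key" -out "$1/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/srv.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
        -CAcreateserial -days 2 -out "$1/srv.pem" 2>/dev/null
}

if [ "${1:-}" = demo ]; then    # run as: sh preflight.sh demo
    d=$(mktemp -d) && make_demo_pki "$d"
    preflight_ca "$d/root.pem" "$d/srv.pem" "$d/int.pem" && echo "root as CA file: PASS"
    preflight_ca "$d/int.pem" "$d/srv.pem" || echo "intermediate as CA file: FAIL"
    rm -rf "$d"
fi
```

In a runbook the gate would read `preflight_ca "$CA" "$ISE_CERT" "$CHAIN" && nmcli con up "$PROFILE"`, with all four variables supplied by the operator.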
Lessons Learned
What went well
- ISE MNT logs clearly identified the error (12520)
- Comparing working config (modestus-razer) quickly revealed the difference
- Documentation was updated immediately as MODEL
What could be improved
- Should have compared working config FIRST before hours of troubleshooting
- Should have verified CA chain before deployment
- `nmcli con mod` behavior should have been tested
Key Takeaways