RCA-2026-03-13-001: WiFi EAP-TLS DHCP Failure

Executive Summary

The WiFi connection to the Domus-Secure SSID fails after successful EAP-TLS authentication: 802.1X authentication completes and WPA key negotiation succeeds, but IP configuration fails. Root cause: the static IP 10.50.1.200 configured on the WiFi connection is already in use by another device (MAC 3C:EC:EF:43:50:42). Additionally, MAC address randomization was enabled, causing ISE session tracking issues.

Timeline

| Time | Event |
|---|---|
| 2026-03-13 10:54:45 | EAP-TLS authentication started on wlan0 |
| 2026-03-13 10:54:46 | EAP-TLS authentication completed successfully (all certs validated) |
| 2026-03-13 10:55:06 | WPA key negotiation completed, CTRL-EVENT-CONNECTED |
| 2026-03-13 10:55:06 | (Expected: DHCP DISCOVER sent, DHCP OFFER received) |
| 2026-03-13 10:55:07 | CTRL-EVENT-DISCONNECTED reason=250 (DHCP timeout) |
| 2026-03-13 10:55:07+ | Retry loop: reconnect attempts, AP adds client to ignore list |
| 2026-03-13 10:55:41 | SSID temporarily disabled after multiple failures |

Problem Statement

Symptoms

  • nmcli conn up Domus-WiFi-EAP-TLS fails with "IP configuration could not be reserved"

  • EAP-TLS authentication succeeds (verified in wpa_supplicant logs)

  • WPA handshake completes successfully

  • No IP address assigned

  • Connection drops ~1 second after association

  • AP adds client to ignore list due to rapid reconnection attempts

Expected Behavior

After successful EAP-TLS authentication and WPA handshake:

  1. Client sends DHCP DISCOVER

  2. DHCP server (pfSense) responds with DHCP OFFER

  3. Client sends DHCP REQUEST

  4. Server responds with DHCP ACK

  5. Client configured with IP, gateway, DNS

Actual Behavior

  1. EAP-TLS succeeds

  2. WPA handshake completes

  3. DHCP DISCOVER sent (presumed)

  4. No DHCP response received

  5. NetworkManager times out after ~1 second

  6. Connection dropped with reason=250
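
The symptom pattern above (EAP success, association completed, drop about a second later) can be picked out of supplicant logs mechanically, which separates an IP-layer failure from an 802.1X failure. The following is an added example, not part of the original RCA: the log lines are constructed from the timeline, and the timestamp prefix, the 5-second threshold and the names parse_events and triage are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the timeline above (not captured from the host).
# Assumed: "YYYY-MM-DD HH:MM:SS" prefix; BSSID, id and duration values are made up.
SAMPLE_LOG = """\
2026-03-13 10:54:45 wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
2026-03-13 10:54:46 wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
2026-03-13 10:55:06 wlan0: CTRL-EVENT-CONNECTED - Connection to 02:00:00:00:00:01 completed [id=0 id_str=]
2026-03-13 10:55:07 wlan0: CTRL-EVENT-DISCONNECTED bssid=02:00:00:00:00:01 reason=250 locally_generated=1
2026-03-13 10:55:41 wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="Domus-Secure" auth_failures=1 duration=10 reason=CONN_FAILED
"""
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?(\w+): (CTRL-EVENT-[A-Z-]+)(.*)$")

def parse_events(log):
    """Yield (timestamp, interface, event, remainder) for each control event."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4).strip()

def triage(log, max_hold_s=5):
    """Return findings as (timestamp, interface, kind, reason_code)."""
    findings, state = [], {}
    for ts, iface, event, rest in parse_events(log):
        s = state.setdefault(iface, {"eap_ok": False, "connected_at": None})
        if event == "CTRL-EVENT-EAP-SUCCESS":
            s["eap_ok"] = True
        elif event == "CTRL-EVENT-EAP-FAILURE":
            s["eap_ok"] = False
            findings.append((ts, iface, "eap-failure", None))
        elif event == "CTRL-EVENT-CONNECTED":
            s["connected_at"] = ts
        elif event == "CTRL-EVENT-DISCONNECTED":
            m = re.search(r"\breason=(\d+)", rest)
            code = int(m.group(1)) if m else None
            # Auth and key install succeeded but the link dropped at once: suspect L3.
            up = s["connected_at"]
            if s["eap_ok"] and up and (ts - up).total_seconds() <= max_hold_s:
                findings.append((ts, iface, "post-auth-drop", code))
            s["eap_ok"], s["connected_at"] = False, None
        elif event == "CTRL-EVENT-SSID-TEMP-DISABLED":
            findings.append((ts, iface, "ssid-temp-disabled", None))
    return findings

if __name__ == "__main__":
    for ts, iface, kind, code in triage(SAMPLE_LOG):
        print(ts, iface, kind, code)
```

A "post-auth-drop" finding with no "eap-failure" before it points the investigation at addressing (DHCP, static IP conflicts) rather than at certificates or the RADIUS policy.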

Impact

Severity

| Metric | Value |
|---|---|
| Severity | P2 - Degraded (wired fallback available) |
| Duration | Ongoing until resolved |
| Users/Systems Affected | 1 (modestus-razer WiFi) |
| Data Loss | None |

Business Impact

  • Reduced mobility (must use wired connection)

  • Cannot test WiFi-dependent scenarios

  • Blocks validation of WiFi EAP-TLS deployment

Metadata

| Field | Value |
|---|---|
| RCA ID | RCA-2026-03-13-001 |
| Author | Evan Rosado |
| Date Created | 2026-03-13 |
| Last Updated | 2026-03-14 |
| Status | Resolved |
| Review Date | 2026-04-12 (30 days from incident) |