RCA-2026-03-13-001: Analysis

Root Cause

5 Whys Analysis

| Why # | Question and Answer |
|---|---|
| 1 | Why did the connection fail? Because: NetworkManager could not configure the IP address |
| 2 | Why couldn’t NetworkManager configure the IP? Because: Static IP 10.50.1.200 was already in use by another device |
| 3 | Why was the IP already in use? Because: Device 3C:EC:EF:43:50:42 had claimed that IP (likely wired interface or another device) |
| 4 | Why was WiFi configured with a static IP? Because: MGMT VLAN access was desired for admin rights (intentional config) |
| 5 | Why did initial diagnosis point to DHCP? Because: Error message "IP configuration could not be reserved" was misleading - it applies to both DHCP and static IP failures |

Hypotheses (Ordered by Likelihood)

| # | Hypothesis | Verification Method |
|---|---|---|
| 1 | VyOS DHCP service down or unresponsive | SSH to vyos-01/02, check show dhcp server leases |
| 2 | WiFi VLAN 10 (DATA) not trunked properly | Check VyOS eth1 VLAN subinterfaces, verify AP trunk |
| 3 | ISE not assigning VLAN 10 correctly | netapi ise mnt sessions --mac <MAC> - check AuthZ VLAN |
| 4 | AP not passing DHCP to correct VLAN | Check WLC client details, VLAN assignment |
| 5 | DHCP pool exhausted on 10.50.10.0/24 | Check lease count vs pool size (.100-.199 = 100 addresses) |
| 6 | Client MAC not receiving offers | tcpdump on VyOS to see if DISCOVER arrives |

Root Cause Statement

Static IP conflict + MAC randomization

  1. WiFi connection configured with static IP 10.50.1.200 (MGMT VLAN for admin access)

  2. IP 10.50.1.200 already in use by device 3C:EC:EF:43:50:42

  3. MAC randomization was set to default, causing ISE to see a different MAC than expected
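
Why 5 and the root cause statement above both turn on telling a static-address conflict apart from a DHCP failure when the error message is the same for both. The script below is an added example, not part of the original RCA: it performs that triage on text shaped like the output of `nmcli -t -f ipv4.method,ipv4.addresses connection show` and `ip neigh show`. The function name, the gateway entry, the `eth0` interface and the client MAC are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage for "IP configuration could not be reserved".
# On a live host the inputs would come from (names are placeholders):
#   nmcli -t -f ipv4.method,ipv4.addresses connection show "<profile>"
#   ip neigh show      # taken on a host already attached to the same VLAN

# classify_ip_failure PROFILE_TEXT NEIGH_TEXT OWN_MAC
# Prints: dhcp-path | static-conflict <ip> <mac> | static-no-conflict <ip>
classify_ip_failure() (
    profile=$1
    neigh=$2
    own_mac=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    method=$(printf '%s\n' "$profile" | sed -n 's/^ipv4\.method://p')
    addr=$(printf '%s\n' "$profile" | sed -n 's/^ipv4\.addresses://p')
    addr=${addr%%/*}          # first address, prefix length stripped

    if [ "$method" != "manual" ] || [ -z "$addr" ]; then
        # Not a static profile: the DHCP hypotheses are the right path.
        echo "dhcp-path"
    else
        # Which MAC does the neighbour table map the static address to?
        owner=$(printf '%s\n' "$neigh" | awk -v ip="$addr" '
            $1 == ip { for (i = 2; i < NF; i++)
                           if ($i == "lladdr") { print tolower($(i + 1)); exit } }')
        if [ -n "$owner" ] && [ "$owner" != "$own_mac" ]; then
            echo "static-conflict $addr $owner"
        else
            # No entry, a FAILED entry, or our own MAC: no conflict seen.
            echo "static-no-conflict $addr"
        fi
    fi
)

# Constructed sample input modelled on this incident.
SAMPLE_PROFILE='ipv4.method:manual
ipv4.addresses:10.50.1.200/24'
SAMPLE_NEIGH='10.50.1.1 dev eth0 lladdr 00:00:5e:00:53:01 REACHABLE
10.50.1.200 dev eth0 lladdr 3c:ec:ef:43:50:42 STALE'
SAMPLE_OWN_MAC='02:00:00:AA:BB:CC'   # constructed client MAC

classify_ip_failure "$SAMPLE_PROFILE" "$SAMPLE_NEIGH" "$SAMPLE_OWN_MAC"
```

A `static-no-conflict` result only means the neighbour table holds no competing entry; a stale or empty table does not prove the address is free.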

Contributing Factors

| Factor | Description | Preventable? |
|---|---|---|
| Short DHCP timeout | NetworkManager default DHCP timeout may be too aggressive | Yes - increase ipv4.dhcp-timeout |
| No fallback connection | No WPA2-PSK fallback for when EAP-TLS infra fails | Yes - create hotspot connection |
| Wired worked | Wired EAP-TLS working rules out cert issues, ISE auth | N/A (diagnostic) |