Troubleshooting

Shell Issues

"cd: too many arguments"

Cause: A shell alias named netapi (pointing at cd) shadows the netapi CLI, so any arguments end up being passed to cd.

Solution: Use a function instead of an alias, so that netapi with no arguments changes directory and netapi with arguments runs the CLI:

# zsh/bash (~/.config/shell/atelier.shell)
netapi() {
    if [[ $# -eq 0 ]]; then
        cd ~/atelier/_projects/personal/netapi
    else
        uv run netapi "$@"
    fi
}

# fish (~/.config/shell/atelier.fish)
function netapi
    if test (count $argv) -eq 0
        cd ~/atelier/_projects/personal/netapi
    else
        uv run netapi $argv
    end
end

"not valid in this context"

Cause: Tildes in dsec values not expanding.

Solution: Fixed in dsec 2026-01-14 - dsec now uses double-quoted exports.

JSON Issues

JSON parse error with jq

Cause: Rich formatting interfering with JSON output.

Solution: Fixed in netapi 2026-01-14 - netapi uses plain print() for JSON output.

Certificate Issues

SSL certificate verify failed

Cause: ISE server certificate not trusted.

Solution: Provide the CA certificate:

export ISE_CA_CERT=~/.secrets/certs/ca/HOME-ROOT-CA.crt.age
netapi ise get-endpoint C8:5B:76:C6:59:62

Failed to decrypt CA

Cause: Age identity not found or incorrect.

Solution: Ensure AGE_IDENTITY points to your identity file:

export AGE_IDENTITY=~/.config/age/identity.txt

DataConnect Issues

ORA-12154: TNS:could not resolve the connect identifier

Cause: Oracle connection string issues.

Solution: Verify host and port are correct:

# Test connectivity
nc -zv ise-01.inside.domusdigitalis.dev 2484

Self-signed certificate warning

Expected behavior: DataConnect uses ISE’s internal Oracle database which presents a self-signed certificate. The client handles this explicitly.

802.1X EAP-TLS Authentication Failures

Error 22045: Identity policy configured for password auth but received certificate auth

ISE Error:

Failure Reason: 22045 Identity policy result is configured for password based authentication methods but received certificate based authentication request

Cause: The authentication policy is using a password-based identity source (Internal Users, AD, LDAP) but the client is sending EAP-TLS (certificate-based authentication).

Solution: Add an EAP-TLS authentication rule to the policy set that uses a Certificate Authentication Profile:

# Check current authentication policy
netapi ise get-policy-sets

# The policy set needs an authentication rule like:
# - Condition: Network Access.EapAuthentication == EAP-TLS
# - Identity Source: AD_Cert_Profile (or your certificate auth profile)

Via API:

# Add EAP-TLS authentication rule to a policy set
curl -sk -X POST "https://${ISE_PAN_IP}/api/v1/policy/network-access/policy-set/{POLICY_SET_ID}/authentication" \
  -H "Authorization: Basic ${ISE_API_TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{
    "rule": {
      "name": "EAP_TLS_Certificate_Auth",
      "rank": 0,
      "state": "enabled",
      "condition": {
        "conditionType": "ConditionAttributes",
        "isNegate": false,
        "dictionaryName": "Network Access",
        "attributeName": "EapAuthentication",
        "operator": "equals",
        "attributeValue": "EAP-TLS"
      }
    },
    "identitySourceName": "AD_Cert_Profile",
    "ifAuthFail": "REJECT",
    "ifUserNotFound": "REJECT",
    "ifProcessFail": "DROP"
  }'

Both wired AND wireless policy sets need this rule if using EAP-TLS!

A common mistake is configuring wired 802.1X with EAP-TLS authentication but forgetting to add the same rule to the wireless policy set. Each policy set (Corp WIFI, Wired Dot1X, etc.) needs its own EAP_TLS_Certificate_Auth rule.
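To catch the missing-rule mistake before a client is excluded, the following added example (not netapi code) audits every policy set for an enabled EAP-TLS rule bound to the certificate authentication profile. It assumes rules are shaped like the request body above (rule/condition plus identitySourceName); the real policy-set API response may nest these differently, and the sample data is constructed.

```python
"""Audit ISE policy sets for an enabled EAP-TLS authentication rule (added example,
not netapi code). Rules are assumed to be in the shape of the request body shown
above (rule/condition + identitySourceName); the real API response may differ."""

EAP_TLS_MATCH = ("Network Access", "EapAuthentication", "equals", "EAP-TLS")


def condition_matches_eap_tls(cond: dict) -> bool:
    """True if the condition (or any child of an AND/OR block) requires EAP-TLS."""
    if not cond:
        return False
    if "children" in cond:  # ConditionAndBlock / ConditionOrBlock (assumed shape)
        return any(condition_matches_eap_tls(c) for c in cond["children"])
    key = (cond.get("dictionaryName"), cond.get("attributeName"),
           cond.get("operator"), cond.get("attributeValue"))
    return key == EAP_TLS_MATCH and not cond.get("isNegate", False)


def has_eap_tls_rule(auth_rules: list, cert_profile: str) -> bool:
    """An enabled EAP-TLS rule that authenticates against the certificate profile."""
    for entry in auth_rules:
        rule = entry.get("rule", {})
        if rule.get("state") != "enabled":
            continue
        if not condition_matches_eap_tls(rule.get("condition")):
            continue
        if entry.get("identitySourceName") == cert_profile:
            return True
    return False


def policy_sets_missing_eap_tls(policy_sets: dict, cert_profile: str) -> list:
    """Names of policy sets (Corp WIFI, Wired Dot1X, ...) that lack the rule."""
    return sorted(name for name, rules in policy_sets.items()
                  if not has_eap_tls_rule(rules, cert_profile))


def _rule(name: str, eap_type: str, source: str) -> dict:
    """Builder for the constructed sample below (same shape as the curl body)."""
    cond = {"conditionType": "ConditionAttributes", "isNegate": False,
            "dictionaryName": "Network Access", "attributeName": "EapAuthentication",
            "operator": "equals", "attributeValue": eap_type}
    return {"rule": {"name": name, "state": "enabled", "condition": cond},
            "identitySourceName": source}


# Constructed sample: the wired set has the rule, the wireless set only a PEAP rule.
SAMPLE_POLICY_SETS = {
    "Wired Dot1X": [_rule("EAP_TLS_Certificate_Auth", "EAP-TLS", "AD_Cert_Profile")],
    "Corp WIFI": [_rule("PEAP_Password_Auth", "PEAP", "AD_Password")],
}
```

Feeding it the rules returned for each policy set reports "Corp WIFI" as missing the rule for the sample above; a rule that is disabled, negated, or bound to a password-based identity source does not count.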

Client gets TEMP-DISABLED or Excluded

Symptoms:

  • wpa_supplicant shows [TEMP-DISABLED] for the network

  • WLC shows client in Excluded state with reason 802.1X authentication credential

Cause: The client failed authentication multiple times and got excluded.

Solution:

  1. Fix the underlying authentication issue (usually error 22045 above)

  2. Wait for the exclusion timer to expire (typically 60 seconds)

  3. Or manually clear from WLC:

# Check exclusion list
netapi wlc run "show wireless exclusionlist"

# Client will auto-clear after timeout, or force reconnect:
sudo wpa_cli -i wlan0 reassociate

Certificate EKU (Extended Key Usage) Issues

Note: ISE may accept certificates with "TLS Web Server Authentication" EKU for EAP-TLS client authentication, depending on your Certificate Authentication Profile settings. However, best practice is to use "TLS Web Client Authentication" (OID 1.3.6.1.5.5.7.3.2) for client certificates.

# Check certificate EKU
openssl x509 -in /etc/ssl/certs/client.pem -noout -text | grep -A1 "Extended Key Usage"

# Expected for client auth:
# TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)

Validation Script

Run the validation script to test all APIs:

eval "$(dsec source d000 dev/network)"
bash ~/atelier/_projects/personal/netapi/scripts/validate-ise.sh

See Also

For development and SDK debugging: