NetworkManager WiFi 802.1X EAP-TLS

Overview

This guide configures WiFi 802.1X EAP-TLS authentication using NetworkManager (nmcli). This is the recommended approach for modern Linux distributions with desktop environments.

For headless servers or minimal installs, see wpa_supplicant WiFi Configuration.

Prerequisites

  • User certificate issued by trusted CA (AD CS or Vault)

  • CA certificate in ISE trust store

  • WLC configured with WPA2-Enterprise SSID

  • ISE policy set configured for WiFi EAP-TLS

Certificate Locations

/etc/ssl/certs/<hostname>-eaptls.pem      # Client certificate
/etc/ssl/private/<hostname>-eaptls.key    # Private key (chmod 600)
/etc/ssl/certs/HOME-ROOT-CA.pem           # CA certificate (AD CS)
# OR
/etc/ssl/certs/DOMUS-ROOT-CA.pem          # CA certificate (Vault)

Step 1: Identify WiFi Interface

# List interfaces
nmcli device status

# Example output:
# DEVICE       TYPE      STATE         CONNECTION
# wlan0        wifi      disconnected  --
# enp0s31f6    ethernet  connected     Wired-802.1X

Enterprise WiFi Backend: wpa_supplicant vs iwd

For enterprise 802.1X environments, NetworkManager MUST use wpa_supplicant as the WiFi backend, not iwd.

  • wpa_supplicant: Industry standard, mature, full EAP support (EAP-TLS, PEAP, EAP-TTLS)

  • iwd: Newer Intel project, limited enterprise 802.1X support, incompatible configuration format

Configure wpa_supplicant Backend

# Create WiFi backend configuration
sudo mkdir -p /etc/NetworkManager/conf.d
printf '[device]\nwifi.backend=wpa_supplicant\n' | sudo tee /etc/NetworkManager/conf.d/wifi_backend.conf

# Disable iwd completely
sudo systemctl stop iwd
sudo systemctl disable iwd
sudo systemctl mask iwd

# Enable wpa_supplicant
sudo systemctl enable wpa_supplicant
sudo systemctl start wpa_supplicant

# Restart NetworkManager
sudo systemctl restart NetworkManager

Some distributions (like Arch Linux) default to iwd. Always verify the backend before configuring enterprise WiFi.

Step 2: Verify WiFi Interface Name

WiFi interface name varies by system:

  • Common names: wlan0, wlan1, wlp4s0

  • Interface name may change when switching between iwd and wpa_supplicant

  • Always verify the actual interface name before creating connections

# Check WiFi interface name
nmcli device status | grep wifi

# Verify it's managed (not "unmanaged")
# Expected: wlan0    wifi    disconnected    --
# Bad:      wlan0    wifi    unmanaged       --

# Alternative: use ip link
ip link show | grep -i wlan

# Or check wireless devices
iw dev

Step 3: Create WiFi 802.1X Connection

Basic Configuration

Arch Linux does not ship the hostname command by default; use cat /etc/hostname or type the hostname literally.

Do NOT pass the identity-flags parameter: it is not valid for WiFi connections and causes an "invalid property" error. The identity is stored in the connection file by default.

# Get your hostname first
MYHOST=$(cat /etc/hostname)
echo "Hostname: $MYHOST"

# Verify WiFi interface name (replace wlan0 if different)
nmcli device status | grep wifi

# Create WiFi 802.1X EAP-TLS connection (uses $MYHOST set above)
sudo nmcli connection add \
  type wifi \
  con-name "Domus-Secure" \
  ifname wlan0 \
  ssid "Domus-Secure" \
  wifi-sec.key-mgmt wpa-eap \
  802-1x.eap tls \
  802-1x.identity "$MYHOST.inside.domusdigitalis.dev" \
  802-1x.ca-cert /etc/ssl/certs/HOME-ROOT-CA.pem \
  802-1x.client-cert /etc/ssl/certs/$MYHOST-eaptls.pem \
  802-1x.private-key /etc/ssl/private/$MYHOST-eaptls.key \
  802-1x.private-key-password-flags 4 \
  connection.autoconnect yes

Table 1. Flag Values:

  Flag                            Meaning
  identity-flags=0                Store identity in connection file (not as secret); wired connections only, not valid for WiFi
  private-key-password-flags=4    Not required (key has no password)

With Private Key Password

If your private key has a password, pass it with 802-1x.private-key-password instead of setting password-flags 4 (note that a password given on the command line is recorded in your shell history and stored in the connection file):

sudo nmcli connection add \
  type wifi \
  con-name "Domus-Secure" \
  ifname wlan0 \
  ssid "Domus-Secure" \
  wifi-sec.key-mgmt wpa-eap \
  802-1x.eap tls \
  802-1x.identity "$(hostname).inside.domusdigitalis.dev" \
  802-1x.ca-cert /etc/ssl/certs/HOME-ROOT-CA.pem \
  802-1x.client-cert /etc/ssl/certs/$(hostname)-eaptls.pem \
  802-1x.private-key /etc/ssl/private/$(hostname)-eaptls.key \
  802-1x.private-key-password "your-password-here" \
  connection.autoconnect yes

Home Lab Example: modestus-p50

# modestus-p50 connecting to Domus-Secure SSID
sudo nmcli connection add \
  type wifi \
  con-name "Domus-Secure" \
  ifname wlan0 \
  ssid "Domus-Secure" \
  wifi-sec.key-mgmt wpa-eap \
  802-1x.eap tls \
  802-1x.identity "modestus-p50.inside.domusdigitalis.dev" \
  802-1x.ca-cert /etc/ssl/certs/HOME-ROOT-CA.pem \
  802-1x.client-cert /etc/ssl/certs/modestus-p50-eaptls.pem \
  802-1x.private-key /etc/ssl/private/modestus-p50-eaptls.key \
  connection.autoconnect yes

Step 4: Activate Connection

# Bring up the connection
sudo nmcli connection up "Domus-Secure"

Step 5: Verify Authentication

# Check connection status
nmcli connection show "Domus-Secure"

# Check device status
nmcli device show wlan0

# View assigned IP
ip addr show wlan0

# Check WiFi details
nmcli device wifi list

# Check ISE authentication (from ISE or via netapi)
dsource d000 dev/network
netapi ise mnt session $(cat /sys/class/net/wlan0/address)
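As an added example (not code from the original guide), here is the whole of Steps 1 to 5 as one script: it checks the backend, the interface state and the key permissions before creating the profile with private-key-password-flags 4 already set, so the "Secrets were required" failure cannot occur on first activation. SSID, identity suffix and certificate paths follow the guide; the function names, the conf.d-only backend check and the `provision` entry point are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: preflight checks followed by an
# idempotent connection create. SSID, identity suffix and certificate paths are the
# guide's; the function names and the check order are this example's own.
set -e

IDENTITY_SUFFIX="inside.domusdigitalis.dev"

# EAP identity from the short hostname (no dependency on the hostname command).
eaptls_identity() {
  host="${1:-$(cat /etc/hostname)}"
  printf '%s.%s\n' "${host%%.*}" "$IDENTITY_SUFFIX"
}

# WiFi backend set in the drop-in directory ("wpa_supplicant" when nothing sets it).
wifi_backend() {
  confdir="${1:-/etc/NetworkManager/conf.d}"
  val=$(cat "$confdir"/*.conf 2>/dev/null \
        | sed -n 's/^[[:space:]]*wifi\.backend[[:space:]]*=[[:space:]]*//p' | tail -n 1)
  printf '%s\n' "${val:-wpa_supplicant}"
}

# A private key must not be readable by anyone but its owner.
key_mode_ok() {
  mode=$(stat -c '%a' "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# NetworkManager must manage the interface; "unmanaged" means a conf.d file
# excludes it (see Issue 1 in the troubleshooting section).
iface_managed() {
  state=$(nmcli -g GENERAL.STATE device show "$1" 2>/dev/null || true)
  case "$state" in
    ""|*unmanaged*) return 1 ;;
    *)              return 0 ;;
  esac
}

# Create (or recreate) the EAP-TLS profile; run as root so the key is readable.
create_eaptls_connection() {
  con="$1"; ssid="$2"; iface="$3"; host="${4%%.*}"; ca="$5"
  cert="/etc/ssl/certs/${host}-eaptls.pem"
  key="/etc/ssl/private/${host}-eaptls.key"

  [ "$(wifi_backend)" = "wpa_supplicant" ] || { echo "backend is $(wifi_backend), not wpa_supplicant" >&2; return 1; }
  iface_managed "$iface" || { echo "$iface is not managed by NetworkManager" >&2; return 1; }
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
  done
  key_mode_ok "$key" || { echo "$key must be mode 600" >&2; return 1; }

  # Delete any stale profile of the same name so reruns are safe.
  nmcli connection delete "$con" >/dev/null 2>&1 || true
  nmcli connection add \
    type wifi con-name "$con" ifname "$iface" ssid "$ssid" \
    wifi-sec.key-mgmt wpa-eap \
    802-1x.eap tls \
    802-1x.identity "$(eaptls_identity "$host")" \
    802-1x.ca-cert "$ca" \
    802-1x.client-cert "$cert" \
    802-1x.private-key "$key" \
    802-1x.private-key-password-flags 4 \
    connection.autoconnect yes
}

provision() {
  create_eaptls_connection "Domus-Secure" "Domus-Secure" "$1" \
    "$(cat /etc/hostname)" /etc/ssl/certs/HOME-ROOT-CA.pem
  nmcli connection up "Domus-Secure"
}

# Only acts when invoked as: sudo sh provision-eaptls.sh provision wlan0
if [ "${1:-}" = "provision" ]; then
  provision "${2:-wlan0}"
fi
```

Run it as root (the key under /etc/ssl/private is mode 600); invoked without the provision argument it only defines the functions, which is convenient for sourcing them into an interactive shell.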

Comprehensive Troubleshooting Commands

This section provides quick reference commands for diagnosing wireless 802.1X issues using both NetworkManager (nmcli) and ISE automation (netapi). The commands use the connection name "Domus-Secure-802.1X" and the modestus-razer certificate paths from the deployment described under Lessons Learned below; substitute your own con-name and hostname.

NetworkManager Status Commands

# Quick connection status check
nmcli connection show --active | grep -E "NAME|Domus-Secure"

# Detailed connection configuration
nmcli connection show "Domus-Secure-802.1X"

# Check certificate paths and flags
nmcli connection show "Domus-Secure-802.1X" | grep -E "(802-1x.ca-cert|802-1x.client-cert|802-1x.private-key|password-flags)"

# Verify password-flags are correct (should be 4 for passwordless keys)
nmcli connection show "Domus-Secure-802.1X" | grep password-flags

# Check WiFi interface status
nmcli device status | grep wifi

# Show wireless networks in range
nmcli device wifi list

# Check current WiFi connection details
iw dev wlan0 info

# Verify VLAN assignment via IP address
ip addr show wlan0 | grep inet
# Expected for VLAN 10: 10.50.10.x/24
# Expected for VLAN 40: 10.50.40.x/24

ISE Session Verification Commands

# Get wireless MAC address
MAC=$(ip link show wlan0 | grep -oP 'link/ether \K[^ ]+')
echo "Wireless MAC: $MAC"

# Load ISE credentials (from dsec vault)
dsource d000 dev/network

# Check active ISE session
netapi ise mnt session $MAC

# Get detailed authentication diagnostics
netapi ise dc session $MAC

# Check which authorization profile was applied
netapi ise dc session $MAC | grep -i "authorization profile"

# List authorization rules in Corp WIFI policy set
netapi ise get-authz-rules "Corp WIFI"

# Verify ISE policy sets
netapi ise get-policy-sets | grep -i "corp wifi"

Certificate Verification Commands

# Verify certificate and private key match (RSA keys only: -modulus applies to RSA;
# for EC keys compare the public keys with openssl pkey -pubout instead)
sudo openssl x509 -in /etc/ssl/certs/modestus-razer-eaptls.pem -noout -modulus | md5sum
sudo openssl rsa -in /etc/ssl/private/modestus-razer-eaptls.key -noout -modulus | md5sum
# MD5 hashes MUST match!

# Check certificate expiration
sudo openssl x509 -in /etc/ssl/certs/modestus-razer-eaptls.pem -noout -dates

# Verify certificate subject matches identity
sudo openssl x509 -in /etc/ssl/certs/modestus-razer-eaptls.pem -noout -subject

# Check CA certificate
sudo openssl x509 -in /etc/ssl/certs/HOME-ROOT-CA.pem -noout -subject -issuer
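The checks above, as an added example that is not part of the original guide, collected into functions. It compares the public key extracted from the certificate with the one derived from the private key (so it works for EC as well as RSA keys), extracts the subject CN to compare against the EAP identity, uses openssl's -checkend for remaining validity, and runs openssl verify against the CA file. The function names are this example's own; the certificate, key and identity values in the usage comment are the guide's.

```shell
#!/bin/sh
# Added example, not from the original guide: the certificate checks of this
# section as reusable functions. Compares public keys (works for RSA and EC keys),
# checks the subject CN against the EAP identity, the remaining validity with
# -checkend, and the chain against the CA file. Function names are this example's.
set -e

# The public key inside the certificate must equal the one derived from the key.
cert_key_match() {
  a=$(openssl x509 -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Subject Common Name (ISE matches the EAP identity against this).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

cert_matches_identity() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Still valid for at least $2 days (default 30)? -checkend exits non-zero otherwise.
cert_not_expiring() {
  days="${2:-30}"
  openssl x509 -in "$1" -noout -checkend "$((days * 86400))" >/dev/null
}

# Does the client certificate verify against the CA that ISE trusts?
cert_chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all checks: prints one verdict line each, returns 1 if any check failed.
verify_eaptls_material() {
  cert="$1"; key="$2"; ca="$3"; identity="$4"; rc=0
  if cert_key_match "$cert" "$key"; then echo "OK   private key matches certificate"
  else echo "FAIL private key does not match certificate"; rc=1; fi
  if cert_matches_identity "$cert" "$identity"; then echo "OK   CN matches identity $identity"
  else echo "FAIL CN is '$(cert_cn "$cert")', identity is '$identity'"; rc=1; fi
  if cert_not_expiring "$cert" 30; then echo "OK   valid for more than 30 days"
  else echo "FAIL expires within 30 days or already expired"; rc=1; fi
  if cert_chain_ok "$cert" "$ca"; then echo "OK   chains to $ca"
  else echo "FAIL does not verify against $ca"; rc=1; fi
  return $rc
}

# Example call (as root, since /etc/ssl/private is not world-readable):
#   verify_eaptls_material /etc/ssl/certs/modestus-razer-eaptls.pem \
#     /etc/ssl/private/modestus-razer-eaptls.key \
#     /etc/ssl/certs/HOME-ROOT-CA.pem modestus-razer.inside.domusdigitalis.dev
```

A FAIL on the first check means the connection is pointing at a key that does not belong to the certificate, which ISE reports only as a generic TLS failure; a FAIL on the last check is the "TLS handshake failed" case where the CA file does not match what ISE trusts.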

Live Monitoring Commands

# Monitor NetworkManager logs in real-time
journalctl -u NetworkManager -f

# Monitor wpa_supplicant logs
journalctl -t wpa_supplicant -f

# Combined monitoring (NetworkManager + wpa_supplicant)
journalctl -u NetworkManager -t wpa_supplicant -f | grep -i "wlan0\|802.1x\|eap"

# Monitor with specific filters
journalctl -u NetworkManager -f | grep -E "wlan0|EAP|TLS|authentication"

Quick Diagnostic Flow

When troubleshooting wireless 802.1X issues, follow this sequence:

# 1. Verify you're connected to the correct SSID
iw dev wlan0 info | grep ssid
# Expected: ssid Domus-Secure

# 2. Check IP address to verify VLAN assignment
ip addr show wlan0 | grep "inet "
# Expected: 10.50.10.x (VLAN 10 = DATA_VLAN)
# Wrong:    10.50.40.x (VLAN 40 = RESEARCH_VLAN)

# 3. Check ISE session to see which rule matched
MAC=$(ip link show wlan0 | grep -oP 'link/ether \K[^ ]+')
dsource d000 dev/network
netapi ise dc session $MAC

# 4. If wrong VLAN, check authorization rule order
netapi ise get-authz-rules "Corp WIFI"

# 5. Test connectivity
ping -c 3 10.50.1.1  # pfSense gateway

Connection Management Commands

# Disconnect from wireless
sudo nmcli connection down "Domus-Secure-802.1X"

# Reconnect to wireless
sudo nmcli connection up "Domus-Secure-802.1X"

# Delete connection (to recreate from scratch)
sudo nmcli connection delete "Domus-Secure-802.1X"

# Fix password-flags after connection creation
sudo nmcli connection modify "Domus-Secure-802.1X" \
  802-1x.private-key-password-flags 4 \
  802-1x.client-cert-password-flags 4 \
  802-1x.ca-cert-password-flags 4

Modifying Connection

# Change identity
sudo nmcli connection modify "Domus-Secure" \
  802-1x.identity "new-identity@domain"

# Update certificate paths
sudo nmcli connection modify "Domus-Secure" \
  802-1x.client-cert /etc/ssl/certs/new-cert.pem \
  802-1x.private-key /etc/ssl/private/new-key.key

# Change SSID
sudo nmcli connection modify "Domus-Secure" \
  wifi.ssid "New-SSID-Name"

# Disable autoconnect
sudo nmcli connection modify "Domus-Secure" \
  connection.autoconnect no

# Set connection priority (higher = preferred)
sudo nmcli connection modify "Domus-Secure" \
  connection.autoconnect-priority 100

Migration from wpa_supplicant

If currently using wpa_supplicant for WiFi, follow these steps.

1. Verify wpa_supplicant is Running

# Quick status check
systemctl status wpa_supplicant-wifi@wlan0.service | grep -E "Active:|loaded|running"

# Deep validation - confirm EAP-TLS is working
sudo wpa_cli -i wlan0 status | grep -E "wpa_state|eap_state|ssid|key_mgmt"
Expected output (before migration):
Loaded: loaded (/usr/lib/systemd/system/wpa_supplicant-wifi@.service; enabled; preset: disabled)
Active: active (running) since ...
wpa_state=COMPLETED
ssid=Domus-Secure
key_mgmt=WPA2/IEEE 802.1X/EAP

2. Stop and Disable wpa_supplicant

sudo systemctl stop wpa_supplicant-wifi@wlan0.service
sudo systemctl disable wpa_supplicant-wifi@wlan0.service

3. Verify it’s Stopped

systemctl status wpa_supplicant-wifi@wlan0.service | grep -E "Active:|loaded"
Expected output (after stop):
Loaded: loaded (/usr/lib/systemd/system/wpa_supplicant-wifi@.service; disabled; preset: disabled)
Active: inactive (dead)

4. Remove Unmanaged Config (if exists)

# Check if NetworkManager was told to ignore wlan0
cat /etc/NetworkManager/conf.d/unmanaged.conf 2>/dev/null

# Remove if exists
sudo rm -f /etc/NetworkManager/conf.d/unmanaged.conf

# Restart NetworkManager
sudo systemctl restart NetworkManager

5. Verify wlan0 is Managed

nmcli device status | grep wlan0
Expected output:
wlan0    wifi    disconnected    --

Keep the wired connection up during the WiFi migration: if NetworkManager WiFi fails, you still have network access over wired to troubleshoot.

6. Create and Activate Connection

# Create connection (see Step 3 above for the full command)
sudo nmcli connection add \
  type wifi \
  con-name "Domus-Secure" \
  ifname wlan0 \
  ssid "Domus-Secure" \
  wifi-sec.key-mgmt wpa-eap \
  802-1x.eap tls \
  802-1x.identity "$(hostname).inside.domusdigitalis.dev" \
  802-1x.ca-cert /etc/ssl/certs/HOME-ROOT-CA.pem \
  802-1x.client-cert /etc/ssl/certs/$(hostname)-eaptls.pem \
  802-1x.private-key /etc/ssl/private/$(hostname)-eaptls.key \
  connection.autoconnect yes

# Activate
sudo nmcli connection up "Domus-Secure"

7. Verify NetworkManager WiFi

# Quick validation
nmcli connection show "Domus-Secure" | grep -E "GENERAL.STATE|connection.type|802-1x|wifi"

# Device status
nmcli device show wlan0 | grep -E "GENERAL.STATE|IP4.ADDRESS|WIFI"
Expected output (success):
GENERAL.STATE:    100 (connected)
connection.type:  802-11-wireless
wifi.ssid:        Domus-Secure
wifi-sec.key-mgmt: wpa-eap
802-1x.eap:       tls
802-1x.identity:  modestus-p50.inside.domusdigitalis.dev
GENERAL.STATE:    100 (connected)
IP4.ADDRESS[1]:   10.50.10.xxx/24

8. ISE Session Verification

# Load credentials
dsource d000 dev/network

# Check ISE session (should show dot1x/EAP-TLS)
netapi ise mnt session $(cat /sys/class/net/wlan0/address)
Expected fields in ISE output:
Method:    dot1x
Protocol:  EAP-TLS
Username:  <hostname>.inside.domusdigitalis.dev
Status:    PASSED
NAD Name:  Home-9800-WLC
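As an added example (not from the original guide), the SSID, VLAN and ISE session checks from the Quick Diagnostic Flow and from this step turned into functions: `vlan_from_ip` and `vlan_name` encode the 10.50.<vlan>.0/24 scheme and the two VLAN names the guide uses, and `ise_session_ok` parses "Field: value" lines like the expected netapi output above. That line format is an assumption taken from the expected-fields listing; the function names and the `diagnose` wrapper are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: the diagnostic flow as functions.
# VLAN numbers/names and the expected ISE fields are the guide's; the parsers and
# function names are this example's own assumptions.
set -e

# VLAN id from an address in the lab's 10.50.<vlan>.0/24 scheme; empty otherwise.
vlan_from_ip() {
  case "$1" in
    10.50.*) printf '%s\n' "$1" | cut -d. -f3 ;;
    *)       printf '\n' ;;
  esac
}

# Names the guide gives to the VLANs seen during troubleshooting.
vlan_name() {
  case "$1" in
    10) echo DATA_VLAN ;;
    40) echo RESEARCH_VLAN ;;
    *)  echo UNKNOWN ;;
  esac
}

# First IPv4 address on the interface, without prefix length.
current_ip() {
  ip -4 -o addr show "$1" | sed -n 's/.* inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# SSID the interface is associated with (empty when not associated).
current_ssid() {
  iw dev "$1" info | sed -n 's/^[[:space:]]*ssid //p'
}

# Reads "Field: value" lines (the layout of the expected netapi output above) on
# stdin and succeeds only for a passed dot1x EAP-TLS session. Prints the reason.
ise_session_ok() {
  method=""; proto=""; status=""
  while IFS= read -r line; do
    key=${line%%:*}
    val=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    case "$key" in
      Method)   method=$val ;;
      Protocol) proto=$val ;;
      Status)   status=$val ;;
    esac
  done
  [ "$method" = "dot1x" ]  || { echo "method is '$method', expected dot1x"; return 1; }
  [ "$proto" = "EAP-TLS" ] || { echo "protocol is '$proto', expected EAP-TLS"; return 1; }
  [ "$status" = "PASSED" ] || { echo "status is '$status', expected PASSED"; return 1; }
  echo "dot1x EAP-TLS session PASSED"
}

# Steps 1-3 of the flow against a live interface. Load ISE credentials first
# (dsource d000 dev/network, as in the guide); needs iw, ip and netapi.
diagnose() {
  iface="${1:-wlan0}"; want_ssid="${2:-Domus-Secure}"; want_vlan="${3:-10}"
  ssid=$(current_ssid "$iface")
  if [ "$ssid" = "$want_ssid" ]; then echo "OK   ssid $ssid"
  else echo "FAIL ssid '$ssid', expected $want_ssid"; fi
  addr=$(current_ip "$iface"); vlan=$(vlan_from_ip "$addr")
  if [ "$vlan" = "$want_vlan" ]; then echo "OK   $addr is VLAN $vlan ($(vlan_name "$vlan"))"
  else echo "FAIL $addr is VLAN '$vlan' ($(vlan_name "$vlan")), expected $want_vlan"; fi
  netapi ise mnt session "$(cat "/sys/class/net/$iface/address")" | ise_session_ok
}
```

A wrong VLAN with a PASSED EAP-TLS session points at authorization rule order on ISE (step 4 of the flow), whereas a session that is not dot1x/EAP-TLS points back at the supplicant configuration.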

Troubleshooting

Check Logs

# NetworkManager logs
journalctl -u NetworkManager -f

# wpa_supplicant logs (NetworkManager uses this internally)
journalctl -t wpa_supplicant -f

# Combined view
journalctl -u NetworkManager -t wpa_supplicant -f

Issue 1: WiFi Interface "unmanaged"

Symptom:

nmcli device status
wlan0    wifi    unmanaged    --

Cause: NetworkManager configuration file explicitly marks the interface as unmanaged.

Solution:

# Check for unmanaged configuration
ls -la /etc/NetworkManager/conf.d/

# Look for files like unmanaged-wlan0.conf
cat /etc/NetworkManager/conf.d/unmanaged-wlan0.conf

# If it contains:
# [keyfile]
# unmanaged-devices=interface-name:wlan0

# Remove it
sudo rm /etc/NetworkManager/conf.d/unmanaged-wlan0.conf

# Restart NetworkManager
sudo systemctl restart NetworkManager

# Verify wlan0 is now managed
nmcli device status | grep wlan

Issue 2: "Secrets Required" Error

Symptom:

Error: Connection activation failed: Secrets were required, but not provided

Cause: NetworkManager is using iwd backend instead of wpa_supplicant, or connection file has invalid syntax.

Solution A: Verify wpa_supplicant backend

# Check backend configuration
cat /etc/NetworkManager/conf.d/wifi_backend.conf

# Should show:
# [device]
# wifi.backend=wpa_supplicant

# If it shows "iwd", fix it
printf '[device]\nwifi.backend=wpa_supplicant\n' | sudo tee /etc/NetworkManager/conf.d/wifi_backend.conf

# Disable iwd
sudo systemctl stop iwd
sudo systemctl disable iwd
sudo systemctl mask iwd

# Restart NetworkManager
sudo systemctl restart NetworkManager

Solution B: Fix connection file syntax

# Edit connection file
sudo nvim /etc/NetworkManager/system-connections/Domus-Secure.nmconnection

# In [802-1x] section, ensure NO semicolon after tls:
# WRONG: eap=tls;
# CORRECT: eap=tls

# Verify all required fields:
# eap=tls
# identity=<hostname>.inside.domusdigitalis.dev
# ca-cert=/etc/ssl/certs/HOME-ROOT-CA.pem
# client-cert=/etc/ssl/certs/<hostname>-eaptls.pem
# private-key=/etc/ssl/private/<hostname>-eaptls.key
# private-key-password-flags=4

# Reload and retry
nmcli connection reload
nmcli connection up "Domus-Secure"

Issue 3: WiFi Interface Disappeared After Disabling iwd

Symptom:

# After stopping iwd
ip link show wlan0
Device "wlan0" does not exist.

# But WiFi hardware exists
rfkill list
1: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no

Cause: iwd created the wlan0 interface. When iwd is stopped without wpa_supplicant taking over, the interface disappears.

Solution:

# Option 1: Reload WiFi driver
lspci -k | grep -A 3 -i wireless  # Find driver name (e.g., iwlwifi)

# Unload dependent modules first
sudo modprobe -r iwlmvm
sudo modprobe -r mac80211
sudo modprobe -r iwlwifi

# Reload driver
sudo modprobe iwlwifi
sudo modprobe mac80211
sudo modprobe iwlmvm

# Check if interface appeared (may be wlan1 instead of wlan0!)
ip link show | grep wlan

# Option 2: Reboot (cleanest solution)
sudo reboot

The interface name may change from wlan0 to wlan1 (or vice versa) when switching between the iwd and wpa_supplicant backends!

Always verify the actual interface name after a driver reload or backend switch:

nmcli device status | grep wifi
# Update connection if interface name changed
nmcli connection modify "Domus-Secure" ifname wlan1

Issue 4: iwd Still Being Used Despite Configuration

Symptom:

journalctl -u NetworkManager | grep -i iwd
device (wlan0): new IWD device state is connecting
GDBus.Error:net.connman.iwd.Failed: Operation failed

Cause: iwd service is still running, or wifi_backend.conf has wrong value.

Solution:

# 1. Completely disable iwd
sudo systemctl stop iwd
sudo systemctl disable iwd
sudo systemctl mask iwd

# 2. Verify backend configuration
cat /etc/NetworkManager/conf.d/wifi_backend.conf

# Must show "wpa_supplicant", not "iwd"
# If wrong, fix it:
printf '[device]\nwifi.backend=wpa_supplicant\n' | sudo tee /etc/NetworkManager/conf.d/wifi_backend.conf

# 3. Ensure wpa_supplicant is running
sudo systemctl enable wpa_supplicant
sudo systemctl start wpa_supplicant

# 4. Restart NetworkManager
sudo systemctl restart NetworkManager

# 5. Verify logs show wpa_supplicant
journalctl -u NetworkManager -n 50 | grep -i "wpa_supplicant\|iwd"

Issue 5: "invalid property 'identity-flags'" Error

Symptom:

Error: invalid property 'identity-flags': 'identity-flags' not among [...]

Cause: identity-flags parameter is not valid for WiFi connections (only for wired 802.1X).

Solution: Remove 802-1x.identity-flags 0 from the connection command. The identity is automatically stored in the connection file.

Lessons Learned: The Password-Flags Issue

CRITICAL LESSON: Password-flags MUST be set correctly for passwordless private keys

This issue affects BOTH wired AND wireless 802.1X configurations and is one of the most common causes of "Secrets were required, but not provided" errors.

The Problem Explained

When using EAP-TLS with passwordless private keys (keys without encryption), NetworkManager must be explicitly told that no password is required. Otherwise, it will prompt for a password that doesn’t exist, causing authentication failure.

Symptom:

Error: Connection activation failed: Secrets were required, but not provided

Why This Happens:

  1. By default, NetworkManager assumes private keys are encrypted

  2. When connecting, it waits for a password prompt

  3. Since the key has no password, the prompt never resolves

  4. Connection fails with "secrets required" error

The Fix:

Set private-key-password-flags=4 which tells NetworkManager: "This key has no password, don’t ask for one"

# For wireless connections:
sudo nmcli connection modify "Domus-Secure-802.1X" \
  802-1x.private-key-password-flags 4 \
  802-1x.client-cert-password-flags 4 \
  802-1x.ca-cert-password-flags 4

# For wired connections:
sudo nmcli connection modify "Wired-802.1X" \
  802-1x.private-key-password-flags 4 \
  802-1x.client-cert-password-flags 4 \
  802-1x.ca-cert-password-flags 4

Flag Values Reference

  Flag Value   Meaning
  0            Agent-owned secret (store in connection file)
  1            Not saved (prompt each time)
  2            Not required
  4            Not required (preferred for passwordless keys)

Real-World Example: modestus-razer Wireless Deployment

Initial Configuration (BROKEN):

# Created connection WITHOUT password-flags parameter
sudo nmcli connection add type wifi con-name "Domus-Secure-802.1X" \
  ifname wlan0 ssid "Domus-Secure" \
  wifi-sec.key-mgmt wpa-eap \
  802-1x.eap tls \
  802-1x.identity "modestus-razer.inside.domusdigitalis.dev" \
  802-1x.ca-cert /etc/ssl/certs/HOME-ROOT-CA.pem \
  802-1x.client-cert /etc/ssl/certs/modestus-razer-eaptls.pem \
  802-1x.private-key /etc/ssl/private/modestus-razer-eaptls.key
  # MISSING: 802-1x.private-key-password-flags 4

# Attempted to connect
sudo nmcli connection up "Domus-Secure-802.1X"
# Error: Connection activation failed: Secrets were required, but not provided

After Fix (WORKING):

# Fixed password-flags
sudo nmcli connection modify "Domus-Secure-802.1X" \
  802-1x.private-key-password-flags 4 \
  802-1x.client-cert-password-flags 4 \
  802-1x.ca-cert-password-flags 4

# Connected successfully
sudo nmcli connection up "Domus-Secure-802.1X"
# Connection successfully activated

# Verified VLAN assignment
ip addr show wlan0 | grep inet
# inet 10.50.10.111/24 brd 10.50.10.255 scope global dynamic noprefixroute wlan0
# ✓ Correct: VLAN 10 (DATA_VLAN)

Why This Applies to Both Wired AND Wireless

The 802-1x.* parameters are shared between wired and wireless connections in NetworkManager:

  • Wired 802.1X: Uses NetworkManager with 802-1x authentication

  • Wireless 802.1X: Uses NetworkManager with 802-1x authentication + WiFi parameters

Both use the same underlying EAP-TLS implementation, so password-flags behavior is identical.

Prevention: Always Include in Initial Configuration

Best Practice for Wireless:

# CRITICAL: the 802-1x.private-key-password-flags 4 line must be present
sudo nmcli connection add type wifi con-name "Domus-Secure-802.1X" \
  ifname wlan0 ssid "Domus-Secure" \
  wifi-sec.key-mgmt wpa-eap \
  802-1x.eap tls \
  802-1x.identity "$(hostname).inside.domusdigitalis.dev" \
  802-1x.ca-cert /etc/ssl/certs/HOME-ROOT-CA.pem \
  802-1x.client-cert /etc/ssl/certs/$(hostname)-eaptls.pem \
  802-1x.private-key /etc/ssl/private/$(hostname)-eaptls.key \
  802-1x.private-key-password-flags 4 \
  connection.autoconnect yes

Best Practice for Wired:

# CRITICAL: the 802-1x.private-key-password-flags 4 line must be present
sudo nmcli connection add type ethernet con-name "Wired-802.1X" \
  ifname enp0s31f6 \
  802-1x.eap tls \
  802-1x.identity "$(hostname).inside.domusdigitalis.dev" \
  802-1x.ca-cert /etc/ssl/certs/HOME-ROOT-CA.pem \
  802-1x.client-cert /etc/ssl/certs/$(hostname)-eaptls.pem \
  802-1x.private-key /etc/ssl/private/$(hostname)-eaptls.key \
  802-1x.private-key-password-flags 4 \
  802-1x.identity-flags 0 \
  connection.autoconnect yes

Key Takeaways

  1. Always set private-key-password-flags 4 for passwordless keys

  2. This applies to both wired AND wireless 802.1X

  3. Can be fixed after connection creation with nmcli connection modify

  4. Symptoms include "Secrets required" error despite valid certificates

  5. This is a NetworkManager behavior, not an ISE or certificate issue
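An audit script for the lesson above, added here as an example and not part of the original guide: it looks at every EAP-TLS connection NetworkManager knows about, decides from the PEM header whether the private key is encrypted, and flags the combination that produces the "Secrets were required" error (an unencrypted key with private-key-password-flags other than 4). The PEM-marker heuristic, the file:// prefix handling and the function names are this example's assumptions; the nmcli properties and the flag value 4 are the guide's.

```shell
#!/bin/sh
# Added example, not from the original guide: audit EAP-TLS connections for the
# password-flags mismatch. PEM markers, file:// handling and function names are
# this example's assumptions; the nmcli properties and flag value 4 are the guide's.
set -e

# A PEM private key is encrypted if it is PKCS#8 "ENCRYPTED PRIVATE KEY" or a legacy
# key with "Proc-Type: 4,ENCRYPTED". Unencrypted PEM keys carry neither marker.
key_is_encrypted() {
  grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Unencrypted key => flags must be 4 (not required); encrypted key => anything but 4.
flags_consistent() {
  if key_is_encrypted "$1"; then [ "$2" != "4" ]; else [ "$2" = "4" ]; fi
}

# nmcli may show certificate paths with a file:// prefix; normalise to a path.
strip_file_uri() {
  printf '%s\n' "${1#file://}"
}

# Report every connection using 802-1x.eap=tls; with fix=1 also repair the
# unencrypted-key case the same way the guide does. Needs root (keys under
# /etc/ssl/private are mode 600).
audit_eaptls_connections() {
  fix="${1:-0}"
  nmcli -g NAME connection show | while IFS= read -r con; do
    eap=$(nmcli -g 802-1x.eap connection show "$con" 2>/dev/null || true)
    [ "$eap" = "tls" ] || continue
    key=$(strip_file_uri "$(nmcli -g 802-1x.private-key connection show "$con" 2>/dev/null || true)")
    flags=$(nmcli -g 802-1x.private-key-password-flags connection show "$con" 2>/dev/null || true)
    flags=${flags%% *}   # keep only the number if nmcli prints "4 (not-required)"
    if [ ! -r "$key" ]; then
      echo "WARN $con: private key '$key' missing or unreadable"; continue
    fi
    if flags_consistent "$key" "$flags"; then
      echo "OK   $con: private-key-password-flags=$flags"
      continue
    fi
    if key_is_encrypted "$key"; then
      echo "FAIL $con: key is encrypted but flags=$flags says no password is needed"
    else
      echo "FAIL $con: key is unencrypted but flags=$flags (expect 4)"
      if [ "$fix" = "1" ]; then
        nmcli connection modify "$con" \
          802-1x.private-key-password-flags 4 \
          802-1x.client-cert-password-flags 4 \
          802-1x.ca-cert-password-flags 4
        echo "     fixed $con"
      fi
    fi
  done
}
```

Run `sudo sh -c '. ./audit-flags.sh; audit_eaptls_connections'` to report, or pass `1` to also apply the nmcli connection modify fix to unencrypted keys; the audit covers wired and wireless profiles alike because both carry the same 802-1x.* properties.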

Cross-References

Common Issues

  Issue                                 Solution
  "No secrets provided"                 Check certificate paths and permissions; verify wpa_supplicant backend
  "TLS handshake failed"                Verify CA cert matches ISE trust store
  "Authentication rejected"             Check ISE logs; verify identity matches certificate CN
  Connection keeps disconnecting        Check WLC policy profile; verify AAA override and NAC are enabled
  "Secrets required but not provided"   Set private-key-password-flags 4 (see Lessons Learned above)
  SSID not found                        Verify SSID spelling; check that the WiFi radio is enabled

Debug Mode

# Enable debug logging
sudo nmcli general logging level DEBUG domains ALL

# Attempt connection
sudo nmcli connection up "Domus-Secure"

# View debug output
journalctl -u NetworkManager --since "1 minute ago"

# Reset logging
sudo nmcli general logging level INFO domains DEFAULT

Force Reconnection

# Disconnect and reconnect
sudo nmcli connection down "Domus-Secure"
sudo nmcli connection up "Domus-Secure"

# Or restart the device
sudo nmcli device disconnect wlan0
sudo nmcli device connect wlan0

Check WiFi Hardware

# Check if WiFi is blocked
rfkill list

# Unblock if needed
sudo rfkill unblock wifi

# Verify WiFi interface exists
ip link show wlan0

Delete Connection

sudo nmcli connection delete "Domus-Secure"

GUI Alternative

For GNOME/KDE users:

  1. Settings → Wi-Fi → Select "Domus-Secure" network

  2. Security: WPA/WPA2 Enterprise

  3. Authentication: TLS

  4. Identity: hostname.inside.domusdigitalis.dev

  5. CA Certificate: Browse to /etc/ssl/certs/HOME-ROOT-CA.pem

  6. User Certificate: Browse to /etc/ssl/certs/<hostname>-eaptls.pem

  7. User Private Key: Browse to /etc/ssl/private/<hostname>-eaptls.key

  8. Connect

Quick Reference

# Create WiFi 802.1X connection
sudo nmcli connection add type wifi con-name "Domus-Secure" \
  ifname wlan0 ssid "Domus-Secure" wifi-sec.key-mgmt wpa-eap \
  802-1x.eap tls \
  802-1x.identity "$(hostname).inside.domusdigitalis.dev" \
  802-1x.ca-cert /etc/ssl/certs/HOME-ROOT-CA.pem \
  802-1x.client-cert /etc/ssl/certs/$(hostname)-eaptls.pem \
  802-1x.private-key /etc/ssl/private/$(hostname)-eaptls.key

# Activate
sudo nmcli connection up "Domus-Secure"

# Status
nmcli device status
nmcli connection show --active

# Logs
journalctl -u NetworkManager -f

# ISE verification
netapi ise mnt session $(cat /sys/class/net/wlan0/address)

Comparison: wpa_supplicant vs NetworkManager

  Aspect                wpa_supplicant                                  NetworkManager
  Config file           /etc/wpa_supplicant/wpa_supplicant-wifi.conf    Stored in /etc/NetworkManager/system-connections/
  Service               wpa_supplicant-wifi@wlan0.service               NetworkManager.service
  Management            Manual (config file edits)                      nmcli or GUI
  Desktop integration   Limited                                         Full (GNOME, KDE, etc.)
  Network switching     Manual                                          Automatic