Troubleshooting

Critical: iwd vs wpa_supplicant Conflict

iwd and wpa_supplicant cannot coexist for WiFi management. This is the most common cause of inconsistent WiFi behavior on Linux.

Symptoms of Conflict

  • WiFi connects but requires manual DHCP (dhcpcd wlan0) each time

  • Interface state flaps between COMPLETED and DISCONNECTED

  • wpa_state=INTERFACE_DISABLED in wpa_cli status

  • wlan0 interface disappears randomly

Root Cause

Both tools compete for WiFi interface control:

  • iwd: Modern WiFi daemon, good for PSK networks

  • wpa_supplicant: Required for 802.1X EAP-TLS

Solution: Disable iwd, Use wpa_supplicant

# Disable iwd completely
sudo systemctl stop iwd
sudo systemctl disable iwd
sudo systemctl mask iwd  # Prevent accidental start

# Verify iwd is disabled
systemctl is-enabled iwd  # Should show: masked (the unit was masked above)

# Enable wpa_supplicant for WiFi
sudo systemctl enable wpa_supplicant-wifi@wlan0
sudo systemctl start wpa_supplicant-wifi@wlan0

Table 1. Final Clean Network Stack (Arch Linux)

Layer                Tool                            Status
802.1X Auth (Wired)  wpa_supplicant-wired@enp0s31f6  enabled
802.1X Auth (WiFi)   wpa_supplicant-wifi@wlan0       enabled
DHCP                 dhcpcd                          enabled
WiFi Management      iwd                             disabled

Interface Recovery (wlan0 Disappears)

When wlan0 interface disappears after stopping iwd or during driver issues:

# Check if interface exists
ip link | grep wlan

# If missing, reload Intel WiFi drivers
sudo modprobe -r iwlmvm iwlwifi
sudo modprobe iwlwifi

# Verify interface returns
ip link | grep wlan

# Restart wpa_supplicant
sudo systemctl restart wpa_supplicant-wifi@wlan0

# Force reassociation
sudo wpa_cli -i wlan0 reassociate

DHCP Recovery (dhcpcd Conflicts)

When dhcpcd reports "sending commands to dhcpcd process":

# Kill all existing dhcpcd processes
sudo pkill -9 dhcpcd

# Run dhcpcd with debug (foreground)
sudo dhcpcd -d -B wlan0

# Or background mode
sudo dhcpcd wlan0

# Verify IP assignment
ip addr show wlan0

Table 2. dhcpcd Flags

Flag  Purpose
-d    Debug output
-B    Foreground (don’t daemonize)
-n    Notify/rebind existing lease

DNS Resolution Failure (WiFi-Only)

If WiFi is connected but DNS fails, dhcpcd is probably not running.

Symptoms

  • ping www.cisco.com returns "Temporary failure in name resolution"

  • WiFi has IP address (check with ip addr show wlan0)

  • /etc/resolv.conf is empty

Diagnosis

# Check if resolv.conf is empty
cat /etc/resolv.conf

# Check if dhcpcd is running
ps aux | grep dhcpcd
# If only "grep" shows, dhcpcd is NOT running

Solution

# Start dhcpcd for WiFi interface
sudo dhcpcd wlan0

# Verify DNS is now configured
cat /etc/resolv.conf
# Should show nameserver entries from DHCP

Expected resolv.conf (after dhcpcd runs)

# Generated by dhcpcd from wlan0.dhcp
search inside.domusdigitalis.dev home.local
nameserver 10.50.10.1

Why This Happens

The dhcpcd.service doesn’t automatically start dhcpcd for wlan0 after wpa_supplicant authenticates on WiFi. When wired is disconnected, dhcpcd stops managing interfaces and /etc/resolv.conf becomes stale or empty.

Permanent Fix Options

  1. Run dhcpcd without interface argument (manages all interfaces automatically)

  2. Create wpa_supplicant action script to start dhcpcd on CONNECTED event

  3. Add systemd dependency: wpa_supplicant-wifi@wlan0.service wants dhcpcd@wlan0.service
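
Option 2 as an added example (not part of the original page): a wpa_cli action script that hands the interface to dhcpcd on CONNECTED and releases the lease on DISCONNECTED. The script path and the WIFI_IF and DHCPCD variable names are assumptions made for this sketch; wpa_cli passes the interface name and the event as the two arguments.

```shell
#!/bin/sh
# Added example: wpa_cli action script (hypothetical path
# /etc/wpa_supplicant/dhcp-action.sh).
# wpa_cli calls it as: <script> <ifname> <CONNECTED|DISCONNECTED>
# Start it with: wpa_cli -i wlan0 -a /etc/wpa_supplicant/dhcp-action.sh -B

# Assumption: only this interface is managed here. Override per host.
WIFI_IF="${WIFI_IF:-wlan0}"
# Set DHCPCD="echo dhcpcd" for a dry run that prints instead of executing.
DHCPCD="${DHCPCD:-dhcpcd}"

handle_event() {
    ifname="$1"
    event="$2"

    # The script runs as root: refuse any interface other than the expected
    # one so a stray invocation cannot reconfigure the wired 802.1X port.
    if [ "$ifname" != "$WIFI_IF" ]; then
        echo "ignoring interface: $ifname" >&2
        return 2
    fi

    case "$event" in
        CONNECTED)
            # Authentication finished: rebind the lease. Per dhcpcd(8),
            # -n starts dhcpcd normally when no instance is running yet.
            $DHCPCD -n "$ifname"
            ;;
        DISCONNECTED)
            # Link lost: release the lease and de-configure the interface
            # so stale DNS settings do not linger.
            $DHCPCD -k "$ifname"
            ;;
        *)
            # Any other event is not acted on.
            return 0
            ;;
    esac
}

# Run only when invoked with arguments, as wpa_cli does.
if [ "$#" -ge 2 ]; then
    handle_event "$1" "$2"
fi
```

Keep the script owned by root and not writable by other users, since wpa_cli executes it with its own privileges.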

Common Issues

Issue                          Solution
Certificate chain incomplete   Import ROOT CA to ISE trust store
EKU mismatch                   Ensure template has Client Auth EKU
Private key password wrong     Verify in wpa_supplicant.conf
Switch not sending RADIUS      Check AAA configuration on switch
wlan0 interface missing        Reload WiFi driver: modprobe -r iwlmvm iwlwifi && modprobe iwlwifi
iwd + wpa_supplicant conflict  Disable iwd: systemctl disable --now iwd
DHCP not working after auth    Kill stale dhcpcd: pkill -9 dhcpcd && dhcpcd wlan0

Log Analysis

# wpa_supplicant logs
sudo journalctl -u wpa_supplicant-wired@enp0s31f6 -f

# ISE logs via API
netapi ise mnt auth-status <MAC>

Force Reauthentication

# From Linux
sudo wpa_cli -i enp0s31f6 logoff && sudo wpa_cli -i enp0s31f6 logon

# Or bounce switch port
netapi ios bounce Gi1/0/2

Check Session Status

# Via netapi
netapi ise mnt session C8:5B:76:C6:59:62

# Via switch
netapi ios exec "show access-session interface gi1/0/2 details"

Certificate Verification

# Check certificate dates
openssl x509 -in /etc/ssl/certs/workstation01.pem -noout -dates

# Verify chain
openssl verify -CAfile /etc/ssl/certs/HOME-ROOT-CA.pem \
    /etc/ssl/certs/workstation01.pem

# Check EKU
openssl x509 -in /etc/ssl/certs/workstation01.pem -noout -text | grep -A2 "Extended Key"