WiFi wpa_supplicant Configuration

Overview

WiFi 802.1X EAP-TLS requires WPA2-Enterprise (or WPA3-Enterprise) with certificate-based authentication. The configuration differs from wired in key ways:

  • Uses ap_scan=1 for wireless scanning

  • Uses WPA-EAP key management

  • Requires SSID specification

  • Driver is nl80211 (not wired)

Pre-Implementation Recon

Before configuring WiFi EAP-TLS, gather ISE infrastructure information using netapi.

Load Secrets

# Load network secrets (required for ISE API access)
dsource d000 dev/network

# Or using eval directly
eval "$(DSEC_EVAL_VERIFIED=true dsec source d000 dev/network)"

Discover NADs (Network Access Devices)

Identify WiFi infrastructure (WLC, APs) configured in ISE:

# List all NADs
netapi ise -f json get-nads

# Get specific NAD details (e.g., WLC)
netapi ise -f json get-nad -n "Home-9800-WLC"
Example NAD Output
{
  "name": "Home-9800-WLC",
  "modelName": "9800-WLC",
  "NetworkDeviceIPList": [{"ipaddress": "10.50.1.40", "mask": 32}],
  "NetworkDeviceGroupList": ["Device Type#All Device Types#Wireless Controller"]
}

Discover Authorization Profiles

Find existing profiles for WiFi/Linux authentication:

# List all authorization profiles
netapi ise -f json get-authz-profiles

# Get specific profile details
netapi ise -f json get-authz-profile -n "Linux_EAPTLS_Permit"

# Filter for WiFi-related profiles
netapi ise -f json get-authz-profiles | jq '.[] | select(.name | test("WiFi|Wireless|AP_"; "i"))'

Verify Existing Sessions

Confirm that wired EAP-TLS already works with the same certificate; a wired session proves the certificate chain and ISE trust before the wireless variables are added:

# Get session by MAC address
netapi ise mnt -f json session <MAC>

# Check recent authentications
netapi ise mnt -f json authentications --records 20

# Filter by authentication method
netapi ise mnt -f json sessions | jq '.[] | select(.authentication_method == "dot1x")'

Pre-Flight Checklist

Before proceeding, verify:

Check                        | Command                                  | Expected Result
WiFi NAD exists              | netapi ise get-nads                      | WLC or AP listed
Authorization profile exists | netapi ise get-authz-profiles            | Linux/WiFi profile available
Wired EAP-TLS working        | netapi ise mnt session <MAC>             | Session authorized
Certificate valid            | openssl x509 -in cert.pem -noout -dates  | Not expired

Configuration File

/etc/wpa_supplicant/wpa_supplicant-wifi.conf

# Keep this file 0600 root:root: private_key_passwd is stored in cleartext,
# and with update_config=1 wpa_supplicant rewrites the file on save_config.
ctrl_interface=/run/wpa_supplicant
# Members of this group can reconfigure the supplicant through wpa_cli
ctrl_interface_group=wheel
update_config=1
ap_scan=1
fast_reauth=1

network={
    ssid="CorpWiFi-EAP"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="workstation01$@inside.domusdigitalis.dev"
    # ca_cert alone accepts any server certificate that chains to this CA;
    # pin the ISE server name as well with domain_match= or domain_suffix_match=
    # (the value must match the PSN certificate's SAN)
    ca_cert="/etc/ssl/certs/HOME-ROOT-CA.pem"
    client_cert="/etc/ssl/certs/workstation01.pem"
    private_key="/etc/ssl/private/workstation01.key"
    private_key_passwd="<key-password>"
    priority=1
}

Home Lab Example: modestus-p50

This example shows the actual configuration for modestus-p50 connecting to the home lab WiFi.

Table 1. Home Lab Infrastructure
Component             | Value
WLC                   | Home-9800-WLC (10.50.1.40)
SSID                  | Domus-Secure
ISE Policy Set        | Corp WIFI (matches Called-Station-ID endsWith Domus-Secure)
Authorization Profile | Linux_EAPTLS_Permit
dACL                  | DACL_SECURE_FULL or DACL_ADMIN_FULL
VLAN Assignment       | 10 (Secure)

The Corp WIFI policy set uses EAP-TLS via the "Lookup" service. The existing Linux_EAPTLS_Permit authorization profile works for both wired and wireless when properly matched by policy conditions.

/etc/wpa_supplicant/wpa_supplicant-wifi-wlan0.conf

# =============================================================================
# WiFi 802.1X EAP-TLS Configuration
# =============================================================================
# SSID:        Domus-Secure
# Policy Set:  Corp WIFI
# Auth Method: EAP-TLS (certificate-based)
# Target:      Linux workstations with machine certificates
# =============================================================================

# Keep this file 0600 root:root: it names the machine key, and with
# update_config=1 wpa_supplicant rewrites it on save_config.
ctrl_interface=/run/wpa_supplicant
# Members of this group can reconfigure the supplicant through wpa_cli
ctrl_interface_group=wheel
update_config=1
ap_scan=1
fast_reauth=1

network={
    # --- Network Identity ---
    ssid="Domus-Secure"

    # --- Security Settings ---
    key_mgmt=WPA-EAP
    eap=TLS

    # --- Certificate Configuration ---
    # Identity: Machine FQDN matching certificate CN
    identity="modestus-p50.inside.domusdigitalis.dev"

    # Root CA: Validates ISE server certificate.
    # On its own this accepts any server certificate that chains to the CA,
    # so a rogue AP presenting another certificate from the same CA would pass;
    # add domain_match= or domain_suffix_match= naming the ISE PSN to pin it.
    ca_cert="/etc/ssl/certs/HOME-ROOT-CA.pem"

    # Client certificate: Machine identity for EAP-TLS
    client_cert="/etc/ssl/certs/modestus-p50-eaptls.pem"

    # Private key: Protected by file permissions (0600 root:root)
    private_key="/etc/ssl/private/modestus-p50-eaptls.key"

    # --- Priority ---
    # Higher value = preferred network
    priority=10
}
This reuses the same certificate as wired EAP-TLS. ISE matches the certificate identity (modestus-p50.inside.domusdigitalis.dev) through the certificate authentication profile regardless of whether the NAD is a switch or the WLC; what changes between wired and wireless is which policy set the request lands in, selected here by Called-Station-ID ending in the SSID.

Configuration Parameters

Parameter   | Description                         | WiFi vs Wired
ap_scan     | 1 = wpa_supplicant manages scanning | 1 for WiFi, 0 for wired
key_mgmt    | Key management protocol             | WPA-EAP for WiFi, IEEE8021X for wired
ssid        | Network name                        | Required for WiFi
eapol_flags | EAPOL-Key handling                  | Omit for WiFi (default 3), 0 for wired (no EAPOL-Key exchange)
priority    | Network selection priority          | Useful for WiFi roaming

Systemd Service

/etc/systemd/system/wpa_supplicant-wifi@.service

[Unit]
Description=WPA supplicant WiFi EAP-TLS (%i)
Requires=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device
Before=network.target
Wants=network.target

[Service]
Type=simple
ExecStart=/usr/bin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant-wifi.conf -i %i
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target

Enable for your WiFi interface. The unit points at wpa_supplicant-wifi.conf; if you name the file per interface, as the home lab example does with wpa_supplicant-wifi-wlan0.conf, adjust the -c path in ExecStart (or use the %i specifier in the file name) so both agree:

# Find WiFi interface
ip link show | grep -E '^[0-9]+: wl'

# Enable service (e.g., wlan0)
sudo systemctl enable wpa_supplicant-wifi@wlan0.service
sudo systemctl start wpa_supplicant-wifi@wlan0.service

Manual Testing

# Test configuration manually
sudo wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wifi.conf

# Check status
sudo wpa_cli -i wlan0 status

# Scan networks
sudo wpa_cli -i wlan0 scan
sudo wpa_cli -i wlan0 scan_results

# View connection info
sudo wpa_cli -i wlan0 signal_poll

NetworkManager Integration

If using NetworkManager alongside wpa_supplicant, configure it to ignore your managed interface:

/etc/NetworkManager/conf.d/unmanaged.conf

[keyfile]
unmanaged-devices=interface-name:wlan0

Alternatively, use NetworkManager directly with EAP-TLS (its 802-1x.domain-suffix-match property is the equivalent of wpa_supplicant's domain_suffix_match for pinning the ISE server name):

nmcli connection add type wifi con-name "CorpWiFi" \
    wifi.ssid "CorpWiFi-EAP" \
    wifi-sec.key-mgmt wpa-eap \
    802-1x.eap tls \
    802-1x.identity "workstation01$@inside.domusdigitalis.dev" \
    802-1x.ca-cert /etc/ssl/certs/HOME-ROOT-CA.pem \
    802-1x.client-cert /etc/ssl/certs/workstation01.pem \
    802-1x.private-key /etc/ssl/private/workstation01.key \
    802-1x.private-key-password "<key-password>"

Troubleshooting

DNS Configuration (Critical)

EAP-TLS itself does not depend on DNS on the client (wpa_supplicant exchanges EAPOL frames with the AP, and the WLC talks to ISE), but the rest of this workflow does: the Linux client MUST be able to resolve ISE, the IdP (Keycloak/ADFS) and internal hostnames to reach the ISE admin portal and complete SAML authentication.

Symptoms of DNS Issues
  • SAML redirect fails after ISE authentication

  • "Server not found" when accessing ISE admin portal

  • Browser certificate validation fails because the OCSP responder or CRL distribution point named in the certificate cannot be resolved

Verify DNS Resolution
# Check current DNS server
cat /etc/resolv.conf

# Test resolution of critical services
nslookup ise-01.domain.tld
nslookup ise-02.domain.tld
nslookup keycloak-01.domain.tld    # Or ADFS server
nslookup ca.domain.tld             # Certificate Authority
Fix DNS via NetworkManager (Persistent)
# Find active connection name
nmcli connection show --active

# Set DNS server (use your internal DNS/pfSense)
sudo nmcli connection modify "CONNECTION_NAME" ipv4.dns "10.50.10.1"
sudo nmcli connection modify "CONNECTION_NAME" ipv4.ignore-auto-dns yes

# Apply changes (WARNING: Will briefly disconnect - run locally, not via SSH)
sudo nmcli connection up "CONNECTION_NAME"

# Verify
cat /etc/resolv.conf
nslookup keycloak-01.domain.tld
Running nmcli connection down or nmcli connection up will interrupt network connectivity. Do NOT run these commands over SSH unless you have out-of-band access to the machine.
DHCP Considerations

For production deployment, configure DHCP to hand out the correct DNS servers rather than modifying each client manually. Ensure the DNS server can resolve:

  • ISE PSN hostnames

  • IdP (Keycloak/ADFS) hostnames

  • Certificate Authority hostnames

  • Internal domain names

ROOT CA Trust Store Setup (Critical)

The ROOT CA must be installed in both the wpa_supplicant config AND the system/browser trust stores. Without browser trust, you cannot access ISE admin portal or complete SAML authentication.
Symptoms of Missing ROOT CA Trust
  • ISE web GUI shows "Your connection is not private"

  • SAML redirect to Keycloak/IdP fails with certificate error

  • Browser blocks ISE portal access

System Trust Store (Arch Linux)
# Copy ROOT CA to system trust anchors
sudo cp /etc/ssl/certs/HOME-ROOT-CA.pem /etc/ca-certificates/trust-source/anchors/

# Update system trust store
sudo update-ca-trust

# Verify installation
trust list | grep -i "HOME-ROOT"
Firefox Trust Store

Firefox uses its own certificate store, separate from the system.

# Find Firefox profile directory
ls ~/.mozilla/firefox/ | grep default

# Import ROOT CA (replace profile name)
certutil -d sql:$HOME/.mozilla/firefox/<profile>.default-release \
  -A -t "CT,C,C" -n "HOME-ROOT-CA" \
  -i /etc/ssl/certs/HOME-ROOT-CA.pem

# Verify import
certutil -d sql:$HOME/.mozilla/firefox/<profile>.default-release -L | grep HOME

# Restart Firefox after import (SIGTERM lets it close the profile cleanly)
pkill firefox; sleep 2; firefox &
Table 2. Trust Flags Explained
Flag   | Meaning
C,,    | Trusted CA for SSL server certificates only (the three fields are SSL, S/MIME email, object signing)
CT,C,C | Trusted CA for SSL server (C) and client (T) certificates, email and object signing (full trust)

If Firefox still shows certificate errors after import, remove the entry and re-add it with the CT,C,C flags for full trust.
Chrome/Chromium Trust Store (NSS DB)
# Chrome uses ~/.pki/nssdb
certutil -d sql:$HOME/.pki/nssdb \
  -A -t "CT,C,C" -n "HOME-ROOT-CA" \
  -i /etc/ssl/certs/HOME-ROOT-CA.pem
Debian/Ubuntu System Trust
# Copy to ca-certificates directory
sudo cp HOME-ROOT-CA.pem /usr/local/share/ca-certificates/HOME-ROOT-CA.crt

# Update trust store
sudo update-ca-certificates

# Verify (update-ca-certificates links the .crt into /etc/ssl/certs/)
ls -l /etc/ssl/certs/ | grep HOME-ROOT

Certificate Requirements

CRITICAL: EAP-TLS client certificates MUST have the correct Extended Key Usage (EKU).

EKU                           | OID               | Required For
TLS Web Client Authentication | 1.3.6.1.5.5.7.3.2 | Required for EAP-TLS
TLS Web Server Authentication | 1.3.6.1.5.5.7.3.1 | Wrong - causes silent rejection

Verify Certificate EKU
# Check EKU - MUST show "TLS Web Client Authentication"
openssl x509 -in /etc/ssl/certs/modestus-p50-eaptls.pem -noout -text | grep -A1 "Extended Key Usage"

# Verify certificate chain
openssl verify -CAfile /etc/ssl/certs/HOME-ROOT-CA.pem /etc/ssl/certs/modestus-p50-eaptls.pem

# Check expiration
openssl x509 -in /etc/ssl/certs/modestus-p50-eaptls.pem -noout -dates

# Check subject CN
openssl x509 -in /etc/ssl/certs/modestus-p50-eaptls.pem -noout -subject
If the certificate has "TLS Web Server Authentication" instead of "TLS Web Client Authentication", ISE will reject at TLS handshake without logging a failure. The certificate must be re-issued with the correct EKU.

Common Issues

Issue                                        | Solution
"No suitable network found"                  | Verify SSID spelling; check WiFi radio is enabled
"EAP: method not registered"                 | Install wpa_supplicant with TLS support
"TLS: Certificate verification failed"       | Check ca_cert path; verify trust chain
"EAP: Received EAP-Failure" with no ISE logs | Certificate has wrong EKU (Server Auth instead of Client Auth)
Authentication loops / reason=23             | Check ISE policy allows WiFi NAD; verify certificate EKU
"ctrl_iface exists and seems to be in use"   | Stale socket file - clean up (see below)
"SSID-TEMP-DISABLED"                         | Too many failures - re-enable network (see below)

Stale Socket Cleanup

If wpa_supplicant fails with "ctrl_iface exists and seems to be in use":

# Kill any existing wpa_supplicant for wlan0
# (if the systemd unit above is enabled, stop it first so it is not restarted:
#  systemctl stop wpa_supplicant-wifi@wlan0)
sudo pkill -f "wpa_supplicant.*wlan0"

# Remove stale socket
sudo rm -f /run/wpa_supplicant/wlan0

# Bring interface up
sudo ip link set wlan0 up

# Restart wpa_supplicant
sudo wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wifi-wlan0.conf -d

Re-enable Temp-Disabled Network

After multiple authentication failures, wpa_supplicant temporarily disables the network:

# Check network status
sudo wpa_cli -i wlan0 list_networks

# If network shows [TEMP-DISABLED], re-enable it
sudo wpa_cli -i wlan0 enable_network 0

# Force reconnection attempt
sudo wpa_cli -i wlan0 reassociate

Debug Mode

# Clean start with debug output
sudo pkill -f "wpa_supplicant.*wlan0"
sudo rm -f /run/wpa_supplicant/wlan0
sudo wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wifi-wlan0.conf -d 2>&1 | tee /tmp/wpa.log

# Extra verbose (includes TLS handshake details)
sudo wpa_supplicant -i wlan0 -c /etc/wpa_supplicant/wpa_supplicant-wifi-wlan0.conf -dd 2>&1 | tee /tmp/wpa.log
Table 3. Key Debug Messages to Watch For
Message                             | Meaning
EAP: EAP entering state IDENTITY    | EAP started - the AP/WLC is running 802.1X for this client (RADIUS traffic to ISE begins after the identity response)
TLS: Using TLS version              | TLS negotiation beginning
EAP: Received EAP-Failure           | ISE rejected - check certificate or policy
CTRL-EVENT-CONNECTED                | Success!
reason=23 (IEEE_802_1X_AUTH_FAILED) | 802.1X authentication failed
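The table above applied as detection logic over a saved debug log, as an added example (editor's code, not part of the page): wpa_triage reads the /tmp/wpa.log produced by the tee commands above, tracks the final outcome and the most specific failure cause separately, and prints both, so a trailing reason=23 is not mistaken for the root cause when a TLS verification error or EAP-Failure preceded it. The three logs embedded below are constructed in the shape of wpa_supplicant control events; the BSSID is the one from the status output later on this page.

```shell
#!/bin/sh
# Added example (not part of the original page): triage a wpa_supplicant
# debug log by the messages in Table 3. Each new CTRL-EVENT-EAP-STARTED resets
# the cause, so the cause reported belongs to the last authentication attempt.

# wpa_triage LOGFILE -> prints "OUTCOME | cause"
wpa_triage() {
  awk '
    # outcome: the last thing that happened to the association
    /CTRL-EVENT-EAP-STARTED/             { cause = "" }
    /CTRL-EVENT-CONNECTED/               { outcome = "CONNECTED"; cause = "" }
    /CTRL-EVENT-DISCONNECTED.*reason=23/ { outcome = "8021X-AUTH-FAILED" }
    /CTRL-EVENT-SSID-TEMP-DISABLED/      { outcome = "TEMP-DISABLED" }
    /No suitable network found/          { outcome = "NO-NETWORK" }
    # cause: the most specific failure reported during that attempt
    /TLS: Certificate verification failed|CTRL-EVENT-EAP-TLS-CERT-ERROR/ {
        cause = "client rejected RADIUS server certificate (check ca_cert / domain_match)" }
    /EAP: Received EAP-Failure|CTRL-EVENT-EAP-FAILURE/ {
        if (cause == "") cause = "EAP-Failure from ISE (check client cert EKU and policy set)" }
    /EAP: method not registered/         { cause = "wpa_supplicant built without EAP-TLS" }
    END {
      if (outcome == "") outcome = "INCOMPLETE"
      if (cause == "")   cause   = "none"
      print outcome " | " cause
    }
  ' "$1"
}

LOGDIR=$(mktemp -d)
trap 'rm -rf "$LOGDIR"' EXIT

# Constructed sample logs (shapes follow wpa_supplicant control-event output)
cat > "$LOGDIR/success.log" <<'EOF'
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
EAP: EAP entering state IDENTITY
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
wlan0: CTRL-EVENT-EAP-SUCCESS EAP authentication completed successfully
wlan0: CTRL-EVENT-CONNECTED - Connection to 78:bc:1a:36:82:cc completed [id=0 id_str=]
EOF

cat > "$LOGDIR/wrong-eku.log" <<'EOF'
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
EAP: Received EAP-Failure
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: CTRL-EVENT-DISCONNECTED bssid=78:bc:1a:36:82:cc reason=23
wlan0: CTRL-EVENT-SSID-TEMP-DISABLED id=0 ssid="Domus-Secure" auth_failures=3 duration=30 reason=AUTH_FAILED
EOF

cat > "$LOGDIR/bad-ca.log" <<'EOF'
wlan0: CTRL-EVENT-EAP-STARTED EAP authentication started
wlan0: CTRL-EVENT-EAP-METHOD EAP vendor 0 method 13 (TLS) selected
TLS: Certificate verification failed, error 20 (unable to get local issuer certificate) depth 1 for '/CN=ise-01'
wlan0: CTRL-EVENT-EAP-TLS-CERT-ERROR reason=1 depth=1 subject='/CN=ise-01' err='unable to get local issuer certificate'
wlan0: CTRL-EVENT-EAP-FAILURE EAP authentication failed
wlan0: CTRL-EVENT-DISCONNECTED bssid=78:bc:1a:36:82:cc reason=23
EOF

for f in success wrong-eku bad-ca; do
  printf '%-10s %s\n' "$f:" "$(wpa_triage "$LOGDIR/$f.log")"
done
```

Run it on a real capture with wpa_triage /tmp/wpa.log. Keeping outcome and cause separate matters because the temp-disable and the deauthentication are consequences, not causes: the line that tells you what to fix is the TLS error or EAP-Failure that came before them.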

WLC Authorization Failure After ISE Success

This scenario is particularly confusing: ISE shows authentication succeeded (Event 5200) but the client disconnects immediately.

Symptoms
  • ISE Live Logs show Event 5200 "Authentication succeeded"

  • ISE sends VLAN and dACL attributes in Access-Accept

  • Client shows wpa_state=ASSOCIATED then goes to DISCONNECTED

  • wpa_cli shows suppPortStatus=Unauthorized despite ISE success

wpa_cli Status During Failure
wpa_state=ASSOCIATED
Supplicant PAE state=AUTHENTICATING
suppPortStatus=Unauthorized
EAP state=IDLE
selectedMethod=13 (EAP-TLS)
ISE Access-Accept Attributes (from Live Logs)
Tunnel-Private-Group-ID=(tag=1) DATA_VLAN
cisco-av-pair: ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-DACL_SECURE_FULL-696eef59
Root Cause

The WLC receives the ISE Access-Accept but cannot apply the authorization attributes, causing it to reject the client.

Table 4. Common Causes
Issue                     | WLC Behavior                            | Fix
dACL not downloaded       | WLC can’t find the ACL specified by ISE | Verify dACL exists in ISE and WLC can download it
VLAN doesn’t exist on WLC | WLC can’t assign the VLAN               | Create VLAN on WLC or fix ISE profile
AAA Override disabled     | WLC ignores RADIUS attributes           | Enable AAA Override on policy profile
Client exclusion          | WLC auto-blocked the MAC                | Check and clear exclusion list

Verify WLC Can Apply Attributes
# Check if WLC has the dACL
netapi wlc run "show ip access-lists"

# Check VLAN exists on WLC
netapi wlc run "show vlan brief"

# Check policy profile AAA settings
netapi wlc run "show wireless profile policy detailed <profile-name>"

# Check client exclusion list
netapi wlc run "show wireless exclusionlist"

# Clear client from exclusion if needed
netapi wlc run "clear wireless exclusion-list 14:f6:d8:7b:31:80"
Policy Profile Requirements for dACL

The WLC policy profile MUST have both AAA override AND NAC enabled to download and apply dACLs:

wireless profile policy POLICY-DOMUS_SECURE
  aaa-override
  nac
  accounting-list ISE-ACCT
  vlan DATA_VLAN
The nac command enables RADIUS NAC (Network Admission Control), which is required for dACL download. Without it, the WLC receives the dACL reference from ISE but never fetches the ACL content. Note that the 9800 accepts most policy-profile changes only while the profile is shut down (shutdown, edit, no shutdown), which disconnects every client on that policy profile; schedule the change accordingly.
Table 5. Missing NAC Causes Auth Success But Client Disconnect
Setting                  | Purpose
aaa-override             | Apply RADIUS-returned VLAN/ACL attributes
nac                      | Enable RADIUS NAC for dACL download
accounting-list ISE-ACCT | Send accounting to ISE for session tracking

Fix via RESTCONF API
# Add NAC settings to policy profile
curl -sk -u "admin:PASSWORD" -X PATCH \
  "https://WLC-IP/restconf/data/Cisco-IOS-XE-wireless-wlan-cfg:wlan-cfg-data/wlan-policies/wlan-policy=POLICY-DOMUS_SECURE" \
  -H "Content-Type: application/yang-data+json" \
  -d '{
    "Cisco-IOS-XE-wireless-wlan-cfg:wlan-policy": {
      "nac": true,
      "nac-type": "nac-support-radius",
      "accounting-list": "ISE-ACCT"
    }
  }'
An HTTP 204 response indicates the update was applied. Two caveats on the call itself: -k disables verification of the WLC’s HTTPS certificate, so prefer --cacert with the CA that issued it, and -u admin:PASSWORD leaves the credential in shell history and the process list; use -n with a 0600 ~/.netrc entry instead.

dACL (Downloadable ACL) Issues

When ISE returns a dACL in the Access-Accept, the WLC must be able to download and apply it.

How dACL Works
  1. ISE returns the ACL name in the Access-Accept as cisco-av-pair ACS:CiscoSecure-Defined-ACL=#ACSACL#-IP-<name>-<hash> (the hash changes whenever the dACL content is edited in ISE)

  2. The WLC fetches the content with a second RADIUS Access-Request whose User-Name is that #ACSACL#-IP-<name>-<hash> string; ISE answers with the ACL entries as ip:inacl#<n>= av-pairs

  3. The WLC installs the ACL on the client session

Table 6. Common dACL Failures
Problem                                    | Solution
dACL doesn’t exist in ISE                  | Create the dACL in ISE: Policy → Results → Downloadable ACLs
WLC can’t reach ISE for dACL download      | Verify RADIUS connectivity; check WLC AAA server config
dACL syntax incompatible with WLC          | Use IOS-compatible ACL syntax in ISE dACL definition
Authorization profile references wrong dACL | Verify profile uses correct dACL name

Verify dACL in ISE
# List all dACLs
netapi ise get-dacls

# Get specific dACL content
netapi ise get-dacl -n "DACL_SECURE_FULL"
Create dACL via netapi
# Create dACL with permit any
netapi ise create-dacl -n "DACL_SECURE_FULL" --acl "permit ip any any"

# Create restrictive dACL
netapi ise create-dacl -n "DACL_IOT_RESTRICTED" \
  --acl "permit udp any any eq 53,permit tcp any any eq 443,deny ip any any"
Table 7. dACLs Created for Domus Network
dACL Name           | Purpose
DACL_ADMIN_FULL     | Full network access for administrators
DACL_SECURE_FULL    | Full access for trusted devices
DACL_RESEARCH_DATA  | Access to research data resources
DACL_IOT_RESTRICTED | Limited internet for IoT devices
DACL_GUEST_INTERNET | Internet-only for guests
DACL_VOICE_SIP      | SIP/RTP for VoIP devices

WLC Configuration Issues

Common WLC issues that cause WiFi EAP-TLS failures:

Authentication List Case Sensitivity

The WLAN authentication list name is case-sensitive:

# Wrong - case mismatch
802.1x authentication list name: ISE-AUTH

# Correct - matches method list exactly
802.1x authentication list name: ISE-Auth
Verify WLC Configuration
# Check WLAN settings
netapi wlc run "show wlan name Domus-Secure"

# Check authentication method lists
netapi wlc run "show aaa method-lists authentication"

# Check RADIUS server status
netapi wlc run "show aaa servers"
Table 8. Expected WLAN Security Settings
Setting             | Expected Value
Security WPA WPA2   | WPA2
Auth Key Management | 802.1X (not PSK)
Authentication List | ISE-Auth (case must match)

ISE Policy Requirements (Critical)

WiFi EAP-TLS requires both authentication and authorization rules in the ISE policy set. This is the most common cause of WiFi EAP-TLS failures when wired works.

Why Wired Works But WiFi Fails

Each ISE policy set (wired vs wireless) has its own authentication and authorization rules. If the wired policy set has EAP-TLS rules but the wireless policy set doesn’t, WiFi EAP-TLS will fail.

Error 22045: Identity Policy Mismatch
Failure Reason: 22045 Identity policy result is configured for password
based authentication methods but received certificate based authentication request

Cause: The wireless policy set’s authentication rule uses a password-based identity source (like AD or Internal Users) but receives a certificate.

Fix: Add an authentication rule for EAP-TLS that uses a Certificate Authentication Profile.

Error 15039: Authorization Denied
Failure Reason: 15039 Rejected per authorization profile

Cause: Authentication passed but no authorization rule matches EAP-TLS users.

Fix: Add an authorization rule for EAP-TLS users with appropriate access profile.

Required Policy Rules

Every ISE policy set handling EAP-TLS needs BOTH:

Table 9. Authentication Rules
Rank | Rule Name                | Identity Source
0    | EAP_TLS_Certificate_Auth | Certificate Authentication Profile (e.g., AD_Cert_Profile)
1    | (other rules…)           | …
n    | Default                  | Internal Endpoints (fallback)

Table 10. Authorization Rules
Rank | Rule Name             | Authorization Profile
0    | EAP_TLS_Trusted_Users | Access Profile (e.g., Domus_Secure_Profile)
1    | (other rules…)        | …
n    | Default               | DenyAccess

When adding a new SSID to an existing policy set condition, ADD to the condition - do NOT replace it. Replacing the condition removes all other SSIDs and breaks existing clients.
Bad - Replaces Existing SSIDs
# WRONG - This removes HomeRF from the condition!
Called-Station-ID ENDS_WITH Domus-Secure
Good - Adds to Existing SSIDs
# CORRECT - Preserves existing SSIDs
Called-Station-ID ENDS_WITH HomeRF OR
Called-Station-ID ENDS_WITH Domus-Secure
If you accidentally remove an SSID from the policy condition, all clients on that SSID will immediately lose authentication. Always verify the condition includes ALL required SSIDs before saving.

Verify Policy Configuration

# List authentication rules for a policy set
netapi ise get-auth-rules "Corp WIFI"

# List authorization rules for a policy set
netapi ise get-authz-rules "Corp WIFI"

# Add authentication rule if missing
netapi ise add-auth-rule "Corp WIFI" \
  --name "EAP_TLS_Certificate_Auth" \
  --condition "EapAuthentication == EAP-TLS" \
  --identity-source "AD_Cert_Profile" \
  --rank 0

# Add authorization rule if missing
netapi ise add-authz-rule "Corp WIFI" \
  --name "EAP_TLS_Trusted_Users" \
  --condition "EapAuthentication == EAP-TLS" \
  --profile "Domus_Secure_Profile" \
  --rank 0

Endpoint Rejection (Anti-RADIUS-Spray)

After repeated authentication failures, ISE may block the endpoint to prevent RADIUS spraying attacks.

Symptoms
  • Authentication attempts return immediately rejected

  • ISE shows "Endpoint in reject mode"

Resolution
# Check if endpoint is rejected
netapi ise get-rejected-endpoints

# Release endpoint from rejection
netapi ise release-rejected 14:f6:d8:7b:31:80

Or in ISE GUI: Operations → RADIUS → Live Sessions → find the MAC → "Release"

Comparison: Wired vs WiFi

Setting     | Wired                     | WiFi
Config file | wpa_supplicant-wired.conf | wpa_supplicant-wifi.conf
Driver      | wired                     | nl80211 (default)
ap_scan     | 0                         | 1
key_mgmt    | IEEE8021X                 | WPA-EAP
SSID        | Not required              | Required

Verification

Successful Authentication Output

When WiFi EAP-TLS authentication succeeds, wpa_cli status shows:

$ sudo wpa_cli -i wlan0 status
bssid=78:bc:1a:36:82:cc
freq=5260
ssid=Domus-Secure
id=0
mode=station
wifi_generation=5
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
p2p_device_address=14:f6:d8:7b:31:81
address=14:f6:d8:7b:31:80
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1.2
EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
tls_session_reused=0
ieee80211ac=1
Table 11. Key Success Indicators
Field                | Expected Value
wpa_state            | COMPLETED (not ASSOCIATED or AUTHENTICATING)
Supplicant PAE state | AUTHENTICATED
suppPortStatus       | Authorized (not Unauthorized)
EAP state            | SUCCESS
selectedMethod       | 13 (EAP-TLS)

wifi_generation=5 shows an 802.11ac (Wi-Fi 5) association and freq=5260 places it on the 5 GHz band. The EAP TLS cipher line (ECDHE-RSA-AES256-GCM-SHA384 under TLSv1.2) describes the EAP-TLS handshake that ran inside the RADIUS exchange; the frames on the air are protected by the negotiated 802.11 pairwise cipher, CCMP (AES), as the pairwise_cipher line shows.
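The same indicators as a script, added here as an example (editor's code, not the lab's tooling): check_wifi_status parses saved wpa_cli status output, applies every row of Table 11, and adds two checks the table does not cover, that the pairwise cipher is CCMP or GCMP and that EAP-TLS negotiated TLS 1.2 or 1.3. The first two samples are the status outputs already shown on this page; the third is constructed from the first with weak ciphers substituted.

```shell
#!/bin/sh
# Added example (not part of the original page): machine-check the output of
# "wpa_cli -i wlan0 status" against the Table 11 success indicators plus two
# crypto sanity checks (802.11 pairwise cipher, EAP-TLS version).

# check_wifi_status STATUSFILE
# Exit 0 when every check passes; otherwise print one line per failed check and exit 1.
check_wifi_status() {
  awk -F= '
    # split on the first "=" only: keys may contain spaces, values may contain "="
    { kv[$1] = substr($0, length($1) + 2) }
    END {
      fail = 0
      if (kv["wpa_state"] != "COMPLETED")                { print "wpa_state=" kv["wpa_state"] " (want COMPLETED)"; fail = 1 }
      if (kv["Supplicant PAE state"] != "AUTHENTICATED") { print "PAE state=" kv["Supplicant PAE state"] " (want AUTHENTICATED)"; fail = 1 }
      if (kv["suppPortStatus"] != "Authorized")          { print "suppPortStatus=" kv["suppPortStatus"] " (want Authorized)"; fail = 1 }
      if (kv["EAP state"] != "SUCCESS")                  { print "EAP state=" kv["EAP state"] " (want SUCCESS)"; fail = 1 }
      if (kv["selectedMethod"] !~ /^13 /)                { print "selectedMethod=" kv["selectedMethod"] " (want 13 EAP-TLS)"; fail = 1 }
      if (kv["key_mgmt"] !~ /IEEE 802\.1X/)              { print "key_mgmt=" kv["key_mgmt"] " (want 802.1X, not PSK)"; fail = 1 }
      if (kv["pairwise_cipher"] !~ /^(CCMP|GCMP)/)       { print "pairwise_cipher=" kv["pairwise_cipher"] " (TKIP or none is not acceptable)"; fail = 1 }
      if (kv["eap_tls_version"] !~ /^TLSv1\.[23]$/)      { print "eap_tls_version=" kv["eap_tls_version"] " (want TLS 1.2 or 1.3)"; fail = 1 }
      exit fail
    }
  ' "$1"
}

STATDIR=$(mktemp -d)
trap 'rm -rf "$STATDIR"' EXIT

# Sample 1: the successful status output shown above (copied from the page)
cat > "$STATDIR/good.status" <<'EOF'
bssid=78:bc:1a:36:82:cc
freq=5260
ssid=Domus-Secure
id=0
mode=station
pairwise_cipher=CCMP
group_cipher=CCMP
key_mgmt=WPA2/IEEE 802.1X/EAP
wpa_state=COMPLETED
address=14:f6:d8:7b:31:80
Supplicant PAE state=AUTHENTICATED
suppPortStatus=Authorized
EAP state=SUCCESS
selectedMethod=13 (EAP-TLS)
eap_tls_version=TLSv1.2
EAP TLS cipher=ECDHE-RSA-AES256-GCM-SHA384
EOF

# Sample 2: the stuck-in-ASSOCIATED state from the WLC authorization failure section
cat > "$STATDIR/associated.status" <<'EOF'
wpa_state=ASSOCIATED
Supplicant PAE state=AUTHENTICATING
suppPortStatus=Unauthorized
EAP state=IDLE
selectedMethod=13 (EAP-TLS)
EOF

# Sample 3 (constructed): authentication fine, but weak ciphers negotiated
sed -e 's/^pairwise_cipher=.*/pairwise_cipher=TKIP/' \
    -e 's/^eap_tls_version=.*/eap_tls_version=TLSv1.0/' \
    "$STATDIR/good.status" > "$STATDIR/weak.status"

for s in good associated weak; do
  if check_wifi_status "$STATDIR/$s.status"; then echo "$s: PASS"; else echo "$s: FAIL"; fi
done
```

On a live host, sudo wpa_cli -i wlan0 status > /tmp/status && check_wifi_status /tmp/status gives a single exit code that a post-connect hook or monitoring check can act on; the cipher checks catch an AP that was reconfigured to allow TKIP, which Table 11 alone would pass.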

ISE Session Verification

After successful WiFi authentication, verify the session in ISE using netapi.

Check Session by MAC

# Get WiFi interface MAC
WIFI_MAC=$(ip link show wlan0 | grep ether | awk '{print $2}')
echo "WiFi MAC: $WIFI_MAC"

# Query ISE for session
netapi ise mnt -f json session "$WIFI_MAC"
Expected Output (Successful Auth)
{
  "calling_station_id": "14:F6:D8:7B:31:80",
  "framed_ip_address": "10.50.40.xxx",
  "user_name": "modestus-p50.{domain}",
  "nas_ip_address": "10.50.1.40",
  "nas_port_type": "Wireless - IEEE 802.11",
  "authentication_method": "dot1x",
  "selected_authz_profiles": "Linux_EAPTLS_Permit"
}

Compare Wired vs WiFi Sessions

# Get both MACs
WIRED_MAC=$(ip link show enp0s31f6 | grep ether | awk '{print $2}')
WIFI_MAC=$(ip link show wlan0 | grep ether | awk '{print $2}')

# Query both sessions
echo "=== Wired Session ==="
netapi ise mnt -f json session "$WIRED_MAC" | jq '{mac: .calling_station_id, ip: .framed_ip_address, nas: .nas_ip_address, method: .authentication_method}'

echo "=== WiFi Session ==="
netapi ise mnt -f json session "$WIFI_MAC" | jq '{mac: .calling_station_id, ip: .framed_ip_address, nas: .nas_ip_address, method: .authentication_method}'

Check Authentication Logs

# Recent authentications for this endpoint
netapi ise mnt -f json authentications --records 20 | \
  jq --arg mac "$WIFI_MAC" '.[] | select(.calling_station_id | test($mac; "i"))'

# Check for failures
netapi ise mnt -f json failed --records 10 | \
  jq --arg mac "$WIFI_MAC" '.[] | select(.calling_station_id | test($mac; "i"))'

Troubleshooting with netapi

Symptom             | netapi Command
No session found    | netapi ise mnt sessions - verify any sessions exist
Wrong VLAN assigned | netapi ise get-authz-profile "Linux_EAPTLS_Permit" - check VLAN config
Auth rejected       | netapi ise mnt failed --records 50 - check failure reasons
NAD not recognized  | netapi ise get-nads - verify WLC is configured