topic Guest Portal with Wildcard Certificate in Network Access Control https://community.cisco.com/t5/network-access-control/guest-portal-with-wildcard-certificate/m-p/3549767#M538991 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-family: arial, helvetica, sans-serif;">Hello my customer would like to use their existing Wildcard Certificate <STRONG>*.theirdomain.com</STRONG> for the ISE Guest Portal.</SPAN></P><P><SPAN style="font-family: arial, helvetica, sans-serif;">So, I was going to use the URL: <STRONG>guest.theirdomain.com.</STRONG></SPAN></P><P><SPAN style="font-family: arial, helvetica, sans-serif;"><BR /></SPAN></P><P><SPAN style="font-family: arial, helvetica, sans-serif;">However a</SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">fter reading through the following article:</SPAN></P><P><A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2" style="font-size: 10pt; line-height: 1.5em;" title="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2">http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2</A></P><P></P><P>I note:</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><EM>"</EM></SPAN><SPAN style="color: #525252; font-size: 10pt; font-family: arial, helvetica, sans-serif;"><EM>If you use wildcard certificates, we strongly recommend that you partition your domain space for greater security. For example, instead of *.example.com, you can partition it as *.amer.example.com. If you do not partition your domain, it can lead to <SPAN style="text-decoration: underline;">serious security issues</SPAN>"</EM></SPAN></P><P></P><P>The customer has since looked into using the SAN field in their wildcard certificate for the use of <STRONG>guest.ise.theirdomain.com </STRONG>but it is very expensive. The other possible option is for a single domain certificate for <STRONG>guest.ise.theirdomain.com </STRONG>which is much cheaper option.</P><P></P><P>However, can someone explain their "serious security issues", else I will just use <STRONG>guest.theirdomain.com </STRONG>which is the free option.</P></BODY></HTML> Fri, 29 Apr 2016 15:26:21 GMT joshhunter 2016-04-29T15:26:21Z Guest Portal with Wildcard Certificate https://community.cisco.com/t5/network-access-control/guest-portal-with-wildcard-certificate/m-p/3549767#M538991 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-family: arial, helvetica, sans-serif;">Hello my customer would like to use their existing Wildcard Certificate <STRONG>*.theirdomain.com</STRONG> for the ISE Guest Portal.</SPAN></P><P><SPAN style="font-family: arial, helvetica, sans-serif;">So, I was going to use the URL: <STRONG>guest.theirdomain.com.</STRONG></SPAN></P><P><SPAN style="font-family: arial, helvetica, sans-serif;"><BR /></SPAN></P><P><SPAN style="font-family: arial, helvetica, sans-serif;">However a</SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;">fter reading through the following article:</SPAN></P><P><A href="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2" style="font-size: 10pt; line-height: 1.5em;" title="http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2">http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_0111.html#concept_8ECCCAF1252E40DDB9A786C0AC7BC3B2</A></P><P></P><P>I note:</P><P><SPAN style="font-size: 10pt; line-height: 1.5em;"><EM>"</EM></SPAN><SPAN style="color: #525252; font-size: 10pt; font-family: arial, helvetica, sans-serif;"><EM>If you use wildcard certificates, we strongly recommend that you partition your domain space for greater security. For example, instead of *.example.com, you can partition it as *.amer.example.com. If you do not partition your domain, it can lead to <SPAN style="text-decoration: underline;">serious security issues</SPAN>"</EM></SPAN></P><P></P><P>The customer has since looked into using the SAN field in their wildcard certificate for the use of <STRONG>guest.ise.theirdomain.com </STRONG>but it is very expensive. The other possible option is for a single domain certificate for <STRONG>guest.ise.theirdomain.com </STRONG>which is much cheaper option.</P><P></P><P>However, can someone explain their "serious security issues", else I will just use <STRONG>guest.theirdomain.com </STRONG>which is the free option.</P></BODY></HTML> Fri, 29 Apr 2016 15:26:21 GMT https://community.cisco.com/t5/network-access-control/guest-portal-with-wildcard-certificate/m-p/3549767#M538991 joshhunter 2016-04-29T15:26:21Z Re: Guest Portal with Wildcard Certificate https://community.cisco.com/t5/network-access-control/guest-portal-with-wildcard-certificate/m-p/3549768#M538992 <HTML><HEAD></HEAD><BODY><P>please read the following and let us know if you still have questions.</P><P><A href="http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-103-Implement_Cisco_ISE_Server_Side_Certificates.pdf"><BR /></A></P><P><A href="http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-103-Implement_Cisco_ISE_Server_Side_Certificates.pdf">HowTo Implement Server Side Certificate </A></P><P></P><P>Also i talk about certs as well in the <A href="http://www.cisco.com/c/dam/en/us/td/docs/security/ise/how_to/HowTo-93-ISE_20_Wireless_Guest_Setup_Guide.pdf">simple guest guide</A></P></BODY></HTML> Fri, 29 Apr 2016 15:30:12 GMT https://community.cisco.com/t5/network-access-control/guest-portal-with-wildcard-certificate/m-p/3549768#M538992 Jason Kunst 2016-04-29T15:30:12Z