topic Re: Domain wildcard certificate works on Windows 11 but not on windows in Network Access Control

Domain wildcard certificate works on Windows 11 but not on windows 10

davennykayowo — Fri, 01 Nov 2024 11:00:00 GMT

I have a domain wildcard certificate installed on my cisco ISE cluster for client authentication.

I realized that windows 11 client were able to connect to the Wi-Fi but windows 10 client could not connect.

Please any idea what can be done to the windows 10 clients to enable them connect to the network

Re: Domain wildcard certificate works on Windows 11 but not on windows

Flavio Miranda — Fri, 01 Nov 2024 11:19:08 GMT

@davennykayowo

Were the windows 10 clients provisioned with the certificate?

Which logs do you see on the ISE when windows 10 clients try to access the wifi network? or which logs do you see on the Wireless lan controller?

How is the windows 10 clients´s supplicantes configured? Are they configured to use certificate?

Re: Domain wildcard certificate works on Windows 11 but not on windows

MHM Cisco World — Fri, 01 Nov 2024 13:10:25 GMT

I read somewhere' some win OS reject cert. If it have wildcard (*) in CN and as solution ypu need to use wildcard in SAN instead.

MHM

Re: Domain wildcard certificate works on Windows 11 but not on windows

davennykayowo — Fri, 01 Nov 2024 15:38:22 GMT

This is the response from ISE

Re: Domain wildcard certificate works on Windows 11 but not on windows

davennykayowo — Fri, 01 Nov 2024 15:44:01 GMT

I also read something like this.

My questions
1. Is there anything that can be done (aside not validating the certificate) on the windows 10 clients to accept the wildcard certs

2. How can I change the wildcard cert to a SAN instead

Thank you

Re: Domain wildcard certificate works on Windows 11 but not on windows

davennykayowo — Fri, 01 Nov 2024 15:48:17 GMT

It's a production environment, the only thing that changed was changing the certificate to wildcard instead of individual certs.

From the event viewer on one of the windows 10 machine, it indicated that the certificate was rejected because it's wildcard.

I just want to know If there's anything that can be done on the windows 10 machine to accept the wildcard cert.
I will be appreciated.

Re: Domain wildcard certificate works on Windows 11 but not on windows

Flavio Miranda — Fri, 01 Nov 2024 16:27:19 GMT

@davennykayowo

It seems the list for problem with wildcard certificate is huge. I have found an old but interesting discussion here in the forum, but they are mentioning Windows Vista and 8.

Solved: ISE and certificate wildcard support with Microsoft Windows supplicants - does it work? - Cisco Community

I did not find Microsoft explicitly saying windows 10 does not support Wildcard but what I can say by experience is that here where I work, we are getting rid of wildcard certificate due security issue.

And there is not easy way to fix it. You need to create a new certificate on the CA.

Common Wildcard Compatibility Errors

Security Certificate Errors

Wildcard Compatibility Errors

Almost all servers, devices, services, and platforms work fine with wildcard certificates. However, there are a few known incompatibilities. These issues are not specific to DigiCert® certificates—they are caused by the way wildcard characters are handled.

Microsoft Office Communication Server does not accept wildcards.
Microsoft Lync Server does not accept wildcards.
Oracle Wallet Manager does not accept wildcards.
Windows Mobile 5 devices cannot use wildcards. This is not an issue in future versions.
Microsoft Outlook cannot use RPC over HTTP with a wildcard unless you change the Outlook provider to *.yourdomain.com.
Barracuda Spam Firewalls can only create a certificate with a name that matches the server name. Technically, you can work around this issue by naming your server in the *.domain.com format.
LDAPS (Lightweight Directory Access Protocol) does not support wildcards.
Active Directory does not support wildcards.
Microsoft Exchange 2007 Service Pack 1 will not work with IMAP and POP services. This is not an issue in future versions.

Re: Domain wildcard certificate works on Windows 11 but not on windows

MHM Cisco World — Sat, 02 Nov 2024 10:27:37 GMT

you need to generate new EAP cert. with wildcard in SAN

contact the CA admin ask him about this point

MHM

Re: Domain wildcard certificate works on Windows 11 but not on windows

edward_uc — Thu, 05 Dec 2024 03:33:42 GMT

This is a windows 10 vs windows 11 behaviour issue.

EAP - What's changed in Windows 11 | Microsoft Learn

Wildcard certificates

In Windows 11, Windows will no longer immediately reject server certificates that contain a wildcard (*) in the certificate Common Name (CN). However, it's recommended that DNS name in the Subject Alternate Name (SubjectAltName/SAN) extension field is used, as Windows will ignore the CN components when checking for a DNS match if the SAN contains a DNS name choice. The SubjectAltName DNS name supports a wildcard in Windows 11, as it has on prior versions of Windows.