ISE and certificate wildcard support with Microsoft Windows supplicants - does it work?

Arne Bier
VIP

The ISE 2.4 Admin Guide claims that using wildcards in the Admin and EAP certificates is okay. I am not too concerned with the SSL (web) usage, but I recall reading in BRKSEC-3699 and elsewhere that Windows does not support wildcards. What does that mean? I have a customer who wants to re-use a wildcard cert for the ISE Admin & EAP role.

I have not found out yet whether the wildcard is in the Subject CN or in the SAN. Does that matter?

Here is a Microsoft link (albeit a bit old) that says wildcards are not supported. I have read the same comment in Aruba Airheads forums, as well as in Cisco Live presentations (BRKSEC-3699, but the latest version doesn't make reference to this anymore). There are numerous postings on the internet that say this won't work. Here is another one that says Windows 8/8.1 chokes on wildcard certs.

Is anyone out there presenting a wildcard cert on ISE for EAP server identity? If so, what supplicants are you supporting (Windows versions)? Is the wildcard in the Subject CN, or in the SAN?

 

Thanks in advance


8 Replies

Cory Peterson
Level 5

When using a wildcard cert for EAP you need to be sure you use a Wild"SAN" certificate.

To do this you need to use a normal FQDN in the CN, like ise.company.com or any dummy FQDN.

Then in the SAN you put the wildcard *.company.com

When you build a certificate in this way Windows will accept it for EAP authentication.

Keep in mind a wildcard cert will only work for the level the wildcard is in. So, ise01.company.com would work but ise01.sub.company.com would not work with the wildcard.
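The Wild"SAN" construction and the one-label rule Cory describes, as an added example that is not part of the thread: a POSIX shell script using the openssl CLI that builds a self-signed test cert with a plain FQDN in the Subject CN and the wildcard only in the SAN, builds the CN-wildcard shape beside it, reports which shape a given PEM file has, and applies the single-label matching rule to host names. The domain company.com, the host names, the temp directory and the function names are assumptions; the certificates are constructed test data, not the customer's cert.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI (1.1.1 or newer
# for -addext). "company.com" and the host names below are placeholders.

WORK=$(mktemp -d)

# make_cert <prefix> <subject-cn> <san-list>
# Self-signed test cert; <san-list> is an openssl SAN string such as
# "DNS:*.company.com,DNS:ise.company.com".
make_cert() {
  prefix="$1"; cn="$2"; sanlist="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/$prefix.key" -out "$WORK/$prefix.crt" \
    -subj "/CN=$cn" -addext "subjectAltName=$sanlist" 2>/dev/null
}

# cert_wildcard_verdict <cert.pem>
# Exit 0 when the Subject CN is a plain name (any wildcard lives only in the
# SAN); exit 1 when the CN itself carries "*", the shape the thread reports
# Windows supplicants rejecting.
cert_wildcard_verdict() {
  cert="$1"
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p')
  sans=$(openssl x509 -in "$cert" -noout -text \
       | grep -A1 'Subject Alternative Name' | tail -n 1 \
       | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | tr '\n' ' ')
  echo "CN=$cn SAN=[$sans]"
  case "$cn" in
    *\**) echo "  -> wildcard in Subject CN: expect Windows supplicant failures"; return 1 ;;
  esac
  case "$sans" in
    *\**) echo "  -> WildSAN: wildcard only in SAN" ;;
    *)    echo "  -> no wildcard present" ;;
  esac
  return 0
}

# matches_wildcard <pattern> <host>
# Exit 0 when <host> is covered by <pattern>. A leading "*." covers exactly one
# label, so *.company.com covers ise01.company.com but not ise01.sub.company.com
# or company.com itself; a pattern without "*" must match exactly.
matches_wildcard() {
  pattern="$1"; host="$2"
  case "$pattern" in
    \*.*) ;;
    *) [ "$pattern" = "$host" ]; return $? ;;
  esac
  suffix="${pattern#\*}"             # "*.company.com" -> ".company.com"
  label="${host%"$suffix"}"          # strip the suffix; unchanged when absent
  if [ "$label" = "$host" ] || [ -z "$label" ]; then
    return 1
  fi
  case "$label" in
    *.*) return 1 ;;                 # leftover spans more than one label
    *)   return 0 ;;
  esac
}

# Demo with two constructed certs: the recommended shape and the rejected shape.
make_cert wildsan "ise.company.com" "DNS:*.company.com,DNS:ise.company.com"
make_cert cnwild  "*.company.com"   "DNS:*.company.com"
cert_wildcard_verdict "$WORK/wildsan.crt"
cert_wildcard_verdict "$WORK/cnwild.crt" || true
for h in ise01.company.com ise01.sub.company.com company.com; do
  if matches_wildcard "*.company.com" "$h"; then
    echo "*.company.com covers $h"
  else
    echo "*.company.com does not cover $h"
  fi
done
```

Running `cert_wildcard_verdict` against the customer's actual PEM file is the quick way to answer the question asked later in the thread (whether the wildcard sits in the CN, the SAN, or both) before building a new CSR.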

Thanks Cory. I have asked my customer for a copy of their existing wildcard certificate so that I can analyse the Subject and SANs.

I wonder what all those internet postings are talking about then? Perhaps Windows doesn't accept wildcards in the Subject CN, but it's okay with wildcards in the SAN?

Do you have personal experience deploying this kind of setup?

That is correct. SAN is OK, Subject CN is not.

This is how I deploy all of my ISE certs for customers.

Hi Cory

One last question. I have seen the customer cert and the wildcard is in the Subject CN as well as in the SAN (identical wildcard).

Does the mere presence of a wildcard in the Subject CN break the supplicant? Or does the supplicant ignore the contents of the Subject and look in the SAN instead?

Much appreciated.

The wildcard in the CN will break the supplicant.

Adding to Cory's, Jason is using such a wildcard certificate in dCloud ISE demos, so you may check it out there: either ISE 2.3 Secure Access Wizard v1 or ISE 2.3 Mobility Deep Dive v1.

Damien Miller
VIP Alumni
Arne,

If you want I can shoot you an email with an example of the cert your client wants to use. Currently using it for Admin, Portal, and EAP with success.

Like Cory mentioned, I had a mixed bag of issues with Windows clients when using a wildcard in the CN. Some worked fine, others rejected it.

Hi Damien

Thanks - I have sent you a direct email :-)

Cheers