We are beginning our deployment of Cisco ISE and are not sure how to proceed on our domain for ISE. Should we use *.ise.company.com or just *.company.com? We understand the security advantages of using ise.company.com, but is it worth any issues that may arise? For example, does it cause any issues with users authenticating to the company.com domain through ISE? Can it make it more difficult to bind to the company.com domain? Does anyone have any experience with the subdomain usage and possible traps or errors that have occurred?
Hi there! If you are referring to using wildcard certificates for ISE for EAP-based authentications, then I would recommend against it. There are several supplicants (Windows being the biggest one here) that will reject a wildcard certificate when presented for EAP-based authentications. As a result, I recommend that you only use wildcard certificates for the web-based functions of ISE (Guest, BYOD, Sponsor and My Devices Portals, Admin, etc.). For EAP-based authentications you can use a SAN-based certificate where the Subject can be something like "ise.company.com" while the SAN fields include the FQDN of each ISE PSN:
SAN1 = "psn1.company.com"
SAN2 = "psn2.company.com"
To answer your original question: when you purchase a wildcard certificate you should get it for your regular domain. This will make it easier to use for other purposes and devices. But as you mentioned, there are more security benefits if you issue it to the sub-domain. Wildcard certificates in general are considered poor security practice, so a lot of security individuals recommend avoiding them. They make things easier, but at the expense of security :)
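The answer above describes the EAP server-certificate layout (a Subject CN such as ise.company.com plus one DNS SAN per PSN, and no wildcard). The script below is an added example, not code from the thread or from Cisco, showing how an operator would build the OpenSSL request configuration for such a certificate and check that no wildcard name slipped into the SAN list. The hostnames `ise.company.com`, `psn1.company.com` and `psn2.company.com` are taken from the thread as placeholders; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): build an OpenSSL "req" config
# for an ISE EAP server certificate and reject wildcard hostnames, which some
# supplicants (notably Windows) refuse during EAP. Hostnames are placeholders.
set -eu

# Emit an openssl req config on stdout.
# $1 = Subject CN (shared name), remaining args = one FQDN per PSN.
build_san_config() {
  cn="$1"; shift
  printf '[req]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
  printf '[dn]\nCN = %s\n\n' "$cn"
  printf '[v3_req]\nsubjectAltName = @alt_names\nextendedKeyUsage = serverAuth\n\n'
  printf '[alt_names]\n'
  i=1
  for host in "$@"; do
    printf 'DNS.%d = %s\n' "$i" "$host"
    i=$((i + 1))
  done
}

# Return 0 when every name is a plain FQDN, 1 if any contains a wildcard.
eap_safe_names() {
  for host in "$@"; do
    case "$host" in
      *\**) return 1 ;;   # wildcard entries are unsuitable for EAP
    esac
  done
  return 0
}

# Demonstration: build the config for two PSNs and, when openssl is present,
# generate a key + CSR from it and print the SAN entries for review.
SUBJECT_CN="ise.company.com"
PSN_HOSTS="psn1.company.com psn2.company.com"

# shellcheck disable=SC2086  # word-splitting of PSN_HOSTS is intended
if eap_safe_names $PSN_HOSTS; then
  workdir=$(mktemp -d)
  build_san_config "$SUBJECT_CN" $PSN_HOSTS > "$workdir/ise.cnf"
  if command -v openssl >/dev/null 2>&1; then
    openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$workdir/ise.key" -out "$workdir/ise.csr" \
      -config "$workdir/ise.cnf" 2>/dev/null
    # Show the SAN block the CA will see before you submit the CSR.
    openssl req -in "$workdir/ise.csr" -noout -text | grep -A1 'Subject Alternative Name' || true
  else
    echo "openssl not found; config written to $workdir/ise.cnf"
  fi
else
  echo "refusing to build an EAP certificate request with a wildcard SAN" >&2
fi
```

Submit the resulting CSR to your CA and install the issued certificate on each PSN; because the SAN list carries every PSN FQDN, a single certificate can be shared across the nodes while still matching each node's real hostname during EAP.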