Cisco ISE subdomain

Gateway Church


We are beginning our deployment of Cisco ISE and are not sure how to proceed on our domain for ISE.  Should we use * or just *  We understand the security advantages of using, but is it worth any issues that may arise?  For example, does it cause any issues with users authenticating to the domain through ISE?  Can it make it more difficult to bind to the domain?  Does anyone have any experience with the subdomain usage and possible traps or errors that have occurred?

Thanks for your help!


Cisco Employee

Hi there! If you are referring to using wildcard certificates for ISE for EAP-based authentications, then I would recommend against it. There are several supplicants (Windows being the biggest one here) that will reject a wildcard certificate when it is presented for EAP-based authentications. As a result, I recommend that you only use wildcard certificates for the web-based functions of ISE (Guest, BYOD, Sponsor and My Devices portals, Admin, etc.). For EAP-based authentications you can use a SAN-based certificate where the Subject can be something like "" while the SAN fields include the FQDN of each ISE PSN:

SAN1 = ""

SAN2 = ""


To answer your original question: when you purchase a wildcard certificate, you should get it for your regular domain. This will make it easier to use for other purposes and devices. But, as you mentioned, there are more security benefits if you issue it to the sub-domain. Wildcard certificates in general are considered poor security practice, so a lot of security individuals recommend avoiding them. They make things easier, but at the expense of security :)

I hope this helps!

Thank you for rating helpful posts!
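To make the distinction in the reply above concrete, here is an added example (not code from the original thread, from Cisco, or from any supplicant) that applies two hostname-matching policies to a certificate's presented names: a browser-style check that honours a left-most-label wildcard, and a strict EAP-style check that refuses any wildcard and requires the PSN's exact FQDN in the SAN list. The certificate, hostnames and PSN names are constructed for the example; the real decision logic inside Windows or any other supplicant is not reproduced here.

```python
"""Hostname matching under two policies relevant to ISE certificates.

Added illustrative code, not the logic of ISE or of any supplicant.
All certificate contents and hostnames below are constructed examples.
"""

from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Cert:
    """Minimal stand-in for an X.509 certificate: subject CN plus SAN dNSName entries."""
    subject_cn: str
    san_dns: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        # Prefer the SAN list; fall back to the CN only when no SAN is present.
        return self.san_dns if self.san_dns else [self.subject_cn]


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def _label_match(pattern: str, host: str) -> bool:
    """Match one presented name against a hostname.

    A wildcard is honoured only when it is the entire left-most label
    (*.example.org), and it covers exactly one label: *.example.org matches
    guest.example.org but neither example.org nor a.b.example.org.
    """
    pattern, host = _norm(pattern), _norm(host)
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False  # partial wildcards (psn*.x) or wildcards deeper in the name are rejected
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def matches_for_web(cert: Cert, host: str) -> bool:
    """Browser/portal-style check: exact match or left-most-label wildcard."""
    return any(_label_match(n, host) for n in cert.names())


def matches_for_eap(cert: Cert, psn_fqdn: str) -> bool:
    """Strict check modelled on supplicants that refuse wildcard certificates:
    any '*' in the CN or SAN fails outright, and the PSN FQDN must appear verbatim."""
    names = cert.names()
    if "*" in cert.subject_cn or any("*" in n for n in names):
        return False
    return _norm(psn_fqdn) in {_norm(n) for n in names}


# Constructed certificates (hostnames are assumptions, not from the original post).
WILDCARD_CERT = Cert(
    subject_cn="*.ise.example.org",
    san_dns=["*.ise.example.org", "ise.example.org"],
)
PSN_SAN_CERT = Cert(
    subject_cn="ise.example.org",
    san_dns=["ise.example.org", "psn1.ise.example.org", "psn2.ise.example.org"],
)


def evaluate(cert: Cert, host: str) -> Dict[str, bool]:
    """Report whether a certificate is usable for the given host under each policy."""
    return {"web": matches_for_web(cert, host), "eap": matches_for_eap(cert, host)}


if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("per-PSN SAN", PSN_SAN_CERT)):
        for h in ("psn1.ise.example.org", "guest.ise.example.org", "psn3.ise.example.org"):
            print(f"{label:12s} {h:24s} {evaluate(cert, h)}")
```

Running the block shows the trade-off the reply describes: the wildcard certificate satisfies the web policy for every host under the sub-domain but is rejected for EAP on every PSN, while the per-PSN SAN certificate passes EAP only for the PSNs it explicitly names, so adding a new PSN means reissuing the certificate.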
