Tim,

For Cisco ISE, it validates that the host name matches the CN or SAN. So you can't always do that.
But you could do something like *.radius.univ.edu as a SAN and call them radius01.radius.univ.edu which would match.

Sent from my iPhone

> On Feb 3, 2017, at 2:45 PM, Cappalli, Tim (Aruba) <t...@hpe.com> wrote:
>
> For an EAP server certificate, you do not need SANs for every server. You can
> do something generic like “network-login.domain.edu” and put that cert on
> every box.
>
> The SANs will never be referenced and will just add significant cost.
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Hunter Fuller
> Sent: Friday, February 3, 2017 16:38
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: Re: [WIRELESS-LAN] wild card certs and PEAP
>
> Yes. Ours is a cert with CN eduroam.uah.edu and SANs eduroam.uah.edu,
> acs01.uah.edu, acs02.uah.edu, etc... All servers present the same cert.
>
> On Fri, Feb 3, 2017 at 15:19 Mike Atkins <matk...@nd.edu> wrote:
> Our identity management group runs our Microsoft NPS servers and I recall
> them calling it a multi-domain certificate. So NPS1.nd.edu, NPS2.nd.edu,
> NPS3.dn.edu…. and so on all present common name as NPS1.nd.edu. This keeps
> your client from having to trust each NPS server.
>
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Brian Helman
> Sent: Friday, February 03, 2017 3:32 PM
> To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
> Subject: [WIRELESS-LAN] wild card certs and PEAP
>
> I’m setting up a RADIUS test server (Server 2012 R2 NAP/NPS) to get our
> configurations in place to join eduroam. Yes, I can get a temporary cert (or
> beg digicert for one, since I don’t think they have an option), but we tried
> to use a wildcard cert that we usually use for testing of services. It
> generates/imports correctly and Android doesn’t appear to have an issue with
> it, but Win7 and Win10 don’t care for it when we try to authenticate to the
> wireless network. It looks like Android may be ignoring the validation or
> generally fine with the wildcard.
>
> The easier question is – will a wildcard cert work here?
> The tougher question is – if yes, um .. any good references to configure it
> with S2012R2?
>
> -Brian
>
> ********** Participation and subscription information for this EDUCAUSE
> Constituent Group discussion list can be found at
> http://www.educause.edu/discuss.
>
> --
> Hunter Fuller
> Network Engineer
> VBRH Annex B-1
> +1 256 824 5331
>
> Office of Information Technology
> The University of Alabama in Huntsville
> Systems and Infrastructure
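For a product that checks the server's host name against the certificate's CN or SAN, as the top reply describes for ISE, the certificate layouts mentioned in this thread can be compared before a cert is ordered. This is an added example, not code from any poster or vendor; it assumes RFC 6125-style matching (wildcard only as the whole left-most label, covering exactly one label), and names such as `radius01.domain.edu` and the CN `radius.univ.edu` are constructed for illustration.

```python
# Added example: RFC 6125-style name matching (an assumption about the rules,
# not Cisco ISE's or any supplicant's actual implementation).

def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (CN or SAN dNSName) covers hostname.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.univ.edu does not cover a.b.univ.edu.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as rad*.univ.edu are rejected outright.
    return "*" not in pattern and p == h


def uncovered_hosts(cn: str, sans: list[str], hosts: list[str]) -> list[str]:
    """Return the server host names that neither the CN nor any SAN covers."""
    names = [cn, *sans]
    return [h for h in hosts if not any(name_matches(n, h) for n in names)]


if __name__ == "__main__":
    # Constructed inputs built from the names used in the thread.
    cases = [
        ("wildcard SAN", "radius.univ.edu", ["*.radius.univ.edu"],
         ["radius01.radius.univ.edu", "radius02.radius.univ.edu"]),
        ("wildcard one level too high", "univ.edu", ["*.univ.edu"],
         ["radius01.radius.univ.edu"]),
        ("generic CN only", "network-login.domain.edu", [],
         ["radius01.domain.edu"]),
        ("CN plus per-server SANs", "eduroam.uah.edu",
         ["eduroam.uah.edu", "acs01.uah.edu", "acs02.uah.edu"],
         ["acs01.uah.edu", "acs02.uah.edu"]),
    ]
    for label, cn, sans, hosts in cases:
        print(f"{label}: uncovered = {uncovered_hosts(cn, sans, hosts)}")
```

An empty result means every listed server name is covered by the certificate under these matching rules; whether a given RADIUS product or supplicant applies the same rules has to be confirmed against that product.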