Appendix: Windows Wildcard CN Rejection

Appendix: Windows Wildcard CN Rejection — Technical Background

The Problem

Windows native 802.1X supplicants (built into Windows 10/11) reject RADIUS server certificates whose Subject Common Name (CN) contains a wildcard (*). This is not configurable: even disabling "Validate Server Identity" in the supplicant does not prevent the TLS handshake failure, because the rejection happens before the server-identity policy is consulted.

Root Cause

During the EAP-TLS/PEAP handshake the Windows supplicant compares the expected server name against the certificate's Subject CN literally; it does not treat * in the CN as a wildcard pattern for EAP authentication, so the match fails and the supplicant aborts the handshake. HTTPS clients behave differently: browsers historically accepted wildcards in the CN, and modern browsers ignore the CN altogether and match only against the Subject Alternative Name (SAN). A wildcard placed in a SAN dNSName entry is handled correctly by the supplicant, which is why the fix below moves it there.

Cisco Bug ID

CSCuh22029 documents this behavior as expected (not a defect). Cisco's recommendation: use a specific FQDN in the CN and put the wildcard in the SAN only.

The Fix

Field        Correct                 Wrong
Subject CN   access2.ise.chla.org    *.ise.chla.org
SAN DNS      *.ise.chla.org          (missing, or the same wildcard as the CN)

List the specific FQDN (access2.ise.chla.org) in the SAN as well as the wildcard: clients that follow RFC 6125 ignore the CN whenever a SAN is present, so a SAN containing only the wildcard still works for them, but a SAN that also carries the exact node name is the safest combination for every supplicant.

CA Warning

Some Certificate Authorities auto-populate the CN with the wildcard value from the SAN, even if your CSR specifies a different CN. You MUST:

  1. Verify the CSR before submission: confirm the CN is the specific FQDN

  2. Explicitly tell the CA not to modify the CN

  3. Verify the signed certificate after receiving it: confirm the CN was not changed and the SAN still contains the wildcard

  # Verify CN is not wildcard in signed cert
  openssl x509 -in signed-cert.pem -noout -subject | grep '\*'
  # If this returns output, the CA added a wildcard to CN -- REJECT
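The three checks above, as an added example that is not part of the original appendix: a small POSIX shell script that extracts the Subject CN and the DNS SAN entries from a PEM certificate, rejects any CN containing *, requires the CN to equal the expected FQDN, and requires the SAN to carry both that FQDN and a wildcard entry. The demo at the bottom generates two self-signed certificates (one correct, one with the wildcard in the CN) so it runs offline; file names and the FQDN access2.ise.chla.org are assumptions taken from the table above, and the generated certificates are constructed test data, not CA-issued ones.

```shell
#!/bin/sh
# Added example: verify a RADIUS/EAP server certificate follows the
# "specific FQDN in CN, wildcard in SAN" rule. Needs OpenSSL 1.1.1+.

# cert_cn FILE -> print the Subject CN value
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_san_dns FILE -> print each DNS SAN entry, one per line (empty if no SAN)
cert_san_dns() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^ *DNS:\([^ ]*\).*/\1/p'
}

# check_eap_cert FILE FQDN -> exit 0 if the certificate is acceptable, 1 if not
check_eap_cert() {
    cert="$1"; fqdn="$2"
    cn=$(cert_cn "$cert")
    sans=$(cert_san_dns "$cert")

    # Windows supplicants abort the handshake on a wildcard CN (see above)
    case "$cn" in
        *\**) echo "REJECT: Subject CN '$cn' contains a wildcard" >&2; return 1 ;;
    esac
    [ "$cn" = "$fqdn" ] || { echo "REJECT: Subject CN '$cn' is not $fqdn" >&2; return 1; }

    # The SAN must list the node's FQDN (SAN-only clients) and the wildcard
    echo "$sans" | grep -qx "$fqdn" \
        || { echo "REJECT: SAN does not contain $fqdn" >&2; return 1; }
    echo "$sans" | grep -q '^\*\.' \
        || { echo "REJECT: SAN has no wildcard entry" >&2; return 1; }

    echo "OK: CN=$cn SAN=$(echo "$sans" | tr '\n' ' ')"
    return 0
}

# make_sample_cert OUT CN SAN  (demo helper; SAN like "DNS:a,DNS:*.b")
# Produces a throw-away self-signed cert so the checks can run offline.
make_sample_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -nodes -keyout /dev/null -days 1 -subj "/CN=$2" \
        -addext "subjectAltName=$3" -out "$1" 2>/dev/null
}

# Demo: one correct cert, one with the wildcard the CA "helpfully" moved into CN.
if [ "${EAP_CERT_DEMO:-1}" = 1 ]; then
    d=$(mktemp -d)
    make_sample_cert "$d/good.pem" "access2.ise.chla.org" \
        "DNS:access2.ise.chla.org,DNS:*.ise.chla.org"
    make_sample_cert "$d/bad.pem" "*.ise.chla.org" "DNS:*.ise.chla.org"
    check_eap_cert "$d/good.pem" access2.ise.chla.org || true
    check_eap_cert "$d/bad.pem"  access2.ise.chla.org || true
    rm -rf "$d"
fi
```

Run it against the real signed certificate with `check_eap_cert signed-cert.pem access2.ise.chla.org`; a non-zero exit means the certificate must be sent back to the CA. Set EAP_CERT_DEMO=0 when sourcing the file to skip the self-signed demo.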

ISE Error Log Symptoms

When Windows rejects the certificate, the ISE live log shows:

  • 12511 Unexpectedly received TLS alert message: the supplicant sent a TLS fatal alert

  • 12514 EAP-TLS handshake failed: TLS negotiation could not complete

  • No further detail on the ISE side: the supplicant aborts the handshake without saying why, so the reason has to be recovered on the endpoint

Endpoint Troubleshooting

Enable CAPI2 logging on Windows to see the certificate rejection:

Event Viewer > Applications and Services Logs > Microsoft > Windows > CAPI2
  > Right-click Operational > Enable Log

! Reproduce the 802.1X attempt after enabling the log; CAPI2 only records events from that point on
! Filter for Event ID 11 (Build Chain) and Event ID 30 (Verify Chain Policy)
! Look for "The certificate's CN name does not match the passed value" in the Event ID 30 details