Windows EAP-TLS with machine cert only?

Similar Messages

• EAP-TLS with machine certificate

  Hello all,
  I'm looking for a solution to authenticate both machine and wireless users. I've been finding out solutions like EAP-TLS using the machine certificate to stablished the tunnel and authenticating user credentials (LDAP store) over this tunnel. Now i want to know if is possible to use this configuration using an ACS Radius servers and what SOs are supported to do this without external supplicants (Windows XP, Windows 7, Windows 8, iOs, Android...).
  Thanks a lot.
  Best regards.

  Hi Alfonso, 
  Certificate Retrieval for EAP-TLS Authentication
  ACS 5.4 supports certificate retrieval for user or machine authentication that uses EAP-TLS protocol. The user or machine record on AD includes a certificate attribute of binary data type. This can contain one or more certificates. ACS refers to this attribute as userCertificate and does not allow you to configure any other name for this attribute. 
  ACS retrieves this certificate for verifying the identity of the user or machine. The certificate authentication profile determines the field (SAN, CN, SSN, SAN-Email, SAN-DNS, or SAN-other name) to be used for retrieving the certificates. 
  After ACS retrieves the certificate, it performs a binary comparison of this certificate with the client certificate. When multiple certificates are received, ACS compares the certificates to check if one of them match. When a match is found, ACS grants the user or machine access to the network. 
  Configuring CA Certificates
  When a client uses the EAP-TLS protocol to authenticate itself against the ACS server, it sends a client certificate that identifies itself to the server. To verify the identity and correctness of the client certificate, the server must have a preinstalled certificate from the Certificate Authority (CA) that has digitally signed the client certificate. 
  If ACS does not trust the client's CA certificate, then you must install in ACS the entire chain of successively signed CA certificates, all the way to the top-level CA certificate that ACS trusts. CA certificates are also known as trust certificates. 
  You use the CA options to install digital certificates to support EAP-TLS authentication. ACS uses the X.509 v3 digital certificate standard. ACS also supports manual certificate acquisition and provides the means for managing a certificate trust list (CTL) and certificate revocation lists (CRLs). 
  Digital certificates do not require the sharing of secrets or stored database credentials. They can be scaled and trusted over large deployments. If managed properly, they can serve as a method of authentication that is stronger and more secure than shared secret systems. 
  Mutual trust requires that ACS have an installed certificate that can be verified by end-user clients. This server certificate may be issued from a CA or, if you choose, may be a self-signed certificate
  Also check the below link,  
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/user/guide/users_id_stores.html#wp1170404

• EAP-TLS with WLC 5.2.178 Improve Performance and Roams?

  Good Morning...
  I've been working on moving our clients over to EAP-TLS with Machine Auth for sometime. I had moved the IT Department over a couple of months ago as a test with no issues reported and have tested on a few of our Medical Carts (CoWs) as well with no issues reported. However, upon deploying to a larger population of Carts (Specifically using Atheros 5006x 7.x Driver {No Client}) I've been getting some client drop complaints. If I look at the client history I do see a lot of "Client Associations" or Roams that occure anywhere from ever 2minutes, to every 10minutes to every 5 hours. These carts do move around ALOT as they are pushed from one Patient Room to another so I'm guessing the drops are occuring during a re-authentication phase as the device roams. Looking at the device you might not be able to tell it's dropping but the software we use (Meditech) is very connection sensitive in doing a simple ping you may see a couple of dropped packets until the client is fully connected again. So I'm guessing the roaming is the issue. What can we do to fight this or make it more effecient? It was mentioned to me by a colleague (who doesn't know where he saw it) that he thought it was possible to configure the WLC's to not reauthenticate on the roam? I'm guessing something must be able to be tweaked if the 7921's and 25's support EAP-TLS as this type of latency would never work. By the way I'm using an ACS 4.2 as my authentication platform mapped back to AD.

  You will always reauth with a roam. That is part of the 802.11 spec. How you reauth will depend on the type of security you have setup. If you are using WPA2/AES or CCKM the reauths can be done with a PMK instead of needing to go through the entire reauthentication process. Try running "debug client " for a client having the issue and see if it gives you an idea of where the authentication is failing.

• EAP Chaining with Machine TLS and User PEAP

  We are deploying an ISE based .1x. The design is to use eap-tls for machine and eap-peap for user. Apparently EAP-Chaining is recommended, but can anyone confirm if we can do chaining based on machine TLS and user PEAP. I have done some investigation and could not find any supporting document, but not any document saying not supporting either. Looking at Anyconnect profile editor, it does not look like this configuration is supported. Has anyone done this before?
  Thanks a lot.

  http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf
  Just change the authentication policy to allow the methods you want to use under eap-fast (eap-chaining) and use the same ones in your nam client configuration settings.

• EAP-TLS with WLC 5508, Microsoft NPS and custom EKU OID´s

  We are trying to implement EAP-TLS with client certificates that have a custom EKU OID to distinguish the WLAN clients. The Microsoft Press Book
  Windows Server 2008 PKI and Certificate Security gives an example on how to configure a policy in NPS that matches specific EKU OID´s. At the moment we have two policies that have an allowed-certificate-oid configured that matches the OID´s in our certificates, but our setup is not working as expected. Authentications will only be successful, if the client authenticates with the certificate that is matched by the first policy rule.
  For example:
  Policy 1: allowed-certificate-OID --> corporate
  Policy 2: allowed-certificate-OID --> private
  Client authenticates with EKU corporate --> success
  Client authenticates with EKU private --> reject
  My expectation was, that if Policy 1 will not match the NPS goes over to Policy 2 and tries to authenticate the client.
  Has anyone a simmilar setup or can help to figure out what is going wrong?
  We have a WLC 5508 with Software Version                 7.4.100.0 and a NPS on a Windows Server 2008 R2
  regards
  Fabian

  The policy rejects and the NPS goes to the next policy, only if the user does not belong to the configured group.
  This means I need to have one AD group per application policy, but that will not solve my problem. A user could belong to more than one group, depending on how many devices he/she has. It will work with one group only for each user, because the first policy that matches a AD group, the user belongs to, could have a OID that is not in the certificate. This would cause a recejct with reason code 73:
  The purposes that are configured in the Application Policies extensions, also called Enhanced Key Usage (EKU) extensions, section of the user or computer certificate are not valid or are missing. The user or computer certificate must be configured with the Client Authentication purpose in Application Policies extensions. The object identifier for Client Authentication is 1.3.6.1.5.5.7.3.2.
  The certificate does include this OID but not the custom EKU.

• EAP TLS for machine and EAP PEAP for user

  Hi forum
  I am doing a design to use ISE to enforece dot1x for corporate machinese on both wired and wireless.
  Due to the particular environment, we will need to use EAP-TLS for machines auth and on top of that use EAP-PEAP for user auth with windows credential and posture for full access.
  Just wondering if anyone has done this before:
  1. Will this work?
  2. Any gottas?
  3. what is the user experience like?
  All machines are win7 based.
  Thanks

  You can not use the native supplicant for this. Cisco Anyconnect NAM will allow you to use this method. It is very simple to configure and deploy.
  Tarik Admani
  *Please rate helpful posts*

• EAP-TLS with IAS

  Hi, has anyone got some good documentation on setting up EAP-TLS with windows 2003 Active Directory/CA, IAS and Cisco AP1200.
  Cisco ACS 3.3 does not support NTLMv2 so I have to use IAS.
  Any suggestions?

  Hi,
  I give you a good documentation explaining how to implement EAP-TLS with IAS (But it is not a AP1200)
  Regards,
  Davy

• 802.1x EAP-TLS with Cisco IP-Phone on MS NPS

  Hi,
  does anybody get 802.1x - EAP-TLS with IP-Phones ( e.g. 7962G ) on Microsoft NPS up and running?
  With ACS it is not a problem at all.
  thx
  Sebastian

  Hi all !
  Have you solved this problem (LSC certificate )? I am facing the same problem and I did not find the solution yet.
  This is the last e-mail that Microsoft TAC has sent to the customer:
  ====================================================================================
  As per the discussion, we need to engage Vendor on the case to find out why the CRL Distribution Point (CDP) and AIA paths are missing from the certificate. Ideally CDP contains that Revocation List of the certificates and AIA is used for building the certificate chain.
  "Please find below some more information about the same from Microsoft TechNet Article :
  CRL Distribution Points : This extension contains one or more URLs where the issuing CA’s base certificate revocation list (CRL) is published. If revocation checking is enabled, an application will use the URL to retrieve an updated version of the CRL. URLs can use HTTP, LDAP or File.
  Authority Information Access : This extension contains one or more URLs where the issuing CA’s certificate is published. An application uses the URL when building a certificate chain to retrieve the CA certificate if it does not exist in the application’s certificate cache."
  =====================================================================================
  Tks for your help !!!!!!!
  Luis

• I used to be able to copy or drag and drop links from the address window. Now with the update, only the address is copied or dragged not the link. (Says something about not giving site information). I want to be able to drag and drop or copy links.

  Question
  I used to be able to copy or drag and drop links from the address window. Now with the update, only the address is copied or dragged not the link. (Says something about not giving site information). I want to be able to drag and drop or copy links.

  To be more precise, you can setup a JComponent or JPanel on top of your JavaFX nodes that has a TransferHandler that can convert the (AWT/Swing) images dragged to the app to JavaFX image and then insert it into the underlying node.
  As for the file chooser itselft: ListView and the JavaFX composer can allow you to create one quite easily. TreeView can aslso be used to a lesser extend (still a big buggy). For both of these, there are small bugs in the Cell API that may (or may not) prevent from displaying a proper thumbnail in the cells.
  You can also use a regular JFileChooser if you do not mind the dialog box having a different LnF from the rest of your application.

• EAP-TLS with windows machine

  I had configured everything for certificate authentication EAP-TLS in Windows 2003 AD with enterprise CA. After logging a machine to domain I receive a certificate for computer, then setup XP SP3 to reauthenticate perion 120 sec (by Microsoft KB). I try two different machines with XP to use EAP-TLS authentication, but reason is not toward success.
  I use "authentication open" on switch therefore machines could communicate with whole network. Nothing appars in Failed Attempts.csv of Passed Attempts.csv (of couse).
  Just list of RDS.log appears some activity ended with
  NAS: 172.24.34.62:27910:25 Cleaning lookup entry. AND reapeted
  If I change an authentication type to PEAP, and I had not it configured on ACS, than failed attempt log issue is arrised: EAP_PEAP Type not configured.
  Is it necessary to use http://support.microsoft.com/kb/957931 on windows XP to success machine authentication?
  Please let attentions to Attachments and let me know
  what could be a problem of my unsuccessness of use EAP-TLS.
  configuration of interface which I use for testing:
  interface GigabitEthernet0/42
  description Test 802.1X klient - Filip
  switchport access vlan 34
  switchport mode access
  switchport voice vlan 31
  authentication host-mode multi-domain
  authentication open
  authentication port-control auto
  authentication periodic
  authentication violation protect
  dot1x pae authenticator
  dot1x timeout tx-period 10
  spanning-tree portfast
  end

  Hi Filip,
  Just noticed your post...
  In order to use EAP-TLS you should ensure that you have the complete certs chain. I've noticed that EAP-TLS and service pack 3 has some compatibility issue so please try authenticating with a windows XP sp2 machine.
  Microsoft has done some changes in SP 3 for wired 802.1x
  Changes to the 802.1X-based wired network connection settings in Windows XP
  Service Pack 3
  http://support.microsoft.com/kb/949984/
  In Windows XP Service Pack 2 (SP2), both the wired and wireless connections are handled by the Wireless Zero Config (WZCSVC) service. Additionally, this service is always running. In Windows XP SP3, this WZCSVC functionality is divided into the following separate services as part of Network Access Protection (NAP) integration:
  * The WZCSVC service
  * The Wired AutoConfig service (DOT3SVC)
  As we are using wired authentication, I would suggest you to check whether wired autoconfig service is running or not.You can check by going to Manually start the Wired AutoConfig service
  If you are an end-user who has already installed Windows XP SP3, follow
  these steps:
  1. Click Start, and then click Run.
  2. In the Open box, type services.msc, and then press ENTER.
  3. Locate the Wired AutoConfig service, right-click it, and then click
  Start
  Since, we are not getting any hits on the ACS for EAP-TLS, it's clearly indicates that supplicant is not sending access-request...
  CERTIFICATE REQUIREMENT IN EAP-TLS:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39121
  ACS CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39247
  MICROSOFT XP CLIENT CONFIGURATION:
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a008009256b.shtml#wp39392
  As far as peap is concerned where we are getting EAP_TYPE not configured. Here you need to enable peap-mschapv2 under the on the ACS >system configuration > global authentication setup and check the PEAP and EAP-TLS.
  Also make sure that your logging is set to full > Go to system configuration > services control > check the radio button for FULL > click on Restart.
  Also, let me know the full ACS version and platform.
  HTH
  JK
  Do rate helpful posts-

• Trouble with EAP-TLS with Wireless before Windows logon

  Ill start with a list of equipment;
  5508 WLC
  3502i AP's
  Cisco ACS 5.3
  Windows 7 clients
  WLAN is configure with WPA2/AES with 802.1x for key management.
  Client is configure with WPA2/AES, auth method is Microsoft: Smart Card or other certificate on computer. Auth mode is User or Computer authentication.  The client is configured to use a certificate on the computer.  "It only works if user or computer auth is seected."  If i use Computer Authenticate option......its says it cant find a certificate to use for EAP.
  ACS is configured to only allow for protocol EAP-TLS.
  We have created a standalone CA server and have distributed the CA root and client authentication certificates to all test systems.
  This whole process with EAP-TLS works great if you are already logged in to the machine, with cache credentials.  Once I log off the Windows 7 client, I lose connection to the WLAN.  We would like to stay logged on to the WLAN.  PEAP w/ MSCHAPV2 works great with staying connected to the WLAN but we want to use EAP-TLS.
  Any ideas??
  Thanks in advanced,
  Ryan

  Hi Ryan,
  You actually answer your own question :) The reason for the fault is because the Machine Account doesn't have a Certificate, so when your User logs off the Machine Account can't login to keep the session going, and thus you get disconnected. Provide the Machine Account with a Certificate and your problem will be resolved.
  Richard

• IPhone and EAP-TLS with ACS & 5508

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0in 5.4pt 0in 5.4pt;
  mso-para-margin:0in;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  I have a large customer that is moving into a new building and adding some
  new wireless.
  They are using a 5508 with 1142's and an ACS server.
  They will have the following SSID's
  SSID01 -> WPA-EAP-TLS
  SSID02 -> WPA2-EAP-TLS (future use)
  SSID03 -> Guest Access (internet access only)
  They currently use this design across the enterprise which has worked well.
  The problem is to get certificates pushed down to the client for the EAP-TLS
  they always connect the machine once by wire and log on to the domain so a
  GPO pushes the cert to the machine.
  This creates a problem that I don't know how to solve as they want to use
  iPhones on the new deployment.
  Does anyone have any ideas on how to get a cert down to the iPhones for use
  with the SSID's?
  Thanks in advance for any assistance.

  I don't think we can push certs from windows server to iphones . Probably set up a webpage say a accessible from a different ssid  from which clients can download and install cert. ?

• EAP-TLS - ACS - Machine Certificates

  Hi,
  I've enabled EAP-TLS machine authentication on my ACS 4.2 server as per the following document: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/UsrDb.html#wp354195.  I currently have user authentication working using a user certificate on my laptop. I want to enable machine authentication for my windows domain.
  Which is the best ACS option to choose for machine certificate comparison:
  - Certificate Subject AlternativeName
  - Certificate Common Name
  - Certificate Binary
  Is there a guide to use for setting up machine certificate templates for Windows Clients?
  Thanks,

  CN (or Name)Comparison—Compares the CN in the           certificate with the username in the database. More information on  this           comparison type is included in the description of the Subject field of  the           certificate.
  SAN Comparison—Compares the SAN in the certificate           with the username in the database. This is only supported as of ACS  3.2. More           information on this comparison type is included in the description of  the           Subject Alternative Name field of the certificate.
  Binary Comparison—Compares the certificate with a           binary copy of the certificate stored in the database (only AD and  LDAP can do           this). If you use certificate binary comparison, you must store the  user           certificate in a binary format. Also, for generic LDAP and Active  Directory,           the attribute that stores the certificate must be the standard LDAP  attribute           named "usercertificate".
  Whatever comparison method is used, the information in the  appropriate       field (CN or SAN) must match the name that your database uses for       authentication.

• ACS 4.2 and EAP-TLS with AD and prefix problem

  Hi there
  we have the following situation:
  - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain A
  - 2 x ACS (1 x ACS SE 4.2 and 1 x ACS 4.2) for domain B
  First of all, is it a problem to have an ACS SE and an ACS working together for one domain, I don't think so? When we had only one domain and both ACS SE were responsible for domain A, it worked.
  Now after the changes, machine authentication with EAP-TLS doesn't work anymore. In the logs it always says that the "External DB user is unknown" for a (machine) username like host/abc.domain.ch
  This is the normal output of the Remote Agent, it finds the host but then nothing happens:
  CSWinAgent 11/30/2009 16:32:13 A 0140 3672 0x0 Client connecting from x.x.x.x:2443
  CSWinAgent 11/30/2009 16:32:14 A 0507 3512 0x0 RPC: NT_DSAuthoriseUser received
  CSWinAgent 11/30/2009 16:32:14 A 0474 3512 0x0 NTLIB:       Creating Domain cache
  CSWinAgent 11/30/2009 16:32:14 A 0549 3512 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 16:32:14 A 0646 3512 0x0 NTLIB: No Trusted Domains Found
  CSWinAgent 11/30/2009 16:32:14 A 0735 3512 0x0 NTLIB: Domain cache loaded
  CSWinAgent 11/30/2009 16:32:14 A 2355 3512 0x0 NTLIB: User 'host/abc.domain.ch' was found [DOMAIN]
  CSWinAgent 11/30/2009 16:32:14 A 0584 3512 0x0 RPC: NT_DSAuthoriseUser reply sent
  So I made a test from an ASA to see if the host/ is a problem (before any changes were made it wasn't a problem):
  test aaa authentication RADIUS host 10.3.1.9 username host/abc.domain.ch (the ASA transforms the host/ input to the correct Windows schema with the $):
  CSWinAgent 11/30/2009 15:39:23 A 0140 3672 0x0 Client connecting from x.x.x.x:1509
  CSWinAgent 11/30/2009 15:39:23 A 0390 3728 0x0 RPC: NT_MSCHAPAuthenticateUser received
  CSWinAgent 11/30/2009 15:39:23 A 0474 3728 0x0 NTLIB:       Creating Domain cache
  CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 15:39:23 A 0646 3728 0x0 NTLIB: No Trusted Domains Found
  CSWinAgent 11/30/2009 15:39:23 A 0735 3728 0x0 NTLIB: Domain cache loaded
  CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
  CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
  CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
  CSWinAgent 11/30/2009 15:39:23 A 0373 3728 0x0 NTLIB: Reattempting authentication at domain DOMAIN
  CSWinAgent 11/30/2009 15:39:23 A 0549 3728 0x0 NTLIB: Loading Domain Cache
  CSWinAgent 11/30/2009 15:39:23 A 1762 3728 0x0 NTLIB: Got WorkStation CISCO
  CSWinAgent 11/30/2009 15:39:23 A 1763 3728 0x0 NTLIB: Attempting Windows authentication for user ABC$
  CSWinAgent 11/30/2009 15:39:23 A 1815 3728 0x0 NTLIB: Windows authentication FAILED (error 1326L)
  CSWinAgent 11/30/2009 15:39:23 A 0456 3728 0x0 RPC: NT_MSCHAPAuthenticateUser reply sent
  It's clear that the test was not successful because of the wrong "machine password" but it's a different output as before. I saw that in ACS 4.1 you could change the prefix of /host to nothing, but in 4.2 this is not possible anymore.
  Could this be the problem or does someone see any other problem?
  Best Regards
  Dominic

  Hi Colin
  thanks for your answer, we had the this setting correct. I was able to solve the problem yesterday, we had some faults in the AD mapping.
  I didn't know that when I select more AD groups for one ACS group in one step, that the user / host has to be in every of these AD groups (AND conjunction).
  Now I only added one AD group for my ACS group and it works. The error message "AD user restriction" was not very helpful for finding this fault ;-)
  Regards
  Dominic

• EAP-TLS Vista Machine Authentication to ACS integrated to non AD LDAP

  Hello all,
  I've been working on a scenario with ACS 4.2 (trial) for Proof of Concept to a customer of ACS's abilities.
  His intended network plan is to use Vista Laptops doing Machine authentication only towards a ACS server integrated with a non-microsoft LDAP server. The mechanism of choice is EAP-TLS.
  We've set up the PKI on the right places and it is all up. We do manage to get a user certificate on the PC, authenticate via ACS to the LDAP repository, and everything is good.
  The problem that we are facing is when we want to move to do machine authentication, the behaviour is inconsistent. I'll explain:
  When the first authentication is done, the EAP-Identity requests are always prepended with a "host/". What we see is that the CN of a certificate is TEST, and the Identity request appears as host/TEST. This is no problem to LDAP, as we can get rid of the "host/" part to do the user matching and in fact it does match. After TLS handshake (certificates are ok), ACS tries to check CSDB (the internal ACS db) and afterwards it will follow the unknown user policy and query LDAP.
  All of this appears to be successful the first time.
  If we disassociate the machine, the problems start. The accounting STOP message is never sent.
  Any new authentication will fail with a message that CS user is invalid. The AUTH log shows that ACS will never try again to check LDAP, and invalidates the user right after CSDB check. In fact if we do see the reports for RADIUS, the authenticated user is host/TEST, but if we check the dynamic users, only TEST appears. Even disabling caching for dynamic users the problem remains.
  Does anyone have an idea on how to proceed? If it was possible to handle the machine authentication without the "host/" part, that would be great, as it works.
  My guess is that ACS is getting confused with the host/, as I'm seeing its AUTH logs and I do see some messages like UDB_HOST_DB_FAILURE, after UDB_USER_INVALID.
  IF someone can give me a pointer on how to make this work, or if I'm hitting a bug in ACS.
  Thanks
  Gustavo

  Assuming you're using the stock XP wifi client.
  When running XPSP3, you need to set two things:
  1) force one registry setting.
  According to
  http://technet.microsoft.com/en-us/library/cc755892%28WS.10%29.aspx#w2k3tr_wir_tools_uzps
  You need to force usage of machine cert-store certificate:
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global]
  "AuthMode"=dword:00000002
  2) add the ACS certificate signing CA to the specific SSID profile "trusted CA".
  - show available wireless networks
  - change advanced settings
  - wireless networks tab
  - select your SSID, and then hit the "properties" button
  - select authentication tab, and then hit "properties" button
  - search for your signing CA, and check the box.
  I did with a not-so-simple autoIT script, using the "native wifi functions" addon.
  Unfortunately I'm not allowed to share the script outside the company, but I'll be more than happy to review yours.
  please cross reference to
  https://supportforums.cisco.com/message/3280232
  for a better description of the whole setup.
  Ivan