09-14-2015 07:02 AM - edited 03-10-2019 11:03 PM
According to some discussion groups and Apple's notes, "OS X El Capitan will not connect to a server that allows negotiation with a 512-bit or smaller group." This applies to 802.1x supplicants as well. Consequently, we want to check what the minimum DH key allowed by our ACS installation is and make sure that it's more than 512, but I am having a lot of trouble finding this documented anywhere. Any advice on how we check the minimum DH key size ACS allows? Our certs are 1024 and 2048 bit, so that part and the default (if I understand correctly) DH key length is fine, but I don't know 802.1x sufficiently well to know whether there's a way to negotiate down the DH key size and this could be an issue.
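One concrete way to answer the question in the post above, as an added example that is not from the thread, from Cisco, or from Apple: the DH group size is not a configured number on the server but the prime `p` the server sends in the TLS ServerKeyExchange message, which in EAP-TLS travels inside the RADIUS EAP-Message attributes. Capture the 802.1x exchange, export the raw TLS record bytes from the server's side (Wireshark's "Export Packet Bytes" on the TLS data is one way), and parse the ServerKeyExchange to read the bit length of `p`. The parser below assumes a finite-field DHE cipher suite (its ServerKeyExchange body is three length-prefixed values, `p`, `g`, `Ys`, then a signature); if the server picked a plain RSA key exchange there is no ServerKeyExchange at all and the DH group question does not arise, and an ECDHE suite carries a named curve instead of a prime. The sample records and the function names are constructed for this example; the "primes" are placeholder bit patterns of the right size, not real DH parameters.

```python
"""Read the DH group size from a TLS ServerKeyExchange record (constructed example)."""
import struct

TLS_HANDSHAKE = 22            # TLS record content type for handshake messages
HS_SERVER_HELLO = 2
HS_SERVER_KEY_EXCHANGE = 12


def _read_vector(buf, pos):
    """Read a 2-byte-length-prefixed opaque vector; return (value, new_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack("!H", buf[pos:pos + 2])
    pos += 2
    if pos + length > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + length], pos + length


def parse_dhe_params(body):
    """Return {'p', 'g', 'Ys'} from a DHE ServerKeyExchange body.

    An ECDHE body starts with curve_type (0x03 = named_curve); a DHE body
    starts with the high byte of the p length, which is 0x00 for any
    realistic prime, so 0x03 is a reliable tell that this is not DHE.
    """
    if body and body[0] == 3:
        raise ValueError("ECDHE ServerKeyExchange: no finite-field DH prime to measure")
    p, pos = _read_vector(body, 0)
    g, pos = _read_vector(body, pos)
    ys, pos = _read_vector(body, pos)
    # Whatever remains is the signature over the parameters; not needed here.
    return {"p": p, "g": g, "Ys": ys}


def dh_prime_bits(record):
    """Walk the handshake messages in one TLS record and return the bit length
    of the DH prime from the first ServerKeyExchange, or None if there is none."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    payload = record[5:5 + rec_len]
    pos = 0
    while pos + 4 <= len(payload):
        hs_type = payload[pos]
        hs_len = int.from_bytes(payload[pos + 1:pos + 4], "big")
        body = payload[pos + 4:pos + 4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated handshake message")
        if hs_type == HS_SERVER_KEY_EXCHANGE:
            p = parse_dhe_params(body)["p"]
            return int.from_bytes(p, "big").bit_length()
        pos += 4 + hs_len
    return None


def group_too_small(bits, max_rejected_bits=512):
    """True for a group El Capitan is reported to refuse (512-bit or smaller)."""
    return bits <= max_rejected_bits


def build_server_key_exchange(p, g, ys, signature=b""):
    """Wrap DHE parameters in a TLS 1.0 handshake record (used to build samples)."""
    body = b"".join(struct.pack("!H", len(x)) + x for x in (p, g, ys)) + signature
    hs = bytes([HS_SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs


# Constructed sample records; the moduli are placeholder bit patterns, not real primes.
WEAK_P = b"\xff" * 64                 # 512-bit modulus
STRONG_P = b"\x80" + b"\x00" * 255    # 2048-bit modulus
WEAK_RECORD = build_server_key_exchange(WEAK_P, b"\x02", b"\x01" * 64)
STRONG_RECORD = build_server_key_exchange(STRONG_P, b"\x02", b"\x01" * 256)
# A record carrying only a ServerHello: RSA key exchange, no ServerKeyExchange.
NO_SKE_RECORD = bytes([TLS_HANDSHAKE, 3, 1, 0, 4, HS_SERVER_HELLO, 0, 0, 0])

if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD), ("no-ske", NO_SKE_RECORD)):
        bits = dh_prime_bits(rec)
        verdict = "n/a (no DHE)" if bits is None else ("rejected" if group_too_small(bits) else "ok")
        print(f"{name}: p = {bits} bits -> {verdict}")
```

Run it against the exported bytes in place of the constructed records. A result of `None` means the server never sent DH parameters (RSA key exchange), which is why a server with no DH setting exposed can still be fine for El Capitan, and why an EAP-TLS failure on a given server may have nothing to do with DH at all.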
09-16-2015 05:45 AM
Toivo,
I'm unable to find this info either, though I'm not optimistic since I'm probably on a much older version of ACS.
I just wanted to add a reply so that if anyone can answer this that there are multiple people looking for answers.
If you have TAC for your ACS please open a case and see if they can give you a procedure for testing/setting/proving the DH key size and share it with the rest of us.
Thanks.
09-16-2015 06:00 AM
Instead of a TAC case we went ahead and tested against ACS (5.5.0.46.9) and both iOS 9 and El Capitan beta image successfully used 802.1x authentication. That would imply that the allowable DH keys are larger than 512 bit.
09-16-2015 07:03 AM
That should be good news to folks with 5.5.0.46.9 and up!
I'll need to find someone in our org with dev accounts and test.
01-11-2017 01:06 AM
removed
11-18-2015 10:01 AM
My problem is a little different but maybe the same. To start, I am running version 5.4.
I am using certificates and El Capitan will not authenticate EAP-TLS; Yosemite will, and all of my Windows 7 boxes do. I have version 5.6 in my lab and I plan on swinging one of my controllers toward it and I will post the results. I am starting to think this might be a code version problem.
I am opening a TAC case too.
01-11-2017 01:06 AM
Hello,
Here I am running ACS 5.8 latest, and same issue:
EAP-TLS is working on OS X Yosemite 10.10.x but not on OS X 10.11 El Capitan.
We have opened a TAC case, but the answer for now is: "you are using Avaya switches for wired 802.1x => the issue should be on Avaya switches ..."
But I don't see any reason why a switch would interfere in 802.1x traffic; I am pretty sure it is not looking inside EAP frames ...
Did you get any success or tips from Cisco TAC, "Lettersize"?
Thanks