How do I Check Diffie-Hellman Allowable Key Sizes in ACS?

Toivo Voll
Level 1

According to some discussion groups and Apple's notes, "OS X El Capitan will not connect to a server that allows negotiation with a 512-bit or smaller group." This applies to 802.1x supplicants as well. Consequently, we want to check what the minimum DH key allowed by our ACS installation is and make sure that it's more than 512, but I am having a lot of trouble finding this documented anywhere. Any advice how we check the minimum DH key size ACS allows? Our certs are 1024 and 2048 bit so that part and the default (if I understand correctly) DH key length is fine, but I don't know 802.1x sufficiently well to know whether there's a way the negotiate down the DH key size and this could be an issue.
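As an added example (not from this thread or from Cisco), the direct way to see what DH group a server actually negotiated is to capture the TLS ServerKeyExchange that a DHE cipher suite sends (for EAP-TLS it is carried inside the EAP frames) and read the length of the prime p. The parser below assumes a single unencrypted handshake record in the RFC 5246 ServerDHParams layout and ignores the signature that follows the parameters; the 1024-bit floor and the sample records are assumptions and constructed data, not values from ACS.

```python
import struct

HANDSHAKE = 22            # TLS record content type
SERVER_KEY_EXCHANGE = 12  # handshake message type

def parse_server_dh_params(record: bytes) -> dict:
    """Parse one TLS record holding a ServerKeyExchange for a DHE suite.
    ServerDHParams = dh_p, dh_g, dh_Ys, each prefixed by a 2-byte length.
    Returns the bit length of p (the DH group size) plus g and Ys as ints.
    Any signature bytes after the three fields are ignored."""
    if len(record) < 9:
        raise ValueError("record too short")
    content_type, _version, rec_len = struct.unpack_from("!BHH", record, 0)
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs_type = record[5]
    hs_len = int.from_bytes(record[6:9], "big")
    if hs_type != SERVER_KEY_EXCHANGE:
        raise ValueError("not a ServerKeyExchange")
    body = record[9:9 + hs_len]
    if len(body) != hs_len or rec_len != 4 + hs_len:
        raise ValueError("truncated record")
    fields, off = [], 0
    for _ in range(3):  # dh_p, dh_g, dh_Ys
        (n,) = struct.unpack_from("!H", body, off)
        off += 2
        if off + n > len(body):
            raise ValueError("truncated ServerDHParams")
        fields.append(int.from_bytes(body[off:off + n], "big"))
        off += n
    p, g, ys = fields
    return {"p_bits": p.bit_length(), "g": g, "ys": ys}

def group_is_acceptable(p_bits: int, minimum: int = 1024) -> bool:
    # El Capitan refuses groups of 512 bits or smaller; the 1024-bit floor
    # used here is an assumption, chosen as a comfortable margin above that.
    return p_bits >= minimum

def build_server_key_exchange(p: int, g: int, ys: int) -> bytes:
    """Constructed sample record for offline testing (signature omitted)."""
    def vec(x: int) -> bytes:
        b = x.to_bytes((x.bit_length() + 7) // 8, "big")
        return struct.pack("!H", len(b)) + b
    body = vec(p) + vec(g) + vec(ys)
    hs = bytes([SERVER_KEY_EXCHANGE]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0303, len(hs)) + hs
```

On a real capture, feed the bytes of the ServerKeyExchange record (reassembled from the EAP-TLS fragments) to parse_server_dh_params; an RSA or ECDHE suite will not carry ServerDHParams, so check the negotiated cipher suite first.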

6 Replies

Jason Watts
Level 1

Toivo,
I'm unable to find this info either, though I'm not optimistic since I'm probably on a much older version of ACS.

I just wanted to add a reply so that if anyone can answer this that there are multiple people looking for answers.

If you have TAC for your ACS please open a case and see if they can give you a procedure for testing/setting/proving the DH key size and share it with the rest of us.

Thanks.

Instead of a TAC case we went ahead and tested against ACS (5.5.0.46.9) and both iOS 9 and El Capitan beta image successfully used 802.1x authentication. That would imply that the allowable DH keys are larger than 512 bit.

That should be good news to folks with 5.5.0.46.9 and up!

I'll need to find someone in our org with dev accounts and test.


My problem is a little different but maybe the same. To start, I am running version 5.4.

I am using certificates and El Capitan will not authenticate EAP-TLS; Yosemite will, and all of my Windows 7 boxes do. I have version 5.6 in my lab and I plan on swinging one of my controllers toward it, and I will post the results. I am starting to think this might be a code version problem.

I am opening a TAC case too.

Hello,

Here I am running the latest ACS 5.8, and have the same issue:

EAP-TLS is working on OS X Yosemite 10.10.x but not on OS X 10.11 El Capitan.

We have opened a TAC case, but the answer for now is: "you are using Avaya switches for wired 802.1x => the issue should be on the Avaya switches ..."

But I don't see any reason why the switch would interfere with 802.1x traffic; I am pretty sure it is not looking inside EAP frames ...

Did you get any success or tips from Cisco TAC, "Lettersize"?

Thanks
