Showing results for 
Search instead for 
Did you mean: 
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.


Certificate Key Length for PEAP - ACS

Could someone please clear up the topic regarding ACS and certificate key lengths for PEAP?  I have not been able to confrim through research. 

In the ACS documentation, it states that using a key length of >1024 will not work - it will appear to pass in the log, but the client will hang.  CAs are not issuing 1024 key length certs that expire after 2013 so this is a cause for concern if what's stated in the ACS documentation is true.  Various external CA's instructions for generating a cert from ACS, even for v3.x, states you can use a 2048 key length.

Question 1 - Is there signficance of whether the cert is self-signed or purchased from an external CA?  Do only self-signed certs have this problem?

Question 2 - Is this specific to ACS versions?  ACS v3, v4, v5 (I know v3 is no longer supported, but would like clarification)

Question 3 - Is this specific to Client OS/Service Pack versions or client supplicant vendor/versions?

So far I've tested a new 2048 cert from an external CA (expiring 2014) on ACS v4.2 and PEAP-GTC from Windows XP and worked fine. 

I would like to have some confirmation on this topic please.



Certificate Key Length for PEAP - ACS

My ACS 5.2 is working very well with certificates with a key size of 2048 for EAP-PEAPv0 (MS-CHAPv2) authentication.

Cisco Employee

Certificate Key Length for PEAP - ACS

Both code of ACS (4.x and 5.x)  works fine with Peap and key length 2048

Jatin Katyal

**Do rate helpful posts**

~Jatin Katyal

Certificate Key Length for PEAP - ACS


The certificate key lenght for PEAP - ACS is 2048.This works fine for me