According to some discussion groups and Apple's notes, "OS X El Capitan will not connect to a server that allows negotiation with a 512-bit or smaller group." This applies to 802.1x supplicants as well. Consequently, we want to check what the minimum DH key allowed by our ACS installation is and make sure that it's more than 512, but I am having a lot of trouble finding this documented anywhere. Any advice how we check the minimum DH key size ACS allows? Our certs are 1024 and 2048 bit so that part and the default (if I understand correctly) DH key length is fine, but I don't know 802.1x sufficiently well to know whether there's a way the negotiate down the DH key size and this could be an issue.
I'm unable to find this info either, though I'm not optimistic since I'm probably on a much older version of ACS.
I just wanted to add a reply so that if anyone can answer this that there are multiple people looking for answers.
If you have TAC for your ACS please open a case and see if they can give you a procedure for testing/setting/proving the DH key size and share it with the rest of us.
Instead of a TAC case we went ahead and tested against ACS (18.104.22.168.9) and both iOS 9 and El Capitan beta image successfully used 802.1x authentication. That would imply that the allowable DH keys are larger than 512 bit.
My problem is a little different but maybe the same. To start I am running version 5.4
I am using certificates and El Capitan will not authenticate EAP-TLS; Yosemite will and all of my windows 7 boxes do. I have version 5.6 in my lab and I plan on swinging one of my controllers toward it and I will post the results. I am starting to think this might be a code version problem.
I am opening a TAC case too