cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
705
Views
0
Helpful
6
Replies
Beginner

How do I Check Diffie-Hellman Allowable Key Sizes in ACS?

According to some discussion groups and Apple's notes, "OS X El Capitan will not connect to a server that allows negotiation with a 512-bit or smaller group." This applies to 802.1x supplicants as well. Consequently, we want to check what the minimum DH key allowed by our ACS installation is and make sure that it's more than 512, but I am having a lot of trouble finding this documented anywhere. Any advice how we check the minimum DH key size ACS allows? Our certs are 1024 and 2048 bit so that part and the default (if I understand correctly) DH key length is fine, but I don't know 802.1x sufficiently well to know whether there's a way the negotiate down the DH key size and this could be an issue.

6 REPLIES 6
Highlighted
Beginner

Toivo, I'm unable to find

Toivo,

 

I'm unable to find this info either, though I'm not optimistic since I'm probably on a much older version of ACS.

I just wanted to add a reply so that if anyone can answer this that there are multiple people looking for answers.

If you have TAC for your ACS please open a case and see if they can give you a procedure for testing/setting/proving the DH key size and share it with the rest of us.

Thanks.

Beginner

Instead of a TAC case we went

Instead of a TAC case we went ahead and tested against ACS (5.5.0.46.9) and both iOS 9 and El Capitan beta image successfully used 802.1x authentication. That would imply that the allowable DH keys are larger than 512 bit.

Beginner

That should be good news to

That should be good news to folks with 5.5.0.46.9 and up!

I'll need to find someone in our org with dev accounts and test.

Hello

removed

Beginner

My problem is a little

My problem is a little different but maybe the same. To start I am running version 5.4 

I am using certificates and El Capitan will not authenticate EAP-TLS; Yosemite will and all of my windows 7 boxes do. I have version 5.6 in my lab and I plan on swinging one of my controllers toward it and I will post the results. I am starting to think this might be a code version problem.

I am opening a TAC case too

Hello

Hello

here i am running ACS 5.8 latest, and same issue :

EAP-TLS is working on osx yosemite 10.10.x but not on osx 10.11 el capitan

we have opened a tac case, but the answer for now is : "you are using avaya switches for wired 802.1x => the issue should be on avaya switches ...

but i dont see any reason why switch would interfere in 802.1x traffic, i am pretty sure it is not looking inside EAP frames ...

Did you get any succes or tips from csico tac "Lettersize" ?

Thanks