How do I Check Diffie-Hellman Allowable Key Sizes in ACS?

According to some discussion groups and Apple's notes, "OS X El Capitan will not connect to a server that allows negotiation with a 512-bit or smaller group." This applies to 802.1x supplicants as well. Consequently, we want to check what the minimum DH key allowed by our ACS installation is and make sure that it's more than 512, but I am having a lot of trouble finding this documented anywhere. Any advice on how we check the minimum DH key size ACS allows? Our certs are 1024 and 2048 bit, so that part and the default (if I understand correctly) DH key length are fine, but I don't know 802.1x sufficiently well to know whether there's a way to negotiate down the DH key size and whether this could be an issue.
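One way to answer the question without waiting on documentation is to look at what the server actually offers on the wire. In EAP-TLS the TLS handshake is carried in the clear inside RADIUS EAP-Message attributes, so a packet capture between the switch and ACS shows the ServerHello (which cipher suite was picked) and, for a DHE suite, the ServerKeyExchange (which carries the DH prime p). The size of p is the group size the client is being asked to use. The script below is an added example, not code from this thread or from Cisco: it reassembles handshake records, reads the negotiated suite and the DH prime length, and reports whether a finite-field DH group below a threshold was offered. The sample handshake bytes are constructed here for illustration (the "prime" is a placeholder number, not a real DH group), and the 1024-bit default threshold is my choice; the thread's criterion is simply "larger than 512".

```python
"""
Inspect the server side of a TLS 1.0-1.2 handshake (as seen in an EAP-TLS
capture) and report the finite-field DH group size it offered.

Added example for the thread above; not Cisco or ACS code. Input is the
concatenated TLS records sent by the server, i.e. the EAP-TLS fragments
after the EAP and EAP-TLS headers have been stripped and joined.
"""

HANDSHAKE = 0x16
SERVER_HELLO = 0x02
SERVER_KEY_EXCHANGE = 0x0C

# TLS cipher suites whose key exchange is ephemeral finite-field DH.
# Only these carry DH parameters in ServerKeyExchange.
DHE_SUITES = {
    0x0011, 0x0012, 0x0013, 0x0014, 0x0015, 0x0016,   # DHE_DSS / DHE_RSA (export, DES, 3DES)
    0x0032, 0x0033, 0x0038, 0x0039,                   # DHE AES-CBC SHA
    0x0040, 0x0067, 0x006A, 0x006B,                   # DHE AES-CBC SHA256
    0x009E, 0x009F,                                   # DHE_RSA AES-GCM
}


def reassemble_handshake(raw: bytes) -> bytes:
    """Concatenate the payloads of all handshake-type records.

    A handshake message may span records (EAP-TLS fragments the flight),
    so message parsing must run over the joined payload, not per record.
    """
    out = bytearray()
    off = 0
    while off + 5 <= len(raw):
        ctype = raw[off]
        length = int.from_bytes(raw[off + 3:off + 5], "big")
        body = raw[off + 5:off + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:
            out += body
        off += 5 + length
    return bytes(out)


def iter_handshake_messages(hs: bytes):
    """Yield (type, body) for each handshake message in a reassembled flight."""
    off = 0
    while off + 4 <= len(hs):
        mtype = hs[off]
        length = int.from_bytes(hs[off + 1:off + 4], "big")
        body = hs[off + 4:off + 4 + length]
        if len(body) < length:
            raise ValueError("truncated handshake message")
        yield mtype, body
        off += 4 + length


def inspect_server_flight(raw: bytes) -> dict:
    """Return the negotiated cipher suite and, for DHE suites, the DH prime size in bits."""
    suite = None
    dh_bits = None
    for mtype, body in iter_handshake_messages(reassemble_handshake(raw)):
        if mtype == SERVER_HELLO:
            # version(2) random(32) session_id_len(1) session_id cipher_suite(2)
            sid_len = body[34]
            suite = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
        elif mtype == SERVER_KEY_EXCHANGE and suite in DHE_SUITES:
            # ServerDHParams: dh_p<1..2^16-1> dh_g<1..2^16-1> dh_Ys<1..2^16-1>
            p_len = int.from_bytes(body[:2], "big")
            p = int.from_bytes(body[2:2 + p_len], "big")
            dh_bits = p.bit_length()
    return {"cipher_suite": suite, "dh_bits": dh_bits}


def acceptable(result: dict, min_bits: int = 1024) -> bool:
    """True unless a finite-field DH group smaller than min_bits was offered.

    No DH at all (RSA key exchange) is not flagged here; it is a different question.
    """
    return result["dh_bits"] is None or result["dh_bits"] >= min_bits


# ---- constructed test data (not a real capture) ------------------------------

def _handshake(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def _record(payload: bytes) -> bytes:
    return bytes([HANDSHAKE, 0x03, 0x03]) + len(payload).to_bytes(2, "big") + payload


def build_sample_flight(suite: int, p_bits: int = None) -> bytes:
    """Build a ServerHello (+ ServerKeyExchange) flight split across two records."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    msgs = _handshake(SERVER_HELLO, hello)
    if p_bits is not None:
        p = (1 << (p_bits - 1)) | 1          # placeholder with exactly p_bits bits; NOT a real safe prime
        p_bytes = p.to_bytes(p_bits // 8, "big")
        g = b"\x02"
        ys = bytes(len(p_bytes))             # placeholder public value
        ske = (len(p_bytes).to_bytes(2, "big") + p_bytes
               + len(g).to_bytes(2, "big") + g
               + len(ys).to_bytes(2, "big") + ys)
        msgs += _handshake(SERVER_KEY_EXCHANGE, ske)
    mid = len(msgs) // 2                     # split mid-message, as EAP-TLS fragmentation does
    return _record(msgs[:mid]) + _record(msgs[mid:])


if __name__ == "__main__":
    for label, flight in (("512-bit DHE", build_sample_flight(0x0039, 512)),
                          ("2048-bit DHE", build_sample_flight(0x0039, 2048)),
                          ("RSA kx", build_sample_flight(0x002F))):
        r = inspect_server_flight(flight)
        print(label, r, "OK" if acceptable(r) else "TOO SMALL")
```

A capture taken while the client offers its normal suite list only shows the group the server picked for that client. To find the smallest group the server will ever offer, drive the handshake with a supplicant that advertises only DHE suites (wpa_supplicant's eapol_test with an `openssl_ciphers` setting restricted to DHE in the network block is one way) and inspect that ServerKeyExchange. If the server never selects a DHE suite at all, there is no DH group to negotiate down, which is also a valid answer to the original question.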


I'm unable to find this info either, though I'm not optimistic since I'm probably on a much older version of ACS.

I just wanted to add a reply so that if anyone can answer this that there are multiple people looking for answers.

If you have TAC for your ACS please open a case and see if they can give you a procedure for testing/setting/proving the DH key size and share it with the rest of us.



Instead of a TAC case we went ahead and tested against ACS ( and both iOS 9 and El Capitan beta image successfully used 802.1x authentication. That would imply that the allowable DH keys are larger than 512 bit.


That should be good news to folks with and up!

I'll need to find someone in our org with dev accounts and test.




My problem is a little different but maybe the same. To start, I am running version 5.4.

I am using certificates and El Capitan will not authenticate EAP-TLS; Yosemite will and all of my windows 7 boxes do. I have version 5.6 in my lab and I plan on swinging one of my controllers toward it and I will post the results. I am starting to think this might be a code version problem.

I am opening a TAC case too.



Here I am running ACS 5.8 latest, and same issue:

EAP-TLS is working on OS X Yosemite 10.10.x but not on OS X 10.11 El Capitan.

We have opened a TAC case, but the answer for now is: "you are using Avaya switches for wired 802.1x => the issue should be on the Avaya switches ..."

But I don't see any reason why the switch would interfere with 802.1x traffic; I am pretty sure it is not looking inside EAP frames ...

Did you get any success or tips from Cisco TAC, "Lettersize"?