Hello Airheads!
Today has been a busy day for many of our customers as a new iOS version (Apple’s OS not the other guys) hit millions of mobile devices and their Wi-Fi networks. iOS 9 as well as the upcoming OS X 10.11 release (El Capitan) incorporate new security features that have made several of our ClearPass customers a little nervous, but you'll be glad to know we've been paying close attention.
Back in August, the following advisory was posted indicating the changes that Apple was making to their minimum Diffie-Hellman key exchange group size as well as the addition of TLS 1.2 support in iOS 9 and OS X 10.11.
Advisory: Prepare for enterprise security requirements in iOS 9 and OS X El Capitan
One of the great aspects of the advisory is that our very own ClearPass is mentioned in the section on what ClearPass OS version would be needed to support TLS 1.2. However, it seems that receiving that mention created some confusion, so I want to set the record straight.
ClearPass 6.3 through 6.5 use a group size of 1024 bits, which is Apple’s new minimum. ClearPass 6.2 (released back in 2013) offered a lower group size, so in June of this year (when iOS 8.4 and OS X 10.10.4 were released), we provided a hot-fix to avoid any connection issues for customers still running our 6.2 release. Should Apple or any other vendor make a higher group size mandatory in a future OS release, we will again make sure ClearPass is ready.
ClearPass 6.5.2 added support for TLS 1.2 to complement the existing TLS 1.0 and 1.1 versions we support. Even though iOS 9 added support for TLS 1.2, as will OS X 10.11, our internal testing has validated that Apple didn’t make it mandatory. So devices running iOS 9 and OS X 10.11 will fall back to the earlier TLS versions. What this means is that if your RADIUS server, which I hope is ClearPass if you’re reading this, doesn’t yet have support for TLS 1.2, it does not necessarily mean you’re dead in the water.
In future we’ll make sure to communicate more regarding these types of issues prior to any new device OS release. Sorry for the panic!
Best regards,
Madani Adjali
ClearPass Product Manager
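
To confirm what group size a RADIUS server actually offers, the following added example (not part of the original post and not ClearPass code) reads the Diffie-Hellman prime length out of a TLS ServerKeyExchange message and compares it with the 1024-bit minimum mentioned above. It assumes the handshake message has already been reassembled from a packet capture of the EAP exchange; the function names and the sample messages are constructed for illustration.

```python
import struct

MIN_DH_BITS = 1024  # Apple's new minimum group size, as stated in the post


def _read_vec16(buf, off):
    """Read one TLS opaque<1..2^16-1> vector; return (bytes, next offset)."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("bad vector length")
    return buf[off:off + n], off + n


def dh_group_bits(handshake_msg):
    """Return the bit length of dh_p in a DHE ServerKeyExchange message."""
    if len(handshake_msg) < 4:
        raise ValueError("truncated handshake header")
    if handshake_msg[0] != 12:  # handshake type 12 = server_key_exchange
        raise ValueError("not a ServerKeyExchange")
    body_len = int.from_bytes(handshake_msg[1:4], "big")
    body = handshake_msg[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated body")
    # ServerDHParams: dh_p, dh_g, dh_Ys; the trailing signature is not parsed.
    p, off = _read_vec16(body, 0)
    _g, off = _read_vec16(body, off)
    _ys, off = _read_vec16(body, off)
    return int.from_bytes(p, "big").bit_length()


def meets_minimum(handshake_msg, minimum=MIN_DH_BITS):
    """True when the offered group is at least `minimum` bits."""
    return dh_group_bits(handshake_msg) >= minimum


def build_sample(p_bits):
    """Constructed message for testing: dh_p has the right size, is not prime."""
    p = ((1 << (p_bits - 1)) | 1).to_bytes((p_bits + 7) // 8, "big")
    parts = (p, b"\x02", b"\x01" * len(p))
    body = b"".join(struct.pack("!H", len(x)) + x for x in parts)
    body += b"\x00" * 4  # placeholder standing in for the signature bytes
    return bytes([12]) + len(body).to_bytes(3, "big") + body
```

A server offering a group below the minimum makes `meets_minimum` return `False`, which is the condition the 6.2 hot-fix was issued to avoid.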