}
METHOD(imv_manager_t, enforce_recommendation, bool,
- private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec)
+ private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec,
+ TNC_IMV_Evaluation_Result eval)
{
char *group;
identification_t *id;
ike_sa_t *ike_sa;
auth_cfg_t *auth;
+ bool no_access = FALSE;
+
+ DBG1(DBG_TNC, "final recommendation is '%N' and evaluation is '%N'",
+ TNC_IMV_Action_Recommendation_names, rec,
+ TNC_IMV_Evaluation_Result_names, eval);
switch (rec)
{
case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
- DBG1(DBG_TNC, "TNC recommendation is allow");
group = "allow";
break;
case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
- DBG1(DBG_TNC, "TNC recommendation is isolate");
group = "isolate";
break;
case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
default:
- DBG1(DBG_TNC, "TNC recommendation is none");
- return FALSE;
+ group = "no access";
+ no_access = TRUE;
+ break;
}
+
ike_sa = charon->bus->get_sa(charon->bus);
- if (ike_sa)
+ if (!ike_sa)
+ {
+ DBG1(DBG_TNC, "policy enforcement point did not find IKE_SA");
+ return FALSE;
+ }
+
+ id = ike_sa->get_other_id(ike_sa);
+ DBG0(DBG_TNC, "policy enforced on peer '%Y' is '%s'", id, group);
+
+ if (no_access)
{
+ return FALSE;
+ }
+ else
+ {
auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
id = identification_create_from_string(group);
auth->add(auth, AUTH_RULE_GROUP, id);
- DBG1(DBG_TNC, "TNC added group membership '%s'", group);
+ DBG1(DBG_TNC, "policy enforcement point added group membership '%s'",
+ group);
}
return TRUE;
}
if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
{
- DBG2(DBG_TNC, "Final recommendation is '%N' and evaluation is '%N'",
- TNC_IMV_Action_Recommendation_names, rec,
- TNC_IMV_Evaluation_Result_names, eval);
-
- return charon->imvs->enforce_recommendation(charon->imvs, rec);
+ return charon->imvs->enforce_recommendation(charon->imvs, rec, eval);
}
else
{
if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
{
- DBG2(DBG_TNC, "Final recommendation is '%N' and evaluation is '%N'",
- TNC_IMV_Action_Recommendation_names, rec,
- TNC_IMV_Evaluation_Result_names, eval);
-
- return charon->imvs->enforce_recommendation(charon->imvs, rec);
+ return charon->imvs->enforce_recommendation(charon->imvs, rec, eval);
}
else
{
* Enforce the TNC recommendation on the IKE_SA by either inserting an
* allow|isolate group membership rule (TRUE) or by blocking access (FALSE)
*
- * @param void TNC action recommendation
+ * @param rec TNC action recommendation
+ * @param eval TNC evaluation result
* @return TRUE for allow|isolate, FALSE for none
*/
bool (*enforce_recommendation)(imv_manager_t *this,
- TNC_IMV_Action_Recommendation rec);
+ TNC_IMV_Action_Recommendation rec,
+ TNC_IMV_Evaluation_Result eval);
/**
* Notify all IMV instances