using EAP-TTLS authentication only with the gateway presenting a server certificate and
the clients doing EAP-MD5 password-based authentication.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p>
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements
<b>carol</b> is authenticated successfully and is granted access to the subnet behind
-<b>moon</b> whereas <b>dave</b> fails the layered EAP authentication and is rejected.
+<b>moon</b> whereas <b>dave</b> fails the layered EAP authentication and is rejected.
+</p>
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
moon::cat /var/log/daemon.log::added group membership 'allow'::YES
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ tnc-imc {
+ preferred_language = de, en
+ }
+ }
}
--- /dev/null
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ tnc-imc {
+ preferred_language = ru, fr, en
+ }
+ }
+}
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
multiple_authentication=no
plugins {
eap-ttls {
phase2_piggyback = yes
phase2_tnc = yes
}
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ tnc-imv {
+ recommendation_policy = all
+ }
}
}
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>,
-bothe ends doing certificate-based EAP-TLS authentication only.
+both ends doing certificate-based EAP-TLS authentication only.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p>
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
respectively.
+</p>
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
}
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
}
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
multiple_authentication=no
plugins {
eap-ttls {
phase2_piggyback = yes
phase2_tnc = yes
}
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
}
}
using EAP-TTLS authentication only with the gateway presenting a server certificate and
the clients doing EAP-MD5 password-based authentication.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 PB-TNC (RFC 5793)</b> client-server interface.
+health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
+compliant with <b>RFC 5793 PB-TNC</b>.
+<p>
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
respectively.
-
+</p>
plugins {
eap-tnc {
protocol = tnccs-2.0
- max_message_count = 4
}
}
}
plugins {
eap-tnc {
protocol = tnccs-2.0
- max_message_count = 4
}
}
}
}
eap-tnc {
protocol = tnccs-2.0
- max_message_count = 4
- recommendation_policy = any
}
}
}
+++ /dev/null
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
- multiple_authentication=no
-}
projects / thirdparty / strongswan.git / commitdiff
