Andreas Steffen, 12.08.2011 13:54
set Axis2 home directory to /usr/lib/axis2
strongSwan MAP Client HOWTO
Configuration
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-tnc-ifmap
The tnc-ifmap plugin requires the Apache Axis2/C library. If the AXIS2C_HOME environment variable is not set yet, define it so that the build and the plugin can locate the library:
export AXIS2C_HOME=/usr/lib/axis2
In the $AXIS2C_HOME directory create a logs subdirectory
mkdir $AXIS2C_HOME/logs
The /etc/axis2.xml file is just an empty stub
<axisconfig name="Axis2/C"> </axisconfig>
since all configuration is done by the tnc-ifmap plugin using attributes defined in strongswan.conf.
/etc/strongswan.conf - strongSwan configuration file
charon {
  plugins {
    tnc-ifmap {
      server = https://localhost:8443/
      server_cert = /etc/axis2c/server.pem
      auth_type = Basic
      username = strongswan
      password = strongswan
    }
  }
}
Because the MAP server credentials are stored in cleartext in strongswan.conf, the file must be readable by root only; the server_cert setting points at the MAP server's own X.509 certificate, which the plugin uses to verify the TLS connection to the server URL.
Metadata
Currently a strongSwan VPN gateway acting as a Policy Enforcement Point (PEP) and additionally as a Policy Decision Point (PDP) publishes the following metadata to a MAP server:
- device-ip: All IPv4 and IPv6 network interfaces the IPsec PEP listens on.
- access-request-ip: The IPv4 or IPv6 address of the remote access peer.
- authenticated-as: Identity of the remote access peer.
- authenticated-by: Device name of the PDP authenticating the remote access peer.
- capability: Group memberships of the remote access peer (assigned by RADIUS or TNCS).
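To make the metadata list above concrete, the following Python script builds the IF-MAP 2.0 publish request that a MAP client sends for one authenticated remote access peer, linking the five metadata types to their IF-MAP identifiers (device, ip-address, access-request, identity). This is an added example and not the code of strongSwan's tnc-ifmap plugin; the element shapes follow the IF-MAP 2.0 SOAP binding as understood here and should be checked against the TCG specification, and the session-id, device name, addresses, identity and group names are constructed sample values.

```python
"""Build an IF-MAP 2.0 publish request for the metadata a strongSwan PEP/PDP
publishes. Added example, not strongSwan's tnc-ifmap plugin code. Element
shapes follow the IF-MAP 2.0 SOAP binding as understood here (assumption);
the session-id, names and addresses below are constructed sample values."""
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
IFMAP_NS = "http://www.trustedcomputinggroup.org/2010/IFMAP/2"
META_NS = "http://www.trustedcomputinggroup.org/2010/IFMAP-METADATA/2"
for prefix, uri in (("env", SOAP_NS), ("ifmap", IFMAP_NS), ("meta", META_NS)):
    ET.register_namespace(prefix, uri)


def ip_identifier(addr):
    """ip-address identifier; ipaddress.ip_address() raises ValueError on junk."""
    ip = ipaddress.ip_address(addr)
    return ET.Element("ip-address", {"value": str(ip), "type": f"IPv{ip.version}"})


def device_identifier(name):
    """device identifier: the PEP/PDP is named by a <name> child element."""
    dev = ET.Element("device")
    ET.SubElement(dev, "name").text = name
    return dev


def access_request_identifier(name):
    return ET.Element("access-request", {"name": name})


def identity_identifier(name, id_type="username"):
    return ET.Element("identity", {"name": name, "type": id_type})


def metadata(name, cardinality="singleValue", child_name=None):
    """One <metadata> wrapper holding a meta:* element with its cardinality."""
    md = ET.Element("metadata")
    el = ET.SubElement(md, f"{{{META_NS}}}{name}", {"ifmap-cardinality": cardinality})
    if child_name is not None:
        ET.SubElement(el, "name").text = child_name
    return md


def update(parent, ident_a, ident_b, md):
    """An <update> links one or two identifiers with a metadata element.
    lifetime="session" makes the server drop it when the MAP session ends."""
    upd = ET.SubElement(parent, "update", {"lifetime": "session"})
    upd.append(ident_a)
    if ident_b is not None:
        upd.append(ident_b)
    upd.append(md)


def build_publish(session_id, pdp_name, pep_ips, peer_ip, peer_identity,
                  groups, ar_name):
    """Return the SOAP 1.2 envelope carrying one ifmap:publish request."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    pub = ET.SubElement(body, f"{{{IFMAP_NS}}}publish", {"session-id": session_id})
    # device-ip: one link per address the PEP listens on (IPv4 and IPv6)
    for addr in pep_ips:
        update(pub, device_identifier(pdp_name), ip_identifier(addr),
               metadata("device-ip"))
    # access-request-ip: the remote peer's address
    update(pub, access_request_identifier(ar_name), ip_identifier(peer_ip),
           metadata("access-request-ip"))
    # authenticated-as: the peer's identity; authenticated-by: the PDP device
    update(pub, access_request_identifier(ar_name),
           identity_identifier(peer_identity), metadata("authenticated-as"))
    update(pub, access_request_identifier(ar_name), device_identifier(pdp_name),
           metadata("authenticated-by"))
    # capability: multi-valued, one per group, attached to the access-request only
    for group in groups:
        update(pub, access_request_identifier(ar_name), None,
               metadata("capability", "multiValue", group))
    return ET.tostring(env, encoding="unicode")


def metadata_counts(xml_text):
    """Parse a publish request back and count each metadata type (sanity check)."""
    root = ET.fromstring(xml_text)
    counts = {}
    for md in root.iter("metadata"):
        for el in md:
            local = el.tag.split("}", 1)[1]
            counts[local] = counts.get(local, 0) + 1
    return counts


if __name__ == "__main__":
    # constructed sample values, not taken from a real deployment
    print(build_publish("sess-1", "strongswan-gw", ["192.0.2.1", "2001:db8::1"],
                        "198.51.100.7", "carol@strongswan.org",
                        ["finance", "vpn-users"], "ar-1"))
```

The session-id would come from a preceding ifmap:newSession exchange with the MAP server, which is left out here; the request would be POSTed to the server URL configured in strongswan.conf over TLS with the configured Basic credentials. Note that ip_identifier rejects anything that is not a valid address, so a malformed peer address cannot reach the server as a bogus identifier.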
Visualization
The strongSwan MAP Client sends its metadata via the SOAP 1.2-based TNC IF-MAP 2.0 interface to an irond MAP Server. The irongui MAP Client is attached to the irond MAP server and visualizes the collected metadata. The Java-based irond and irongui software is available from Trust@FHH.