Version 30 (Andreas Steffen, 22.04.2013 07:50) → Version 31/32 (Andreas Steffen, 22.04.2013 07:57)
h1. Android BYOD Security based on Trusted Network Connect
An experimental "BYOD version":http://www.strongswan.org/byod/strongswan-byod-1.2.0.apk of the popular "strongSwan Android VPN Client":https://play.google.com/store/apps/details?id=org.strongswan.android allows the collection of integrity measurements on Android 4.x devices. A special Android BYOD IMC written in Java communicates via the TNC IF-M 1.0 Measurement protocol with an Operating System IMV and a Port Scanner IMV. The strongSwan Android VPN Client transports the IF-M messages (RFC 5792 PA-TNC) in IF-TNCCS 2.0 Client/Server protocol batches (RFC 5793 PB-TNC) via the IF-T for Tunneled EAP Methods 1.1 Transport protocol protected by IKEv2 EAP-TTLS.
{{>toc}}
h2. VPN Client Configuration
!strongswan-config_small.png!:http://www.strongswan.org/byod/strongswan-config.png
The Android VPN client profile *BYOD* has the following properties:
* The hostname of the VPN gateway is *byod.strongswan.org*.
* The user authentication is based on *IKEv2 EAP-MD5*.
* Possible user names are *john* or *jane* and the user password is *byod-test*.
* The *byod.strongswan.org* server certificate is issued by the *strongSwan 2009* certification authority.
Therefore the "strongSwan 2009 CA certificate":http://www.strongswan.org/byod/strongswan-cert.crt must be imported into the Android certificate trust store before the first connection can be attempted.
h2. Unrestricted Access (TNC recommendation is allow)
!connected_small.png!:http://www.strongswan.org/byod/screenshot-01-connected.png
If the BYOD IMC (Integrity Measurement Collector) does not detect and report any security issues to the OS, Scanner and Attestation IMVs (Integrity Measurement Verifiers) via the IF-M message protocol, then the TNC Server located in the combined strongSwan PDP/PEP decides to give the VPN client full access to the corporate network.
<pre>
01[TNC] received TNCCS batch (132 bytes) for Connection ID 1
01[TNC] PB-TNC state transition from 'Init' to 'Server Working'
01[TNC] processing PB-TNC CDATA batch
01[TNC] processing PB-Language-Preference message (31 bytes)
01[TNC] processing PB-PA message (93 bytes)
01[TNC] setting language preference to 'en'
01[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
01[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1
01[TNC] processing PA-TNC message with ID 0xec41ce1d
01[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
01[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
01[IMV] operating system name is 'Android' from vendor Google
01[IMV] operating system version is '4.2.1'
</pre>
The BYOD IMC first reports the Android OS version via the IETF Product Information and String Version PA-TNC attributes.
<pre>
01[TNC] creating PA-TNC message with ID 0xeb4b3b9d
01[TNC] creating PA-TNC attribute type 'IETF/Attribute Request' 0x000000/0x00000001
01[TNC] creating PA-TNC attribute type 'ITA-HSR/Get Settings' 0x00902a/0x00000003
</pre>
The OS IMV then requests a list of Installed Packages and some Android OS Settings via an IETF Attribute Request and an ITA-HSR Get Settings PA-TNC attribute, respectively.
<pre>
05[TNC] processing PB-TNC CDATA batch
05[TNC] processing PB-PA message (771 bytes)
05[TNC] processing PB-PA message (64 bytes)
05[TNC] processing PB-PA message (44 bytes)
05[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
05[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1 to IMV 1
05[TNC] processing PA-TNC message with ID 0x89c5af6a
05[TNC] processing PA-TNC attribute type 'IETF/Installed Packages' 0x000000/0x00000007
05[TNC] processing PA-TNC attribute type 'ITA-HSR/Settings' 0x00902a/0x00000004
05[IMV] processing installed 'Android' packages
05[IMV] package 'ch.sbb.mobile.android.b2c' (2.1.2) is ok
05[IMV] package 'ch.scythe.hsr' (0.8.4) not found
05[IMV] package 'com.amazon.kindle' (3.8.2.4) is ok
05[IMV] package 'com.cisco.webex.meetings' (2.5.3) not found
05[IMV] package 'com.endomondo.android' (8.7.0) not found
05[IMV] package 'com.facebook.katana' (2.3) not found
05[IMV] package 'com.farproc.wifi.analyzer' (3.4) not found
05[IMV] package 'com.linkedin.android' (2.5.7) not found
05[IMV] package 'com.linkomnia.ipv6detect' (1.1.0) not found
05[IMV] package 'com.rhmsoft.fm' (1.15.9) not found
05[IMV] package 'com.skype.raider' (3.2.0.6673) not found
05[IMV] package 'com.socialnmobile.dictapps.notepad.color.note' (3.9.17) not found
05[IMV] package 'com.viseca.myaccount' (1.1.0) not found
05[IMV] package 'com.whatsapp' (2.9.5196) not found
05[IMV] package 'com.xing.android' (3.8.1i) not found
05[IMV] package 'de.amazon.mShop.android' (2.3.0) not found
05[IMV] package 'jackpal.androidterm' (1.0.52) not found
05[IMV] package 'la.droid.qr' (5.3.2) is ok
05[IMV] package 'la.droid.wifi' (1.0) not found
05[IMV] package 'me.guillaumin.android.osmtracker' (0.6.4) not found
05[IMV] package 'org.connectbot' (1.7.1) not found
05[IMV] package 'org.strongswan.android' (1.2.0-byod) is ok
05[IMV] package 'tv.funtopia.weatheraustralia' (1.1R3.6) not found
05[IMV] processed 23 packages: 0 not updated, 0 blacklisted, 4 ok, 19 not found
05[IMV] setting 'android_id'
05[IMV] cf5e4cbcc6e6a2db
05[IMV] setting 'install_non_market_apps'
05[IMV] 0
</pre>
The Installed Packages are compared against a reference list stored in the database.
<pre>
04[TNC] received TNCCS batch (8 bytes) for Connection ID 1
04[TNC] PB-TNC state transition from 'Decided' to 'End'
04[TNC] processing PB-TNC CLOSE batch
04[TNC] final recommendation is 'allow' and evaluation is 'compliant'
04[TNC] policy enforced on peer 'john' is 'allow'
04[TNC] policy enforcement point added group membership 'allow'
04[IKE] EAP_TTLS phase2 authentication of 'john' with EAP_TNC successful
</pre>
The TNC measurements showed compliance and user *john* is allowed into the corporate network.
h2. Restricted Access (TNC recommendation is isolate)
User *John* now makes the following changes on his Android phone:
!non-market-apps-setting_small.png!:http://www.strongswan.org/byod/screenshot-09-non-market-apps-setting.png !unknown-sources-warning_small.png!:http://www.strongswan.org/byod/screenshot-11-unknown-sources-warning.png !kws-webserver_small.png!:http://www.strongswan.org/byod/screenshot-10-kws-webserver.png
* If the *Unknown sources* flag is activated in the *Settings/Security* configuration menu of the Android device then a user might be lured into downloading malicious Apps via manipulated links. Setting this flag therefore poses a grave security risk.
* The user also decides to download and install an Android Web Server from the official Google Play Store.
The next time *John* tries to access his home network, he is granted only restricted access and his VPN Client is directed to a remediation network.
!restricted_small.png!:http://www.strongswan.org/byod/screenshot-02-restricted.png !restricted-remediation_small.png!:http://www.strongswan.org/byod/screenshot-03-restricted-remediation.png !restricted-remediation-details_small.png!:http://www.strongswan.org/byod/screenshot-04-restricted-remediation-details.png
<pre>
16[IMV] processing installed 'Android' packages
16[IMV] package 'ch.sbb.mobile.android.b2c' (2.1.2) is ok
...
16[IMV] package 'org.xeustechnologies.android.kws' (1.7) is blacklisted
16[IMV] processed 24 packages: 0 not updated, 1 blacklisted, 4 ok, 19 not found
16[IMV] setting 'android_id'
16[IMV] cf5e4cbcc6e6a2db
16[IMV] setting 'install_non_market_apps'
16[IMV] 1
</pre>
A blacklisted package is detected and Unknown Sources are enabled in the Android Security Settings.
<pre>
16[TNC] creating PA-TNC message with ID 0xcf753973
16[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
16[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
16[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
16[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
16[TNC] IMV 1 is setting reason string to 'Vulnerable or blacklisted software packages were found
16[TNC] Improper OS settings were detected'
16[TNC] IMV 1 is setting reason language to 'en'
16[TNC] IMV 1 provides recommendation 'isolate' and evaluation 'non-compliant minor'
</pre>
This causes an IETF Assessment Result and two IETF Remediation Instructions PA-TNC attributes to be sent to the BYOD IMC and a PB-TNC Reason String to the TNC Client.
<pre>
03[TNC] received TNCCS batch (8 bytes) for Connection ID 2
03[TNC] PB-TNC state transition from 'Decided' to 'End'
03[TNC] processing PB-TNC CLOSE batch
03[TNC] final recommendation is 'isolate' and evaluation is 'non-compliant minor'
03[TNC] policy enforced on peer 'john' is 'isolate'
03[TNC] policy enforcement point added group membership 'isolate'
03[IKE] EAP_TTLS phase2 authentication of 'john' with EAP_TNC successful
</pre>
The TNC measurements show minor issues with compliance and user *john* is relegated into an isolation network.
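The package comparison and settings check that the OS IMV performs in the two runs above can be modelled in a few dozen lines. The following Python is an added example and not strongSwan code: the reference database, the policy rule (any blacklisted or outdated package, or the *Unknown sources* switch being on, yields *isolate* with the corresponding reason string) and the package list are constructed from the values visible in the log output, so the same counts and reason strings come out.

```python
# Added example (not strongSwan code): a model of the OS IMV policy visible in
# the log output above. The reference database and the package lists are
# constructed from the values shown in the logs.
import re

# Constructed reference list: package name -> (reference version, blacklisted?).
# In the real OS IMV this list is stored in its database.
REFERENCE_DB = {
    "ch.sbb.mobile.android.b2c": ("2.1.2", False),
    "com.amazon.kindle": ("3.8.2.4", False),
    "la.droid.qr": ("5.3.2", False),
    "org.strongswan.android": ("1.2.0-byod", False),
    "org.xeustechnologies.android.kws": ("1.7", True),  # Android web server, blacklisted
}

# Constructed from the 23 packages reported in the compliant run above.
PACKAGES_COMPLIANT = [
    ("ch.sbb.mobile.android.b2c", "2.1.2"), ("ch.scythe.hsr", "0.8.4"),
    ("com.amazon.kindle", "3.8.2.4"), ("com.cisco.webex.meetings", "2.5.3"),
    ("com.endomondo.android", "8.7.0"), ("com.facebook.katana", "2.3"),
    ("com.farproc.wifi.analyzer", "3.4"), ("com.linkedin.android", "2.5.7"),
    ("com.linkomnia.ipv6detect", "1.1.0"), ("com.rhmsoft.fm", "1.15.9"),
    ("com.skype.raider", "3.2.0.6673"), ("com.socialnmobile.dictapps.notepad.color.note", "3.9.17"),
    ("com.viseca.myaccount", "1.1.0"), ("com.whatsapp", "2.9.5196"),
    ("com.xing.android", "3.8.1i"), ("de.amazon.mShop.android", "2.3.0"),
    ("jackpal.androidterm", "1.0.52"), ("la.droid.qr", "5.3.2"),
    ("la.droid.wifi", "1.0"), ("me.guillaumin.android.osmtracker", "0.6.4"),
    ("org.connectbot", "1.7.1"), ("org.strongswan.android", "1.2.0-byod"),
    ("tv.funtopia.weatheraustralia", "1.1R3.6"),
]
# The second run additionally reports the blacklisted web server package.
PACKAGES_BLACKLISTED = PACKAGES_COMPLIANT + [("org.xeustechnologies.android.kws", "1.7")]

def version_key(version):
    """Split '3.8.2.4' or '1.2.0-byod' into chunks; numeric chunks compare as
    integers, anything else lexically, so that '1.15.9' sorts after '1.2.0'."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version)]

def classify_package(name, version):
    """Classify one installed package with the four verdicts the log lines use."""
    entry = REFERENCE_DB.get(name)
    if entry is None:
        return "not found"
    ref_version, blacklisted = entry
    if blacklisted:
        return "blacklisted"
    if version_key(version) < version_key(ref_version):
        return "not updated"
    return "ok"

def evaluate_os(packages, settings):
    """Return (counts, reason_strings, recommendation, evaluation) for one
    Installed Packages attribute plus the Android settings the IMV requested."""
    counts = {"not updated": 0, "blacklisted": 0, "ok": 0, "not found": 0}
    for name, version in packages:
        counts[classify_package(name, version)] += 1
    reasons = []
    if counts["blacklisted"] or counts["not updated"]:
        reasons.append("Vulnerable or blacklisted software packages were found")
    # install_non_market_apps == '1' means the 'Unknown sources' switch is on
    if settings.get("install_non_market_apps") == "1":
        reasons.append("Improper OS settings were detected")
    if reasons:
        return counts, reasons, "isolate", "non-compliant minor"
    return counts, reasons, "allow", "compliant"

def summary_line(counts):
    """Format the counts like the IMV's 'processed N packages: ...' log line."""
    total = sum(counts.values())
    return (f"processed {total} packages: {counts['not updated']} not updated, "
            f"{counts['blacklisted']} blacklisted, {counts['ok']} ok, {counts['not found']} not found")

if __name__ == "__main__":
    for pkgs, setting in ((PACKAGES_COMPLIANT, "0"), (PACKAGES_BLACKLISTED, "1")):
        counts, reasons, rec, ev = evaluate_os(pkgs, {"install_non_market_apps": setting})
        print(summary_line(counts))
        for reason in reasons:
            print("reason:", reason)
        print(f"recommendation '{rec}' and evaluation '{ev}'")
```

Run as a script, the first iteration prints the "23 packages: 0 not updated, 0 blacklisted, 4 ok, 19 not found" summary and *allow*, the second the 24-package summary with one blacklisted package, both reason strings and *isolate*. Packages that are "not found" in the reference list are deliberately neutral here, as in the log: only a blacklist hit or an outdated version degrades the recommendation.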
h2. Blocked Access (TNC recommendation is block)
User *John* now starts the installed Android Web Server because he wants to manage his phone remotely in a much more comfortable way from his laptop computer. The Web Server is listening on TCP port 8080, potentially allowing a hacker to access the phone and take full control of it:
!webserver-active_small.png!:http://www.strongswan.org/byod/screenshot-08-webserver-active.png
Since this poses a severe security breach, user *John* is blocked from accessing the network and the VPN connection setup fails.
!failed_small.png!:http://www.strongswan.org/byod/screenshot-05-failure.png !failed-remediation_small.png!:http://www.strongswan.org/byod/screenshot-06-failure-remediation.png !failed-remediation-details_small.png!:http://www.strongswan.org/byod/screenshot-07-failure-remediation-details.png
<pre>
01[TNC] handling PB-PA message type 'IETF/VPN' 0x000000/0x00000007
01[IMV] IMV 2 "Scanner" received message for Connection ID 3 from IMC 1 to IMV 2
01[TNC] processing PA-TNC message with ID 0xe1422d55
01[TNC] processing PA-TNC attribute type 'IETF/Port Filter' 0x000000/0x00000006
01[IMV] tcp port 8080 open: fatal
</pre>
The BYOD IMC detects a server listening on TCP port 8080 and sends this information via an IETF Port Filter PA-TNC attribute to the Scanner IMV, which determines that the open TCP port 8080 is a fatal finding.
<pre>
01[TNC] creating PA-TNC message with ID 0x3411eaf5
01[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
01[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
01[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
01[TNC] creating PB-PA message type 'IETF/VPN' 0x000000/0x00000007
01[TNC] IMV 2 is setting reason string to 'Open server ports were detected'
01[TNC] IMV 2 is setting reason language to 'en'
01[TNC] IMV 2 provides recommendation 'no access' and evaluation 'non-compliant major'
01[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
01[TNC] creating PB-TNC RESULT batch
01[TNC] adding PB-PA message
01[TNC] adding PB-PA message
01[TNC] adding PB-PA message
01[TNC] adding PB-Assessment-Result message
01[TNC] adding PB-Access-Recommendation message
01[TNC] adding PB-Reason-String message
01[TNC] adding PB-Reason-String message
01[TNC] sending PB-TNC RESULT batch (1469 bytes) for Connection ID 3
</pre>
Remediation Instructions are sent to the BYOD IMC.
<pre>
16[TNC] received TNCCS batch (8 bytes) for Connection ID 3
16[TNC] PB-TNC state transition from 'Decided' to 'End'
16[TNC] processing PB-TNC CLOSE batch
16[TNC] final recommendation is 'no access' and evaluation is 'non-compliant major'
16[TNC] policy enforced on peer 'john' is 'no access'
16[IKE] EAP_TNC method failed
16[TLS] sending TLS close notify
</pre>
The TNC measurement shows major issues with compliance due to the open server port and user *john* is denied network access.
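The blocked-access run shows two further steps: the Scanner IMV rating the reported open port, and the TNC Server combining the OS IMV and Scanner IMV results into one final recommendation that the policy enforcement point acts on. The Python below is an added example, not strongSwan code. It assumes a Port Filter attribute modelled as (protocol, port, blocked) entries, a constructed permitted-port policy (empty, so any listening port is *fatal*), and the rule that the most severe IMV recommendation wins; the enforcement actions follow the log lines above.

```python
# Added example (not strongSwan code): a model of the Scanner IMV's port check
# and of folding several IMV results into the single recommendation that the
# combined PDP/PEP acts on. Port policy and IMV results are constructed.

# Least to most severe; the final result is the most severe one any IMV delivered
# (assumed "worst wins" rule).
RECOMMENDATION_ORDER = ["allow", "isolate", "no access"]
EVALUATION_ORDER = ["compliant", "non-compliant minor", "non-compliant major"]

# Constructed policy: (protocol, port) pairs a BYOD device may keep open.
# Every other port reported as listening is rated 'fatal'.
PERMITTED_OPEN_PORTS = set()

def evaluate_scanner(port_filter_entries, permitted=PERMITTED_OPEN_PORTS):
    """Judge a Port Filter attribute. Each entry is (protocol, port, blocked);
    blocked == False means the device is listening on that port.
    Returns (verdict_lines, reason_strings, recommendation, evaluation)."""
    verdicts, fatal = [], False
    for proto, port, blocked in port_filter_entries:
        if blocked:
            continue  # a closed or filtered port is not a finding
        if (proto, port) in permitted:
            verdicts.append(f"{proto} port {port} open: ok")
        else:
            verdicts.append(f"{proto} port {port} open: fatal")
            fatal = True
    if fatal:
        return verdicts, ["Open server ports were detected"], "no access", "non-compliant major"
    return verdicts, [], "allow", "compliant"

def aggregate(imv_results):
    """Combine (recommendation, evaluation) pairs from all IMVs on one connection
    into the final pair: the most severe value of each wins."""
    rec = max((r for r, _ in imv_results), key=RECOMMENDATION_ORDER.index)
    ev = max((e for _, e in imv_results), key=EVALUATION_ORDER.index)
    return rec, ev

def enforce(peer, recommendation):
    """Action of the combined PDP/PEP, following the log lines: a group membership
    for 'allow' and 'isolate', a failed EAP-TNC method for 'no access'."""
    if recommendation in ("allow", "isolate"):
        return f"policy enforcement point added group membership '{recommendation}' for '{peer}'"
    return f"EAP_TNC method failed for '{peer}'"

if __name__ == "__main__":
    # Constructed Port Filter attribute: only TCP 8080 is reported as listening.
    entries = [("tcp", 8080, False), ("tcp", 22, True), ("udp", 5353, True)]
    verdicts, reasons, scan_rec, scan_ev = evaluate_scanner(entries)
    for line in verdicts:
        print(line)
    # The OS IMV still sees the blacklisted package and the Unknown sources switch.
    os_result = ("isolate", "non-compliant minor")
    final_rec, final_ev = aggregate([os_result, (scan_rec, scan_ev)])
    print(f"final recommendation is '{final_rec}' and evaluation is '{final_ev}'")
    print(enforce("john", final_rec))
```

The design point is that IMVs only recommend; the TNC Server owns the final decision, and a single *no access* from the Scanner IMV overrides the milder *isolate* from the OS IMV. Adding a pair to `PERMITTED_OPEN_PORTS` shows how a deliberately exposed service would be tolerated without weakening the check for every other port.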