
strongSwan as a Policy Enforcement Point

Configuration as a TNCCS 1.1 VPN Policy Enforcement Point with EAP-RADIUS Interface

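# Build strongSwan with the legacy pluto daemon disabled and the curl and
# eap-radius plugins enabled. Two fixes to the command as documented:
#   - '--sysconfdir=/etc' must be written without a space before '=',
#     otherwise configure sees '=/etc' as a separate, unknown argument;
#   - the first line needs a trailing backslash, or the second line runs
#     as a separate command.
./configure --prefix=/usr --sysconfdir=/etc --disable-pluto --enable-curl \
            --enable-eap-radius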

/etc/strongswan.conf - strongSwan configuration file

# charon daemon settings; only the eap-radius plugin is configured here.
charon {
  plugins {
    eap-radius {
      # Shared secret with the RADIUS server; must be identical to the
      # 'secret' of this PEP's entry in /etc/raddb/clients.conf (below).
      # Sample value for this test scenario only.
      secret = gv6URkSs 
      # Address of the FreeRADIUS/TNC@FHH server that performs the EAP
      # authentication and the TNC assessment.
      server = 10.1.0.10
      # Treat the Filter-Id attribute of the RADIUS Access-Accept as the
      # peer's group membership; ipsec.conf matches it against rightgroups
      # (rw-allow expects "allow", rw-isolate expects "isolate").
      filter_id = yes
    }
  }
}

/etc/ipsec.secrets - strongSwan IPsec secrets file

# Private RSA key of the PEP (moon), matching leftcert=moonCert.pem in
# ipsec.conf. No ID selector precedes ':', so the key is not tied to a
# particular local identity.
: RSA moonKey.pem

/etc/ipsec.conf - strongSwan IPsec configuration file

# Road-warrior connection for peers whose TNC assessment returned "Access".
conn rw-allow
     # Only usable by peers whose RADIUS Filter-Id (see filter_id=yes in
     # strongswan.conf) is "allow"; evaluated after EAP authentication.
     rightgroups=allow
     # Network offered to allowed clients; disjoint from the 10.1.0.16/28
     # subnet used by rw-isolate.
     leftsubnet=10.1.0.0/28
     # Authentication settings shared with rw-isolate live in conn rw-eap.
     also=rw-eap
     # Load the conn and wait for incoming peers; never initiate.
     auto=add

# Road-warrior connection for peers whose TNC assessment returned "Isolate".
conn rw-isolate
     # Only usable by peers whose RADIUS Filter-Id (see filter_id=yes in
     # strongswan.conf) is "isolate".
     rightgroups=isolate
     # Separate /28 for isolated clients (e.g. a remediation network; its
     # contents are not defined on this page), disjoint from rw-allow's subnet.
     leftsubnet=10.1.0.16/28
     # Authentication settings shared with rw-allow live in conn rw-eap.
     also=rw-eap
     # Load the conn and wait for incoming peers; never initiate.
     auto=add

# Common settings pulled into rw-allow and rw-isolate via also=rw-eap.
conn rw-eap
     # The PEP authenticates with its certificate; the matching private key
     # is referenced in /etc/ipsec.secrets.
     leftcert=moonCert.pem
     leftid=@moon.strongswan.org
     leftauth=pubkey
     # The peer authenticates via EAP, relayed to the RADIUS server configured
     # in the eap-radius section of strongswan.conf.
     rightauth=eap-radius
     # Accept any peer identity in the strongswan.org realm; proxy.conf on the
     # RADIUS server handles that realm locally.
     rightid=*@strongswan.org
     # Peers are never asked for a certificate since they authenticate via EAP.
     rightsendcert=never
     # Accept peers from any address (road warriors).
     right=%any

PEP logfile

Configuration of a FreeRADIUS Server with TNC@FHH plugin

First build a TNC@FHH Server based on FreeRADIUS with two inner authentication methods according to the following HOWTO.

In order to interoperate with a strongSwan VPN Policy Enforcement Point the following FreeRADIUS configuration files are needed:

/etc/raddb/clients.conf

# RADIUS client entry for the strongSwan PEP (moon). 10.1.0.1 is presumably
# the PEP's address toward the RADIUS server — confirm on the PEP host.
client 10.1.0.1 {
  # Must equal 'secret' in the eap-radius section of /etc/strongswan.conf.
  # Sample value for this scenario only.
  secret    = gv6URkSs 
  shortname = moon
}

/etc/raddb/eap.conf

# Outer EAP module: EAP-TTLS toward the PEP, with EAP-MD5 as the inner
# method and a second inner virtual server for EAP-TNC (TNC@FHH).
eap {
  # Enable EAP-MD5; used only inside the TTLS tunnel (ttls default_eap_type).
  md5 {
  }
  # Method offered first to the VPN client.
  default_eap_type = ttls
  # TLS settings for the TTLS tunnel: server key/certificate and the CA file
  # (presumably the issuer of aaaCert.pem). Paths are sample locations.
  tls {
    private_key_file = /etc/raddb/certs/aaaKey.pem
    certificate_file = /etc/raddb/certs/aaaCert.pem
    CA_file = /etc/raddb/certs/strongswanCert.pem
    # OpenSSL cipher selection; "DEFAULT" leaves it at the library default.
    cipher_list = "DEFAULT" 
    dh_file = /etc/raddb/certs/dh
    random_file = /etc/raddb/certs/random
  }
  ttls {
    # Inner method run inside the TLS tunnel.
    default_eap_type = md5
    # Copy reply attributes from the inner tunnel into the outer Access-Accept;
    # presumably how the Filter-Id set in inner-tunnel-second reaches the PEP.
    # TODO confirm this also covers replies from tnc_virtual_server.
    use_tunneled_reply = yes
    # Virtual server that handles the inner EAP-MD5 authentication.
    virtual_server = "inner-tunnel" 
    # TNC@FHH extension (not a stock FreeRADIUS option): virtual server that
    # runs the EAP-TNC exchange (sites-available/inner-tunnel-second).
    tnc_virtual_server = "inner-tunnel-second" 
  }
}

# Second eap module instance, named eap_tnc, referenced by the
# inner-tunnel-second virtual server; its only method is EAP-TNC.
eap eap_tnc {
      default_eap_type = tnc
      tnc {
      }
}

/etc/raddb/proxy.conf

# The strongswan.org realm (the suffix of every peer identity, cf.
# rightid=*@strongswan.org in ipsec.conf) is authenticated and accounted
# locally; requests are never proxied to another RADIUS server.
realm strongswan.org {
  type     = radius
  authhost = LOCAL
  accthost = LOCAL
}

/etc/raddb/users

# Test users with cleartext passwords; EAP-MD5 needs the cleartext value to
# verify the challenge response. The realm suffix is stripped by the 'suffix'
# module before the lookup, so entries are keyed by the bare user name.
# Sample credentials for this scenario only.
carol   Cleartext-Password := "Ar3etTnp" 
dave    Cleartext-Password := "W7R0g3do" 

/etc/raddb/sites-available/default

# Default (outer) virtual server: handles the EAP-TTLS exchange with the PEP.
authorize {
  # Split "user@realm" so proxy.conf can decide the realm (LOCAL here).
  suffix
  # If the eap module claims the request, skip the remaining modules.
  eap {
    ok = return
  }
  # Consult /etc/raddb/users.
  files
}

authenticate {
  eap
}

# Accounting and session handling below are stock FreeRADIUS and not
# specific to this scenario.
preacct {
  preprocess
  acct_unique
  suffix
  files
}

accounting {
  detail
  unix
  radutmp
  attr_filter.accounting_response
}

session {
  radutmp
}

post-auth {
  exec
  # Strip attributes that must not appear in an Access-Reject.
  Post-Auth-Type REJECT {
    attr_filter.access_reject
  }
}

pre-proxy {
}

post-proxy {
  eap
}

/etc/raddb/sites-available/inner-tunnel

# Virtual server for the inner EAP-MD5 authentication (virtual_server in
# eap.conf). Same module flow as the default site, minus accounting.
server inner-tunnel {

authorize {
    # Split "user@realm"; the realm is handled locally per proxy.conf.
    suffix
    # If the eap module claims the request, skip the remaining modules.
    eap {
        ok = return
    }
    # Look up the user's Cleartext-Password in /etc/raddb/users.
    files
}

authenticate {
    eap
}

session {
    radutmp
}

post-auth {
    # Strip attributes that must not appear in an Access-Reject.
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

pre-proxy {
}

post-proxy {
    eap
}

} # inner-tunnel server block

/etc/raddb/sites-available/inner-tunnel-second

# Virtual server for the TNC assessment (tnc_virtual_server in eap.conf).
# Only the eap_tnc module runs here; there is no user/password lookup.
server inner-tunnel-second {

authorize {
    eap_tnc {
        ok = return
    }
}

authenticate {
    eap_tnc
}

session {
    radutmp
}

post-auth {
    # Map the TNC result (control:TNC-Status, presumably set by the TNC@FHH
    # module; values defined in /etc/raddb/dictionary.tnc) to the Filter-Id
    # that the PEP matches against rightgroups in ipsec.conf.
    if (control:TNC-Status == "Access") {
        update reply {
            Tunnel-Type := ESP 
            Filter-Id := "allow" 
        }
    }
    elsif (control:TNC-Status == "Isolate") {
        update reply {
            Tunnel-Type := ESP 
            Filter-Id := "isolate"    
        }
    }
    # NOTE(review): TNC-Status "None" (or an unset attribute) matches neither
    # branch, so no Filter-Id is sent and on the PEP neither rw-allow nor
    # rw-isolate matches. Confirm this fail-closed path rather than relying
    # on it implicitly.

    # Strip attributes that must not appear in an Access-Reject.
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}

} # inner-tunnel-second block

/etc/raddb/dictionary

# Load the standard FreeRADIUS dictionary first, then the local TNC-Status
# attribute definition used by the inner-tunnel-second virtual server.
$INCLUDE    /usr/share/freeradius/dictionary
$INCLUDE    /etc/raddb/dictionary.tnc

/etc/raddb/dictionary.tnc

# Local attribute carrying the TNC assessment result. Number 3001 lies outside
# the 1-255 RADIUS wire range, so it is presumably server-internal: it is read
# as control:TNC-Status in inner-tunnel-second and is never sent to the PEP.
ATTRIBUTE    TNC-Status    3001    integer

# Named values compared in inner-tunnel-second's post-auth section; only
# Access and Isolate are mapped to a Filter-Id there.
VALUE    TNC-Status    Access    0 
VALUE    TNC-Status    Isolate    1
VALUE    TNC-Status    None    2