Project

General

Profile

Edit History

strongSwan User Documentation » Trusted Network Connect (TNC) HOWTO »

Endpoint Compliance via PT-EAP Protocol » History » Version 1

Andreas Steffen, 07.10.2014 07:35

1 1 Andreas Steffen 
h1. Endpoint Compliance via PT-EAP Protocol
2 1 Andreas Steffen 





    3
    1
    Andreas Steffen
    
{{>toc}}





    4
    1
    Andreas Steffen
    





    5
    1
    Andreas Steffen
    
h2. Starting the strongSwan Policy Decision Point (PDP)





    6
    1
    Andreas Steffen
    





    7
    1
    Andreas Steffen
    
The strongSwan PDP starts and loads its server certificate and the client credentials





    8
    1
    Andreas Steffen
    
<pre>





    9
    1
    Andreas Steffen
    
00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1, Linux 3.16.1, x86_64)





    10
    1
    Andreas Steffen
    
00[LIB] openssl FIPS mode(0) - disabled 





    11
    1
    Andreas Steffen
    
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'





    12
    1
    Andreas Steffen
    
00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'





    13
    1
    Andreas Steffen
    
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'





    14
    1
    Andreas Steffen
    
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'





    15
    1
    Andreas Steffen
    
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'





    16
    1
    Andreas Steffen
    
00[CFG] loading crls from '/etc/ipsec.d/crls'





    17
    1
    Andreas Steffen
    
00[CFG] loading secrets from '/etc/ipsec.secrets'





    18
    1
    Andreas Steffen
    
00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/aaaKey.pem'





    19
    1
    Andreas Steffen
    
00[CFG]   loaded EAP secret for carol





    20
    1
    Andreas Steffen
    
00[CFG]   loaded EAP secret for dave 





    21
    1
    Andreas Steffen
    
</pre>





    22
    1
    Andreas Steffen
    





    23
    1
    Andreas Steffen
    
Next the OS and SWID IMVs are loaded





    24
    1
    Andreas Steffen
    
<pre>





    25
    1
    Andreas Steffen
    
00[TNC] TNC recommendation policy is 'default'





    26
    1
    Andreas Steffen
    
00[TNC] loading IMVs from '/etc/tnc_config'





    27
    1
    Andreas Steffen
    
00[TNC] added IETF attributes





    28
    1
    Andreas Steffen
    
00[TNC] added ITA-HSR attributes





    29
    1
    Andreas Steffen
    
00[TNC] added TCG attributes





    30
    1
    Andreas Steffen
    
00[LIB] libimcv initialized





    31
    1
    Andreas Steffen
    
00[IMV] IMV 1 "OS" initialized





    32
    1
    Andreas Steffen
    
00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001





    33
    1
    Andreas Steffen
    
00[TNC] IMV 1 "OS" loaded from '/usr/local/lib/ipsec/imcvs/imv-os.so'





    34
    1
    Andreas Steffen
    
00[IMV] IMV 2 "SWID" initialized





    35
    1
    Andreas Steffen
    
00[TNC] IMV 2 supports 1 message type: 'TCG/SWID' 0x005597/0x00000003





    36
    1
    Andreas Steffen
    
O00[TNC] IMV 2 "SWID" loaded from '/usr/local/lib/ipsec/imcvs/imv-swid.so'





    37
    1
    Andreas Steffen
    
</pre>





    38
    1
    Andreas Steffen
    





    39
    1
    Andreas Steffen
    
The PDP loads all plugins needed to communicate via its EAP-RADIUS and PT-TLS interfaces and spawns 16 worker threads





    40
    1
    Andreas Steffen
    
<pre>





    41
    1
    Andreas Steffen
    
00[IKE] eap method EAP_TTLS selected





    42
    1
    Andreas Steffen
    
00[LIB] loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite





    43
    1
    Andreas Steffen
    
00[JOB] spawning 16 worker threads





    44
    1
    Andreas Steffen
    
09[CFG] received stroke: add connection 'aaa'





    45
    1
    Andreas Steffen
    
09[CFG] left nor right host is our side, assuming left=local





    46
    1
    Andreas Steffen
    
09[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" from 'aaaCert.pem'





    47
    1
    Andreas Steffen
    
09[CFG] added configuration 'aaa'





    48
    1
    Andreas Steffen
    
</pre>





    49
    1
    Andreas Steffen
    





    50
    1
    Andreas Steffen
    
h2. PT-EAP Connection by Access Requestor "dave" transported over RADIUS





    51
    1
    Andreas Steffen
    





    52
    1
    Andreas Steffen
    
<pre>





    53
    1
    Andreas Steffen
    
04[CFG] received RADIUS Access-Request from client '10.1.0.1'





    54
    1
    Andreas Steffen
    
04[CFG] created RADIUS connection for user 'dave' NAS 'strongSwan'





    55
    1
    Andreas Steffen
    
04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'





    56
    1
    Andreas Steffen
    
11[CFG] received RADIUS Access-Request from client '10.1.0.1'





    57
    1
    Andreas Steffen
    
11[CFG] found RADIUS connection for user 'daOct  6 20:49:27 alice charon: ve' NAS 'strongSwan'





    58
    1
    Andreas Steffen
    
</pre>





    59
    1
    Andreas Steffen
    





    60
    1
    Andreas Steffen
    
<pre>





    61
    1
    Andreas Steffen
    
11[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA





    62
    1
    Andreas Steffen
    
11[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'





    63
    1
    Andreas Steffen
    
11[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'