Endpoint Compliance via PT-EAP Protocol » History » Version 2
« Previous -
Version 2/40
(diff) -
Next » -
Current version
Andreas Steffen, 07.10.2014 07:42
Endpoint Compliance via PT-EAP Protocol¶
- Table of contents
- Endpoint Compliance via PT-EAP Protocol
Starting the strongSwan Policy Decision Point (PDP)¶
The strongSwan PDP starts and loads its server certificate and the client credentials
00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1, Linux 3.16.1, x86_64) 00[LIB] openssl FIPS mode(0) - disabled 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' 00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem' 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' 00[CFG] loading crls from '/etc/ipsec.d/crls' 00[CFG] loading secrets from '/etc/ipsec.secrets' 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/aaaKey.pem' 00[CFG] loaded EAP secret for carol 00[CFG] loaded EAP secret for dave
Next the OS and SWID IMVs are loaded
00[TNC] TNC recommendation policy is 'default' 00[TNC] loading IMVs from '/etc/tnc_config' 00[TNC] added IETF attributes 00[TNC] added ITA-HSR attributes 00[TNC] added TCG attributes 00[LIB] libimcv initialized 00[IMV] IMV 1 "OS" initialized 00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001 00[TNC] IMV 1 "OS" loaded from '/usr/local/lib/ipsec/imcvs/imv-os.so' 00[IMV] IMV 2 "SWID" initialized 00[TNC] IMV 2 supports 1 message type: 'TCG/SWID' 0x005597/0x00000003 O00[TNC] IMV 2 "SWID" loaded from '/usr/local/lib/ipsec/imcvs/imv-swid.so'
The PDP loads all plugins needed to communicate via its EAP-RADIUS and PT-TLS interfaces and spawns 16 worker threads
00[IKE] eap method EAP_TTLS selected 00[LIB] loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite 00[JOB] spawning 16 worker threads 09[CFG] received stroke: add connection 'aaa' 09[CFG] left nor right host is our side, assuming left=local 09[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" from 'aaaCert.pem' 09[CFG] added configuration 'aaa'
PT-EAP Connection by Access Requestor "dave" transported over EAP-RADIUS¶
04[CFG] received RADIUS Access-Request from client '10.1.0.1' 04[CFG] created RADIUS connection for user 'dave' NAS 'strongSwan' 04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1' 11[CFG] received RADIUS Access-Request from client '10.1.0.1' 11[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
Set up an EAP-TTLS connection between Access Requestor and PDP¶
11[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA 11[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org' 11[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' <pre> 11[CFG] sending RADIUS Access-Challenge to client '10.1.0.1' 12[CFG] received RADIUS Access-Request from client '10.1.0.1' 12[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan' 12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1' 13[CFG] received RADIUS Access-Request from client '10.1.0.1' 13[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan' 13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID] 13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1' 14[CFG] received RADIUS Access-Request from client '10.1.0.1' 14[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan' </pre> <pre> 14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID] 14[IKE] received EAP identity 'dave' 14[IKE] phase2 method EAP_MD5 selected 14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5] </pre> <pre> 14[CFG] sending RADIUS Access-Challenge to client '10.1.0.1' 03[CFG] received RADIUS Access-Request from client '10.1.0.1' 03[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan' </pre> <pre> 03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5] 03[IKE] EAP_TTLS phase2 authentication of 'dave' with EAP_MD5 successful 03[IKE] phase2 method EAP_PT_EAP selected 03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT] </pre> <pre> 03[CFG] sending RADIUS Access-Challenge to client '10.1.0.1' 15[CFG] received RADIUS Access-Request from client '10.1.0.1' 15[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan' </pre> Oct 6 20:49:27 alice charon: 15[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]