Endpoint Compliance via PT-EAP Protocol » History » Version 2
Version 1 (Andreas Steffen, 07.10.2014 07:35) → Version 2/40 (Andreas Steffen, 07.10.2014 07:42)
h1. Endpoint Compliance via PT-EAP Protocol
{{>toc}}
h2. Starting the strongSwan Policy Decision Point (PDP)
The strongSwan PDP starts and loads its server certificate and the client credentials
<pre>
00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1, Linux 3.16.1, x86_64)
00[LIB] openssl FIPS mode(0) - disabled
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/aaaKey.pem'
00[CFG] loaded EAP secret for carol
00[CFG] loaded EAP secret for dave
</pre>
Next the OS and SWID IMVs are loaded
<pre>
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[TNC] added IETF attributes
00[TNC] added ITA-HSR attributes
00[TNC] added TCG attributes
00[LIB] libimcv initialized
00[IMV] IMV 1 "OS" initialized
00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMV 1 "OS" loaded from '/usr/local/lib/ipsec/imcvs/imv-os.so'
00[IMV] IMV 2 "SWID" initialized
00[TNC] IMV 2 supports 1 message type: 'TCG/SWID' 0x005597/0x00000003
O00[TNC] IMV 2 "SWID" loaded from '/usr/local/lib/ipsec/imcvs/imv-swid.so'
</pre>
The PDP loads all plugins needed to communicate via its EAP-RADIUS and PT-TLS interfaces and spawns 16 worker threads
<pre>
00[IKE] eap method EAP_TTLS selected
00[LIB] loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
00[JOB] spawning 16 worker threads
09[CFG] received stroke: add connection 'aaa'
09[CFG] left nor right host is our side, assuming left=local
09[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" from 'aaaCert.pem'
09[CFG] added configuration 'aaa'
</pre>
h2. PT-EAP Connection by Access Requestor "dave" transported over EAP-RADIUS RADIUS
<pre>
04[CFG] received RADIUS Access-Request from client '10.1.0.1'
04[CFG] created RADIUS connection for user 'dave' NAS 'strongSwan'
04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
11[CFG] received RADIUS Access-Request from client '10.1.0.1'
11[CFG] found RADIUS connection for user 'dave' 'daOct 6 20:49:27 alice charon: ve' NAS 'strongSwan'
</pre>
h3. Set up an EAP-TTLS connection between Access Requestor and PDP
<pre>
11[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
11[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
11[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
<pre>
11[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
12[CFG] received RADIUS Access-Request from client '10.1.0.1'
12[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
13[CFG] received RADIUS Access-Request from client '10.1.0.1'
13[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
14[CFG] received RADIUS Access-Request from client '10.1.0.1'
14[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
14[IKE] received EAP identity 'dave'
14[IKE] phase2 method EAP_MD5 selected
14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
</pre>
<pre>
14[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
03[CFG] received RADIUS Access-Request from client '10.1.0.1'
03[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
03[IKE] EAP_TTLS phase2 authentication of 'dave' with EAP_MD5 successful
03[IKE] phase2 method EAP_PT_EAP selected
03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
03[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
15[CFG] received RADIUS Access-Request from client '10.1.0.1'
15[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
Oct 6 20:49:27 alice charon: 15[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
{{>toc}}
h2. Starting the strongSwan Policy Decision Point (PDP)
The strongSwan PDP starts and loads its server certificate and the client credentials
<pre>
00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1, Linux 3.16.1, x86_64)
00[LIB] openssl FIPS mode(0) - disabled
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/aaaKey.pem'
00[CFG] loaded EAP secret for carol
00[CFG] loaded EAP secret for dave
</pre>
Next the OS and SWID IMVs are loaded
<pre>
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[TNC] added IETF attributes
00[TNC] added ITA-HSR attributes
00[TNC] added TCG attributes
00[LIB] libimcv initialized
00[IMV] IMV 1 "OS" initialized
00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMV 1 "OS" loaded from '/usr/local/lib/ipsec/imcvs/imv-os.so'
00[IMV] IMV 2 "SWID" initialized
00[TNC] IMV 2 supports 1 message type: 'TCG/SWID' 0x005597/0x00000003
O00[TNC] IMV 2 "SWID" loaded from '/usr/local/lib/ipsec/imcvs/imv-swid.so'
</pre>
The PDP loads all plugins needed to communicate via its EAP-RADIUS and PT-TLS interfaces and spawns 16 worker threads
<pre>
00[IKE] eap method EAP_TTLS selected
00[LIB] loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
00[JOB] spawning 16 worker threads
09[CFG] received stroke: add connection 'aaa'
09[CFG] left nor right host is our side, assuming left=local
09[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" from 'aaaCert.pem'
09[CFG] added configuration 'aaa'
</pre>
h2. PT-EAP Connection by Access Requestor "dave" transported over EAP-RADIUS RADIUS
<pre>
04[CFG] received RADIUS Access-Request from client '10.1.0.1'
04[CFG] created RADIUS connection for user 'dave' NAS 'strongSwan'
04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
11[CFG] received RADIUS Access-Request from client '10.1.0.1'
11[CFG] found RADIUS connection for user 'dave' 'daOct 6 20:49:27 alice charon: ve' NAS 'strongSwan'
</pre>
h3. Set up an EAP-TTLS connection between Access Requestor and PDP
<pre>
11[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
11[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
11[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
<pre>
11[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
12[CFG] received RADIUS Access-Request from client '10.1.0.1'
12[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
13[CFG] received RADIUS Access-Request from client '10.1.0.1'
13[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
14[CFG] received RADIUS Access-Request from client '10.1.0.1'
14[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
14[IKE] received EAP identity 'dave'
14[IKE] phase2 method EAP_MD5 selected
14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
</pre>
<pre>
14[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
03[CFG] received RADIUS Access-Request from client '10.1.0.1'
03[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
03[IKE] EAP_TTLS phase2 authentication of 'dave' with EAP_MD5 successful
03[IKE] phase2 method EAP_PT_EAP selected
03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
03[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
15[CFG] received RADIUS Access-Request from client '10.1.0.1'
15[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
Oct 6 20:49:27 alice charon: 15[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]