strongSwan

h1. Endpoint Compliance via PT-EAP Protocol

{{>toc}}

h2. Starting the strongSwan Policy Decision Point (PDP)

The strongSwan PDP starts and loads its server certificate and the client credentials

<pre>

00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1, Linux 3.16.1, x86_64)

00[LIB] openssl FIPS mode(0) - disabled 

00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'

00[CFG]   loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'

00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'

00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'

00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'

00[CFG] loading crls from '/etc/ipsec.d/crls'

00[CFG] loading secrets from '/etc/ipsec.secrets'

00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/aaaKey.pem'

00[CFG]   loaded EAP secret for carol

00[CFG]   loaded EAP secret for dave 

</pre>

Next the OS and SWID IMVs are loaded

<pre>

00[TNC] TNC recommendation policy is 'default'

00[TNC] loading IMVs from '/etc/tnc_config'

00[TNC] added IETF attributes

00[TNC] added ITA-HSR attributes

00[TNC] added TCG attributes

00[LIB] libimcv initialized

00[IMV] IMV 1 "OS" initialized

00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001

00[TNC] IMV 1 "OS" loaded from '/usr/local/lib/ipsec/imcvs/imv-os.so'

00[IMV] IMV 2 "SWID" initialized

00[TNC] IMV 2 supports 1 message type: 'TCG/SWID' 0x005597/0x00000003

O00[TNC] IMV 2 "SWID" loaded from '/usr/local/lib/ipsec/imcvs/imv-swid.so'

</pre>

The PDP loads all plugins needed to communicate via its EAP-RADIUS and PT-TLS interfaces and spawns 16 worker threads

<pre>

00[IKE] eap method EAP_TTLS selected

00[LIB] loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite

00[JOB] spawning 16 worker threads

09[CFG] received stroke: add connection 'aaa'

09[CFG] left nor right host is our side, assuming left=local

09[CFG]   loaded certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" from 'aaaCert.pem'

09[CFG] added configuration 'aaa'

</pre>

h2. PT-EAP Connection by Access Requestor "dave" via EAP-RADIUS

<pre>

04[CFG] received RADIUS Access-Request from client '10.1.0.1'

04[CFG] created RADIUS connection for user 'dave' NAS 'strongSwan'

04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

11[CFG] received RADIUS Access-Request from client '10.1.0.1'

11[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

Set up an EAP-TTLS connection between AR and PDP

<pre>

11[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA

11[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'

11[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'

</pre>

<pre>

11[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

12[CFG] received RADIUS Access-Request from client '10.1.0.1'

12[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

13[CFG] received RADIUS Access-Request from client '10.1.0.1'

13[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]

13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

14[CFG] received RADIUS Access-Request from client '10.1.0.1'

14[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

Received EAP-Identity of AR "dave"

<pre>

14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]

14[IKE] received EAP identity 'dave'

14[IKE] phase2 method EAP_MD5 selected

14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]

</pre>

<pre>

14[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

03[CFG] received RADIUS Access-Request from client '10.1.0.1'

03[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

EAP-MD5 based authentication of AR "dave"

<pre>

03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]

03[IKE] EAP_TTLS phase2 authentication of 'dave' with EAP_MD5 successful

03[IKE] phase2 method EAP_PT_EAP selected

03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]

</pre>

<pre>

03[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

15[CFG] received RADIUS Access-Request from client '10.1.0.1'

15[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

h3. Creating IF-TNCCS 2.0 connection with ID 1

Upon reception of the first PB-TNC client batch, open an IF-TNCCS 2.0 connection

<pre>

15[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]

15[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh

15[IMV]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes

15[IMV]   user AR identity 'dave' authenticated by password

15[IMV] IMV 2 "SWID" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh

15[IMV]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes

15[IMV]   user AR identity 'dave' authenticated by password

15[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Handshake'

15[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Handshake'

</pre>

<pre>

15[TNC] received TNCCS batch (91 bytes) for Connection ID 1

15[TNC] PB-TNC state transition from 'Init' to 'Server Working'

15[TNC] processing PB-TNC CDATA batch

15[TNC] processing IETF/PB-PA message (52 bytes)

15[TNC] setting language preference to 'en'

</pre>

h3. Received Max Attribute Size Request for IF-M Message Type 'TCG/SWID' 

<pre>

15[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003

15[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2

15[IMV] => 28 bytes @ 0x7a5490

15[IMV]    0: 01 00 00 00 26 4B C3 0A 00 00 55 97 00 00 00 21  ....&K....U....!

15[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 7F A6              ............

15[TNC] processing PA-TNC message with ID 0x264bc30a

15[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021

15[IMV] received a segmentation contract from IMC 2 for PA message type 'TCG/SWID' 0x005597/0x00000003

15[IMV]   maximum attribute size of 100'000'000 bytes with maximum segment size of 32678 bytes

</pre>

h3. Sending Max Attribute Size Response for IF-M Message Type 'TCG/SWID'

<pre>

15[TNC] creating PA-TNC message with ID 0x45425ec5

15[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022

15[IMV] created PA-TNC message: => 28 bytes @ 0x7a5b00

15[IMV]    0: 01 00 00 00 45 42 5E C5 00 00 55 97 00 00 00 22  ....EB^...U...."

15[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 7F A6              ............

15[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003

</pre>

h3. Sending Max Attribute Size Request for IF-M Message Type 'IETF Operating Systen'

<pre>

15[IMV] IMV 1 requests a segmentation contract for PA message type 'IETF/Operating System' 0x000000/0x00000001

15[IMV]   maximum attribute size of 100'000'000 bytes with maximum segment size of 65446 bytes

15[TNC] creating PA-TNC message with ID 0x2ae6641f

15[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021

15[TNC] creating PA-TNC attribute type 'IETF/Attribute Request' 0x000000/0x00000001

15[IMV] created PA-TNC message: => 96 bytes @ 0x7a7ff0

15[IMV]    0: 01 00 00 00 2A E6 64 1F 00 00 55 97 00 00 00 21  ....*.d...U....!

15[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 FF A6 00 00 00 00  ................

15[IMV]   32: 00 00 00 01 00 00 00 44 00 00 00 00 00 00 00 02  .......D........

15[IMV]   48: 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 03  ................

15[IMV]   64: 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 0B  ................

15[IMV]   80: 00 00 00 00 00 00 00 0C 00 00 90 2A 00 00 00 08  ...........*....

15[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001

</pre>

After appending an Attribute Request for various standard IETF attributes to this PA-TNC message, a first PB-TNC server batch is sent to the TNC client running on the AR

<pre>

15[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

15[TNC] creating PB-TNC SDATA batch

15[TNC] adding TCG/PB-PDP-Referral message

15[TNC] adding IETF/PB-PA message

15[TNC] adding IETF/PB-PA message

15[TNC] sending PB-TNC SDATA batch (222 bytes) for Connection ID 1

15[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]

</pre>

<pre>

15[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

16[CFG] received RADIUS Access-Request from client '10.1.0.1'

16[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

<pre>

16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]

16[TNC] received TNCCS batch (248 bytes) for Connection ID 1

16[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

16[TNC] processing PB-TNC CDATA batch

16[TNC] processing IETF/PB-PA message (240 bytes)

</pre>

<pre>

16[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001

16[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1 to IMV 1

16[IMV] => 216 bytes @ 0x7a45b0

16[IMV]    0: 01 00 00 00 FD DE 12 F4 00 00 55 97 00 00 00 22  ..........U...."

16[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 7F A6 00 00 00 00  ................

16[IMV]   32: 00 00 00 02 00 00 00 17 00 25 72 00 00 44 65 62  .........%r..Deb

16[IMV]   48: 69 61 6E 00 00 00 00 00 00 00 04 00 00 00 19 0A  ian.............

16[IMV]   64: 37 2E 35 20 78 38 36 5F 36 34 00 00 00 00 00 00  7.5 x86_64......

16[IMV]   80: 00 00 00 03 00 00 00 1C 00 00 00 07 00 00 00 05  ................

16[IMV]   96: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05  ................

16[IMV]  112: 00 00 00 24 03 01 00 00 32 30 31 34 2D 31 30 2D  ...$....2014-10-

16[IMV]  128: 30 36 54 31 39 3A 33 31 3A 30 30 5A 00 00 00 00  06T19:31:00Z....

16[IMV]  144: 00 00 00 0B 00 00 00 10 00 00 00 01 00 00 00 00  ................

16[IMV]  160: 00 00 00 0C 00 00 00 10 00 00 00 00 00 00 90 2A  ...............*

16[IMV]  176: 00 00 00 08 00 00 00 2C 61 61 62 62 63 63 64 64  .......,aabbccdd

16[IMV]  192: 65 65 66 66 31 31 32 32 33 33 34 34 35 35 36 36  eeff112233445566

16[IMV]  208: 37 37 38 38 39 39 30 30                          77889900

16[TNC] processing PA-TNC message with ID 0xfdde12f4

16[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022

16[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002

16[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004

16[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003

16[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005

16[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b

16[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c

16[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008

</pre>

h3. Received Max Attribute Size Response for IF-M Message Type 'IETF/Operating System' 

<pre>

16[IMV] received a segmentation contract response for PA message type 'IETF/Operating System' 0x000000/0x00000001

16[IMV]   maximum attribute size of 100000000 bytes with maximum segment size of 32678 bytes

</pre>

h3. Received Standard IETF Operating System Attributes

<pre>

16[IMV] operating system name is 'Debian' from vendor Debian Project

16[IMV] operating system version is '7.5 x86_64'

16[IMV] operating system numeric version is 7.5

16[IMV] operational status: operational, result: successful

16[IMV] last boot: Oct 06 19:31:00 UTC 2014

16[IMV] IPv4 forwarding is enabled

16[IMV] factory default password is disabled

16[IMV] device ID is aabbccddeeff11223344556677889900

</pre>

<pre>

16[IMV] assigned session ID 2 to Connection ID 1

16[IMV] running policy script: 2>&1 ipsec imv_policy_manager start 2

16[IMV] policy: imv_policy_manager start successful

16[IMV] DREFM workitem 1

16[IMV] FWDEN workitem 2

16[IMV] SWIDT workitem 3

</pre>

<pre>

16[IMV] IMV 1 handles FWDEN workitem 2

16[IMV] IMV 1 handled FWDEN workitem 2: isolate - forwarding enabled

16[TNC] creating PA-TNC message with ID 0x3fb2eb38

16[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009

16[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a

16[IMV] created PA-TNC message: => 117 bytes @ 0x7ab630

16[IMV]    0: 01 00 00 00 3F B2 EB 38 00 00 00 00 00 00 00 09  ....?..8........

16[IMV]   16: 00 00 00 10 00 00 00 02 00 00 00 00 00 00 00 0A  ................

16[IMV]   32: 00 00 00 5D 00 00 00 00 00 00 00 02 00 00 00 42  ...]...........B

16[IMV]   48: 49 50 20 50 61 63 6B 65 74 20 46 6F 72 77 61 72  IP Packet Forwar

16[IMV]   64: 64 69 6E 67 0A 20 20 50 6C 65 61 73 65 20 64 69  ding.  Please di

16[IMV]   80: 73 61 62 6C 65 20 74 68 65 20 66 6F 72 77 61 72  sable the forwar

16[IMV]   96: 64 69 6E 67 20 6F 66 20 49 50 20 70 61 63 6B 65  ding of IP packe

16[IMV]  112: 74 73 02 65 6E                                   ts.en

16[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001

16[TNC] IMV 1 is setting reason string to 'Improper OS settings were detected'

16[TNC] IMV 1 is setting reason language to 'en'

16[TNC] IMV 1 provides recommendation 'isolate' and evaluation 'non-compliant major'

</pre>

h3. Sending Max Attribute Size Request for IF-M message type 'TCG/SWID'

<pre>

16[IMV] IMV 2 requests a segmentation contract for PA message type 'TCG/SWID' 0x005597/0x00000003

16[IMV]   maximum attribute size of 100000000 bytes with maximum segment size of 65446 bytes

</pre>

<pre>

16[IMV] IMV 2 handles SWIDT workitem 3

16[IMV] IMV 2 issues SWID request 3

</pre>

<pre>

16[TNC] creating PA-TNC message with ID 0x8fc76ae4

16[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021

16[TNC] creating PA-TNC attribute type 'TCG/SWID Request' 0x005597/0x00000011

16[IMV] created PA-TNC message: => 52 bytes @ 0x7eaaa0

16[IMV]    0: 01 00 00 00 8F C7 6A E4 00 00 55 97 00 00 00 21  ......j...U....!

16[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 FF A6 00 00 55 97  ..............U.

16[IMV]   32: 00 00 00 11 00 00 00 18 00 00 00 00 00 00 00 03  ................

16[IMV]   48: 00 00 00 00                                      ....

16[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003

</pre>

<pre>

16[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

16[TNC] creating PB-TNC SDATA batch

16[TNC] adding IETF/PB-PA message

16[TNC] adding IETF/PB-PA message

16[TNC] sending PB-TNC SDATA batch (225 bytes) for Connection ID 1

16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]

</pre>

<pre>

16[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

02[CFG] received RADIUS Access-Request from client '10.1.0.1'

02[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

02[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

01[CFG] received RADIUS Access-Request from client '10.1.0.1'

01[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

01[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

        ... 30 more RADIUS exchanges

14[CFG] received RADIUS Access-Request from client '10.1.0.1'

14[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

<pre>

14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]

14[TNC] received TNCCS batch (32754 bytes) for Connection ID 1

14[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

14[TNC] processing PB-TNC CDATA batch

14[TNC] processing IETF/PB-PA message (32746 bytes)

</pre>

<pre>

14[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003

14[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2

14[IMV] => 32722 bytes @ 0x81f620

14[IMV]    0: 01 00 00 00 C6 E7 09 AA 00 00 55 97 00 00 00 22  ..........U...."

14[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 7F A6 00 00 55 97  ..............U.

14[IMV]   32: 00 00 00 23 00 00 7F B6 C0 00 00 01 00 00 55 97  ...#..........U.

14[IMV]   48: 00 00 00 14 00 01 C4 84 00 00 01 74 00 00 00 03  ...........t....

14[IMV]   64: F1 07 0C 90 00 00 00 01 00 00 00 00 01 35 3C 53  .............5<S

14[IMV]   80: 6F 66 74 77 61 72 65 49 64 65 6E 74 69 74 79 20  oftwareIdentity 

14[IMV]   96: 6E 61 6D 65 3D 22 61 63 70 69 2D 73 75 70 70 6F  name="acpi-suppo

14[IMV]  112: 72 74 2D 62 61 73 65 22 20 75 6E 69 71 75 65 49  rt-base" uniqueI

14[IMV]  128: 64 3D 22 64 65 62 69 61 6E 5F 37 2E 35 2D 78 38  d="debian_7.5-x8

14[IMV]  144: 36 5F 36 34 2D 61 63 70 69 2D 73 75 70 70 6F 72  6_64-acpi-suppor

14[IMV]  160: 74 2D 62 61 73 65 2D 30 2E 31 34 30 2D 35 22 20  t-base-0.140-5" 

14[IMV]  176: 76 65 72 73 69 6F 6E 3D 22 30 2E 31 34 30 2D 35  version="0.140-5

14[IMV]  192: 22 20 76 65 72 73 69 6F 6E 53 63 68 65 6D 65 3D  " versionScheme=

14[IMV]  208: 22 61 6C 70 68 61 6E 75 6D 65 72 69 63 22 20 78  "alphanumeric" x

14[IMV]  224: 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 74 61  mlns="http://sta

14[IMV]  240: 6E 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67 2F 69  ndards.iso.org/i

14[IMV]  256: 73 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30 31 34  so/19770/-2/2014

14[IMV]  272: 2F 73 63 68 65 6D 61 2E 78 73 64 22 3E 3C 45 6E  /schema.xsd"><En

14[IMV]  288: 74 69 74 79 20 6E 61 6D 65 3D 22 73 74 72 6F 6E  tity name="stron

14[IMV]  304: 67 53 77 61 6E 22 20 72 65 67 69 64 3D 22 72 65  gSwan" regid="re

14[IMV]  320: 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E  gid.2004-03.org.

14[IMV]  336: 73 74 72 6F 6E 67 73 77 61 6E 22 20 72 6F 6C 65  strongswan" role

14[IMV]  352: 3D 22 74 61 67 63 72 65 61 74 6F 72 22 20 2F 3E  ="tagcreator" />

14[IMV]  368: 3C 2F 53 6F 66 74 77 61 72 65 49 64 65 6E 74 69  </SoftwareIdenti

14[IMV]  384: 74 79 3E 00 00 00 00 01 31 3C 53 6F 66 74 77 61  ty>.....1<Softwa

14[IMV]  400: 72 65 49 64 65 6E 74 69 74 79 20 6E 61 6D 65 3D  reIdentity name=

14[IMV]  416: 22 61 63 70 69 64 22 20 75 6E 69 71 75 65 49 64  "acpid" uniqueId

         ...

14[IMV] 32624: 20 2F 3E 3C 2F 53 6F 66 74 77 61 72 65 49 64 65   /></SoftwareIde

14[IMV] 32640: 6E 74 69 74 79 3E 00 00 00 00 01 2F 3C 53 6F 66  ntity>...../<Sof

14[IMV] 32656: 74 77 61 72 65 49 64 65 6E 74 69 74 79 20 6E 61  twareIdentity na

14[IMV] 32672: 6D 65 3D 22 6C 69 62 61 70 72 31 22 20 75 6E 69  me="libapr1" uni

14[IMV] 32688: 71 75 65 49 64 3D 22 64 65 62 69 61 6E 5F 37 2E  queId="debian_7.

14[IMV] 32704: 35 2D 78 38 36 5F 36 34 2D 6C 69 62 61 70 72 31  5-x86_64-libapr1

14[IMV] 32720: 2D 31                                            -1

14[TNC] processing PA-TNC message with ID 0xc6e709aa

14[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022

14[TNC] processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023

</pre>

h3. Received Max Attribute Size Response for IF-M Message Type 'TCG/SWID ' 

<pre>

14[IMV] received a segmentation contract response for PA message type 'TCG/SWID' 0x005597/0x00000003

14[IMV]   maximum attribute size of 100'000'000 bytes with maximum segment size of 32678 bytes

</pre>

h3. Received First Segment of Base Attribute 'TCG/SWID Tag Inventory' with ID 1

<pre>

14[TNC] received first segment for base attribute ID 1 (32678 bytes)

14[TNC] processing PA-TNC attribute type 'TCG/SWID Tag Inventory' 0x005597/0x00000014

14[LIB] 70 bytes insufficient to parse 303 bytes of data

14[IMV] received SWID tag inventory with 106 items for request 3 at eid 1 of epoch 0xf1070c90, 266 items to follow

14[IMV] <SoftwareIdentity name="acpi-support-base" uniqueId="debian_7.5-x86_64-acpi-support-base-0.140-5" version="0.140-5" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>

14[IMV] <SoftwareIdentity name="acpid" uniqueId="debian_7.5-x86_64-acpid-1:2.0.16-1+deb7u1" version="1:2.0.16-1+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>

        ... 103 more SWID tags

14[IMV] <SoftwareIdentity name="libapache2-mod-wsgi" uniqueId="debian_7.5-x86_64-libapache2-mod-wsgi-3.3-4" version="3.3-4" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>

</pre>

h3. Sending Next Segment Request for Base Attribute with ID 1

<pre>

14[TNC] creating PA-TNC message with ID 0x636ebdaa

14[TNC] creating PA-TNC attribute type 'TCG/Next Segment Request' 0x005597/0x00000024

14[IMV] created PA-TNC message: => 24 bytes @ 0x7b2e10

14[IMV]    0: 01 00 00 00 63 6E BD AA 00 00 55 97 00 00 00 24  ....cn....U....$

14[IMV]   16: 00 00 00 10 00 00 00 01                          ........

14[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003

</pre>

<pre>

14[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

14[TNC] creating PB-TNC SDATA batch

14[TNC] adding IETF/PB-PA message

14[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1

14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]

</pre>

<pre>

14[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

03[CFG] received RADIUS Access-Request from client '10.1.0.1'

03[CFG] ignoring RADIUS Access-Request 0x3f, already processing

15[CFG] received RADIUS Access-Request from client '10.1.0.1'

15[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

15[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

         ... 31 more RADIUS exchanges

12[CFG] received RADIUS Access-Request from client '10.1.0.1'

12[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

<pre>

12[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]

12[TNC] received TNCCS batch (32734 bytes) for Connection ID 1

12[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

12[TNC] processing PB-TNC CDATA batch

12[TNC] processing IETF/PB-PA message (32726 bytes)

</pre>

<pre>

12[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003

12[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2

12[IMV] => 32702 bytes @ 0x80b530

12[IMV]    0: 01 00 00 00 A7 75 C2 64 00 00 55 97 00 00 00 23  .....u.d..U....#

12[IMV]   16: 00 00 7F B6 80 00 00 01 2E 34 2E 36 2D 33 2B 64  .........4.6-3+d

12[IMV]   32: 65 62 37 75 31 22 20 76 65 72 73 69 6F 6E 3D 22  eb7u1" version="

12[IMV]   48: 31 2E 34 2E 36 2D 33 2B 64 65 62 37 75 31 22 20  1.4.6-3+deb7u1" 

12[IMV]   64: 76 65 72 73 69 6F 6E 53 63 68 65 6D 65 3D 22 61  versionScheme="a

12[IMV]   80: 6C 70 68 61 6E 75 6D 65 72 69 63 22 20 78 6D 6C  lphanumeric" xml

12[IMV]   96: 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 74 61 6E 64  ns="http://stand

12[IMV]  112: 61 72 64 73 2E 69 73 6F 2E 6F 72 67 2F 69 73 6F  ards.iso.org/iso

12[IMV]  128: 2F 31 39 37 37 30 2F 2D 32 2F 32 30 31 34 2F 73  /19770/-2/2014/s

12[IMV]  144: 63 68 65 6D 61 2E 78 73 64 22 3E 3C 45 6E 74 69  chema.xsd"><Enti

12[IMV]  160: 74 79 20 6E 61 6D 65 3D 22 73 74 72 6F 6E 67 53  ty name="strongS

12[IMV]  176: 77 61 6E 22 20 72 65 67 69 64 3D 22 72 65 67 69  wan" regid="regi

12[IMV]  192: 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E 73 74  d.2004-03.org.st

12[IMV]  208: 72 6F 6E 67 73 77 61 6E 22 20 72 6F 6C 65 3D 22  rongswan" role="

12[IMV]  224: 74 61 67 63 72 65 61 74 6F 72 22 20 2F 3E 3C 2F  tagcreator" /></

12[IMV]  240: 53 6F 66 74 77 61 72 65 49 64 65 6E 74 69 74 79  SoftwareIdentity

12[IMV]  256: 3E 00 00 00 00 01 37 3C 53 6F 66 74 77 61 72 65  >.....7<Software

12[IMV]  272: 49 64 65 6E 74 69 74 79 20 6E 61 6D 65 3D 22 6C  Identity name="l

12[IMV]  288: 69 62 61 70 72 31 2D 64 65 76 22 20 75 6E 69 71  ibapr1-dev" uniq

         ...

12[IMV] 32416: 01 31 3C 53 6F 66 74 77 61 72 65 49 64 65 6E 74  .1<SoftwareIdent

12[IMV] 32432: 69 74 79 20 6E 61 6D 65 3D 22 6C 69 62 6C 6F 67  ity name="liblog

12[IMV] 32448: 34 63 78 78 31 30 22 20 75 6E 69 71 75 65 49 64  4cxx10" uniqueId

12[IMV] 32464: 3D 22 64 65 62 69 61 6E 5F 37 2E 35 2D 78 38 36  ="debian_7.5-x86

12[IMV] 32480: 5F 36 34 2D 6C 69 62 6C 6F 67 34 63 78 78 31 30  _64-liblog4cxx10

12[IMV] 32496: 2D 30 2E 31 30 2E 30 2D 31 2E 32 22 20 76 65 72  -0.10.0-1.2" ver

12[IMV] 32512: 73 69 6F 6E 3D 22 30 2E 31 30 2E 30 2D 31 2E 32  sion="0.10.0-1.2

12[IMV] 32528: 22 20 76 65 72 73 69 6F 6E 53 63 68 65 6D 65 3D  " versionScheme=

12[IMV] 32544: 22 61 6C 70 68 61 6E 75 6D 65 72 69 63 22 20 78  "alphanumeric" x

12[IMV] 32560: 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 74 61  mlns="http://sta

12[IMV] 32576: 6E 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67 2F 69  ndards.iso.org/i

12[IMV] 32592: 73 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30 31 34  so/19770/-2/2014

12[IMV] 32608: 2F 73 63 68 65 6D 61 2E 78 73 64 22 3E 3C 45 6E  /schema.xsd"><En

12[IMV] 32624: 74 69 74 79 20 6E 61 6D 65 3D 22 73 74 72 6F 6E  tity name="stron

12[IMV] 32640: 67 53 77 61 6E 22 20 72 65 67 69 64 3D 22 72 65  gSwan" regid="re

12[IMV] 32656: 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E  gid.2004-03.org.

12[IMV] 32672: 73 74 72 6F 6E 67 73 77 61 6E 22 20 72 6F 6C 65  strongswan" role

12[IMV] 32688: 3D 22 74 61 67 63 72 65 61 74 6F 72 22 20        ="tagcreator" 

12[TNC] processing PA-TNC message with ID 0xa775c264

12[TNC] processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023

</pre>

h3. Received Next Segment of Base Attribute 'TCG/SWID Tag Inventory' with ID 1

<pre>

12[TNC] received next segment for base attribute ID 1 (32678 bytes)

12[LIB] 284 bytes insufficient to parse 305 bytes of data

12[IMV] received SWID tag inventory with 102 items for request 3 at eid 1 of epoch 0xf1070c90, 164 items to follow

12[IMV] <SoftwareIdentity name="libapr1" uniqueId="debian_7.5-x86_64-libapr1-1.4.6-3+deb7u1" version="1.4.6-3+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>

12[IMV] <SoftwareIdentity name="libapr1-dev" uniqueId="debian_7.5-x86_64-libapr1-dev-1.4.6-3+deb7u1" version="1.4.6-3+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>

        ... 99 more SWID tags

12[IMV] <SoftwareIdentity name="liblocale-gettext-perl" uniqueId="debian_7.5-x86_64-liblocale-gettext-perl-1.05-7+b1" version="1.05-7+b1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>

</pre>

h3. Sending Next Segment Request for Base Attribute with ID 1

<pre>

12[TNC] creating PA-TNC message with ID 0x5382f1b3

12[TNC] creating PA-TNC attribute type 'TCG/Next Segment Request' 0x005597/0x00000024

12[IMV] created PA-TNC message: => 24 bytes @ 0x7c6f20

12[IMV]    0: 01 00 00 00 53 82 F1 B3 00 00 55 97 00 00 00 24  ....S.....U....$

12[IMV]   16: 00 00 00 10 00 00 00 01                          ........

12[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003

</pre>

<pre>

12[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

12[TNC] creating PB-TNC SDATA batch

12[TNC] adding IETF/PB-PA message

12[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1

12[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]

</pre>

<pre>

12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

13[CFG] received RADIUS Access-Request from client '10.1.0.1'

13[CFG] ignoring RADIUS Access-Request 0x60, already processing

03[CFG] received RADIUS Access-Request from client '10.1.0.1'

03[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

03[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

        ... 31 more RADIUS exchanges

04[CFG] received RADIUS Access-Request from client '10.1.0.1'

04[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

<pre>

04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]

04[TNC] received TNCCS batch (32734 bytes) for Connection ID 1

04[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

04[TNC] processing PB-TNC CDATA batch

04[TNC] processing IETF/PB-PA message (32726 bytes)

</pre>

<pre>

04[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003

04[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2

04[IMV] => 32702 bytes @ 0x82b510

04[IMV]    0: 01 00 00 00 08 CC 13 66 00 00 55 97 00 00 00 23  .......f..U....#

04[IMV]   16: 00 00 7F B6 80 00 00 01 2F 3E 3C 2F 53 6F 66 74  ......../></Soft

04[IMV]   32: 77 61 72 65 49 64 65 6E 74 69 74 79 3E 00 00 00  wareIdentity>...

04[IMV]   48: 00 01 39 3C 53 6F 66 74 77 61 72 65 49 64 65 6E  ..9<SoftwareIden

04[IMV]   64: 74 69 74 79 20 6E 61 6D 65 3D 22 6C 69 62 6C 6F  tity name="liblo

04[IMV]   80: 67 34 63 78 78 31 30 2D 64 65 76 22 20 75 6E 69  g4cxx10-dev" uni

         ...

04[IMV] 32288: 74 69 74 79 3E 00 00 00 00 01 43 3C 53 6F 66 74  tity>.....C<Soft

04[IMV] 32304: 77 61 72 65 49 64 65 6E 74 69 74 79 20 6E 61 6D  wareIdentity nam

04[IMV] 32320: 65 3D 22 6D 75 6C 74 69 61 72 63 68 2D 73 75 70  e="multiarch-sup

04[IMV] 32336: 70 6F 72 74 22 20 75 6E 69 71 75 65 49 64 3D 22  port" uniqueId="

04[IMV] 32352: 64 65 62 69 61 6E 5F 37 2E 35 2D 78 38 36 5F 36  debian_7.5-x86_6

04[IMV] 32368: 34 2D 6D 75 6C 74 69 61 72 63 68 2D 73 75 70 70  4-multiarch-supp

04[IMV] 32384: 6F 72 74 2D 32 2E 31 33 2D 33 38 2B 64 65 62 37  ort-2.13-38+deb7

04[IMV] 32400: 75 31 22 20 76 65 72 73 69 6F 6E 3D 22 32 2E 31  u1" version="2.1

04[IMV] 32416: 33 2D 33 38 2B 64 65 62 37 75 31 22 20 76 65 72  3-38+deb7u1" ver

04[IMV] 32432: 73 69 6F 6E 53 63 68 65 6D 65 3D 22 61 6C 70 68  sionScheme="alph

04[IMV] 32448: 61 6E 75 6D 65 72 69 63 22 20 78 6D 6C 6E 73 3D  anumeric" xmlns=

04[IMV] 32464: 22 68 74 74 70 3A 2F 2F 73 74 61 6E 64 61 72 64  "http://standard

04[IMV] 32480: 73 2E 69 73 6F 2E 6F 72 67 2F 69 73 6F 2F 31 39  s.iso.org/iso/19

04[IMV] 32496: 37 37 30 2F 2D 32 2F 32 30 31 34 2F 73 63 68 65  770/-2/2014/sche

04[IMV] 32512: 6D 61 2E 78 73 64 22 3E 3C 45 6E 74 69 74 79 20  ma.xsd"><Entity 

04[IMV] 32528: 6E 61 6D 65 3D 22 73 74 72 6F 6E 67 53 77 61 6E  name="strongSwan

04[IMV] 32544: 22 20 72 65 67 69 64 3D 22 72 65 67 69 64 2E 32  " regid="regid.2

04[IMV] 32560: 30 30 34 2D 30 33 2E 6F 72 67 2E 73 74 72 6F 6E  004-03.org.stron

04[IMV] 32576: 67 73 77 61 6E 22 20 72 6F 6C 65 3D 22 74 61 67  gswan" role="tag

04[IMV] 32592: 63 72 65 61 74 6F 72 22 20 2F 3E 3C 2F 53 6F 66  creator" /></Sof

04[IMV] 32608: 74 77 61 72 65 49 64 65 6E 74 69 74 79 3E 00 00  twareIdentity>..

04[IMV] 32624: 00 00 01 47 3C 53 6F 66 74 77 61 72 65 49 64 65  ...G<SoftwareIde

04[IMV] 32640: 6E 74 69 74 79 20 6E 61 6D 65 3D 22 6D 79 73 71  ntity name="mysq

04[IMV] 32656: 6C 2D 63 6F 6D 6D 6F 6E 22 20 75 6E 69 71 75 65  l-common" unique

04[IMV] 32672: 49 64 3D 22 64 65 62 69 61 6E 5F 37 2E 35 2D 78  Id="debian_7.5-x

04[IMV] 32688: 38 36 5F 36 34 2D 6D 79 73 71 6C 2D 63 6F        86_64-mysql-co

04[TNC] processing PA-TNC message with ID 0x08cc1366

04[TNC] processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023

</pre>

h3. Received Next Segment of Base Attribute 'TCG/SWID Tag Inventory' with ID 1

<pre>

04[TNC] received next segment for base attribute ID 1 (32678 bytes)

04[LIB] 74 bytes insufficient to parse 327 bytes of data

04[IMV] received SWID tag inventory with 106 items for request 3 at eid 1 of epoch 0xf1070c90, 58 items to follow

04[IMV] <SoftwareIdentity name="liblog4cxx10" uniqueId="debian_7.5-x86_64-liblog4cxx10-0.10.0-1.2" version="0.10.0-1.2" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>

04[IMV] <SoftwareIdentity name="liblog4cxx10-dev" uniqueId="debian_7.5-x86_64-liblog4cxx10-dev-0.10.0-1.2" version="0.10.0-1.2" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>

      ... 103 more SWID tags

04[IMV] <SoftwareIdentity name="multiarch-support" uniqueId="debian_7.5-x86_64-multiarch-support-2.13-38+deb7u1" version="2.13-38+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>

</pre>

h3. Sending Next Segment Request for Base Attribute with ID 1

<pre>

04[TNC] creating PA-TNC message with ID 0x76280e6a

04[TNC] creating PA-TNC attribute type 'TCG/Next Segment Request' 0x005597/0x00000024

04[IMV] created PA-TNC message: => 24 bytes @ 0x7a7860

04[IMV]    0: 01 00 00 00 76 28 0E 6A 00 00 55 97 00 00 00 24  ....v(.j..U....$

04[IMV]   16: 00 00 00 10 00 00 00 01                          ........

04[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003

</pre>

<pre>

04[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'

04[TNC] creating PB-TNC SDATA batch

04[TNC] adding IETF/PB-PA message

04[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1

04[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]

</pre>

<pre>

04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

11[CFG] received RADIUS Access-Request from client '10.1.0.1'

11[CFG] ignoring RADIUS Access-Request 0x81, already processing

13[CFG] received RADIUS Access-Request from client '10.1.0.1'

13[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

        ... 15 more RADIUS exchanges

16[CFG] received RADIUS Access-Request from client '10.1.0.1'

16[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

<pre>

16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]

16[TNC] received TNCCS batch (17866 bytes) for Connection ID 1

16[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'

16[TNC] processing PB-TNC CDATA batch

16[TNC] processing IETF/PB-PA message (17858 bytes)

</pre>

<pre>

16[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003

16[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2

16[IMV]    0: 01 00 00 00 15 7F 65 95 00 00 55 97 00 00 00 23  ......e...U....#

16[IMV]   16: 00 00 45 A2 00 00 00 01 6D 6D 6F 6E 2D 35 2E 35  ..E.....mmon-5.5

16[IMV]   32: 2E 33 35 2B 64 66 73 67 2D 30 2B 77 68 65 65 7A  .35+dfsg-0+wheez

16[IMV]   48: 79 31 22 20 76 65 72 73 69 6F 6E 3D 22 35 2E 35  y1" version="5.5

16[IMV]   64: 2E 33 35 2B 64 66 73 67 2D 30 2B 77 68 65 65 7A  .35+dfsg-0+wheez

16[IMV]   80: 79 31 22 20 76 65 72 73 69 6F 6E 53 63 68 65 6D  y1" versionSchem

16[IMV]   96: 65 3D 22 61 6C 70 68 61 6E 75 6D 65 72 69 63 22  e="alphanumeric"

16[IMV]  112: 20 78 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73   xmlns="http://s

16[IMV]  128: 74 61 6E 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67  tandards.iso.org

16[IMV]  144: 2F 69 73 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30  /iso/19770/-2/20

16[IMV]  160: 31 34 2F 73 63 68 65 6D 61 2E 78 73 64 22 3E 3C  14/schema.xsd"><

16[IMV]  176: 45 6E 74 69 74 79 20 6E 61 6D 65 3D 22 73 74 72  Entity name="str

16[IMV]  192: 6F 6E 67 53 77 61 6E 22 20 72 65 67 69 64 3D 22  ongSwan" regid="

16[IMV]  208: 72 65 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72  regid.2004-03.or

16[IMV]  224: 67 2E 73 74 72 6F 6E 67 73 77 61 6E 22 20 72 6F  g.strongswan" ro

16[IMV]  240: 6C 65 3D 22 74 61 67 63 72 65 61 74 6F 72 22 20  le="tagcreator" 

16[IMV]  256: 2F 3E 3C 2F 53 6F 66 74 77 61 72 65 49 64 65 6E  /></SoftwareIden

16[IMV]  272: 74 69 74 79 3E 00 00 00 00 01 21 3C 53 6F 66 74  tity>.....!<Soft

16[IMV]  288: 77 61 72 65 49 64 65 6E 74 69 74 79 20 6E 61 6D  wareIdentity nam

16[IMV]  304: 65 3D 22 6E 61 6E 6F 22 20 75 6E 69 71 75 65 49  e="nano" uniqueI

   ...

16[IMV] 17520: 00 01 37 3C 53 6F 66 74 77 61 72 65 49 64 65 6E  ..7<SoftwareIden

16[IMV] 17536: 74 69 74 79 20 6E 61 6D 65 3D 22 7A 6C 69 62 31  tity name="zlib1

16[IMV] 17552: 67 2D 64 65 76 22 20 75 6E 69 71 75 65 49 64 3D  g-dev" uniqueId=

16[IMV] 17568: 22 64 65 62 69 61 6E 5F 37 2E 35 2D 78 38 36 5F  "debian_7.5-x86_

16[IMV] 17584: 36 34 2D 7A 6C 69 62 31 67 2D 64 65 76 2D 31 3A  64-zlib1g-dev-1:

16[IMV] 17600: 31 2E 32 2E 37 2E 64 66 73 67 2D 31 33 22 20 76  1.2.7.dfsg-13" v

16[IMV] 17616: 65 72 73 69 6F 6E 3D 22 31 3A 31 2E 32 2E 37 2E  ersion="1:1.2.7.

16[IMV] 17632: 64 66 73 67 2D 31 33 22 20 76 65 72 73 69 6F 6E  dfsg-13" version

16[IMV] 17648: 53 63 68 65 6D 65 3D 22 61 6C 70 68 61 6E 75 6D  Scheme="alphanum

16[IMV] 17664: 65 72 69 63 22 20 78 6D 6C 6E 73 3D 22 68 74 74  eric" xmlns="htt

16[IMV] 17680: 70 3A 2F 2F 73 74 61 6E 64 61 72 64 73 2E 69 73  p://standards.is

16[IMV] 17696: 6F 2E 6F 72 67 2F 69 73 6F 2F 31 39 37 37 30 2F  o.org/iso/19770/

16[IMV] 17712: 2D 32 2F 32 30 31 34 2F 73 63 68 65 6D 61 2E 78  -2/2014/schema.x

16[IMV] 17728: 73 64 22 3E 3C 45 6E 74 69 74 79 20 6E 61 6D 65  sd"><Entity name

16[IMV] 17744: 3D 22 73 74 72 6F 6E 67 53 77 61 6E 22 20 72 65  ="strongSwan" re

16[IMV] 17760: 67 69 64 3D 22 72 65 67 69 64 2E 32 30 30 34 2D  gid="regid.2004-

16[IMV] 17776: 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 61  03.org.strongswa

16[IMV] 17792: 6E 22 20 72 6F 6C 65 3D 22 74 61 67 63 72 65 61  n" role="tagcrea

16[IMV] 17808: 74 6F 72 22 20 2F 3E 3C 2F 53 6F 66 74 77 61 72  tor" /></Softwar

16[IMV] 17824: 65 49 64 65 6E 74 69 74 79 3E                    eIdentity>

16[TNC] processing PA-TNC message with ID 0x157f6595

16[TNC] processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023

</pre>

h3. Received Last Segment of Base Attribute 'TCG/SWID Tag Inventory' with ID 1

<pre>

16[TNC] received last segment for base attribute ID 1 (17810 bytes)

16[IMV] received SWID tag inventory with 58 items for request 3 at eid 1 of epoch 0xf1070c90, 0 items to follow

16[IMV] <SoftwareIdentity name="mysql-common" uniqueId="debian_7.5-x86_64-mysql-common-5.5.35+dfsg-0+wheezy1" version="5.5.35+dfsg-0+wheezy1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>

16[IMV] <SoftwareIdentity name="nano" uniqueId="debian_7.5-x86_64-nano-2.2.6-1+b1" version="2.2.6-1+b1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>

        ...

16[IMV] <SoftwareIdentity name="zlib1g-dev" uniqueId="debian_7.5-x86_64-zlib1g-dev-1:1.2.7.dfsg-13" version="1:1.2.7.dfsg-13" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>

</pre>

<pre>

16[IMV] IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and 372 SWID tags

16[TNC] creating PA-TNC message with ID 0x39b02ad7

16[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009

16[IMV] created PA-TNC message: => 24 bytes @ 0x7a7600

16[IMV]    0: 01 00 00 00 39 B0 2A D7 00 00 00 00 00 00 00 09  ....9.*.........

16[IMV]   16: 00 00 00 10 00 00 00 00                          ........

16[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003

16[TNC] IMV 2 provides recommendation 'allow' and evaluation 'compliant'

16[IMV] running policy script: 2>&1 ipsec imv_policy_manager stop 2

16[IMV] policy: imv_policy_manager stop successful

16[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Isolated'

16[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Isolated'

</pre>

<pre>

16[TNC] PB-TNC state transition from 'Server Working' to 'Decided'

16[TNC] creating PB-TNC RESULT batch

16[TNC] adding IETF/PB-PA message

16[TNC] adding IETF/PB-Assessment-Result message

16[TNC] adding IETF/PB-Access-Recommendation message

16[TNC] adding IETF/PB-Reason-String message

16[TNC] sending PB-TNC RESULT batch (141 bytes) for Connection ID 1

16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]

</pre>

<pre>

16[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

02[CFG] received RADIUS Access-Request from client '10.1.0.1'

02[CFG] ignoring RADIUS Access-Request 0x93, already processing

01[CFG] received RADIUS Access-Request from client '10.1.0.1'

01[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

<pre>

01[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]

01[TNC] received TNCCS batch (8 bytes) for Connection ID 1

01[TNC] PB-TNC state transition from 'Decided' to 'End'

01[TNC] processing PB-TNC CLOSE batch

01[TNC] final recommendation is 'isolate' and evaluation is 'non-compliant major'

01[TNC] policy enforced on peer 'dave' is 'isolate'

01[TNC] policy enforcement point added group membership 'isolate'

01[IKE] EAP_TTLS phase2 authentication of 'dave' with EAP_PT_EAP successful

01[IMV] IMV 1 "OS" deleted the state of Connection ID 1

01[IMV] IMV 2 "SWID" deleted the state of Connection ID 1

01[TNC] removed TNCCS Connection ID 1

01[TLS] sending TLS close notify

</pre>

h2. PT-EAP Connection by Access Requestor "carol" via EAP-RADIUS

<pre>

01[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

10[CFG] received RADIUS Access-Request from client '10.1.0.1'

10[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'

10[CFG] sending RADIUS Access-Accept to client '10.1.0.1'

10[CFG] removed RADIUS connection for user 'dave' NAS 'strongSwan'

</pre>

Set up an EAP-TTLS connection between AR and PDP

<pre>

09[CFG] received RADIUS Access-Request from client '10.1.0.1'

09[CFG] created RADIUS connection for user 'carol' NAS 'strongSwan'

09[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

11[CFG] received RADIUS Access-Request from client '10.1.0.1'

11[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'

11[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA

11[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'

11[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'

</pre>

<pre>

11[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

04[CFG] received RADIUS Access-Request from client '10.1.0.1'

04[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'

04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

13[CFG] received RADIUS Access-Request from client '10.1.0.1'

13[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'

13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]

13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

12[CFG] received RADIUS Access-Request from client '10.1.0.1'

12[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'

</pre>

Received EAP-Identity of AR "carol"

<pre>

12[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]

12[IKE] received EAP identity 'carol'

12[IKE] phase2 method EAP_MD5 selected

12[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]

</pre>

<pre>

12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

03[CFG] received RADIUS Access-Request from client '10.1.0.1'

03[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'

</pre>

EAP-MD5 based authentication of AR "carol"

<pre>

03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]

03[IKE] EAP_TTLS phase2 authentication of 'carol' with EAP_MD5 successful

03[IKE] phase2 method EAP_PT_EAP selected

03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]

</pre>

<pre>

03[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'

Oct  6 20:49:46 alice charon: 14[CFG] received RADIUS Access-Request from client '10.1.0.1'

Oct  6 20:49:46 alice charon: 14[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'

</pre>

h3. Creating IF-TNCCS 2.0 connection with ID 2

Upon reception of the first PB-TNC client batch, open an IF-TNCCS 2.0 connection

<pre>

14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]

14[TNC] assigned TNCCS Connection ID 2

14[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh

14[IMV]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes

14[IMV]   user AR identity 'carol' authenticated by password

14[IMV] IMV 2 "SWID" created a state for IF-TNCCS 2.0 Connection ID 2: +long +excl -soh

14[IMV]   over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes

14[IMV]   user AR identity 'carol' authenticated by password

14[IMV] IMV 1 "OS" changed state of Connection ID 2 to 'Handshake'

14[IMV] IMV 2 "SWID" changed state of Connection ID 2 to 'Handshake'

</pre>

<pre>

14[TNC] received TNCCS batch (311 bytes) for Connection ID 2

14[TNC] PB-TNC state transition from 'Init' to 'Server Working'

14[TNC] processing PB-TNC CDATA batch

14[TNC] processing IETF/PB-Language-Preference message (31 bytes)

14[TNC] processing IETF/PB-PA message (220 bytes)

14[TNC] processing IETF/PB-PA message (52 bytes)

14[TNC] setting language preference to 'en'

</pre>

<pre>

14[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001

14[IMV] IMV 1 "OS" received message for Connection ID 2 from IMC 1

14[IMV] => 196 bytes @ 0x7b0410

14[IMV]    0: 01 00 00 00 7C 05 FC 15 00 00 00 00 00 00 00 02  ....|...........

14[IMV]   16: 00 00 00 17 00 25 72 00 00 44 65 62 69 61 6E 00  .....%r..Debian.

14[IMV]   32: 00 00 00 00 00 00 04 00 00 00 19 0A 37 2E 35 20  ............7.5 

14[IMV]   48: 78 38 36 5F 36 34 00 00 00 00 00 00 00 00 00 03  x86_64..........

14[IMV]   64: 00 00 00 1C 00 00 00 07 00 00 00 05 00 00 00 00  ................

14[IMV]   80: 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 24  ...............$

14[IMV]   96: 03 01 00 00 32 30 31 34 2D 31 30 2D 30 36 54 31  ....2014-10-06T1

14[IMV]  112: 39 3A 33 31 3A 30 30 5A 00 00 00 00 00 00 00 0B  9:31:00Z........

14[IMV]  128: 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 0C  ................

14[IMV]  144: 00 00 00 10 00 00 00 00 00 00 90 2A 00 00 00 08  ...........*....

14[IMV]  160: 00 00 00 2C 30 36 30 64 63 61 36 66 61 35 36 61  ...,060dca6fa56a

14[IMV]  176: 34 33 66 34 61 62 32 32 63 61 34 30 35 33 38 37  43f4ab22ca405387

14[IMV]  192: 32 33 39 65                                      239e

14[TNC] processing PA-TNC message with ID 0x7c05fc15

14[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002

14[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004

14[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003

14[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005

14[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b

14[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c

14[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008

</pre>

h3. Received Standard IETF Operating System Attributes

<pre>

14[IMV] operating system name is 'Debian' from vendor Debian Project

14[IMV] operating system version is '7.5 x86_64'

14[IMV] operating system numeric version is 7.5

14[IMV] operational status: operational, result: successful

14[IMV] last boot: Oct 06 19:31:00 UTC 2014

14[IMV] IPv4 forwarding is disabled

14[IMV] factory default password is disabled

14[IMV] device ID is 060dca6fa56a43f4ab22ca405387239e

</pre>

h3. Received Max Attribute Size Request for IF-M Message Type 'TCG/SWID' 

<pre>

14[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003

14[IMV] IMV 2 "SWID" received message for Connection ID 2 from IMC 2

14[IMV] => 28 bytes @ 0x799eb0

14[IMV]    0: 01 00 00 00 2C FB F1 DF 00 00 55 97 00 00 00 21  ....,.....U....!

14[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 3F A6              ..........?.

14[TNC] processing PA-TNC message with ID 0x2cfbf1df

14[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021

14[IMV] received a segmentation contract from IMC 2 for PA message type 'TCG/SWID' 0x005597/0x00000003

14[IMV]   maximum attribute size of 100000000 bytes with maximum segment size of 16294 bytes

</pre>