Version 36 (Andreas Steffen, 08.10.2014 14:57) → Version 37/40 (Andreas Steffen, 08.10.2014 15:05)
h1. Endpoint Compliance via PT-EAP Protocol
{{>toc}}
h2. Starting the strongSwan Policy Decision Point (PDP)
The strongSwan PDP starts and loads its server certificate and the client credentials
<pre>
00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1, Linux 3.16.1, x86_64)
00[LIB] openssl FIPS mode(0) - disabled
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/aaaKey.pem'
00[CFG] loaded EAP secret for carol
00[CFG] loaded EAP secret for dave
</pre>
Next the OS and SWID IMVs are loaded
<pre>
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[TNC] added IETF attributes
00[TNC] added ITA-HSR attributes
00[TNC] added TCG attributes
00[LIB] libimcv initialized
00[IMV] IMV 1 "OS" initialized
00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMV 1 "OS" loaded from '/usr/local/lib/ipsec/imcvs/imv-os.so'
00[IMV] IMV 2 "SWID" initialized
00[TNC] IMV 2 supports 1 message type: 'TCG/SWID' 0x005597/0x00000003
00[TNC] IMV 2 "SWID" loaded from '/usr/local/lib/ipsec/imcvs/imv-swid.so'
</pre>
The PDP loads all plugins needed to communicate via its EAP-RADIUS and PT-TLS interfaces and spawns 16 worker threads
<pre>
00[IKE] eap method EAP_TTLS selected
00[LIB] loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
00[JOB] spawning 16 worker threads
09[CFG] received stroke: add connection 'aaa'
09[CFG] left nor right host is our side, assuming left=local
09[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" from 'aaaCert.pem'
09[CFG] added configuration 'aaa'
</pre>
h2. PT-EAP Connection by Access Requestor "dave" via EAP-RADIUS
<pre>
04[CFG] received RADIUS Access-Request from client '10.1.0.1'
04[CFG] created RADIUS connection for user 'dave' NAS 'strongSwan'
04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
11[CFG] received RADIUS Access-Request from client '10.1.0.1'
11[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
Set up an EAP-TTLS connection between AR and PDP
<pre>
11[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
11[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
11[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
</pre>
<pre>
11[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
12[CFG] received RADIUS Access-Request from client '10.1.0.1'
12[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
13[CFG] received RADIUS Access-Request from client '10.1.0.1'
13[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
14[CFG] received RADIUS Access-Request from client '10.1.0.1'
14[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
Received EAP-Identity of AR "dave"
<pre>
14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
14[IKE] received EAP identity 'dave'
14[IKE] phase2 method EAP_MD5 selected
14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
</pre>
<pre>
14[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
03[CFG] received RADIUS Access-Request from client '10.1.0.1'
03[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
EAP-MD5 based authentication of AR "dave"
<pre>
03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
03[IKE] EAP_TTLS phase2 authentication of 'dave' with EAP_MD5 successful
03[IKE] phase2 method EAP_PT_EAP selected
03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
03[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
15[CFG] received RADIUS Access-Request from client '10.1.0.1'
15[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
h3. Creating IF-TNCCS 2.0 connection with ID 1
Upon reception of the first PB-TNC client batch, open an IF-TNCCS 2.0 connection
<pre>
15[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
15[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
15[IMV] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes
15[IMV] user AR identity 'dave' authenticated by password
15[IMV] IMV 2 "SWID" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
15[IMV] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes
15[IMV] user AR identity 'dave' authenticated by password
15[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Handshake'
15[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Handshake'
</pre>
<pre>
15[TNC] received TNCCS batch (91 bytes) for Connection ID 1
15[TNC] PB-TNC state transition from 'Init' to 'Server Working'
15[TNC] processing PB-TNC CDATA batch
15[TNC] processing IETF/PB-PA message (52 bytes)
15[TNC] setting language preference to 'en'
</pre>
h3. Received Max Attribute Size Request for IF-M Message Type 'TCG/SWID'
<pre>
15[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
15[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2
15[IMV] => 28 bytes @ 0x7a5490
15[IMV] 0: 01 00 00 00 26 4B C3 0A 00 00 55 97 00 00 00 21 ....&K....U....!
15[IMV] 16: 00 00 00 14 05 F5 E1 00 00 00 7F A6 ............
15[TNC] processing PA-TNC message with ID 0x264bc30a
15[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021
15[IMV] received a segmentation contract from IMC 2 for PA message type 'TCG/SWID' 0x005597/0x00000003
15[IMV] maximum attribute size of 100'000'000 bytes with maximum segment size of 32678 bytes
</pre>
h3. Sending Max Attribute Size Response for IF-M Message Type 'TCG/SWID'
<pre>
15[TNC] creating PA-TNC message with ID 0x45425ec5
15[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022
15[IMV] created PA-TNC message: => 28 bytes @ 0x7a5b00
15[IMV] 0: 01 00 00 00 45 42 5E C5 00 00 55 97 00 00 00 22 ....EB^...U...."
15[IMV] 16: 00 00 00 14 05 F5 E1 00 00 00 7F A6 ............
15[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
</pre>
h3. Sending Max Attribute Size Request for IF-M Message Type 'IETF/Operating System'
<pre>
15[IMV] IMV 1 requests a segmentation contract for PA message type 'IETF/Operating System' 0x000000/0x00000001
15[IMV] maximum attribute size of 100'000'000 bytes with maximum segment size of 65446 bytes
15[TNC] creating PA-TNC message with ID 0x2ae6641f
15[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021
15[TNC] creating PA-TNC attribute type 'IETF/Attribute Request' 0x000000/0x00000001
15[IMV] created PA-TNC message: => 96 bytes @ 0x7a7ff0
15[IMV] 0: 01 00 00 00 2A E6 64 1F 00 00 55 97 00 00 00 21 ....*.d...U....!
15[IMV] 16: 00 00 00 14 05 F5 E1 00 00 00 FF A6 00 00 00 00 ................
15[IMV] 32: 00 00 00 01 00 00 00 44 00 00 00 00 00 00 00 02 .......D........
15[IMV] 48: 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 03 ................
15[IMV] 64: 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 0B ................
15[IMV] 80: 00 00 00 00 00 00 00 0C 00 00 90 2A 00 00 00 08 ...........*....
15[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
</pre>
After appending an Attribute Request for various standard IETF attributes to this PA-TNC message, a first PB-TNC server batch is sent to the TNC client running on the AR
<pre>
15[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
15[TNC] creating PB-TNC SDATA batch
15[TNC] adding TCG/PB-PDP-Referral message
15[TNC] adding IETF/PB-PA message
15[TNC] adding IETF/PB-PA message
15[TNC] sending PB-TNC SDATA batch (222 bytes) for Connection ID 1
15[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
15[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
16[CFG] received RADIUS Access-Request from client '10.1.0.1'
16[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
16[TNC] received TNCCS batch (248 bytes) for Connection ID 1
16[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
16[TNC] processing PB-TNC CDATA batch
16[TNC] processing IETF/PB-PA message (240 bytes)
</pre>
<pre>
16[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
16[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1 to IMV 1
16[IMV] => 216 bytes @ 0x7a45b0
16[IMV] 0: 01 00 00 00 FD DE 12 F4 00 00 55 97 00 00 00 22 ..........U...."
16[IMV] 16: 00 00 00 14 05 F5 E1 00 00 00 7F A6 00 00 00 00 ................
16[IMV] 32: 00 00 00 02 00 00 00 17 00 25 72 00 00 44 65 62 .........%r..Deb
16[IMV] 48: 69 61 6E 00 00 00 00 00 00 00 04 00 00 00 19 0A ian.............
16[IMV] 64: 37 2E 35 20 78 38 36 5F 36 34 00 00 00 00 00 00 7.5 x86_64......
16[IMV] 80: 00 00 00 03 00 00 00 1C 00 00 00 07 00 00 00 05 ................
16[IMV] 96: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 ................
16[IMV] 112: 00 00 00 24 03 01 00 00 32 30 31 34 2D 31 30 2D ...$....2014-10-
16[IMV] 128: 30 36 54 31 39 3A 33 31 3A 30 30 5A 00 00 00 00 06T19:31:00Z....
16[IMV] 144: 00 00 00 0B 00 00 00 10 00 00 00 01 00 00 00 00 ................
16[IMV] 160: 00 00 00 0C 00 00 00 10 00 00 00 00 00 00 90 2A ...............*
16[IMV] 176: 00 00 00 08 00 00 00 2C 61 61 62 62 63 63 64 64 .......,aabbccdd
16[IMV] 192: 65 65 66 66 31 31 32 32 33 33 34 34 35 35 36 36 eeff112233445566
16[IMV] 208: 37 37 38 38 39 39 30 30 77889900
16[TNC] processing PA-TNC message with ID 0xfdde12f4
16[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022
16[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
16[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
16[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
16[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
16[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
16[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
16[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
</pre>
h3. Received Max Attribute Size Response for IF-M Message Type 'IETF/Operating System'
<pre>
16[IMV] received a segmentation contract response for PA message type 'IETF/Operating System' 0x000000/0x00000001
16[IMV] maximum attribute size of 100000000 bytes with maximum segment size of 32678 bytes
</pre>
h3. Received Standard 'IETF/Operating System' Attributes
<pre>
16[IMV] operating system name is 'Debian' from vendor Debian Project
16[IMV] operating system version is '7.5 x86_64'
16[IMV] operating system numeric version is 7.5
16[IMV] operational status: operational, result: successful
16[IMV] last boot: Oct 06 19:31:00 UTC 2014
16[IMV] IPv4 forwarding is enabled
16[IMV] factory default password is disabled
16[IMV] device ID is aabbccddeeff11223344556677889900
</pre>
h3. Assign Session ID 2 to Connection with ID 1 and apply TNC Policy
<pre>
16[IMV] assigned session ID 2 to Connection ID 1
16[IMV] running policy script: 2>&1 ipsec imv_policy_manager start 2
16[IMV] policy: imv_policy_manager start successful
16[IMV] DREFM workitem 1
16[IMV] FWDEN workitem 2
16[IMV] SWIDT workitem 3
</pre>
<pre>
16[IMV] IMV 1 handles FWDEN workitem 2
16[IMV] IMV 1 handled FWDEN workitem 2: isolate - forwarding enabled
16[TNC] creating PA-TNC message with ID 0x3fb2eb38
16[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
16[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
16[IMV] created PA-TNC message: => 117 bytes @ 0x7ab630
16[IMV] 0: 01 00 00 00 3F B2 EB 38 00 00 00 00 00 00 00 09 ....?..8........
16[IMV] 16: 00 00 00 10 00 00 00 02 00 00 00 00 00 00 00 0A ................
16[IMV] 32: 00 00 00 5D 00 00 00 00 00 00 00 02 00 00 00 42 ...]...........B
16[IMV] 48: 49 50 20 50 61 63 6B 65 74 20 46 6F 72 77 61 72 IP Packet Forwar
16[IMV] 64: 64 69 6E 67 0A 20 20 50 6C 65 61 73 65 20 64 69 ding. Please di
16[IMV] 80: 73 61 62 6C 65 20 74 68 65 20 66 6F 72 77 61 72 sable the forwar
16[IMV] 96: 64 69 6E 67 20 6F 66 20 49 50 20 70 61 63 6B 65 ding of IP packe
16[IMV] 112: 74 73 02 65 6E ts.en
16[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
16[TNC] IMV 1 is setting reason string to 'Improper OS settings were detected'
16[TNC] IMV 1 is setting reason language to 'en'
16[TNC] IMV 1 provides recommendation 'isolate' and evaluation 'non-compliant major'
</pre>
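For log review, the identity, device ID, session and verdict lines above can be correlated into one record per non-compliant endpoint. The following Python sketch is an added example, not part of the original page or of strongSwan; the function names are hypothetical, it assumes the log text covers a single TNC session, and it assumes 'allow' is the only recommendation that needs no follow-up.

```python
import re

# Lines copied from the PDP log on this page.
SAMPLE_LOG = """\
15[IMV] user AR identity 'dave' authenticated by password
16[IMV] device ID is aabbccddeeff11223344556677889900
16[IMV] assigned session ID 2 to Connection ID 1
16[IMV] IMV 1 handles FWDEN workitem 2
16[IMV] IMV 1 handled FWDEN workitem 2: isolate - forwarding enabled
16[TNC] IMV 1 is setting reason string to 'Improper OS settings were detected'
16[TNC] IMV 1 provides recommendation 'isolate' and evaluation 'non-compliant major'
"""

PREFIX = re.compile(r"^\d+\[[A-Z]+\]\s+")  # thread number and log group, e.g. 16[IMV]
RULES = [
    ("user", re.compile(r"^user AR identity '([^']*)' authenticated by \w+")),
    ("device", re.compile(r"^device ID is ([0-9a-f]+)$")),
    ("session", re.compile(r"^assigned session ID (\d+) to Connection ID (\d+)$")),
    ("workitem", re.compile(r"^IMV (\d+) handled (\w+) workitem (\d+): (.+?) - (.+)$")),
    ("reason", re.compile(r"^IMV (\d+) is setting reason string to '([^']*)'$")),
    ("verdict", re.compile(
        r"^IMV (\d+) provides recommendation '([^']*)' and evaluation '([^']*)'$")),
]


def summarize(log_text):
    """Collect identity, session and per-IMV results from one session's log."""
    s = {"user": None, "device_id": None, "session_id": None,
         "connection_id": None, "workitems": {}, "reasons": {}, "verdicts": {}}
    for line in log_text.splitlines():
        body = PREFIX.sub("", line.strip())
        for name, rx in RULES:
            m = rx.search(body)
            if not m:
                continue
            g = m.groups()
            if name == "user":
                s["user"] = g[0]
            elif name == "device":
                s["device_id"] = g[0]
            elif name == "session":
                s["session_id"], s["connection_id"] = int(g[0]), int(g[1])
            elif name == "workitem":
                # keep (workitem type, action, detail) per IMV
                s["workitems"].setdefault(int(g[0]), []).append((g[1], g[3], g[4]))
            elif name == "reason":
                s["reasons"][int(g[0])] = g[1]
            else:  # verdict
                s["verdicts"][int(g[0])] = (g[1], g[2])
            break
    return s


def alerts(summary, allowed=("allow",)):
    """One record per IMV whose recommendation is not in `allowed`."""
    out = []
    for imv, (rec, evaluation) in sorted(summary["verdicts"].items()):
        if rec in allowed:
            continue
        out.append({
            "user": summary["user"],
            "device_id": summary["device_id"],
            "session_id": summary["session_id"],
            "imv": imv,
            "recommendation": rec,
            "evaluation": evaluation,
            "reason": summary["reasons"].get(imv),
            "workitems": [w for w in summary["workitems"].get(imv, [])
                          if w[1] not in allowed],
        })
    return out


if __name__ == "__main__":
    for record in alerts(summarize(SAMPLE_LOG)):
        print(record)
```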
h3. Sending Max Attribute Size Request for IF-M Message Type 'TCG/SWID'
<pre>
16[IMV] IMV 2 requests a segmentation contract for PA message type 'TCG/SWID' 0x005597/0x00000003
16[IMV] maximum attribute size of 100000000 bytes with maximum segment size of 65446 bytes
</pre>
h3. Sending SWID Request for a Complete Tag Inventory
<pre>
16[IMV] IMV 2 handles SWIDT workitem 3
16[IMV] IMV 2 issues SWID request 3
</pre>
<pre>
16[TNC] creating PA-TNC message with ID 0x8fc76ae4
16[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021
16[TNC] creating PA-TNC attribute type 'TCG/SWID Request' 0x005597/0x00000011
16[IMV] created PA-TNC message: => 52 bytes @ 0x7eaaa0
16[IMV] 0: 01 00 00 00 8F C7 6A E4 00 00 55 97 00 00 00 21 ......j...U....!
16[IMV] 16: 00 00 00 14 05 F5 E1 00 00 00 FF A6 00 00 55 97 ..............U.
16[IMV] 32: 00 00 00 11 00 00 00 18 00 00 00 00 00 00 00 03 ................
16[IMV] 48: 00 00 00 00 ....
16[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
</pre>
<pre>
16[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
16[TNC] creating PB-TNC SDATA batch
16[TNC] adding IETF/PB-PA message
16[TNC] adding IETF/PB-PA message
16[TNC] sending PB-TNC SDATA batch (225 bytes) for Connection ID 1
16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
16[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
02[CFG] received RADIUS Access-Request from client '10.1.0.1'
02[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
02[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
01[CFG] received RADIUS Access-Request from client '10.1.0.1'
01[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
01[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
... 30 more RADIUS exchanges
14[CFG] received RADIUS Access-Request from client '10.1.0.1'
14[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
14[TNC] received TNCCS batch (32754 bytes) for Connection ID 1
14[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
14[TNC] processing PB-TNC CDATA batch
14[TNC] processing IETF/PB-PA message (32746 bytes)
</pre>
<pre>
14[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
14[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2
14[IMV] => 32722 bytes @ 0x81f620
14[IMV] 0: 01 00 00 00 C6 E7 09 AA 00 00 55 97 00 00 00 22 ..........U...."
14[IMV] 16: 00 00 00 14 05 F5 E1 00 00 00 7F A6 00 00 55 97 ..............U.
14[IMV] 32: 00 00 00 23 00 00 7F B6 C0 00 00 01 00 00 55 97 ...#..........U.
14[IMV] 48: 00 00 00 14 00 01 C4 84 00 00 01 74 00 00 00 03 ...........t....
14[IMV] 64: F1 07 0C 90 00 00 00 01 00 00 00 00 01 35 3C 53 .............5<S
14[IMV] 80: 6F 66 74 77 61 72 65 49 64 65 6E 74 69 74 79 20 oftwareIdentity
14[IMV] 96: 6E 61 6D 65 3D 22 61 63 70 69 2D 73 75 70 70 6F name="acpi-suppo
14[IMV] 112: 72 74 2D 62 61 73 65 22 20 75 6E 69 71 75 65 49 rt-base" uniqueI
14[IMV] 128: 64 3D 22 64 65 62 69 61 6E 5F 37 2E 35 2D 78 38 d="debian_7.5-x8
14[IMV] 144: 36 5F 36 34 2D 61 63 70 69 2D 73 75 70 70 6F 72 6_64-acpi-suppor
14[IMV] 160: 74 2D 62 61 73 65 2D 30 2E 31 34 30 2D 35 22 20 t-base-0.140-5"
14[IMV] 176: 76 65 72 73 69 6F 6E 3D 22 30 2E 31 34 30 2D 35 version="0.140-5
14[IMV] 192: 22 20 76 65 72 73 69 6F 6E 53 63 68 65 6D 65 3D " versionScheme=
14[IMV] 208: 22 61 6C 70 68 61 6E 75 6D 65 72 69 63 22 20 78 "alphanumeric" x
14[IMV] 224: 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 74 61 mlns="http://sta
14[IMV] 240: 6E 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67 2F 69 ndards.iso.org/i
14[IMV] 256: 73 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30 31 34 so/19770/-2/2014
14[IMV] 272: 2F 73 63 68 65 6D 61 2E 78 73 64 22 3E 3C 45 6E /schema.xsd"><En
14[IMV] 288: 74 69 74 79 20 6E 61 6D 65 3D 22 73 74 72 6F 6E tity name="stron
14[IMV] 304: 67 53 77 61 6E 22 20 72 65 67 69 64 3D 22 72 65 gSwan" regid="re
14[IMV] 320: 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E gid.2004-03.org.
14[IMV] 336: 73 74 72 6F 6E 67 73 77 61 6E 22 20 72 6F 6C 65 strongswan" role
14[IMV] 352: 3D 22 74 61 67 63 72 65 61 74 6F 72 22 20 2F 3E ="tagcreator" />
14[IMV] 368: 3C 2F 53 6F 66 74 77 61 72 65 49 64 65 6E 74 69 </SoftwareIdenti
14[IMV] 384: 74 79 3E 00 00 00 00 01 31 3C 53 6F 66 74 77 61 ty>.....1<Softwa
14[IMV] 400: 72 65 49 64 65 6E 74 69 74 79 20 6E 61 6D 65 3D reIdentity name=
14[IMV] 416: 22 61 63 70 69 64 22 20 75 6E 69 71 75 65 49 64 "acpid" uniqueId
...
14[IMV] 32624: 20 2F 3E 3C 2F 53 6F 66 74 77 61 72 65 49 64 65 /></SoftwareIde
14[IMV] 32640: 6E 74 69 74 79 3E 00 00 00 00 01 2F 3C 53 6F 66 ntity>...../<Sof
14[IMV] 32656: 74 77 61 72 65 49 64 65 6E 74 69 74 79 20 6E 61 twareIdentity na
14[IMV] 32672: 6D 65 3D 22 6C 69 62 61 70 72 31 22 20 75 6E 69 me="libapr1" uni
14[IMV] 32688: 71 75 65 49 64 3D 22 64 65 62 69 61 6E 5F 37 2E queId="debian_7.
14[IMV] 32704: 35 2D 78 38 36 5F 36 34 2D 6C 69 62 61 70 72 31 5-x86_64-libapr1
14[IMV] 32720: 2D 31 -1
14[TNC] processing PA-TNC message with ID 0xc6e709aa
14[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022
14[TNC] processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023
</pre>
h3. Received Max Attribute Size Response for IF-M Message Type 'TCG/SWID'
<pre>
14[IMV] received a segmentation contract response for PA message type 'TCG/SWID' 0x005597/0x00000003
14[IMV] maximum attribute size of 100'000'000 bytes with maximum segment size of 32678 bytes
</pre>
h3. Received First Segment of Base Attribute 'TCG/SWID Tag Inventory' with ID 1
<pre>
14[TNC] received first segment for base attribute ID 1 (32678 bytes)
14[TNC] processing PA-TNC attribute type 'TCG/SWID Tag Inventory' 0x005597/0x00000014
14[LIB] 70 bytes insufficient to parse 303 bytes of data
14[IMV] received SWID tag inventory with 106 items for request 3 at eid 1 of epoch 0xf1070c90, 266 items to follow
14[IMV] <SoftwareIdentity name="acpi-support-base" uniqueId="debian_7.5-x86_64-acpi-support-base-0.140-5" version="0.140-5" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
14[IMV] <SoftwareIdentity name="acpid" uniqueId="debian_7.5-x86_64-acpid-1:2.0.16-1+deb7u1" version="1:2.0.16-1+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
... 103 more SWID Tags
14[IMV] <SoftwareIdentity name="libapache2-mod-wsgi" uniqueId="debian_7.5-x86_64-libapache2-mod-wsgi-3.3-4" version="3.3-4" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
</pre>
h3. Sending Next Segment Request for Base Attribute with ID 1
<pre>
14[TNC] creating PA-TNC message with ID 0x636ebdaa
14[TNC] creating PA-TNC attribute type 'TCG/Next Segment Request' 0x005597/0x00000024
14[IMV] created PA-TNC message: => 24 bytes @ 0x7b2e10
14[IMV] 0: 01 00 00 00 63 6E BD AA 00 00 55 97 00 00 00 24 ....cn....U....$
14[IMV] 16: 00 00 00 10 00 00 00 01 ........
14[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
</pre>
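The segmentation exchange shown so far (contract, Attribute Segment Envelope, Next Segment Request) can be checked with a small parser and reassembler that enforces the negotiated limits. This is an added example, not part of the original page or strongSwan's code: function and class names are hypothetical, the field layout and flag values are read off the hex dumps above, header bytes are copied from those dumps, and the segment payload is constructed filler.

```python
import struct

MAX_ATTR_SIZE_REQ, SEG_ENVELOPE, NEXT_SEG_REQ = 0x21, 0x23, 0x24  # TCG (0x005597) types
FLAG_MORE, FLAG_START = 0x80, 0x40  # envelope flags in the dumps: C0 first, 80 next, 00 last
ATTR_HDR = 12                       # flags(1) + vendor ID(3) + type(4) + length(4)

# Bytes copied from the hex dumps on this page.
CONTRACT_MSG = bytes.fromhex(   # 28-byte Max Attribute Size Request from IMC 2
    "01000000264BC30A" "0000559700000021" "00000014" "05F5E100" "00007FA6")
NEXT_SEG_MSG = bytes.fromhex(   # 24-byte Next Segment Request sent by IMV 2
    "01000000636EBDAA" "0000559700000024" "00000010" "00000001")
# Header of the segmented SWID Tag Inventory, taken from the first envelope:
# vendor 0x005597, type 0x14, total length 0x0001C484.
BASE_ATTR_HDR = bytes.fromhex("0000559700000014" "0001C484")


def parse_pa_tnc(msg):
    """Split a PA-TNC message into (message_id, [(vendor, type, value), ...])."""
    if len(msg) < 8 or msg[0] != 1:
        raise ValueError("bad PA-TNC header")
    msg_id = struct.unpack_from(">I", msg, 4)[0]
    attrs, off = [], 8
    while off < len(msg):
        if len(msg) - off < ATTR_HDR:
            raise ValueError("truncated attribute header")
        vendor = int.from_bytes(msg[off + 1:off + 4], "big")
        atype, length = struct.unpack_from(">II", msg, off + 4)
        # The length field covers header plus value and must fit the buffer.
        if length < ATTR_HDR or length > len(msg) - off:
            raise ValueError("attribute length out of bounds")
        attrs.append((vendor, atype, msg[off + ATTR_HDR:off + length]))
        off += length
    return msg_id, attrs


def decode_contract(value):
    """Max Attribute Size Request/Response value -> (max_attr_size, max_seg_size)."""
    if len(value) != 8:
        raise ValueError("contract value must be 8 bytes")
    return struct.unpack(">II", value)


class Reassembler:
    """Rebuilds base attributes from envelope segments under a contract."""

    def __init__(self, max_attr_size, max_seg_size):
        self.max_attr_size, self.max_seg_size = max_attr_size, max_seg_size
        self.partial = {}  # base attribute ID -> (declared length, bytearray)

    def add(self, value):
        """Feed one envelope value; return the complete base attribute or None."""
        if len(value) < 4:
            raise ValueError("short envelope")
        flags, base_id, seg = value[0], int.from_bytes(value[1:4], "big"), value[4:]
        if len(seg) > self.max_seg_size:
            raise ValueError("segment larger than contract allows")
        if flags & FLAG_START:
            if base_id in self.partial or len(seg) < ATTR_HDR:
                raise ValueError("bad first segment")
            declared = struct.unpack_from(">I", seg, 8)[0]
            if declared > self.max_attr_size:
                raise ValueError("declared attribute size exceeds contract")
            self.partial[base_id] = (declared, bytearray())
        elif base_id not in self.partial:
            raise ValueError("segment for unknown base attribute")
        declared, buf = self.partial[base_id]
        buf += seg
        if len(buf) > declared:
            raise ValueError("more data than the base attribute declared")
        if flags & FLAG_MORE:
            return None
        del self.partial[base_id]
        if len(buf) != declared:
            raise ValueError("final segment leaves attribute incomplete")
        return bytes(buf)


def replay_page_exchange():
    """Replay the page's segment sizes; payload after the header is filler."""
    _, attrs = parse_pa_tnc(CONTRACT_MSG)
    max_attr, max_seg = decode_contract(attrs[0][2])
    total = struct.unpack_from(">I", BASE_ATTR_HDR, 8)[0]
    data = BASE_ATTR_HDR + bytes(total - ATTR_HDR)  # constructed, not real SWID tags
    r, out, off, count, seg = Reassembler(max_attr, max_seg), None, 0, 0, b""
    while off < len(data):
        seg = data[off:off + max_seg]
        flags = (FLAG_START if off == 0 else 0) | \
                (FLAG_MORE if off + len(seg) < len(data) else 0)
        out = r.add(bytes([flags, 0, 0, 1]) + seg)  # base attribute ID 1
        off, count = off + len(seg), count + 1
    return max_attr, max_seg, count, len(seg), out == data


if __name__ == "__main__":
    print(replay_page_exchange())
```

The declared length 0x0001C484 is 115844 bytes, which the contract's 32678-byte segment size splits into three full segments and a final one of 17810 bytes, matching the envelope lengths 0x7FB6 and 0x45A2 in the dumps.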
<pre>
14[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
14[TNC] creating PB-TNC SDATA batch
14[TNC] adding IETF/PB-PA message
14[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
14[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
03[CFG] received RADIUS Access-Request from client '10.1.0.1'
03[CFG] ignoring RADIUS Access-Request 0x3f, already processing
15[CFG] received RADIUS Access-Request from client '10.1.0.1'
15[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
15[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
... 31 more RADIUS exchanges
12[CFG] received RADIUS Access-Request from client '10.1.0.1'
12[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
12[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
12[TNC] received TNCCS batch (32734 bytes) for Connection ID 1
12[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
12[TNC] processing PB-TNC CDATA batch
12[TNC] processing IETF/PB-PA message (32726 bytes)
</pre>
<pre>
12[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
12[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2
12[IMV] => 32702 bytes @ 0x80b530
12[IMV] 0: 01 00 00 00 A7 75 C2 64 00 00 55 97 00 00 00 23 .....u.d..U....#
12[IMV] 16: 00 00 7F B6 80 00 00 01 2E 34 2E 36 2D 33 2B 64 .........4.6-3+d
12[IMV] 32: 65 62 37 75 31 22 20 76 65 72 73 69 6F 6E 3D 22 eb7u1" version="
12[IMV] 48: 31 2E 34 2E 36 2D 33 2B 64 65 62 37 75 31 22 20 1.4.6-3+deb7u1"
12[IMV] 64: 76 65 72 73 69 6F 6E 53 63 68 65 6D 65 3D 22 61 versionScheme="a
12[IMV] 80: 6C 70 68 61 6E 75 6D 65 72 69 63 22 20 78 6D 6C lphanumeric" xml
12[IMV] 96: 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 74 61 6E 64 ns="http://stand
12[IMV] 112: 61 72 64 73 2E 69 73 6F 2E 6F 72 67 2F 69 73 6F ards.iso.org/iso
12[IMV] 128: 2F 31 39 37 37 30 2F 2D 32 2F 32 30 31 34 2F 73 /19770/-2/2014/s
12[IMV] 144: 63 68 65 6D 61 2E 78 73 64 22 3E 3C 45 6E 74 69 chema.xsd"><Enti
12[IMV] 160: 74 79 20 6E 61 6D 65 3D 22 73 74 72 6F 6E 67 53 ty name="strongS
12[IMV] 176: 77 61 6E 22 20 72 65 67 69 64 3D 22 72 65 67 69 wan" regid="regi
12[IMV] 192: 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E 73 74 d.2004-03.org.st
12[IMV] 208: 72 6F 6E 67 73 77 61 6E 22 20 72 6F 6C 65 3D 22 rongswan" role="
12[IMV] 224: 74 61 67 63 72 65 61 74 6F 72 22 20 2F 3E 3C 2F tagcreator" /></
12[IMV] 240: 53 6F 66 74 77 61 72 65 49 64 65 6E 74 69 74 79 SoftwareIdentity
12[IMV] 256: 3E 00 00 00 00 01 37 3C 53 6F 66 74 77 61 72 65 >.....7<Software
12[IMV] 272: 49 64 65 6E 74 69 74 79 20 6E 61 6D 65 3D 22 6C Identity name="l
12[IMV] 288: 69 62 61 70 72 31 2D 64 65 76 22 20 75 6E 69 71 ibapr1-dev" uniq
...
12[IMV] 32416: 01 31 3C 53 6F 66 74 77 61 72 65 49 64 65 6E 74 .1<SoftwareIdent
12[IMV] 32432: 69 74 79 20 6E 61 6D 65 3D 22 6C 69 62 6C 6F 67 ity name="liblog
12[IMV] 32448: 34 63 78 78 31 30 22 20 75 6E 69 71 75 65 49 64 4cxx10" uniqueId
12[IMV] 32464: 3D 22 64 65 62 69 61 6E 5F 37 2E 35 2D 78 38 36 ="debian_7.5-x86
12[IMV] 32480: 5F 36 34 2D 6C 69 62 6C 6F 67 34 63 78 78 31 30 _64-liblog4cxx10
12[IMV] 32496: 2D 30 2E 31 30 2E 30 2D 31 2E 32 22 20 76 65 72 -0.10.0-1.2" ver
12[IMV] 32512: 73 69 6F 6E 3D 22 30 2E 31 30 2E 30 2D 31 2E 32 sion="0.10.0-1.2
12[IMV] 32528: 22 20 76 65 72 73 69 6F 6E 53 63 68 65 6D 65 3D " versionScheme=
12[IMV] 32544: 22 61 6C 70 68 61 6E 75 6D 65 72 69 63 22 20 78 "alphanumeric" x
12[IMV] 32560: 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 74 61 mlns="http://sta
12[IMV] 32576: 6E 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67 2F 69 ndards.iso.org/i
12[IMV] 32592: 73 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30 31 34 so/19770/-2/2014
12[IMV] 32608: 2F 73 63 68 65 6D 61 2E 78 73 64 22 3E 3C 45 6E /schema.xsd"><En
12[IMV] 32624: 74 69 74 79 20 6E 61 6D 65 3D 22 73 74 72 6F 6E tity name="stron
12[IMV] 32640: 67 53 77 61 6E 22 20 72 65 67 69 64 3D 22 72 65 gSwan" regid="re
12[IMV] 32656: 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E gid.2004-03.org.
12[IMV] 32672: 73 74 72 6F 6E 67 73 77 61 6E 22 20 72 6F 6C 65 strongswan" role
12[IMV] 32688: 3D 22 74 61 67 63 72 65 61 74 6F 72 22 20 ="tagcreator"
12[TNC] processing PA-TNC message with ID 0xa775c264
12[TNC] processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023
</pre>
h3. Received Next Segment of Base Attribute 'TCG/SWID Tag Inventory' with ID 1
<pre>
12[TNC] received next segment for base attribute ID 1 (32678 bytes)
12[LIB] 284 bytes insufficient to parse 305 bytes of data
12[IMV] received SWID tag inventory with 102 items for request 3 at eid 1 of epoch 0xf1070c90, 164 items to follow
12[IMV] <SoftwareIdentity name="libapr1" uniqueId="debian_7.5-x86_64-libapr1-1.4.6-3+deb7u1" version="1.4.6-3+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
12[IMV] <SoftwareIdentity name="libapr1-dev" uniqueId="debian_7.5-x86_64-libapr1-dev-1.4.6-3+deb7u1" version="1.4.6-3+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
... 99 more SWID Tags
12[IMV] <SoftwareIdentity name="liblocale-gettext-perl" uniqueId="debian_7.5-x86_64-liblocale-gettext-perl-1.05-7+b1" version="1.05-7+b1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
</pre>
h3. Sending Next Segment Request for Base Attribute with ID 1
<pre>
12[TNC] creating PA-TNC message with ID 0x5382f1b3
12[TNC] creating PA-TNC attribute type 'TCG/Next Segment Request' 0x005597/0x00000024
12[IMV] created PA-TNC message: => 24 bytes @ 0x7c6f20
12[IMV] 0: 01 00 00 00 53 82 F1 B3 00 00 55 97 00 00 00 24 ....S.....U....$
12[IMV] 16: 00 00 00 10 00 00 00 01 ........
12[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
</pre>
<pre>
12[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
12[TNC] creating PB-TNC SDATA batch
12[TNC] adding IETF/PB-PA message
12[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
12[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
13[CFG] received RADIUS Access-Request from client '10.1.0.1'
13[CFG] ignoring RADIUS Access-Request 0x60, already processing
03[CFG] received RADIUS Access-Request from client '10.1.0.1'
03[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
03[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
... 31 more RADIUS exchanges
04[CFG] received RADIUS Access-Request from client '10.1.0.1'
04[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
04[TNC] received TNCCS batch (32734 bytes) for Connection ID 1
04[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
04[TNC] processing PB-TNC CDATA batch
04[TNC] processing IETF/PB-PA message (32726 bytes)
</pre>
<pre>
04[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
04[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2
04[IMV] => 32702 bytes @ 0x82b510
04[IMV] 0: 01 00 00 00 08 CC 13 66 00 00 55 97 00 00 00 23 .......f..U....#
04[IMV] 16: 00 00 7F B6 80 00 00 01 2F 3E 3C 2F 53 6F 66 74 ......../></Soft
04[IMV] 32: 77 61 72 65 49 64 65 6E 74 69 74 79 3E 00 00 00 wareIdentity>...
04[IMV] 48: 00 01 39 3C 53 6F 66 74 77 61 72 65 49 64 65 6E ..9<SoftwareIden
04[IMV] 64: 74 69 74 79 20 6E 61 6D 65 3D 22 6C 69 62 6C 6F tity name="liblo
04[IMV] 80: 67 34 63 78 78 31 30 2D 64 65 76 22 20 75 6E 69 g4cxx10-dev" uni
...
04[IMV] 32288: 74 69 74 79 3E 00 00 00 00 01 43 3C 53 6F 66 74 tity>.....C<Soft
04[IMV] 32304: 77 61 72 65 49 64 65 6E 74 69 74 79 20 6E 61 6D wareIdentity nam
04[IMV] 32320: 65 3D 22 6D 75 6C 74 69 61 72 63 68 2D 73 75 70 e="multiarch-sup
04[IMV] 32336: 70 6F 72 74 22 20 75 6E 69 71 75 65 49 64 3D 22 port" uniqueId="
04[IMV] 32352: 64 65 62 69 61 6E 5F 37 2E 35 2D 78 38 36 5F 36 debian_7.5-x86_6
04[IMV] 32368: 34 2D 6D 75 6C 74 69 61 72 63 68 2D 73 75 70 70 4-multiarch-supp
04[IMV] 32384: 6F 72 74 2D 32 2E 31 33 2D 33 38 2B 64 65 62 37 ort-2.13-38+deb7
04[IMV] 32400: 75 31 22 20 76 65 72 73 69 6F 6E 3D 22 32 2E 31 u1" version="2.1
04[IMV] 32416: 33 2D 33 38 2B 64 65 62 37 75 31 22 20 76 65 72 3-38+deb7u1" ver
04[IMV] 32432: 73 69 6F 6E 53 63 68 65 6D 65 3D 22 61 6C 70 68 sionScheme="alph
04[IMV] 32448: 61 6E 75 6D 65 72 69 63 22 20 78 6D 6C 6E 73 3D anumeric" xmlns=
04[IMV] 32464: 22 68 74 74 70 3A 2F 2F 73 74 61 6E 64 61 72 64 "http://standard
04[IMV] 32480: 73 2E 69 73 6F 2E 6F 72 67 2F 69 73 6F 2F 31 39 s.iso.org/iso/19
04[IMV] 32496: 37 37 30 2F 2D 32 2F 32 30 31 34 2F 73 63 68 65 770/-2/2014/sche
04[IMV] 32512: 6D 61 2E 78 73 64 22 3E 3C 45 6E 74 69 74 79 20 ma.xsd"><Entity
04[IMV] 32528: 6E 61 6D 65 3D 22 73 74 72 6F 6E 67 53 77 61 6E name="strongSwan
04[IMV] 32544: 22 20 72 65 67 69 64 3D 22 72 65 67 69 64 2E 32 " regid="regid.2
04[IMV] 32560: 30 30 34 2D 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 004-03.org.stron
04[IMV] 32576: 67 73 77 61 6E 22 20 72 6F 6C 65 3D 22 74 61 67 gswan" role="tag
04[IMV] 32592: 63 72 65 61 74 6F 72 22 20 2F 3E 3C 2F 53 6F 66 creator" /></Sof
04[IMV] 32608: 74 77 61 72 65 49 64 65 6E 74 69 74 79 3E 00 00 twareIdentity>..
04[IMV] 32624: 00 00 01 47 3C 53 6F 66 74 77 61 72 65 49 64 65 ...G<SoftwareIde
04[IMV] 32640: 6E 74 69 74 79 20 6E 61 6D 65 3D 22 6D 79 73 71 ntity name="mysq
04[IMV] 32656: 6C 2D 63 6F 6D 6D 6F 6E 22 20 75 6E 69 71 75 65 l-common" unique
04[IMV] 32672: 49 64 3D 22 64 65 62 69 61 6E 5F 37 2E 35 2D 78 Id="debian_7.5-x
04[IMV] 32688: 38 36 5F 36 34 2D 6D 79 73 71 6C 2D 63 6F 86_64-mysql-co
04[TNC] processing PA-TNC message with ID 0x08cc1366
04[TNC] processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023
</pre>
h3. Received Next Segment of Base Attribute 'TCG/SWID Tag Inventory' with ID 1
<pre>
04[TNC] received next segment for base attribute ID 1 (32678 bytes)
04[LIB] 74 bytes insufficient to parse 327 bytes of data
04[IMV] received SWID tag inventory with 106 items for request 3 at eid 1 of epoch 0xf1070c90, 58 items to follow
04[IMV] <SoftwareIdentity name="liblog4cxx10" uniqueId="debian_7.5-x86_64-liblog4cxx10-0.10.0-1.2" version="0.10.0-1.2" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
04[IMV] <SoftwareIdentity name="liblog4cxx10-dev" uniqueId="debian_7.5-x86_64-liblog4cxx10-dev-0.10.0-1.2" version="0.10.0-1.2" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
... 103 more SWID Tags
04[IMV] <SoftwareIdentity name="multiarch-support" uniqueId="debian_7.5-x86_64-multiarch-support-2.13-38+deb7u1" version="2.13-38+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
</pre>
h3. Sending Next Segment Request for Base Attribute with ID 1
<pre>
04[TNC] creating PA-TNC message with ID 0x76280e6a
04[TNC] creating PA-TNC attribute type 'TCG/Next Segment Request' 0x005597/0x00000024
04[IMV] created PA-TNC message: => 24 bytes @ 0x7a7860
04[IMV] 0: 01 00 00 00 76 28 0E 6A 00 00 55 97 00 00 00 24 ....v(.j..U....$
04[IMV] 16: 00 00 00 10 00 00 00 01 ........
04[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
</pre>
<pre>
04[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
04[TNC] creating PB-TNC SDATA batch
04[TNC] adding IETF/PB-PA message
04[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
04[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
11[CFG] received RADIUS Access-Request from client '10.1.0.1'
11[CFG] ignoring RADIUS Access-Request 0x81, already processing
13[CFG] received RADIUS Access-Request from client '10.1.0.1'
13[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
... 15 more RADIUS exchanges
16[CFG] received RADIUS Access-Request from client '10.1.0.1'
16[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
16[TNC] received TNCCS batch (17866 bytes) for Connection ID 1
16[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
16[TNC] processing PB-TNC CDATA batch
16[TNC] processing IETF/PB-PA message (17858 bytes)
</pre>
<pre>
16[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
16[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2
16[IMV] 0: 01 00 00 00 15 7F 65 95 00 00 55 97 00 00 00 23 ......e...U....#
16[IMV] 16: 00 00 45 A2 00 00 00 01 6D 6D 6F 6E 2D 35 2E 35 ..E.....mmon-5.5
16[IMV] 32: 2E 33 35 2B 64 66 73 67 2D 30 2B 77 68 65 65 7A .35+dfsg-0+wheez
16[IMV] 48: 79 31 22 20 76 65 72 73 69 6F 6E 3D 22 35 2E 35 y1" version="5.5
16[IMV] 64: 2E 33 35 2B 64 66 73 67 2D 30 2B 77 68 65 65 7A .35+dfsg-0+wheez
16[IMV] 80: 79 31 22 20 76 65 72 73 69 6F 6E 53 63 68 65 6D y1" versionSchem
16[IMV] 96: 65 3D 22 61 6C 70 68 61 6E 75 6D 65 72 69 63 22 e="alphanumeric"
16[IMV] 112: 20 78 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 xmlns="http://s
16[IMV] 128: 74 61 6E 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67 tandards.iso.org
16[IMV] 144: 2F 69 73 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30 /iso/19770/-2/20
16[IMV] 160: 31 34 2F 73 63 68 65 6D 61 2E 78 73 64 22 3E 3C 14/schema.xsd"><
16[IMV] 176: 45 6E 74 69 74 79 20 6E 61 6D 65 3D 22 73 74 72 Entity name="str
16[IMV] 192: 6F 6E 67 53 77 61 6E 22 20 72 65 67 69 64 3D 22 ongSwan" regid="
16[IMV] 208: 72 65 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 regid.2004-03.or
16[IMV] 224: 67 2E 73 74 72 6F 6E 67 73 77 61 6E 22 20 72 6F g.strongswan" ro
16[IMV] 240: 6C 65 3D 22 74 61 67 63 72 65 61 74 6F 72 22 20 le="tagcreator"
16[IMV] 256: 2F 3E 3C 2F 53 6F 66 74 77 61 72 65 49 64 65 6E /></SoftwareIden
16[IMV] 272: 74 69 74 79 3E 00 00 00 00 01 21 3C 53 6F 66 74 tity>.....!<Soft
16[IMV] 288: 77 61 72 65 49 64 65 6E 74 69 74 79 20 6E 61 6D wareIdentity nam
16[IMV] 304: 65 3D 22 6E 61 6E 6F 22 20 75 6E 69 71 75 65 49 e="nano" uniqueI
...
16[IMV] 17520: 00 01 37 3C 53 6F 66 74 77 61 72 65 49 64 65 6E ..7<SoftwareIden
16[IMV] 17536: 74 69 74 79 20 6E 61 6D 65 3D 22 7A 6C 69 62 31 tity name="zlib1
16[IMV] 17552: 67 2D 64 65 76 22 20 75 6E 69 71 75 65 49 64 3D g-dev" uniqueId=
16[IMV] 17568: 22 64 65 62 69 61 6E 5F 37 2E 35 2D 78 38 36 5F "debian_7.5-x86_
16[IMV] 17584: 36 34 2D 7A 6C 69 62 31 67 2D 64 65 76 2D 31 3A 64-zlib1g-dev-1:
16[IMV] 17600: 31 2E 32 2E 37 2E 64 66 73 67 2D 31 33 22 20 76 1.2.7.dfsg-13" v
16[IMV] 17616: 65 72 73 69 6F 6E 3D 22 31 3A 31 2E 32 2E 37 2E ersion="1:1.2.7.
16[IMV] 17632: 64 66 73 67 2D 31 33 22 20 76 65 72 73 69 6F 6E dfsg-13" version
16[IMV] 17648: 53 63 68 65 6D 65 3D 22 61 6C 70 68 61 6E 75 6D Scheme="alphanum
16[IMV] 17664: 65 72 69 63 22 20 78 6D 6C 6E 73 3D 22 68 74 74 eric" xmlns="htt
16[IMV] 17680: 70 3A 2F 2F 73 74 61 6E 64 61 72 64 73 2E 69 73 p://standards.is
16[IMV] 17696: 6F 2E 6F 72 67 2F 69 73 6F 2F 31 39 37 37 30 2F o.org/iso/19770/
16[IMV] 17712: 2D 32 2F 32 30 31 34 2F 73 63 68 65 6D 61 2E 78 -2/2014/schema.x
16[IMV] 17728: 73 64 22 3E 3C 45 6E 74 69 74 79 20 6E 61 6D 65 sd"><Entity name
16[IMV] 17744: 3D 22 73 74 72 6F 6E 67 53 77 61 6E 22 20 72 65 ="strongSwan" re
16[IMV] 17760: 67 69 64 3D 22 72 65 67 69 64 2E 32 30 30 34 2D gid="regid.2004-
16[IMV] 17776: 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 61 03.org.strongswa
16[IMV] 17792: 6E 22 20 72 6F 6C 65 3D 22 74 61 67 63 72 65 61 n" role="tagcrea
16[IMV] 17808: 74 6F 72 22 20 2F 3E 3C 2F 53 6F 66 74 77 61 72 tor" /></Softwar
16[IMV] 17824: 65 49 64 65 6E 74 69 74 79 3E eIdentity>
16[TNC] processing PA-TNC message with ID 0x157f6595
16[TNC] processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023
</pre>
h3. Received Last Segment of Base Attribute 'TCG/SWID Tag Inventory' with ID 1
<pre>
16[TNC] received last segment for base attribute ID 1 (17810 bytes)
16[IMV] received SWID tag inventory with 58 items for request 3 at eid 1 of epoch 0xf1070c90, 0 items to follow
16[IMV] <SoftwareIdentity name="mysql-common" uniqueId="debian_7.5-x86_64-mysql-common-5.5.35+dfsg-0+wheezy1" version="5.5.35+dfsg-0+wheezy1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
16[IMV] <SoftwareIdentity name="nano" uniqueId="debian_7.5-x86_64-nano-2.2.6-1+b1" version="2.2.6-1+b1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
... 55 more SWID Tags
16[IMV] <SoftwareIdentity name="zlib1g-dev" uniqueId="debian_7.5-x86_64-zlib1g-dev-1:1.2.7.dfsg-13" version="1:1.2.7.dfsg-13" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
</pre>
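Added example (not strongSwan code and not part of the original page): a Python decoder for the PA-TNC framing and the segmentation steps traced in this log (size contract, Segment Envelope, Next Segment Request), with the bounds checks a receiver needs before it buffers segments. The two short messages are copied from this page's dumps; the envelope flag bits and field layouts are assumptions read off those dumps, and the reassembled attribute, the 48-byte segment size and all function names are constructed for the example.

```python
import struct

TCG = 0x005597                      # vendor ID, printed in the log as 0x005597
FLAG_MORE, FLAG_START = 0x80, 0x40  # assumption read off the dumps: C0 / 80 / 00

# Complete messages copied from the page's dumps.
MAX_SIZE_REQ_MSG = bytes.fromhex(
    "01000000264BC30A" "0000559700000021" "00000014" "05F5E100" "00007FA6")
NEXT_SEG_REQ_MSG = bytes.fromhex(
    "0100000076280E6A" "0000559700000024" "00000010" "00000001")


def parse_pa_tnc(msg):
    """Split one PA-TNC message into (message_id, [(vendor, type, value), ...])."""
    if len(msg) < 8 or msg[0] != 1:
        raise ValueError("not a PA-TNC version 1 message")
    msg_id = struct.unpack_from(">I", msg, 4)[0]
    attrs, off = [], 8
    while off < len(msg):
        if len(msg) - off < 12:
            raise ValueError("truncated attribute header")
        flags_vendor, atype, length = struct.unpack_from(">III", msg, off)
        if length < 12 or off + length > len(msg):
            raise ValueError("attribute length runs past the message")
        attrs.append((flags_vendor & 0xFFFFFF, atype, msg[off + 12:off + length]))
        off += length
    return msg_id, attrs


def decode_contract(value):
    """Max Attribute Size Request/Response value -> (max_attr_size, max_seg_size)."""
    if len(value) != 8:
        raise ValueError("contract value must be 8 bytes")
    return struct.unpack(">II", value)


class Reassembler:
    """Rebuilds a base attribute from Segment Envelope values under a contract."""

    def __init__(self, max_attr_size, max_seg_size):
        self.max_attr_size, self.max_seg_size = max_attr_size, max_seg_size
        self.pending = {}           # base attribute ID -> bytearray

    def add(self, value):
        """Return (base_id, None) while segments follow, else (base_id, attribute)."""
        if len(value) < 4:
            raise ValueError("envelope too short")
        flags, base_id, seg = value[0], int.from_bytes(value[1:4], "big"), value[4:]
        if len(seg) > self.max_seg_size:
            raise ValueError("segment exceeds contracted segment size")
        if flags & FLAG_START:
            if base_id in self.pending:
                raise ValueError("second first-segment for a pending base attribute")
            self.pending[base_id] = bytearray()
        elif base_id not in self.pending:
            raise ValueError("segment for unknown base attribute ID")
        buf = self.pending[base_id]
        if len(buf) + len(seg) > self.max_attr_size:
            del self.pending[base_id]
            raise ValueError("reassembled attribute exceeds contracted size")
        buf += seg
        if flags & FLAG_MORE:
            return base_id, None
        attr = bytes(self.pending.pop(base_id))
        # The first segment starts with the base attribute's own 12-byte header; on
        # this page it declares 0x0001C484 = 115844 bytes (= 3 * 32678 + 17810).
        if len(attr) < 12 or struct.unpack_from(">I", attr, 8)[0] != len(attr):
            raise ValueError("declared base attribute length does not match segments")
        return base_id, attr


def run_example():
    _, [(_, _, value)] = parse_pa_tnc(MAX_SIZE_REQ_MSG)
    msg_id, [(vendor, atype, nsr)] = parse_pa_tnc(NEXT_SEG_REQ_MSG)
    # Constructed base attribute (header + payload), cut into 48-byte segments.
    payload = b'<SoftwareIdentity name="example" />' * 3
    base = struct.pack(">III", TCG, 0x14, 12 + len(payload)) + payload
    chunks = [base[i:i + 48] for i in range(0, len(base), 48)]
    reasm, results = Reassembler(max_attr_size=4096, max_seg_size=48), []
    for n, chunk in enumerate(chunks):
        more = FLAG_MORE if n < len(chunks) - 1 else 0
        flags = (FLAG_START if n == 0 else 0) | more
        results.append(reasm.add(bytes([flags, 0, 0, 1]) + chunk)[1])
    return {"contract": decode_contract(value), "message_id": msg_id,
            "attr": (vendor, atype),
            "next_segment_for": int.from_bytes(nsr[1:4], "big"),
            "partial": results[:-1], "reassembled": results[-1] == base}


if __name__ == "__main__":
    print(run_example())
```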
<pre>
16[IMV] IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and 372 SWID tags
16[TNC] creating PA-TNC message with ID 0x39b02ad7
16[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
16[IMV] created PA-TNC message: => 24 bytes @ 0x7a7600
16[IMV] 0: 01 00 00 00 39 B0 2A D7 00 00 00 00 00 00 00 09 ....9.*.........
16[IMV] 16: 00 00 00 10 00 00 00 00 ........
16[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
16[TNC] IMV 2 provides recommendation 'allow' and evaluation 'compliant'
16[IMV] running policy script: 2>&1 ipsec imv_policy_manager stop 2
16[IMV] policy: imv_policy_manager stop successful
16[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Isolated'
16[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Isolated'
</pre>
<pre>
16[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
16[TNC] creating PB-TNC RESULT batch
16[TNC] adding IETF/PB-PA message
16[TNC] adding IETF/PB-Assessment-Result message
16[TNC] adding IETF/PB-Access-Recommendation message
16[TNC] adding IETF/PB-Reason-String message
16[TNC] sending PB-TNC RESULT batch (141 bytes) for Connection ID 1
16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
16[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
02[CFG] received RADIUS Access-Request from client '10.1.0.1'
02[CFG] ignoring RADIUS Access-Request 0x93, already processing
01[CFG] received RADIUS Access-Request from client '10.1.0.1'
01[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
01[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
01[TNC] received TNCCS batch (8 bytes) for Connection ID 1
01[TNC] PB-TNC state transition from 'Decided' to 'End'
01[TNC] processing PB-TNC CLOSE batch
01[TNC] final recommendation is 'isolate' and evaluation is 'non-compliant major'
01[TNC] policy enforced on peer 'dave' is 'isolate'
01[TNC] policy enforcement point added group membership 'isolate'
01[IKE] EAP_TTLS phase2 authentication of 'dave' with EAP_PT_EAP successful
01[IMV] IMV 1 "OS" deleted the state of Connection ID 1
01[IMV] IMV 2 "SWID" deleted the state of Connection ID 1
01[TNC] removed TNCCS Connection ID 1
01[TLS] sending TLS close notify
</pre>
<pre>
01[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
10[CFG] received RADIUS Access-Request from client '10.1.0.1'
10[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
10[CFG] sending RADIUS Access-Accept to client '10.1.0.1'
10[CFG] removed RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
h2. PT-EAP Connection by Access Requestor "carol" via EAP-RADIUS
Set up an EAP-TTLS connection between AR and PDP
<pre>
09[CFG] received RADIUS Access-Request from client '10.1.0.1'
09[CFG] created RADIUS connection for user 'carol' NAS 'strongSwan'
09[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
11[CFG] received RADIUS Access-Request from client '10.1.0.1'
11[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'
11[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
11[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
11[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
</pre>
<pre>
11[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
04[CFG] received RADIUS Access-Request from client '10.1.0.1'
04[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'
04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
13[CFG] received RADIUS Access-Request from client '10.1.0.1'
13[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'
13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
12[CFG] received RADIUS Access-Request from client '10.1.0.1'
12[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'
</pre>
Received EAP-Identity of AR "carol"
<pre>
12[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
12[IKE] received EAP identity 'carol'
12[IKE] phase2 method EAP_MD5 selected
12[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
</pre>
<pre>
12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
03[CFG] received RADIUS Access-Request from client '10.1.0.1'
03[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'
</pre>
EAP-MD5 based authentication of AR "carol"
<pre>
03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
03[IKE] EAP_TTLS phase2 authentication of 'carol' with EAP_MD5 successful
03[IKE] phase2
</pre>
h2. Starting the strongSwan Policy Decision Point (PDP)
The strongSwan PDP starts and loads its server certificate and the client credentials
<pre>
00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1, Linux 3.16.1, x86_64)
00[LIB] openssl FIPS mode(0) - disabled
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/aaaKey.pem'
00[CFG] loaded EAP secret for carol
00[CFG] loaded EAP secret for dave
</pre>
Next the OS and SWID IMVs are loaded
<pre>
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[TNC] added IETF attributes
00[TNC] added ITA-HSR attributes
00[TNC] added TCG attributes
00[LIB] libimcv initialized
00[IMV] IMV 1 "OS" initialized
00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMV 1 "OS" loaded from '/usr/local/lib/ipsec/imcvs/imv-os.so'
00[IMV] IMV 2 "SWID" initialized
00[TNC] IMV 2 supports 1 message type: 'TCG/SWID' 0x005597/0x00000003
00[TNC] IMV 2 "SWID" loaded from '/usr/local/lib/ipsec/imcvs/imv-swid.so'
</pre>
The PDP loads all plugins needed to communicate via its EAP-RADIUS and PT-TLS interfaces and spawns 16 worker threads
<pre>
00[IKE] eap method EAP_TTLS selected
00[LIB] loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
00[JOB] spawning 16 worker threads
09[CFG] received stroke: add connection 'aaa'
09[CFG] left nor right host is our side, assuming left=local
09[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" from 'aaaCert.pem'
09[CFG] added configuration 'aaa'
</pre>
h2. PT-EAP Connection by Access Requestor "dave" via EAP-RADIUS
<pre>
04[CFG] received RADIUS Access-Request from client '10.1.0.1'
04[CFG] created RADIUS connection for user 'dave' NAS 'strongSwan'
04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
11[CFG] received RADIUS Access-Request from client '10.1.0.1'
11[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
Set up an EAP-TTLS connection between AR and PDP
<pre>
11[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
11[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
11[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
</pre>
<pre>
11[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
12[CFG] received RADIUS Access-Request from client '10.1.0.1'
12[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
13[CFG] received RADIUS Access-Request from client '10.1.0.1'
13[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
14[CFG] received RADIUS Access-Request from client '10.1.0.1'
14[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
Received EAP-Identity of AR "dave"
<pre>
14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
14[IKE] received EAP identity 'dave'
14[IKE] phase2 method EAP_MD5 selected
14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
</pre>
<pre>
14[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
03[CFG] received RADIUS Access-Request from client '10.1.0.1'
03[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
EAP-MD5 based authentication of AR "dave"
<pre>
03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
03[IKE] EAP_TTLS phase2 authentication of 'dave' with EAP_MD5 successful
03[IKE] phase2 method EAP_PT_EAP selected
03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
03[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
15[CFG] received RADIUS Access-Request from client '10.1.0.1'
15[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
h3. Creating IF-TNCCS 2.0 connection with ID 1
Upon reception of the first PB-TNC client batch, open an IF-TNCCS 2.0 connection
<pre>
15[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
15[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
15[IMV] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes
15[IMV] user AR identity 'dave' authenticated by password
15[IMV] IMV 2 "SWID" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
15[IMV] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes
15[IMV] user AR identity 'dave' authenticated by password
15[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Handshake'
15[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Handshake'
</pre>
<pre>
15[TNC] received TNCCS batch (91 bytes) for Connection ID 1
15[TNC] PB-TNC state transition from 'Init' to 'Server Working'
15[TNC] processing PB-TNC CDATA batch
15[TNC] processing IETF/PB-PA message (52 bytes)
15[TNC] setting language preference to 'en'
</pre>
h3. Received Max Attribute Size Request for IF-M Message Type 'TCG/SWID'
<pre>
15[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
15[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2
15[IMV] => 28 bytes @ 0x7a5490
15[IMV] 0: 01 00 00 00 26 4B C3 0A 00 00 55 97 00 00 00 21 ....&K....U....!
15[IMV] 16: 00 00 00 14 05 F5 E1 00 00 00 7F A6 ............
15[TNC] processing PA-TNC message with ID 0x264bc30a
15[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021
15[IMV] received a segmentation contract from IMC 2 for PA message type 'TCG/SWID' 0x005597/0x00000003
15[IMV] maximum attribute size of 100'000'000 bytes with maximum segment size of 32678 bytes
</pre>
h3. Sending Max Attribute Size Response for IF-M Message Type 'TCG/SWID'
<pre>
15[TNC] creating PA-TNC message with ID 0x45425ec5
15[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022
15[IMV] created PA-TNC message: => 28 bytes @ 0x7a5b00
15[IMV] 0: 01 00 00 00 45 42 5E C5 00 00 55 97 00 00 00 22 ....EB^...U...."
15[IMV] 16: 00 00 00 14 05 F5 E1 00 00 00 7F A6 ............
15[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
</pre>
h3. Sending Max Attribute Size Request for IF-M Message Type 'IETF/Operating System'
<pre>
15[IMV] IMV 1 requests a segmentation contract for PA message type 'IETF/Operating System' 0x000000/0x00000001
15[IMV] maximum attribute size of 100'000'000 bytes with maximum segment size of 65446 bytes
15[TNC] creating PA-TNC message with ID 0x2ae6641f
15[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021
15[TNC] creating PA-TNC attribute type 'IETF/Attribute Request' 0x000000/0x00000001
15[IMV] created PA-TNC message: => 96 bytes @ 0x7a7ff0
15[IMV] 0: 01 00 00 00 2A E6 64 1F 00 00 55 97 00 00 00 21 ....*.d...U....!
15[IMV] 16: 00 00 00 14 05 F5 E1 00 00 00 FF A6 00 00 00 00 ................
15[IMV] 32: 00 00 00 01 00 00 00 44 00 00 00 00 00 00 00 02 .......D........
15[IMV] 48: 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 03 ................
15[IMV] 64: 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 0B ................
15[IMV] 80: 00 00 00 00 00 00 00 0C 00 00 90 2A 00 00 00 08 ...........*....
15[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
</pre>
After appending an Attribute Request for various standard IETF attributes to this PA-TNC message, a first PB-TNC server batch is sent to the TNC client running on the AR
<pre>
15[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
15[TNC] creating PB-TNC SDATA batch
15[TNC] adding TCG/PB-PDP-Referral message
15[TNC] adding IETF/PB-PA message
15[TNC] adding IETF/PB-PA message
15[TNC] sending PB-TNC SDATA batch (222 bytes) for Connection ID 1
15[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
15[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
16[CFG] received RADIUS Access-Request from client '10.1.0.1'
16[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
16[TNC] received TNCCS batch (248 bytes) for Connection ID 1
16[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
16[TNC] processing PB-TNC CDATA batch
16[TNC] processing IETF/PB-PA message (240 bytes)
</pre>
<pre>
16[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
16[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1 to IMV 1
16[IMV] => 216 bytes @ 0x7a45b0
16[IMV] 0: 01 00 00 00 FD DE 12 F4 00 00 55 97 00 00 00 22 ..........U...."
16[IMV] 16: 00 00 00 14 05 F5 E1 00 00 00 7F A6 00 00 00 00 ................
16[IMV] 32: 00 00 00 02 00 00 00 17 00 25 72 00 00 44 65 62 .........%r..Deb
16[IMV] 48: 69 61 6E 00 00 00 00 00 00 00 04 00 00 00 19 0A ian.............
16[IMV] 64: 37 2E 35 20 78 38 36 5F 36 34 00 00 00 00 00 00 7.5 x86_64......
16[IMV] 80: 00 00 00 03 00 00 00 1C 00 00 00 07 00 00 00 05 ................
16[IMV] 96: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 ................
16[IMV] 112: 00 00 00 24 03 01 00 00 32 30 31 34 2D 31 30 2D ...$....2014-10-
16[IMV] 128: 30 36 54 31 39 3A 33 31 3A 30 30 5A 00 00 00 00 06T19:31:00Z....
16[IMV] 144: 00 00 00 0B 00 00 00 10 00 00 00 01 00 00 00 00 ................
16[IMV] 160: 00 00 00 0C 00 00 00 10 00 00 00 00 00 00 90 2A ...............*
16[IMV] 176: 00 00 00 08 00 00 00 2C 61 61 62 62 63 63 64 64 .......,aabbccdd
16[IMV] 192: 65 65 66 66 31 31 32 32 33 33 34 34 35 35 36 36 eeff112233445566
16[IMV] 208: 37 37 38 38 39 39 30 30 77889900
16[TNC] processing PA-TNC message with ID 0xfdde12f4
16[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022
16[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
16[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
16[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
16[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
16[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
16[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
16[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
</pre>
h3. Received Max Attribute Size Response for IF-M Message Type 'IETF/Operating System'
<pre>
16[IMV] received a segmentation contract response for PA message type 'IETF/Operating System' 0x000000/0x00000001
16[IMV] maximum attribute size of 100000000 bytes with maximum segment size of 32678 bytes
</pre>
h3. Received Standard 'IETF/Operating System' Attributes
<pre>
16[IMV] operating system name is 'Debian' from vendor Debian Project
16[IMV] operating system version is '7.5 x86_64'
16[IMV] operating system numeric version is 7.5
16[IMV] operational status: operational, result: successful
16[IMV] last boot: Oct 06 19:31:00 UTC 2014
16[IMV] IPv4 forwarding is enabled
16[IMV] factory default password is disabled
16[IMV] device ID is aabbccddeeff11223344556677889900
</pre>
h3. Assign Session ID 2 to Connection with ID 1 and apply TNC Policy
<pre>
16[IMV] assigned session ID 2 to Connection ID 1
16[IMV] running policy script: 2>&1 ipsec imv_policy_manager start 2
16[IMV] policy: imv_policy_manager start successful
16[IMV] DREFM workitem 1
16[IMV] FWDEN workitem 2
16[IMV] SWIDT workitem 3
</pre>
<pre>
16[IMV] IMV 1 handles FWDEN workitem 2
16[IMV] IMV 1 handled FWDEN workitem 2: isolate - forwarding enabled
16[TNC] creating PA-TNC message with ID 0x3fb2eb38
16[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
16[TNC] creating PA-TNC attribute type 'IETF/Remediation Instructions' 0x000000/0x0000000a
16[IMV] created PA-TNC message: => 117 bytes @ 0x7ab630
16[IMV] 0: 01 00 00 00 3F B2 EB 38 00 00 00 00 00 00 00 09 ....?..8........
16[IMV] 16: 00 00 00 10 00 00 00 02 00 00 00 00 00 00 00 0A ................
16[IMV] 32: 00 00 00 5D 00 00 00 00 00 00 00 02 00 00 00 42 ...]...........B
16[IMV] 48: 49 50 20 50 61 63 6B 65 74 20 46 6F 72 77 61 72 IP Packet Forwar
16[IMV] 64: 64 69 6E 67 0A 20 20 50 6C 65 61 73 65 20 64 69 ding. Please di
16[IMV] 80: 73 61 62 6C 65 20 74 68 65 20 66 6F 72 77 61 72 sable the forwar
16[IMV] 96: 64 69 6E 67 20 6F 66 20 49 50 20 70 61 63 6B 65 ding of IP packe
16[IMV] 112: 74 73 02 65 6E ts.en
16[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
16[TNC] IMV 1 is setting reason string to 'Improper OS settings were detected'
16[TNC] IMV 1 is setting reason language to 'en'
16[TNC] IMV 1 provides recommendation 'isolate' and evaluation 'non-compliant major'
</pre>
h3. Sending Max Attribute Size Request for IF-M Message Type 'TCG/SWID'
<pre>
16[IMV] IMV 2 requests a segmentation contract for PA message type 'TCG/SWID' 0x005597/0x00000003
16[IMV] maximum attribute size of 100000000 bytes with maximum segment size of 65446 bytes
</pre>
h3. Sending SWID Request for a Complete Tag Inventory
<pre>
16[IMV] IMV 2 handles SWIDT workitem 3
16[IMV] IMV 2 issues SWID request 3
</pre>
<pre>
16[TNC] creating PA-TNC message with ID 0x8fc76ae4
16[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021
16[TNC] creating PA-TNC attribute type 'TCG/SWID Request' 0x005597/0x00000011
16[IMV] created PA-TNC message: => 52 bytes @ 0x7eaaa0
16[IMV] 0: 01 00 00 00 8F C7 6A E4 00 00 55 97 00 00 00 21 ......j...U....!
16[IMV] 16: 00 00 00 14 05 F5 E1 00 00 00 FF A6 00 00 55 97 ..............U.
16[IMV] 32: 00 00 00 11 00 00 00 18 00 00 00 00 00 00 00 03 ................
16[IMV] 48: 00 00 00 00 ....
16[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
</pre>
<pre>
16[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
16[TNC] creating PB-TNC SDATA batch
16[TNC] adding IETF/PB-PA message
16[TNC] adding IETF/PB-PA message
16[TNC] sending PB-TNC SDATA batch (225 bytes) for Connection ID 1
16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
16[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
02[CFG] received RADIUS Access-Request from client '10.1.0.1'
02[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
02[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
01[CFG] received RADIUS Access-Request from client '10.1.0.1'
01[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
01[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
... 30 more RADIUS exchanges
14[CFG] received RADIUS Access-Request from client '10.1.0.1'
14[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
14[TNC] received TNCCS batch (32754 bytes) for Connection ID 1
14[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
14[TNC] processing PB-TNC CDATA batch
14[TNC] processing IETF/PB-PA message (32746 bytes)
</pre>
<pre>
14[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
14[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2
14[IMV] => 32722 bytes @ 0x81f620
14[IMV] 0: 01 00 00 00 C6 E7 09 AA 00 00 55 97 00 00 00 22 ..........U...."
14[IMV] 16: 00 00 00 14 05 F5 E1 00 00 00 7F A6 00 00 55 97 ..............U.
14[IMV] 32: 00 00 00 23 00 00 7F B6 C0 00 00 01 00 00 55 97 ...#..........U.
14[IMV] 48: 00 00 00 14 00 01 C4 84 00 00 01 74 00 00 00 03 ...........t....
14[IMV] 64: F1 07 0C 90 00 00 00 01 00 00 00 00 01 35 3C 53 .............5<S
14[IMV] 80: 6F 66 74 77 61 72 65 49 64 65 6E 74 69 74 79 20 oftwareIdentity
14[IMV] 96: 6E 61 6D 65 3D 22 61 63 70 69 2D 73 75 70 70 6F name="acpi-suppo
14[IMV] 112: 72 74 2D 62 61 73 65 22 20 75 6E 69 71 75 65 49 rt-base" uniqueI
14[IMV] 128: 64 3D 22 64 65 62 69 61 6E 5F 37 2E 35 2D 78 38 d="debian_7.5-x8
14[IMV] 144: 36 5F 36 34 2D 61 63 70 69 2D 73 75 70 70 6F 72 6_64-acpi-suppor
14[IMV] 160: 74 2D 62 61 73 65 2D 30 2E 31 34 30 2D 35 22 20 t-base-0.140-5"
14[IMV] 176: 76 65 72 73 69 6F 6E 3D 22 30 2E 31 34 30 2D 35 version="0.140-5
14[IMV] 192: 22 20 76 65 72 73 69 6F 6E 53 63 68 65 6D 65 3D " versionScheme=
14[IMV] 208: 22 61 6C 70 68 61 6E 75 6D 65 72 69 63 22 20 78 "alphanumeric" x
14[IMV] 224: 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 74 61 mlns="http://sta
14[IMV] 240: 6E 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67 2F 69 ndards.iso.org/i
14[IMV] 256: 73 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30 31 34 so/19770/-2/2014
14[IMV] 272: 2F 73 63 68 65 6D 61 2E 78 73 64 22 3E 3C 45 6E /schema.xsd"><En
14[IMV] 288: 74 69 74 79 20 6E 61 6D 65 3D 22 73 74 72 6F 6E tity name="stron
14[IMV] 304: 67 53 77 61 6E 22 20 72 65 67 69 64 3D 22 72 65 gSwan" regid="re
14[IMV] 320: 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E gid.2004-03.org.
14[IMV] 336: 73 74 72 6F 6E 67 73 77 61 6E 22 20 72 6F 6C 65 strongswan" role
14[IMV] 352: 3D 22 74 61 67 63 72 65 61 74 6F 72 22 20 2F 3E ="tagcreator" />
14[IMV] 368: 3C 2F 53 6F 66 74 77 61 72 65 49 64 65 6E 74 69 </SoftwareIdenti
14[IMV] 384: 74 79 3E 00 00 00 00 01 31 3C 53 6F 66 74 77 61 ty>.....1<Softwa
14[IMV] 400: 72 65 49 64 65 6E 74 69 74 79 20 6E 61 6D 65 3D reIdentity name=
14[IMV] 416: 22 61 63 70 69 64 22 20 75 6E 69 71 75 65 49 64 "acpid" uniqueId
...
14[IMV] 32624: 20 2F 3E 3C 2F 53 6F 66 74 77 61 72 65 49 64 65 /></SoftwareIde
14[IMV] 32640: 6E 74 69 74 79 3E 00 00 00 00 01 2F 3C 53 6F 66 ntity>...../<Sof
14[IMV] 32656: 74 77 61 72 65 49 64 65 6E 74 69 74 79 20 6E 61 twareIdentity na
14[IMV] 32672: 6D 65 3D 22 6C 69 62 61 70 72 31 22 20 75 6E 69 me="libapr1" uni
14[IMV] 32688: 71 75 65 49 64 3D 22 64 65 62 69 61 6E 5F 37 2E queId="debian_7.
14[IMV] 32704: 35 2D 78 38 36 5F 36 34 2D 6C 69 62 61 70 72 31 5-x86_64-libapr1
14[IMV] 32720: 2D 31 -1
14[TNC] processing PA-TNC message with ID 0xc6e709aa
14[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022
14[TNC] processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023
</pre>
h3. Received Max Attribute Size Response for IF-M Message Type 'TCG/SWID'
<pre>
14[IMV] received a segmentation contract response for PA message type 'TCG/SWID' 0x005597/0x00000003
14[IMV] maximum attribute size of 100'000'000 bytes with maximum segment size of 32678 bytes
</pre>
h3. Received First Segment of Base Attribute 'TCG/SWID Tag Inventory' with ID 1
<pre>
14[TNC] received first segment for base attribute ID 1 (32678 bytes)
14[TNC] processing PA-TNC attribute type 'TCG/SWID Tag Inventory' 0x005597/0x00000014
14[LIB] 70 bytes insufficient to parse 303 bytes of data
14[IMV] received SWID tag inventory with 106 items for request 3 at eid 1 of epoch 0xf1070c90, 266 items to follow
14[IMV] <SoftwareIdentity name="acpi-support-base" uniqueId="debian_7.5-x86_64-acpi-support-base-0.140-5" version="0.140-5" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
14[IMV] <SoftwareIdentity name="acpid" uniqueId="debian_7.5-x86_64-acpid-1:2.0.16-1+deb7u1" version="1:2.0.16-1+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
... 103 more SWID Tags
14[IMV] <SoftwareIdentity name="libapache2-mod-wsgi" uniqueId="debian_7.5-x86_64-libapache2-mod-wsgi-3.3-4" version="3.3-4" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
</pre>
h3. Sending Next Segment Request for Base Attribute with ID 1
<pre>
14[TNC] creating PA-TNC message with ID 0x636ebdaa
14[TNC] creating PA-TNC attribute type 'TCG/Next Segment Request' 0x005597/0x00000024
14[IMV] created PA-TNC message: => 24 bytes @ 0x7b2e10
14[IMV] 0: 01 00 00 00 63 6E BD AA 00 00 55 97 00 00 00 24 ....cn....U....$
14[IMV] 16: 00 00 00 10 00 00 00 01 ........
14[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
</pre>
<pre>
14[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
14[TNC] creating PB-TNC SDATA batch
14[TNC] adding IETF/PB-PA message
14[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
14[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
03[CFG] received RADIUS Access-Request from client '10.1.0.1'
03[CFG] ignoring RADIUS Access-Request 0x3f, already processing
15[CFG] received RADIUS Access-Request from client '10.1.0.1'
15[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
15[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
... 31 more RADIUS exchanges
12[CFG] received RADIUS Access-Request from client '10.1.0.1'
12[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
12[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
12[TNC] received TNCCS batch (32734 bytes) for Connection ID 1
12[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
12[TNC] processing PB-TNC CDATA batch
12[TNC] processing IETF/PB-PA message (32726 bytes)
</pre>
<pre>
12[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
12[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2
12[IMV] => 32702 bytes @ 0x80b530
12[IMV] 0: 01 00 00 00 A7 75 C2 64 00 00 55 97 00 00 00 23 .....u.d..U....#
12[IMV] 16: 00 00 7F B6 80 00 00 01 2E 34 2E 36 2D 33 2B 64 .........4.6-3+d
12[IMV] 32: 65 62 37 75 31 22 20 76 65 72 73 69 6F 6E 3D 22 eb7u1" version="
12[IMV] 48: 31 2E 34 2E 36 2D 33 2B 64 65 62 37 75 31 22 20 1.4.6-3+deb7u1"
12[IMV] 64: 76 65 72 73 69 6F 6E 53 63 68 65 6D 65 3D 22 61 versionScheme="a
12[IMV] 80: 6C 70 68 61 6E 75 6D 65 72 69 63 22 20 78 6D 6C lphanumeric" xml
12[IMV] 96: 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 74 61 6E 64 ns="http://stand
12[IMV] 112: 61 72 64 73 2E 69 73 6F 2E 6F 72 67 2F 69 73 6F ards.iso.org/iso
12[IMV] 128: 2F 31 39 37 37 30 2F 2D 32 2F 32 30 31 34 2F 73 /19770/-2/2014/s
12[IMV] 144: 63 68 65 6D 61 2E 78 73 64 22 3E 3C 45 6E 74 69 chema.xsd"><Enti
12[IMV] 160: 74 79 20 6E 61 6D 65 3D 22 73 74 72 6F 6E 67 53 ty name="strongS
12[IMV] 176: 77 61 6E 22 20 72 65 67 69 64 3D 22 72 65 67 69 wan" regid="regi
12[IMV] 192: 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E 73 74 d.2004-03.org.st
12[IMV] 208: 72 6F 6E 67 73 77 61 6E 22 20 72 6F 6C 65 3D 22 rongswan" role="
12[IMV] 224: 74 61 67 63 72 65 61 74 6F 72 22 20 2F 3E 3C 2F tagcreator" /></
12[IMV] 240: 53 6F 66 74 77 61 72 65 49 64 65 6E 74 69 74 79 SoftwareIdentity
12[IMV] 256: 3E 00 00 00 00 01 37 3C 53 6F 66 74 77 61 72 65 >.....7<Software
12[IMV] 272: 49 64 65 6E 74 69 74 79 20 6E 61 6D 65 3D 22 6C Identity name="l
12[IMV] 288: 69 62 61 70 72 31 2D 64 65 76 22 20 75 6E 69 71 ibapr1-dev" uniq
...
12[IMV] 32416: 01 31 3C 53 6F 66 74 77 61 72 65 49 64 65 6E 74 .1<SoftwareIdent
12[IMV] 32432: 69 74 79 20 6E 61 6D 65 3D 22 6C 69 62 6C 6F 67 ity name="liblog
12[IMV] 32448: 34 63 78 78 31 30 22 20 75 6E 69 71 75 65 49 64 4cxx10" uniqueId
12[IMV] 32464: 3D 22 64 65 62 69 61 6E 5F 37 2E 35 2D 78 38 36 ="debian_7.5-x86
12[IMV] 32480: 5F 36 34 2D 6C 69 62 6C 6F 67 34 63 78 78 31 30 _64-liblog4cxx10
12[IMV] 32496: 2D 30 2E 31 30 2E 30 2D 31 2E 32 22 20 76 65 72 -0.10.0-1.2" ver
12[IMV] 32512: 73 69 6F 6E 3D 22 30 2E 31 30 2E 30 2D 31 2E 32 sion="0.10.0-1.2
12[IMV] 32528: 22 20 76 65 72 73 69 6F 6E 53 63 68 65 6D 65 3D " versionScheme=
12[IMV] 32544: 22 61 6C 70 68 61 6E 75 6D 65 72 69 63 22 20 78 "alphanumeric" x
12[IMV] 32560: 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 74 61 mlns="http://sta
12[IMV] 32576: 6E 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67 2F 69 ndards.iso.org/i
12[IMV] 32592: 73 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30 31 34 so/19770/-2/2014
12[IMV] 32608: 2F 73 63 68 65 6D 61 2E 78 73 64 22 3E 3C 45 6E /schema.xsd"><En
12[IMV] 32624: 74 69 74 79 20 6E 61 6D 65 3D 22 73 74 72 6F 6E tity name="stron
12[IMV] 32640: 67 53 77 61 6E 22 20 72 65 67 69 64 3D 22 72 65 gSwan" regid="re
12[IMV] 32656: 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 67 2E gid.2004-03.org.
12[IMV] 32672: 73 74 72 6F 6E 67 73 77 61 6E 22 20 72 6F 6C 65 strongswan" role
12[IMV] 32688: 3D 22 74 61 67 63 72 65 61 74 6F 72 22 20 ="tagcreator"
12[TNC] processing PA-TNC message with ID 0xa775c264
12[TNC] processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023
</pre>
h3. Received Next Segment of Base Attribute 'TCG/SWID Tag Inventory' with ID 1
<pre>
12[TNC] received next segment for base attribute ID 1 (32678 bytes)
12[LIB] 284 bytes insufficient to parse 305 bytes of data
12[IMV] received SWID tag inventory with 102 items for request 3 at eid 1 of epoch 0xf1070c90, 164 items to follow
12[IMV] <SoftwareIdentity name="libapr1" uniqueId="debian_7.5-x86_64-libapr1-1.4.6-3+deb7u1" version="1.4.6-3+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
12[IMV] <SoftwareIdentity name="libapr1-dev" uniqueId="debian_7.5-x86_64-libapr1-dev-1.4.6-3+deb7u1" version="1.4.6-3+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
... 99 more SWID Tags
12[IMV] <SoftwareIdentity name="liblocale-gettext-perl" uniqueId="debian_7.5-x86_64-liblocale-gettext-perl-1.05-7+b1" version="1.05-7+b1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
</pre>
h3. Sending Next Segment Request for Base Attribute with ID 1
<pre>
12[TNC] creating PA-TNC message with ID 0x5382f1b3
12[TNC] creating PA-TNC attribute type 'TCG/Next Segment Request' 0x005597/0x00000024
12[IMV] created PA-TNC message: => 24 bytes @ 0x7c6f20
12[IMV] 0: 01 00 00 00 53 82 F1 B3 00 00 55 97 00 00 00 24 ....S.....U....$
12[IMV] 16: 00 00 00 10 00 00 00 01 ........
12[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
</pre>
<pre>
12[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
12[TNC] creating PB-TNC SDATA batch
12[TNC] adding IETF/PB-PA message
12[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
12[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
13[CFG] received RADIUS Access-Request from client '10.1.0.1'
13[CFG] ignoring RADIUS Access-Request 0x60, already processing
03[CFG] received RADIUS Access-Request from client '10.1.0.1'
03[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
03[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
... 31 more RADIUS exchanges
04[CFG] received RADIUS Access-Request from client '10.1.0.1'
04[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
04[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
04[TNC] received TNCCS batch (32734 bytes) for Connection ID 1
04[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
04[TNC] processing PB-TNC CDATA batch
04[TNC] processing IETF/PB-PA message (32726 bytes)
</pre>
<pre>
04[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
04[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2
04[IMV] => 32702 bytes @ 0x82b510
04[IMV] 0: 01 00 00 00 08 CC 13 66 00 00 55 97 00 00 00 23 .......f..U....#
04[IMV] 16: 00 00 7F B6 80 00 00 01 2F 3E 3C 2F 53 6F 66 74 ......../></Soft
04[IMV] 32: 77 61 72 65 49 64 65 6E 74 69 74 79 3E 00 00 00 wareIdentity>...
04[IMV] 48: 00 01 39 3C 53 6F 66 74 77 61 72 65 49 64 65 6E ..9<SoftwareIden
04[IMV] 64: 74 69 74 79 20 6E 61 6D 65 3D 22 6C 69 62 6C 6F tity name="liblo
04[IMV] 80: 67 34 63 78 78 31 30 2D 64 65 76 22 20 75 6E 69 g4cxx10-dev" uni
...
04[IMV] 32288: 74 69 74 79 3E 00 00 00 00 01 43 3C 53 6F 66 74 tity>.....C<Soft
04[IMV] 32304: 77 61 72 65 49 64 65 6E 74 69 74 79 20 6E 61 6D wareIdentity nam
04[IMV] 32320: 65 3D 22 6D 75 6C 74 69 61 72 63 68 2D 73 75 70 e="multiarch-sup
04[IMV] 32336: 70 6F 72 74 22 20 75 6E 69 71 75 65 49 64 3D 22 port" uniqueId="
04[IMV] 32352: 64 65 62 69 61 6E 5F 37 2E 35 2D 78 38 36 5F 36 debian_7.5-x86_6
04[IMV] 32368: 34 2D 6D 75 6C 74 69 61 72 63 68 2D 73 75 70 70 4-multiarch-supp
04[IMV] 32384: 6F 72 74 2D 32 2E 31 33 2D 33 38 2B 64 65 62 37 ort-2.13-38+deb7
04[IMV] 32400: 75 31 22 20 76 65 72 73 69 6F 6E 3D 22 32 2E 31 u1" version="2.1
04[IMV] 32416: 33 2D 33 38 2B 64 65 62 37 75 31 22 20 76 65 72 3-38+deb7u1" ver
04[IMV] 32432: 73 69 6F 6E 53 63 68 65 6D 65 3D 22 61 6C 70 68 sionScheme="alph
04[IMV] 32448: 61 6E 75 6D 65 72 69 63 22 20 78 6D 6C 6E 73 3D anumeric" xmlns=
04[IMV] 32464: 22 68 74 74 70 3A 2F 2F 73 74 61 6E 64 61 72 64 "http://standard
04[IMV] 32480: 73 2E 69 73 6F 2E 6F 72 67 2F 69 73 6F 2F 31 39 s.iso.org/iso/19
04[IMV] 32496: 37 37 30 2F 2D 32 2F 32 30 31 34 2F 73 63 68 65 770/-2/2014/sche
04[IMV] 32512: 6D 61 2E 78 73 64 22 3E 3C 45 6E 74 69 74 79 20 ma.xsd"><Entity
04[IMV] 32528: 6E 61 6D 65 3D 22 73 74 72 6F 6E 67 53 77 61 6E name="strongSwan
04[IMV] 32544: 22 20 72 65 67 69 64 3D 22 72 65 67 69 64 2E 32 " regid="regid.2
04[IMV] 32560: 30 30 34 2D 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 004-03.org.stron
04[IMV] 32576: 67 73 77 61 6E 22 20 72 6F 6C 65 3D 22 74 61 67 gswan" role="tag
04[IMV] 32592: 63 72 65 61 74 6F 72 22 20 2F 3E 3C 2F 53 6F 66 creator" /></Sof
04[IMV] 32608: 74 77 61 72 65 49 64 65 6E 74 69 74 79 3E 00 00 twareIdentity>..
04[IMV] 32624: 00 00 01 47 3C 53 6F 66 74 77 61 72 65 49 64 65 ...G<SoftwareIde
04[IMV] 32640: 6E 74 69 74 79 20 6E 61 6D 65 3D 22 6D 79 73 71 ntity name="mysq
04[IMV] 32656: 6C 2D 63 6F 6D 6D 6F 6E 22 20 75 6E 69 71 75 65 l-common" unique
04[IMV] 32672: 49 64 3D 22 64 65 62 69 61 6E 5F 37 2E 35 2D 78 Id="debian_7.5-x
04[IMV] 32688: 38 36 5F 36 34 2D 6D 79 73 71 6C 2D 63 6F 86_64-mysql-co
04[TNC] processing PA-TNC message with ID 0x08cc1366
04[TNC] processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023
</pre>
h3. Received Next Segment of Base Attribute 'TCG/SWID Tag Inventory' with ID 1
<pre>
04[TNC] received next segment for base attribute ID 1 (32678 bytes)
04[LIB] 74 bytes insufficient to parse 327 bytes of data
04[IMV] received SWID tag inventory with 106 items for request 3 at eid 1 of epoch 0xf1070c90, 58 items to follow
04[IMV] <SoftwareIdentity name="liblog4cxx10" uniqueId="debian_7.5-x86_64-liblog4cxx10-0.10.0-1.2" version="0.10.0-1.2" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
04[IMV] <SoftwareIdentity name="liblog4cxx10-dev" uniqueId="debian_7.5-x86_64-liblog4cxx10-dev-0.10.0-1.2" version="0.10.0-1.2" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
... 103 more SWID Tags
04[IMV] <SoftwareIdentity name="multiarch-support" uniqueId="debian_7.5-x86_64-multiarch-support-2.13-38+deb7u1" version="2.13-38+deb7u1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
</pre>
h3. Sending Next Segment Request for Base Attribute with ID 1
<pre>
04[TNC] creating PA-TNC message with ID 0x76280e6a
04[TNC] creating PA-TNC attribute type 'TCG/Next Segment Request' 0x005597/0x00000024
04[IMV] created PA-TNC message: => 24 bytes @ 0x7a7860
04[IMV] 0: 01 00 00 00 76 28 0E 6A 00 00 55 97 00 00 00 24 ....v(.j..U....$
04[IMV] 16: 00 00 00 10 00 00 00 01 ........
04[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
</pre>
<pre>
04[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
04[TNC] creating PB-TNC SDATA batch
04[TNC] adding IETF/PB-PA message
04[TNC] sending PB-TNC SDATA batch (56 bytes) for Connection ID 1
04[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
11[CFG] received RADIUS Access-Request from client '10.1.0.1'
11[CFG] ignoring RADIUS Access-Request 0x81, already processing
13[CFG] received RADIUS Access-Request from client '10.1.0.1'
13[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
... 15 more RADIUS exchanges
16[CFG] received RADIUS Access-Request from client '10.1.0.1'
16[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
16[TNC] received TNCCS batch (17866 bytes) for Connection ID 1
16[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
16[TNC] processing PB-TNC CDATA batch
16[TNC] processing IETF/PB-PA message (17858 bytes)
</pre>
<pre>
16[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
16[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2 to IMV 2
16[IMV] 0: 01 00 00 00 15 7F 65 95 00 00 55 97 00 00 00 23 ......e...U....#
16[IMV] 16: 00 00 45 A2 00 00 00 01 6D 6D 6F 6E 2D 35 2E 35 ..E.....mmon-5.5
16[IMV] 32: 2E 33 35 2B 64 66 73 67 2D 30 2B 77 68 65 65 7A .35+dfsg-0+wheez
16[IMV] 48: 79 31 22 20 76 65 72 73 69 6F 6E 3D 22 35 2E 35 y1" version="5.5
16[IMV] 64: 2E 33 35 2B 64 66 73 67 2D 30 2B 77 68 65 65 7A .35+dfsg-0+wheez
16[IMV] 80: 79 31 22 20 76 65 72 73 69 6F 6E 53 63 68 65 6D y1" versionSchem
16[IMV] 96: 65 3D 22 61 6C 70 68 61 6E 75 6D 65 72 69 63 22 e="alphanumeric"
16[IMV] 112: 20 78 6D 6C 6E 73 3D 22 68 74 74 70 3A 2F 2F 73 xmlns="http://s
16[IMV] 128: 74 61 6E 64 61 72 64 73 2E 69 73 6F 2E 6F 72 67 tandards.iso.org
16[IMV] 144: 2F 69 73 6F 2F 31 39 37 37 30 2F 2D 32 2F 32 30 /iso/19770/-2/20
16[IMV] 160: 31 34 2F 73 63 68 65 6D 61 2E 78 73 64 22 3E 3C 14/schema.xsd"><
16[IMV] 176: 45 6E 74 69 74 79 20 6E 61 6D 65 3D 22 73 74 72 Entity name="str
16[IMV] 192: 6F 6E 67 53 77 61 6E 22 20 72 65 67 69 64 3D 22 ongSwan" regid="
16[IMV] 208: 72 65 67 69 64 2E 32 30 30 34 2D 30 33 2E 6F 72 regid.2004-03.or
16[IMV] 224: 67 2E 73 74 72 6F 6E 67 73 77 61 6E 22 20 72 6F g.strongswan" ro
16[IMV] 240: 6C 65 3D 22 74 61 67 63 72 65 61 74 6F 72 22 20 le="tagcreator"
16[IMV] 256: 2F 3E 3C 2F 53 6F 66 74 77 61 72 65 49 64 65 6E /></SoftwareIden
16[IMV] 272: 74 69 74 79 3E 00 00 00 00 01 21 3C 53 6F 66 74 tity>.....!<Soft
16[IMV] 288: 77 61 72 65 49 64 65 6E 74 69 74 79 20 6E 61 6D wareIdentity nam
16[IMV] 304: 65 3D 22 6E 61 6E 6F 22 20 75 6E 69 71 75 65 49 e="nano" uniqueI
...
16[IMV] 17520: 00 01 37 3C 53 6F 66 74 77 61 72 65 49 64 65 6E ..7<SoftwareIden
16[IMV] 17536: 74 69 74 79 20 6E 61 6D 65 3D 22 7A 6C 69 62 31 tity name="zlib1
16[IMV] 17552: 67 2D 64 65 76 22 20 75 6E 69 71 75 65 49 64 3D g-dev" uniqueId=
16[IMV] 17568: 22 64 65 62 69 61 6E 5F 37 2E 35 2D 78 38 36 5F "debian_7.5-x86_
16[IMV] 17584: 36 34 2D 7A 6C 69 62 31 67 2D 64 65 76 2D 31 3A 64-zlib1g-dev-1:
16[IMV] 17600: 31 2E 32 2E 37 2E 64 66 73 67 2D 31 33 22 20 76 1.2.7.dfsg-13" v
16[IMV] 17616: 65 72 73 69 6F 6E 3D 22 31 3A 31 2E 32 2E 37 2E ersion="1:1.2.7.
16[IMV] 17632: 64 66 73 67 2D 31 33 22 20 76 65 72 73 69 6F 6E dfsg-13" version
16[IMV] 17648: 53 63 68 65 6D 65 3D 22 61 6C 70 68 61 6E 75 6D Scheme="alphanum
16[IMV] 17664: 65 72 69 63 22 20 78 6D 6C 6E 73 3D 22 68 74 74 eric" xmlns="htt
16[IMV] 17680: 70 3A 2F 2F 73 74 61 6E 64 61 72 64 73 2E 69 73 p://standards.is
16[IMV] 17696: 6F 2E 6F 72 67 2F 69 73 6F 2F 31 39 37 37 30 2F o.org/iso/19770/
16[IMV] 17712: 2D 32 2F 32 30 31 34 2F 73 63 68 65 6D 61 2E 78 -2/2014/schema.x
16[IMV] 17728: 73 64 22 3E 3C 45 6E 74 69 74 79 20 6E 61 6D 65 sd"><Entity name
16[IMV] 17744: 3D 22 73 74 72 6F 6E 67 53 77 61 6E 22 20 72 65 ="strongSwan" re
16[IMV] 17760: 67 69 64 3D 22 72 65 67 69 64 2E 32 30 30 34 2D gid="regid.2004-
16[IMV] 17776: 30 33 2E 6F 72 67 2E 73 74 72 6F 6E 67 73 77 61 03.org.strongswa
16[IMV] 17792: 6E 22 20 72 6F 6C 65 3D 22 74 61 67 63 72 65 61 n" role="tagcrea
16[IMV] 17808: 74 6F 72 22 20 2F 3E 3C 2F 53 6F 66 74 77 61 72 tor" /></Softwar
16[IMV] 17824: 65 49 64 65 6E 74 69 74 79 3E eIdentity>
16[TNC] processing PA-TNC message with ID 0x157f6595
16[TNC] processing PA-TNC attribute type 'TCG/Attribute Segment Envelope' 0x005597/0x00000023
</pre>
h3. Received Last Segment of Base Attribute 'TCG/SWID Tag Inventory' with ID 1
<pre>
16[TNC] received last segment for base attribute ID 1 (17810 bytes)
16[IMV] received SWID tag inventory with 58 items for request 3 at eid 1 of epoch 0xf1070c90, 0 items to follow
16[IMV] <SoftwareIdentity name="mysql-common" uniqueId="debian_7.5-x86_64-mysql-common-5.5.35+dfsg-0+wheezy1" version="5.5.35+dfsg-0+wheezy1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
16[IMV] <SoftwareIdentity name="nano" uniqueId="debian_7.5-x86_64-nano-2.2.6-1+b1" version="2.2.6-1+b1" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
... 55 more SWID Tags
16[IMV] <SoftwareIdentity name="zlib1g-dev" uniqueId="debian_7.5-x86_64-zlib1g-dev-1:1.2.7.dfsg-13" version="1:1.2.7.dfsg-13" versionScheme="alphanumeric" xmlns="http://standards.iso.org/iso/19770/-2/2014/schema.xsd"><Entity name="strongSwan" regid="regid.2004-03.org.strongswan" role="tagcreator" /></SoftwareIdentity>
</pre>
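The segmentation headers in the hex dumps above can be decoded mechanically. The following is an added example, not part of the original page or of strongSwan: it parses the PA-TNC message and attribute headers (RFC 5792 layout) and the two TCG segmentation attributes seen in the log, rejecting length fields that do not fit the buffer. The flags/base-attribute-ID word layout and the 0x80 "more segments" flag are assumptions read off the dumps, and everything after the logged header bytes is constructed zero filler.

```python
import struct

TCG_PEN = 0x005597            # vendor ID printed in the log as 0x005597
SEG_ENVELOPE = 0x23           # 'TCG/Attribute Segment Envelope'
NEXT_SEG_REQUEST = 0x24       # 'TCG/Next Segment Request'
MORE_FLAG = 0x80              # assumption: set on "next" segments, clear on the "last" one


def parse_pa_tnc(msg: bytes) -> list:
    """Parse one PA-TNC message (RFC 5792 layout) and decode segmentation attributes."""
    if len(msg) < 8:
        raise ValueError("PA-TNC header truncated")
    if msg[0] != 1:
        raise ValueError("unsupported PA-TNC version %d" % msg[0])
    msg_id = struct.unpack_from(">I", msg, 4)[0]
    attrs, off = [], 8
    while off < len(msg):
        if len(msg) - off < 12:
            raise ValueError("attribute header truncated")
        flags_vendor, attr_type, length = struct.unpack_from(">III", msg, off)
        # The length field counts the 12-byte attribute header and must fit the buffer.
        if length < 12 or off + length > len(msg):
            raise ValueError("attribute length %d out of bounds" % length)
        value = msg[off + 12:off + length]
        attr = {"msg_id": msg_id, "vendor": flags_vendor & 0xFFFFFF,
                "type": attr_type, "length": length}
        if attr["vendor"] == TCG_PEN and attr_type in (SEG_ENVELOPE, NEXT_SEG_REQUEST):
            if len(value) < 4:
                raise ValueError("segmentation attribute too short")
            word = struct.unpack_from(">I", value)[0]   # 8 flag bits + 24-bit base attribute ID
            attr["base_attr_id"] = word & 0xFFFFFF
            if attr_type == SEG_ENVELOPE:
                attr["more"] = bool((word >> 24) & MORE_FLAG)
                attr["segment_len"] = len(value) - 4
        attrs.append(attr)
        off += length
    return attrs


def sample(header_hex: str, total_len: int) -> bytes:
    """Header bytes copied from the log, padded with constructed zero filler."""
    header = bytes.fromhex(header_hex)
    return header + bytes(total_len - len(header))


# Headers as logged; sizes are the logged '=> N bytes' values. The last dump has no
# such line, so its size is 8 + the attribute length field (0x45A2).
NEXT_REQ = sample("01000000 636EBDAA 00005597 00000024 00000010 00000001", 24)
ENV_NEXT = sample("01000000 A775C264 00005597 00000023 00007FB6 80000001", 32702)
ENV_LAST = sample("01000000 157F6595 00005597 00000023 000045A2 00000001", 17834)

if __name__ == "__main__":
    for name, msg in (("request", NEXT_REQ), ("next", ENV_NEXT), ("last", ENV_LAST)):
        print(name, parse_pa_tnc(msg))
```

The decoded @segment_len@ values match the "(32678 bytes)" and "(17810 bytes)" figures the IMV logs for the next and last segments.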
<pre>
16[IMV] IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and 372 SWID tags
16[TNC] creating PA-TNC message with ID 0x39b02ad7
16[TNC] creating PA-TNC attribute type 'IETF/Assessment Result' 0x000000/0x00000009
16[IMV] created PA-TNC message: => 24 bytes @ 0x7a7600
16[IMV] 0: 01 00 00 00 39 B0 2A D7 00 00 00 00 00 00 00 09 ....9.*.........
16[IMV] 16: 00 00 00 10 00 00 00 00 ........
16[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
16[TNC] IMV 2 provides recommendation 'allow' and evaluation 'compliant'
16[IMV] running policy script: 2>&1 ipsec imv_policy_manager stop 2
16[IMV] policy: imv_policy_manager stop successful
16[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Isolated'
16[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Isolated'
</pre>
<pre>
16[TNC] PB-TNC state transition from 'Server Working' to 'Decided'
16[TNC] creating PB-TNC RESULT batch
16[TNC] adding IETF/PB-PA message
16[TNC] adding IETF/PB-Assessment-Result message
16[TNC] adding IETF/PB-Access-Recommendation message
16[TNC] adding IETF/PB-Reason-String message
16[TNC] sending PB-TNC RESULT batch (141 bytes) for Connection ID 1
16[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
</pre>
<pre>
16[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
02[CFG] received RADIUS Access-Request from client '10.1.0.1'
02[CFG] ignoring RADIUS Access-Request 0x93, already processing
01[CFG] received RADIUS Access-Request from client '10.1.0.1'
01[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
<pre>
01[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
01[TNC] received TNCCS batch (8 bytes) for Connection ID 1
01[TNC] PB-TNC state transition from 'Decided' to 'End'
01[TNC] processing PB-TNC CLOSE batch
01[TNC] final recommendation is 'isolate' and evaluation is 'non-compliant major'
01[TNC] policy enforced on peer 'dave' is 'isolate'
01[TNC] policy enforcement point added group membership 'isolate'
01[IKE] EAP_TTLS phase2 authentication of 'dave' with EAP_PT_EAP successful
01[IMV] IMV 1 "OS" deleted the state of Connection ID 1
01[IMV] IMV 2 "SWID" deleted the state of Connection ID 1
01[TNC] removed TNCCS Connection ID 1
01[TLS] sending TLS close notify
</pre>
<pre>
01[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
10[CFG] received RADIUS Access-Request from client '10.1.0.1'
10[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
10[CFG] sending RADIUS Access-Accept to client '10.1.0.1'
10[CFG] removed RADIUS connection for user 'dave' NAS 'strongSwan'
</pre>
h2. PT-EAP Connection by Access Requestor "carol" via EAP-RADIUS
Set up an EAP-TTLS connection between AR and PDP
<pre>
09[CFG] received RADIUS Access-Request from client '10.1.0.1'
09[CFG] created RADIUS connection for user 'carol' NAS 'strongSwan'
09[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
11[CFG] received RADIUS Access-Request from client '10.1.0.1'
11[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'
11[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
11[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
11[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
</pre>
<pre>
11[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
04[CFG] received RADIUS Access-Request from client '10.1.0.1'
04[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'
04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
13[CFG] received RADIUS Access-Request from client '10.1.0.1'
13[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'
13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
12[CFG] received RADIUS Access-Request from client '10.1.0.1'
12[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'
</pre>
Received EAP-Identity of AR "carol"
<pre>
12[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
12[IKE] received EAP identity 'carol'
12[IKE] phase2 method EAP_MD5 selected
12[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
</pre>
<pre>
12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
03[CFG] received RADIUS Access-Request from client '10.1.0.1'
03[CFG] found RADIUS connection for user 'carol' NAS 'strongSwan'
</pre>
EAP-MD5 based authentication of AR "carol"
<pre>
03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
03[IKE] EAP_TTLS phase2 authentication of 'carol' with EAP_MD5 successful
03[IKE] phase2 [ Incomplete diff, document too large... ]