Endpoint Compliance via PT-EAP Protocol » History » Version 7
Andreas Steffen, 07.10.2014 13:13
Endpoint Compliance via PT-EAP Protocol¶
Starting the strongSwan Policy Decision Point (PDP)¶
The strongSwan PDP starts, loads the CA certificate and its own RSA private key, and reads the EAP secrets of the clients "carol" and "dave" from ipsec.secrets
00[DMN] Starting IKE charon daemon (strongSwan 5.2.1dr1, Linux 3.16.1, x86_64)
00[LIB] openssl FIPS mode(0) - disabled
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loaded ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded RSA private key from '/etc/ipsec.d/private/aaaKey.pem'
00[CFG] loaded EAP secret for carol
00[CFG] loaded EAP secret for dave
Next, the OS and SWID IMVs are loaded, each registering the single PA message type it handles
00[TNC] TNC recommendation policy is 'default'
00[TNC] loading IMVs from '/etc/tnc_config'
00[TNC] added IETF attributes
00[TNC] added ITA-HSR attributes
00[TNC] added TCG attributes
00[LIB] libimcv initialized
00[IMV] IMV 1 "OS" initialized
00[TNC] IMV 1 supports 1 message type: 'IETF/Operating System' 0x000000/0x00000001
00[TNC] IMV 1 "OS" loaded from '/usr/local/lib/ipsec/imcvs/imv-os.so'
00[IMV] IMV 2 "SWID" initialized
00[TNC] IMV 2 supports 1 message type: 'TCG/SWID' 0x005597/0x00000003
00[TNC] IMV 2 "SWID" loaded from '/usr/local/lib/ipsec/imcvs/imv-swid.so'
The PDP loads all plugins needed to communicate via its EAP-RADIUS and PT-TLS interfaces (both provided by the tnc-pdp plugin), spawns 16 worker threads and adds the 'aaa' connection together with the PDP's server certificate
00[IKE] eap method EAP_TTLS selected
00[LIB] loaded plugins: charon aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
00[JOB] spawning 16 worker threads
09[CFG] received stroke: add connection 'aaa'
09[CFG] left nor right host is our side, assuming left=local
09[CFG] loaded certificate "C=CH, O=Linux strongSwan, CN=aaa.strongswan.org" from 'aaaCert.pem'
09[CFG] added configuration 'aaa'
PT-EAP Connection by Access Requestor "dave" transported over EAP-RADIUS¶
04[CFG] received RADIUS Access-Request from client '10.1.0.1'
04[CFG] created RADIUS connection for user 'dave' NAS 'strongSwan'
04[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
11[CFG] received RADIUS Access-Request from client '10.1.0.1'
11[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
Set up an EAP-TTLS connection between AR and PDP; the PDP presents its server certificate and requests a client certificate issued by the strongSwan Root CA
11[TLS] negotiated TLS 1.2 using suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA
11[TLS] sending TLS server certificate 'C=CH, O=Linux strongSwan, CN=aaa.strongswan.org'
11[TLS] sending TLS cert request for 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA'
11[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
12[CFG] received RADIUS Access-Request from client '10.1.0.1'
12[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
12[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
13[CFG] received RADIUS Access-Request from client '10.1.0.1'
13[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
13[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/ID]
13[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
14[CFG] received RADIUS Access-Request from client '10.1.0.1'
14[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
Received EAP-Identity of AR "dave"
14[IKE] received tunneled EAP-TTLS AVP [EAP/RES/ID]
14[IKE] received EAP identity 'dave'
14[IKE] phase2 method EAP_MD5 selected
14[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/MD5]
14[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
03[CFG] received RADIUS Access-Request from client '10.1.0.1'
03[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
EAP-MD5 based authentication of AR "dave" inside the TLS tunnel, after which PT-EAP is selected as the second phase2 method
03[IKE] received tunneled EAP-TTLS AVP [EAP/RES/MD5]
03[IKE] EAP_TTLS phase2 authentication of 'dave' with EAP_MD5 successful
03[IKE] phase2 method EAP_PT_EAP selected
03[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
03[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
15[CFG] received RADIUS Access-Request from client '10.1.0.1'
15[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
Upon reception of the first PB-TNC client batch, an IF-TNCCS 2.0 connection is opened and both IMVs create a state for Connection ID 1
15[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
15[IMV] IMV 1 "OS" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
15[IMV] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes
15[IMV] user AR identity 'dave' authenticated by password
15[IMV] IMV 2 "SWID" created a state for IF-TNCCS 2.0 Connection ID 1: +long +excl -soh
15[IMV] over IF-T for Tunneled EAP 2.0 with maximum PA-TNC message size of 65490 bytes
15[IMV] user AR identity 'dave' authenticated by password
15[IMV] IMV 1 "OS" changed state of Connection ID 1 to 'Handshake'
15[IMV] IMV 2 "SWID" changed state of Connection ID 1 to 'Handshake'
15[TNC] received TNCCS batch (91 bytes) for Connection ID 1
15[TNC] PB-TNC state transition from 'Init' to 'Server Working'
15[TNC] processing PB-TNC CDATA batch
15[TNC] processing IETF/PB-PA message (52 bytes)
15[TNC] setting language preference to 'en'
Received a Max Attribute Size Request for the 'TCG/SWID' PA message subtype from the SWID IMC
15[TNC] handling PB-PA message type 'TCG/SWID' 0x005597/0x00000003
15[IMV] IMV 2 "SWID" received message for Connection ID 1 from IMC 2
15[IMV] => 28 bytes @ 0x7a5490
15[IMV]    0: 01 00 00 00 26 4B C3 0A 00 00 55 97 00 00 00 21  ....&K....U....!
15[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 7F A6              ............
15[TNC] processing PA-TNC message with ID 0x264bc30a
15[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021
15[IMV] received a segmentation contract from IMC 2 for PA message type 'TCG/SWID' 0x005597/0x00000003
15[IMV] maximum attribute size of 100'000'000 bytes with maximum segment size of 32678 bytes
Creating a Max Attribute Size Response for the 'TCG/SWID' PA message subtype back to the SWID IMC
15[TNC] creating PA-TNC message with ID 0x45425ec5
15[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022
15[IMV] created PA-TNC message: => 28 bytes @ 0x7a5b00
15[IMV]    0: 01 00 00 00 45 42 5E C5 00 00 55 97 00 00 00 22  ....EB^...U...."
15[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 7F A6              ............
15[TNC] creating PB-PA message type 'TCG/SWID' 0x005597/0x00000003
Creating a Max Attribute Size Request for the 'IETF/Operating System' PA message subtype, addressed to any IMC subscribing to it
15[IMV] IMV 1 requests a segmentation contract for PA message type 'IETF/Operating System' 0x000000/0x00000001
15[IMV] maximum attribute size of 100'000'000 bytes with maximum segment size of 65446 bytes
15[TNC] creating PA-TNC message with ID 0x2ae6641f
15[TNC] creating PA-TNC attribute type 'TCG/Max Attribute Size Request' 0x005597/0x00000021
15[TNC] creating PA-TNC attribute type 'IETF/Attribute Request' 0x000000/0x00000001
15[IMV] created PA-TNC message: => 96 bytes @ 0x7a7ff0
15[IMV]    0: 01 00 00 00 2A E6 64 1F 00 00 55 97 00 00 00 21  ....*.d...U....!
15[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 FF A6 00 00 00 00  ................
15[IMV]   32: 00 00 00 01 00 00 00 44 00 00 00 00 00 00 00 02  .......D........
15[IMV]   48: 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 03  ................
15[IMV]   64: 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 0B  ................
15[IMV]   80: 00 00 00 00 00 00 00 0C 00 00 90 2A 00 00 00 08  ...........*....
15[TNC] creating PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
After appending an Attribute Request for various standard IETF attributes to this PA-TNC message, a first PB-TNC server batch is sent to the TNC client running on the AR
15[TNC] PB-TNC state transition from 'Server Working' to 'Client Working'
15[TNC] creating PB-TNC SDATA batch
15[TNC] adding TCG/PB-PDP-Referral message
15[TNC] adding IETF/PB-PA message
15[TNC] adding IETF/PB-PA message
15[TNC] sending PB-TNC SDATA batch (222 bytes) for Connection ID 1
15[IKE] sending tunneled EAP-TTLS AVP [EAP/REQ/PT]
15[CFG] sending RADIUS Access-Challenge to client '10.1.0.1'
16[CFG] received RADIUS Access-Request from client '10.1.0.1'
16[CFG] found RADIUS connection for user 'dave' NAS 'strongSwan'
16[IKE] received tunneled EAP-TTLS AVP [EAP/RES/PT]
16[TNC] received TNCCS batch (248 bytes) for Connection ID 1
16[TNC] PB-TNC state transition from 'Client Working' to 'Server Working'
16[TNC] processing PB-TNC CDATA batch
16[TNC] processing IETF/PB-PA message (240 bytes)
The OS IMC answers with a Max Attribute Size Response followed by the requested attributes in a single PA-TNC message
16[TNC] handling PB-PA message type 'IETF/Operating System' 0x000000/0x00000001
16[IMV] IMV 1 "OS" received message for Connection ID 1 from IMC 1 to IMV 1
16[IMV] => 216 bytes @ 0x7a45b0
16[IMV]    0: 01 00 00 00 FD DE 12 F4 00 00 55 97 00 00 00 22  ..........U...."
16[IMV]   16: 00 00 00 14 05 F5 E1 00 00 00 7F A6 00 00 00 00  ................
16[IMV]   32: 00 00 00 02 00 00 00 17 00 25 72 00 00 44 65 62  .........%r..Deb
16[IMV]   48: 69 61 6E 00 00 00 00 00 00 00 04 00 00 00 19 0A  ian.............
16[IMV]   64: 37 2E 35 20 78 38 36 5F 36 34 00 00 00 00 00 00  7.5 x86_64......
16[IMV]   80: 00 00 00 03 00 00 00 1C 00 00 00 07 00 00 00 05  ................
16[IMV]   96: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05  ................
16[IMV]  112: 00 00 00 24 03 01 00 00 32 30 31 34 2D 31 30 2D  ...$....2014-10-
16[IMV]  128: 30 36 54 31 39 3A 33 31 3A 30 30 5A 00 00 00 00  06T19:31:00Z....
16[IMV]  144: 00 00 00 0B 00 00 00 10 00 00 00 01 00 00 00 00  ................
16[IMV]  160: 00 00 00 0C 00 00 00 10 00 00 00 00 00 00 90 2A  ...............*
16[IMV]  176: 00 00 00 08 00 00 00 2C 61 61 62 62 63 63 64 64  .......,aabbccdd
16[IMV]  192: 65 65 66 66 31 31 32 32 33 33 34 34 35 35 36 36  eeff112233445566
16[IMV]  208: 37 37 38 38 39 39 30 30                          77889900
16[TNC] processing PA-TNC message with ID 0xfdde12f4
16[TNC] processing PA-TNC attribute type 'TCG/Max Attribute Size Response' 0x005597/0x00000022
16[TNC] processing PA-TNC attribute type 'IETF/Product Information' 0x000000/0x00000002
16[TNC] processing PA-TNC attribute type 'IETF/String Version' 0x000000/0x00000004
16[TNC] processing PA-TNC attribute type 'IETF/Numeric Version' 0x000000/0x00000003
16[TNC] processing PA-TNC attribute type 'IETF/Operational Status' 0x000000/0x00000005
16[TNC] processing PA-TNC attribute type 'IETF/Forwarding Enabled' 0x000000/0x0000000b
16[TNC] processing PA-TNC attribute type 'IETF/Factory Default Password Enabled' 0x000000/0x0000000c
16[TNC] processing PA-TNC attribute type 'ITA-HSR/Device ID' 0x00902a/0x00000008
The segmentation contract for the 'IETF/Operating System' subtype is now complete in both directions
16[IMV] received a segmentation contract response for PA message type 'IETF/Operating System' 0x000000/0x00000001
16[IMV] maximum attribute size of 100000000 bytes with maximum segment size of 32678 bytes
The OS IMV evaluates the received attributes
16[IMV] operating system name is 'Debian' from vendor Debian Project
16[IMV] operating system version is '7.5 x86_64'
16[IMV] operating system numeric version is 7.5
16[IMV] operational status: operational, result: successful
16[IMV] last boot: Oct 06 19:31:00 UTC 2014
16[IMV] IPv4 forwarding is enabled
16[IMV] factory default password is disabled
16[IMV] device ID is aabbccddeeff11223344556677889900
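The two hex dumps above are complete PA-TNC messages (RFC 5792): an 8-byte header (version, reserved, message identifier) followed by a chain of attributes, each with a 12-byte header of flags, 24-bit vendor ID, 32-bit type and 32-bit length that covers the header. The following decoder is an added example, not strongSwan's own code: it walks the 96-byte message the PDP created for the OS IMC and the 216-byte reply from the OS IMC (both byte strings copied from the dumps above, with offsets and ASCII columns stripped), resolves the attribute names the log prints and decodes the value layouts of the attribute types that occur here. It also performs the two checks a receiver must make before touching an attribute's value: the length field must be at least 12 and must not run past the end of the message, and an unknown attribute carrying the NOSKIP flag must be rejected rather than silently skipped. The 1 = enabled / 0 = disabled reading of the two status attributes follows the log lines directly below the dump.

```python
# Added example (not strongSwan code): a PA-TNC (RFC 5792) decoder applied to the
# two hex dumps the PDP logged above. Attribute names are the ones the log prints.
import struct

IETF, TCG, ITA_HSR = 0x000000, 0x005597, 0x00902A
NOSKIP = 0x80  # attribute flag: a receiver that cannot handle the type must error out

ATTR_NAMES = {
    (IETF, 0x01): "IETF/Attribute Request", (IETF, 0x02): "IETF/Product Information",
    (IETF, 0x03): "IETF/Numeric Version", (IETF, 0x04): "IETF/String Version",
    (IETF, 0x05): "IETF/Operational Status", (IETF, 0x0B): "IETF/Forwarding Enabled",
    (IETF, 0x0C): "IETF/Factory Default Password Enabled",
    (TCG, 0x21): "TCG/Max Attribute Size Request", (TCG, 0x22): "TCG/Max Attribute Size Response",
    (ITA_HSR, 0x08): "ITA-HSR/Device ID",
}

# Copied from the log's hex dumps: the PDP's 96-byte message to the OS IMC ...
PDP_REQUEST_HEX = """
01000000 2AE6641F 00005597 00000021  00000014 05F5E100 0000FFA6 00000000
00000001 00000044 00000000 00000002  00000000 00000004 00000000 00000003
00000000 00000005 00000000 0000000B  00000000 0000000C 0000902A 00000008
"""
# ... and the OS IMC's 216-byte reply (IMC 1 -> IMV 1, Connection ID 1)
OS_REPLY_HEX = """
01000000 FDDE12F4 00005597 00000022  00000014 05F5E100 00007FA6 00000000
00000002 00000017 00257200 00446562  69616E00 00000000 00000400 0000190A
372E3520 7838365F 36340000 00000000  00000003 0000001C 00000007 00000005
00000000 00000000 00000000 00000005  00000024 03010000 32303134 2D31302D
30365431 393A3331 3A30305A 00000000  0000000B 00000010 00000001 00000000
0000000C 00000010 00000000 0000902A  00000008 0000002C 61616262 63636464
65656666 31313232 33333434 35353636  37373838 39393030
"""


def _decode_value(vendor, atype, v):
    """Decode the value layouts of the attribute types seen in the log; others stay raw."""
    if vendor == TCG and atype in (0x21, 0x22):  # max attribute size, max segment size
        max_attr, max_seg = struct.unpack("!II", v)
        return {"max_attr_size": max_attr, "max_seg_size": max_seg}
    if vendor == ITA_HSR and atype == 0x08:
        return {"device_id": v.decode("ascii")}
    if vendor != IETF:
        return {"raw": v.hex()}
    if atype == 0x01:  # list of 8-byte entries: reserved byte, vendor ID, attribute type
        pairs = [struct.unpack_from("!II", v, i) for i in range(0, len(v), 8)]
        return {"requested": [(fv & 0xFFFFFF, t) for fv, t in pairs]}
    if atype == 0x02:  # vendor PEN (24 bit), product ID (16 bit), product name
        return {"vendor_id": int.from_bytes(v[:3], "big"),
                "product_id": int.from_bytes(v[3:5], "big"), "name": v[5:].decode("utf-8")}
    if atype == 0x03:  # major, minor, build (32 bit each), service pack major/minor (16 bit)
        major, minor, build, sp_major, sp_minor = struct.unpack("!IIIHH", v)
        return {"major": major, "minor": minor, "build": build, "sp": (sp_major, sp_minor)}
    if atype == 0x04:  # three length-prefixed strings: version, build number, configuration
        out, off = {}, 0
        for key in ("version", "build", "config"):
            n = v[off]
            out[key] = v[off + 1:off + 1 + n].decode("utf-8")
            off += 1 + n
        return out
    if atype == 0x05:  # status (3 = operational), result (1 = successful), 2 reserved, RFC 3339 time
        return {"status": v[0], "result": v[1], "last_use": v[4:].decode("ascii")}
    if atype in (0x0B, 0x0C):  # 32-bit status word; 1 = enabled, 0 = disabled (as the log shows)
        return {"enabled": struct.unpack("!I", v)[0] == 1}
    return {"raw": v.hex()}


def parse_pa_tnc(data: bytes) -> dict:
    """Walk a PA-TNC message, validating every length field against the buffer."""
    if len(data) < 8:
        raise ValueError("PA-TNC message shorter than its 8-byte header")
    version, msg_id = struct.unpack_from("!B3xI", data, 0)
    if version != 1:
        raise ValueError("unsupported PA-TNC version %d" % version)
    attrs, off = [], 8
    while off < len(data):
        if len(data) - off < 12:
            raise ValueError("truncated attribute header at offset %d" % off)
        fv, atype, alen = struct.unpack_from("!III", data, off)
        flags, vendor = fv >> 24, fv & 0xFFFFFF
        # the length includes the 12-byte header; a shorter value or one that runs
        # past the buffer is malformed and must be rejected before any value access
        if alen < 12 or alen > len(data) - off:
            raise ValueError("bad attribute length %d at offset %d" % (alen, off))
        name = ATTR_NAMES.get((vendor, atype))
        if name is None and flags & NOSKIP:
            raise ValueError("unknown attribute 0x%06x/0x%08x with NOSKIP set" % (vendor, atype))
        try:
            value = _decode_value(vendor, atype, data[off + 12:off + alen])
        except (struct.error, UnicodeDecodeError, IndexError) as e:
            raise ValueError("malformed value for attribute 0x%06x/0x%08x" % (vendor, atype)) from e
        attrs.append({"name": name or "unknown", "vendor": vendor, "type": atype, "value": value})
        off += alen
    return {"id": msg_id, "attributes": attrs}


if __name__ == "__main__":
    for label, dump in (("PDP -> OS IMC", PDP_REQUEST_HEX), ("OS IMC -> PDP", OS_REPLY_HEX)):
        msg = parse_pa_tnc(bytes.fromhex(dump))
        print("%s: PA-TNC message ID 0x%08x" % (label, msg["id"]))
        for a in msg["attributes"]:
            print("  %-40s %s" % (a["name"], a["value"]))
```

Run as a script, the decoder prints the same eight attributes the 16[TNC] lines list, in the same order, and the values the OS IMV logs afterwards (Debian, '7.5 x86_64', 7.5, operational/successful, the 2014-10-06T19:31:00Z boot time, forwarding enabled, factory default password disabled, the device ID). The same walk applies to the 28-byte Max Attribute Size messages exchanged with the SWID IMC above; with the 12-byte PB-TNC message header and the 12-byte PB-PA header in front, they account for the 52-byte PB-PA message in the first client batch, just as the 216-byte reply plus the same 24 bytes gives the 240-byte PB-PA message in the second one.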