strongSwan

h1. Trusted Network Connect (TNC) HOWTO

The "Trusted Computing Group":http://www.trustedcomputinggroup.org/ (TCG) has defined and released an open architecture and a growing set of standards for endpoint integrity called "Trusted Network Connect":http://www.trustedcomputinggroup.org/developers/trusted_network_connect.

!TNC_Architecture.png!

strongSwan supports both the older XML-based "IF-TNCCS 1.1":http://www.trustedcomputinggroup.org/files/resource_files/64697C86-1D09-3519-ADE44ADD6B39B71D/TNC_IF-TNCCS_v1_1_r15.pdf  "TNC Client-Server Interface" and the latest "IF-TNCCS-2.0":http://www.trustedcomputinggroup.org/files/resource_files/495CA3DD-1D09-3519-AD0043966E821ECB/IF-TNCCS_TLVBinding_v2_0_r16a.pdf "TLV Bindings" but currently not the "IF-TNCCS SoH 1.0":http://www.trustedcomputinggroup.org/files/resource_files/8D2DF7F3-1D09-3519-AD76CE4433FECE07/IF-TNCCS-SOH_v1.0_r8.pdf "State of Health Protocol Bindings" used by Microsoft's Network Access Protection (NAP) framework.

The TCG IF-TNCCS 2.0 protocol is equivalent to the IETF "Posture Broker (PB) Protocol Compatible with Trusted Network Connect" (PB-TNC) defined by "RFC 5793":http://tools.ietf.org/html/rfc5793 which is part of the IETF's "Network Endpoint Assessment" (NEA) framework defined by "RFC 5209":http://tools.ietf.org/html/rfc5209.

!NEA_Architecture_small.png!

As a transport protocol to exchange IF-TNCCS 1.1 or IF-TNCCS 2.0 messages between TNC Client and TNC Server, strongSwan uses the EAP-TNC method defined by "IF-T":http://www.trustedcomputinggroup.org/files/resource_files/8CC75909-1D09-3519-ADA6958AA29CF223/TNC_IFT_v1_1_r10.pdf "Protocol Bindings for Tunneled EAP Methods 1.1". EAP-TNC as an inner non-secure protocol is then encapsulated in an outer encrypted and authenticated IKEv2-EAP-TTLS tunnel.

By activating the appropriate plugins, a strongSwan VPN Client can act as a TNC Client and a strongSwan VPN Gateway can take on either the role of a "Policy Enforcement Point" (PEP) only which forwards all EAP-TTLS packets via EAP-RADIUS to an external AAA-Server or alternatively can additionally act as a TNC Server.

* [[TNCC|Configuration as a TNC Client]]

* [[TNCS|Configuration as a TNC Server]]

* [[PEP|Configuration as a PEP with EAP-RADIUS Interface]]

strongSwan can dynamically load any number of Integrity Measurement Collectors (IMCs) and Integrity Measurement Verifiers (IMVs) that adhere to the "IF-IMC 1.2":http://www.trustedcomputinggroup.org/files/resource_files/8CB977E1-1D09-3519-AD48484530EF6639/TNC_IFIMC_v1_2_r8.pdf and "IF-IMV 1.2":http://www.trustedcomputinggroup.org/files/static_page_files/646808C3-1D09-3519-AD2E60765779A42A/TNC_IFIMV_v1_2_r8.pdf interface specifications, respectively.

h2. Deployment

* IF-TNCCS 1.1 support was introduced in October 2010 with strongSwan 4.5.0. The *tnccs_11* charon plugin uses Mike McCauley's "libtnc":http://sourceforge.net/projects/libtnc/ library. A strongSwan VPN Gateway configured as a PEP can connect to a FreeRADIUS server running the "TNC@FHH":http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh plugin.

  - TNC Client - TNC Server "Example":http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc/

  - TNC Client - PEP - FreeRADIUS "Example":http://www.strongswan.org/uml/testresults/ikev2/rw-eap-tnc-radius/

* IF-TNCCS 2.0 support was implemented by MSE master student Sansar Choinyambuu and first published with the strongSwan 4.5.1dr2 developers release in December 2010. The code does not make use of the libtnc library.

  - TNC Client - TNC Server "Example":http://www.strongswan.org/uml/testresults45dr/ikev2/rw-eap-tnc-20/