Trusted Network Connect (TNC) HOWTO » History » Version 15

« Previous - Version 15/92 (diff) - Next » - Current version
Andreas Steffen, 14.12.2010 06:27

Trusted Network Connect (TNC) HOWTO¶

The Trusted Computing Group (TCG) has defined and released an open architecture and a growing set of standards for endpoint integrity called Trusted Network Connect.

strongSwan supports both the older XML-based IF-TNCCS 1.1 "TNC Client-Server Interface" and the latest IF-TNCCS-2.0 "TLV Bindings" but currently not the IF-TNCCS SoH 1.0 "State of Health Protocol Bindings" used by Microsoft's Network Access Protection (NAP) framework.

The TCG IF-TNCCS 2.0 protocol is equivalent to the IETF "Posture Broker (PB) Protocol Compatible with Trusted Network Connect" (PB-TNC) defined by RFC 5793 which is part of the IETF's "Network Endpoint Assessment" (NEA) framework defined by RFC 5209.

NEA Architecture

As a transport protocol to exchange IF-TNCCS 1.1 or IF-TNCCS 2.0 messages between TNC Client and TNC Server, strongSwan uses the EAP-TNC method defined by IF-T "Protocol Bindings for Tunneled EAP Methods 1.1". EAP-TNC as an inner non-secure protocol is then encapsulated in an outer encrypted and authenticated IKEv2-EAP-TTLS tunnel.

By activating the appropriate plugins, a strongSwan VPN Client can act as a TNC Client and a strongSwan VPN Gateway can take on either the role of a "Policy Enforcement Point" (PEP) only which forwards all EAP-TTLS packets via EAP-RADIUS to an external AAA-Server or alternatively can additionally act as a TNC Server.

Configuration as a TNC Client

Configuration as a TNC Server

Configuration as a PEP with EAP-RADIUS Interface

strongSwan can dynamically load any number of Integrity Measurement Collectors (IMCs) and Integrity Measurement Verifiers (IMVs) that adhere to the IF-IMC 1.2 and IF-IMV 1.2 interface specifications, respectively.

Deployment¶

IF-TNCCS 1.1 support was introduced in October 2010 with the strongSwan 4.5.0 stable release. The tnccs_11 charon plugin uses Mike McCauley's libtnc library. A strongSwan VPN Gateway configured as a PEP can connect to a FreeRADIUS server running the TNC@FHH plugin.
- TNC Client - TNC Server Example
- TNC Client - PEP - FreeRADIUS Example

IF-TNCCS 2.0 support was in December 201 with the strongSwan 4.5.1dr2 developers release. The tnccs_20 charon plugin was implemented by MSE master student Sansar Choinyambuu. The code does not make use of the libtnc library.
- TNC Client - TNC Server Example

Files (5)

NEA_Architecture_small.png (40.2 KB) NEA_Architecture_small.png	NEA Architecture	Andreas Steffen, 13.12.2010 16:41
TCG_TNC_Architecture.png (86 KB) TCG_TNC_Architecture.png	TCG TNC Architecture	Andreas Steffen, 14.08.2011 15:30
raspberry_2.jpg (298 KB) raspberry_2.jpg	Raspberry Pi 2 IoT Device	Andreas Steffen, 16.08.2015 10:32
raspi_front_small.jpg (78.3 KB) raspi_front_small.jpg	Booth at CeBIT 2016	Andreas Steffen, 18.03.2016 13:38
raspi_back_small.jpg (98.2 KB) raspi_back_small.jpg	Raspberry Pi 2 Hardware	Andreas Steffen, 18.03.2016 13:39

Project

General

Profile

strongSwan

Documentation¶

Resources¶

Wiki