Andreas Steffen
9 years ago
parent
ac17ca1ad7
commit
342bc6e545
@ -0,0 +1,26 @@
|
||||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
|
||||
using EAP-TTLS authentication only with the gateway presenting a server certificate and
|
||||
the clients doing EAP-MD5 password-based authentication.
|
||||
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
|
||||
state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
|
||||
client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
|
||||
is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
|
||||
exchange PA-TNC attributes.
|
||||
<p>
|
||||
<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
|
||||
<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
|
||||
to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
|
||||
<em>Attribute Request</em> PA-TNC attribute. <b>dave</b> is instructed to do a reference
|
||||
measurement on all files in the <b>/bin</b> directory. <b>carol</b> is then prompted to
|
||||
measure a couple of individual files and the files in the <b>/bin</b> directory as
|
||||
well as to get metadata on the <b>/etc/tnc_confg</b> configuration file.
|
||||
<p>
|
||||
Since the Attestation IMV negotiates a Diffie-Hellman group for TPM-based measurements,
|
||||
the mandatory default being <b>ecp256</b>, with the strongswan.conf option
|
||||
<b>mandatory_dh_groups = no</b> no ECC support is required.
|
||||
<p>
|
||||
<b>carol</b> passes the health test and <b>dave</b> fails because IP forwarding is
|
||||
enabled. Based on these assessments which are communicated to the IMCs using the
|
||||
<em>Assessment Result</em> PA-TNC attribute, the clients are connected by gateway <b>moon</b>
|
||||
to the "rw-allow" and "rw-isolate" subnets, respectively.
|
||||
</p>
|
||||
@ -0,0 +1,20 @@
|
||||
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
|
||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
||||
dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
|
||||
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
|
||||
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
||||
moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
|
||||
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||
moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
|
||||
moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
|
||||
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
||||
moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
|
||||
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
|
||||
dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
|
||||
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
|
||||
@ -0,0 +1,23 @@
|
||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3, pts 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftid=carol@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=any
|
||||
rightsendcert=never
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
||||
@ -0,0 +1,3 @@
|
||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
|
||||
@ -0,0 +1,22 @@
|
||||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-2.0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-os {
|
||||
push_info = yes
|
||||
}
|
||||
imc-attestation {
|
||||
mandatory_dh_groups = no
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,4 @@
|
||||
#IMC configuration file for strongSwan client
|
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
||||
IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
|
||||
@ -0,0 +1,23 @@
|
||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imc 3, pts 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftid=dave@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightauth=any
|
||||
rightsendcert=never
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
||||
@ -0,0 +1,3 @@
|
||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
dave@strongswan.org : EAP "W7R0g3do"
|
||||
@ -0,0 +1,25 @@
|
||||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-2.0
|
||||
}
|
||||
tnc-imc {
|
||||
preferred_language = de
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-os {
|
||||
push_info = no
|
||||
}
|
||||
imc-attestation {
|
||||
mandatory_dh_groups = no
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,4 @@
|
||||
#IMC configuration file for strongSwan client
|
||||
|
||||
IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
|
||||
IMC "Attestation" /usr/local/lib/ipsec/imcvs/imc-attestation.so
|
||||
@ -0,0 +1,34 @@
|
||||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
charondebug="tnc 3, imv 3, pts 3"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-allow
|
||||
rightgroups=allow
|
||||
leftsubnet=10.1.0.0/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-isolate
|
||||
rightgroups=isolate
|
||||
leftsubnet=10.1.0.16/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftauth=eap-ttls
|
||||
leftfirewall=yes
|
||||
rightauth=eap-ttls
|
||||
rightid=*@strongswan.org
|
||||
rightsendcert=never
|
||||
right=%any
|
||||
@ -0,0 +1,6 @@
|
||||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
|
||||
dave@strongswan.org : EAP "W7R0g3do"
|
||||
@ -0,0 +1,29 @@
|
||||
/* Devices */
|
||||
|
||||
INSERT INTO devices ( /* 1 */
|
||||
value, product, created
|
||||
) VALUES (
|
||||
'aabbccddeeff11223344556677889900', 28, 1372330615
|
||||
);
|
||||
|
||||
/* Groups Members */
|
||||
|
||||
INSERT INTO groups_members (
|
||||
group_id, device_id
|
||||
) VALUES (
|
||||
10, 1
|
||||
);
|
||||
|
||||
INSERT INTO enforcements (
|
||||
policy, group_id, max_age, rec_fail, rec_noresult
|
||||
) VALUES (
|
||||
3, 10, 0, 2, 2
|
||||
);
|
||||
|
||||
INSERT INTO enforcements (
|
||||
policy, group_id, max_age
|
||||
) VALUES (
|
||||
16, 2, 0
|
||||
);
|
||||
|
||||
DELETE FROM enforcements WHERE id = 1;
|
||||
@ -0,0 +1,34 @@
|
||||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes md5 sha1 sha2 hmac gmp pem pkcs1 random nonce x509 revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-ttls {
|
||||
phase2_method = md5
|
||||
phase2_piggyback = yes
|
||||
phase2_tnc = yes
|
||||
}
|
||||
eap-tnc {
|
||||
protocol = tnccs-2.0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
database = sqlite:///etc/pts/config.db
|
||||
policy_script = ipsec imv_policy_manager
|
||||
plugins {
|
||||
imv-attestation {
|
||||
hash_algorithm = sha1
|
||||
dh_group = modp2048
|
||||
mandatory_dh_groups = no
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
attest {
|
||||
load = random nonce openssl sqlite
|
||||
database = sqlite:///etc/pts/config.db
|
||||
}
|
||||
|
||||
@ -0,0 +1,4 @@
|
||||
#IMV configuration file for strongSwan client
|
||||
|
||||
IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
|
||||
IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so
|
||||
@ -0,0 +1,8 @@
|
||||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::iptables-restore < /etc/iptables.flush
|
||||
carol::iptables-restore < /etc/iptables.flush
|
||||
dave::iptables-restore < /etc/iptables.flush
|
||||
carol::echo 1 > /proc/sys/net/ipv4/ip_forward
|
||||
moon::rm /etc/pts/config.db
|
||||
@ -0,0 +1,18 @@
|
||||
moon::iptables-restore < /etc/iptables.rules
|
||||
carol::iptables-restore < /etc/iptables.rules
|
||||
dave::iptables-restore < /etc/iptables.rules
|
||||
carol::echo 0 > /proc/sys/net/ipv4/ip_forward
|
||||
dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
|
||||
moon::cd /usr/local/share/strongswan/templates/database/imv; cat tables.sql data.sql /etc/pts/data1.sql | sqlite3 /etc/pts/config.db
|
||||
moon::cat /etc/tnc_config
|
||||
carol::cat /etc/tnc_config
|
||||
dave::cat /etc/tnc_config
|
||||
moon::ipsec start
|
||||
dave::ipsec start
|
||||
carol::ipsec start
|
||||
dave::sleep 1
|
||||
dave::ipsec up home
|
||||
carol::ipsec up home
|
||||
carol::sleep 1
|
||||
moon::ipsec attest --sessions
|
||||
moon::ipsec attest --devices
|
||||
@ -0,0 +1,26 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# guest instances used for this test
|
||||
|
||||
# All guest instances that are required for this test
|
||||
#
|
||||
VIRTHOSTS="alice venus moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-v-m-c-w-d.png"
|
||||
|
||||
# Guest instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# Guest instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
||||
# Guest instances on which FreeRadius is started
|
||||
#
|
||||
RADIUSHOSTS=
|
||||
|
||||
Loading…
Reference in new issue