added the ikev2/rw-eap-tnc-20 scenario based on the RFC 5792 PA-TNC protocol
This commit is contained in:
parent
510f37abd4
commit
83348c80e4
|
@ -217,6 +217,16 @@ then
|
|||
echo -n " --enable-tnccs-dynamic" >> $INSTALLSHELL
|
||||
fi
|
||||
|
||||
if [ "$USE_IMC_TEST" = "yes" ]
|
||||
then
|
||||
echo -n " --enable-imc-test" >> $INSTALLSHELL
|
||||
fi
|
||||
|
||||
if [ "$USE_IMV_TEST" = "yes" ]
|
||||
then
|
||||
echo -n " --enable-imv-test" >> $INSTALLSHELL
|
||||
fi
|
||||
|
||||
if [ "$USE_SQL" = "yes" ]
|
||||
then
|
||||
echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL
|
||||
|
|
|
@ -19,7 +19,7 @@ UMLTESTDIR=~/strongswan-testing
|
|||
|
||||
# Bzipped kernel sources
|
||||
# (file extension .tar.bz2 required)
|
||||
KERNEL=$UMLTESTDIR/linux-2.6.38.tar.bz2
|
||||
KERNEL=$UMLTESTDIR/linux-2.6.38.5.tar.bz2
|
||||
|
||||
# Extract kernel version
|
||||
KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
|
||||
|
@ -51,6 +51,8 @@ USE_TNC_IMV="yes"
|
|||
USE_TNCCS_11="yes"
|
||||
USE_TNCCS_20="yes"
|
||||
USE_TNCCS_DYNAMIC="yes"
|
||||
USE_IMC_TEST="yes"
|
||||
USE_IMV_TEST="yes"
|
||||
USE_SQL="yes"
|
||||
USE_MEDIATION="yes"
|
||||
USE_OPENSSL="yes"
|
||||
|
|
|
@ -3,7 +3,8 @@ using EAP-TTLS authentication only with the gateway presenting a server certific
|
|||
the clients doing EAP-MD5 password-based authentication.
|
||||
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
|
||||
health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
|
||||
compliant with <b>RFC 5793 PB-TNC</b>.
|
||||
compliant with <b>RFC 5793 PB-TNC</b>. The IMC and IMV communicate using the <b>RFC 5792 PA-TNC</b>
|
||||
protocol.
|
||||
<p>
|
||||
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
|
||||
clients are connected by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets,
|
||||
|
|
|
@ -6,11 +6,9 @@ dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YE
|
|||
dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
|
||||
dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
||||
moon::cat /var/log/auth.log::policy enforced on peer 'carol@strongswan.org' is 'allow'::YES
|
||||
moon::cat /var/log/daemon.log::policy enforcement point added group membership 'allow'::YES
|
||||
moon::cat /var/log/daemon.log::added group membership 'allow'::YES
|
||||
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||
moon::cat /var/log/auth.log::policy enforced on peer 'dave@strongswan.org' is 'isolate'::YES
|
||||
moon::cat /var/log/daemon.log::policy enforcement point added group membership 'isolate'::YES
|
||||
moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
|
||||
moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||
moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
||||
moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
config setup
|
||||
plutostart=no
|
||||
charondebug="tls 2, tnc 3"
|
||||
charondebug="tnc 3, imc 2"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
|
|
@ -9,3 +9,7 @@ charon {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
imc-test {
|
||||
command = allow
|
||||
}
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
#IMC configuration file for strongSwan client
|
||||
|
||||
IMC "Dummy" /usr/local/lib/libdummyimc.so
|
||||
#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
|
||||
IMC "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
config setup
|
||||
plutostart=no
|
||||
charondebug="tls 2, tnc 3"
|
||||
charondebug="tnc 3, imc 2"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
|
|
@ -9,3 +9,7 @@ charon {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
imc-test {
|
||||
command = isolate
|
||||
}
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
#IMC configuration file for strongSwan client
|
||||
|
||||
IMC "Dummy" /usr/local/lib/libdummyimc.so
|
||||
#IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
|
||||
IMC "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
config setup
|
||||
strictcrlpolicy=no
|
||||
plutostart=no
|
||||
charondebug="tls 2, tnc 3"
|
||||
charondebug="tnc 3, imv 2"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
|
|
|
@ -14,3 +14,7 @@ charon {
|
|||
}
|
||||
}
|
||||
}
|
||||
|
||||
imv-test {
|
||||
rounds = 1
|
||||
}
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
#IMV configuration file for strongSwan server
|
||||
|
||||
IMV "Dummy" /usr/local/lib/libdummyimv.so
|
||||
#IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
|
||||
IMV "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imv-test.so
|
||||
|
|
Loading…
Reference in New Issue