added the tnc/tnccs-20-retry scenario
This commit is contained in:
parent
26691de27f
commit
da73199fe5
|
@ -0,0 +1,13 @@
|
|||
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
|
||||
using EAP-TTLS authentication only with the gateway presenting a server certificate and
|
||||
the clients doing EAP-MD5 password-based authentication.
|
||||
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
|
||||
health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
|
||||
compliant with <b>RFC 5793 PB-TNC</b>. The IMC and IMV communicate are using the <b>IF-M</b>
|
||||
protocol defined by <b>RFC 5792 PA-TNC</b>.
|
||||
<p>
|
||||
The first time around both <b>carol</b> and <b>dave</b> fail the health test but they
|
||||
request a handshake retry. After remediation <b>carol</b> succeeds but <b>dave</b>
|
||||
still fails. Thus based on this second round of measurements the clients are connected
|
||||
by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
|
||||
</p>
|
|
@ -0,0 +1,19 @@
|
|||
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
|
||||
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
|
||||
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
||||
dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
|
||||
dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
|
||||
dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
||||
moon::cat /var/log/daemon.log::added group membership 'allow'::YES
|
||||
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||
moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
|
||||
moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||
moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
||||
moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
||||
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
|
||||
dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
|
||||
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
|
||||
|
|
@ -0,0 +1,23 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutostart=no
|
||||
charondebug="tnc 3, imc 2"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_CAROL
|
||||
leftid=carol@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsendcert=never
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
|
|
@ -0,0 +1,21 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-2.0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-test {
|
||||
command = isolate
|
||||
retry = yes
|
||||
retry_command = allow
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
#IMC configuration file for strongSwan client
|
||||
|
||||
IMC "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so
|
|
@ -0,0 +1,23 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
plutostart=no
|
||||
charondebug="tnc 3, imc 2"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn home
|
||||
left=PH_IP_DAVE
|
||||
leftid=dave@strongswan.org
|
||||
leftauth=eap
|
||||
leftfirewall=yes
|
||||
right=PH_IP_MOON
|
||||
rightid=@moon.strongswan.org
|
||||
rightsendcert=never
|
||||
rightsubnet=10.1.0.0/16
|
||||
auto=add
|
|
@ -0,0 +1,3 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
@ -0,0 +1,23 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-tnc {
|
||||
protocol = tnccs-2.0
|
||||
}
|
||||
tnc-imc {
|
||||
preferred_language = ru , de, en
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imc-test {
|
||||
command = isolate
|
||||
retry = yes
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
#IMC configuration file for strongSwan client
|
||||
|
||||
IMC "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so
|
|
@ -0,0 +1,36 @@
|
|||
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||
|
||||
config setup
|
||||
strictcrlpolicy=no
|
||||
plutostart=no
|
||||
charondebug="tnc 3, imv 2"
|
||||
|
||||
conn %default
|
||||
ikelifetime=60m
|
||||
keylife=20m
|
||||
rekeymargin=3m
|
||||
keyingtries=1
|
||||
keyexchange=ikev2
|
||||
|
||||
conn rw-allow
|
||||
rightgroups=allow
|
||||
leftsubnet=10.1.0.0/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-isolate
|
||||
rightgroups=isolate
|
||||
leftsubnet=10.1.0.16/28
|
||||
also=rw-eap
|
||||
auto=add
|
||||
|
||||
conn rw-eap
|
||||
left=PH_IP_MOON
|
||||
leftcert=moonCert.pem
|
||||
leftid=@moon.strongswan.org
|
||||
leftauth=eap-ttls
|
||||
leftfirewall=yes
|
||||
rightauth=eap-ttls
|
||||
rightid=*@strongswan.org
|
||||
rightsendcert=never
|
||||
right=%any
|
|
@ -0,0 +1,6 @@
|
|||
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||
|
||||
: RSA moonKey.pem
|
||||
|
||||
carol@strongswan.org : EAP "Ar3etTnp"
|
||||
dave@strongswan.org : EAP "W7R0g3do"
|
|
@ -0,0 +1,24 @@
|
|||
# /etc/strongswan.conf - strongSwan configuration file
|
||||
|
||||
charon {
|
||||
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
|
||||
multiple_authentication=no
|
||||
plugins {
|
||||
eap-ttls {
|
||||
phase2_method = md5
|
||||
phase2_piggyback = yes
|
||||
phase2_tnc = yes
|
||||
}
|
||||
eap-tnc {
|
||||
protocol = tnccs-2.0
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
libimcv {
|
||||
plugins {
|
||||
imv-test {
|
||||
rounds = 0
|
||||
}
|
||||
}
|
||||
}
|
|
@ -0,0 +1,3 @@
|
|||
#IMV configuration file for strongSwan server
|
||||
|
||||
IMV "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imv-test.so
|
|
@ -0,0 +1,6 @@
|
|||
moon::ipsec stop
|
||||
carol::ipsec stop
|
||||
dave::ipsec stop
|
||||
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||
dave::/etc/init.d/iptables stop 2> /dev/null
|
|
@ -0,0 +1,13 @@
|
|||
moon::/etc/init.d/iptables start 2> /dev/null
|
||||
carol::/etc/init.d/iptables start 2> /dev/null
|
||||
dave::/etc/init.d/iptables start 2> /dev/null
|
||||
moon::cat /etc/tnc_config
|
||||
carol::cat /etc/tnc_config
|
||||
dave::cat /etc/tnc_config
|
||||
moon::ipsec start
|
||||
carol::ipsec start
|
||||
dave::ipsec start
|
||||
carol::sleep 1
|
||||
carol::ipsec up home
|
||||
dave::ipsec up home
|
||||
dave::sleep 1
|
|
@ -0,0 +1,26 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# This configuration file provides information on the
|
||||
# UML instances used for this test
|
||||
|
||||
# All UML instances that are required for this test
|
||||
#
|
||||
UMLHOSTS="alice venus moon carol winnetou dave"
|
||||
|
||||
# Corresponding block diagram
|
||||
#
|
||||
DIAGRAM="a-v-m-c-w-d.png"
|
||||
|
||||
# UML instances on which tcpdump is to be started
|
||||
#
|
||||
TCPDUMPHOSTS="moon"
|
||||
|
||||
# UML instances on which IPsec is started
|
||||
# Used for IPsec logging purposes
|
||||
#
|
||||
IPSECHOSTS="moon carol dave"
|
||||
|
||||
# UML instances on which FreeRadius is started
|
||||
#
|
||||
RADIUSHOSTS=
|
||||
|
Loading…
Reference in New Issue