added the tnc/tnccs-20-retry scenario
This commit is contained in:
parent
26691de27f
commit
da73199fe5
|
@ -0,0 +1,13 @@
|
||||||
|
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
|
||||||
|
using EAP-TTLS authentication only with the gateway presenting a server certificate and
|
||||||
|
the clients doing EAP-MD5 password-based authentication.
|
||||||
|
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
|
||||||
|
health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
|
||||||
|
compliant with <b>RFC 5793 PB-TNC</b>. The IMC and IMV communicate are using the <b>IF-M</b>
|
||||||
|
protocol defined by <b>RFC 5792 PA-TNC</b>.
|
||||||
|
<p>
|
||||||
|
The first time around both <b>carol</b> and <b>dave</b> fail the health test but they
|
||||||
|
request a handshake retry. After remediation <b>carol</b> succeeds but <b>dave</b>
|
||||||
|
still fails. Thus based on this second round of measurements the clients are connected
|
||||||
|
by gateway <b>moon</b> to the "rw-allow" and "rw-isolate" subnets, respectively.
|
||||||
|
</p>
|
|
@ -0,0 +1,19 @@
|
||||||
|
carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
|
||||||
|
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
|
||||||
|
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||||
|
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
|
||||||
|
dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
|
||||||
|
dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
|
||||||
|
dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
|
||||||
|
dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
|
||||||
|
moon::cat /var/log/daemon.log::added group membership 'allow'::YES
|
||||||
|
moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
|
||||||
|
moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
|
||||||
|
moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
|
||||||
|
moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
|
||||||
|
moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
|
||||||
|
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
|
||||||
|
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
|
||||||
|
dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
|
||||||
|
dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
|
||||||
|
|
|
@ -0,0 +1,23 @@
|
||||||
|
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||||
|
|
||||||
|
config setup
|
||||||
|
plutostart=no
|
||||||
|
charondebug="tnc 3, imc 2"
|
||||||
|
|
||||||
|
conn %default
|
||||||
|
ikelifetime=60m
|
||||||
|
keylife=20m
|
||||||
|
rekeymargin=3m
|
||||||
|
keyingtries=1
|
||||||
|
keyexchange=ikev2
|
||||||
|
|
||||||
|
conn home
|
||||||
|
left=PH_IP_CAROL
|
||||||
|
leftid=carol@strongswan.org
|
||||||
|
leftauth=eap
|
||||||
|
leftfirewall=yes
|
||||||
|
right=PH_IP_MOON
|
||||||
|
rightid=@moon.strongswan.org
|
||||||
|
rightsendcert=never
|
||||||
|
rightsubnet=10.1.0.0/16
|
||||||
|
auto=add
|
|
@ -0,0 +1,3 @@
|
||||||
|
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||||
|
|
||||||
|
carol@strongswan.org : EAP "Ar3etTnp"
|
|
@ -0,0 +1,21 @@
|
||||||
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
|
charon {
|
||||||
|
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
|
||||||
|
multiple_authentication=no
|
||||||
|
plugins {
|
||||||
|
eap-tnc {
|
||||||
|
protocol = tnccs-2.0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
libimcv {
|
||||||
|
plugins {
|
||||||
|
imc-test {
|
||||||
|
command = isolate
|
||||||
|
retry = yes
|
||||||
|
retry_command = allow
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,3 @@
|
||||||
|
#IMC configuration file for strongSwan client
|
||||||
|
|
||||||
|
IMC "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so
|
|
@ -0,0 +1,23 @@
|
||||||
|
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||||
|
|
||||||
|
config setup
|
||||||
|
plutostart=no
|
||||||
|
charondebug="tnc 3, imc 2"
|
||||||
|
|
||||||
|
conn %default
|
||||||
|
ikelifetime=60m
|
||||||
|
keylife=20m
|
||||||
|
rekeymargin=3m
|
||||||
|
keyingtries=1
|
||||||
|
keyexchange=ikev2
|
||||||
|
|
||||||
|
conn home
|
||||||
|
left=PH_IP_DAVE
|
||||||
|
leftid=dave@strongswan.org
|
||||||
|
leftauth=eap
|
||||||
|
leftfirewall=yes
|
||||||
|
right=PH_IP_MOON
|
||||||
|
rightid=@moon.strongswan.org
|
||||||
|
rightsendcert=never
|
||||||
|
rightsubnet=10.1.0.0/16
|
||||||
|
auto=add
|
|
@ -0,0 +1,3 @@
|
||||||
|
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||||
|
|
||||||
|
dave@strongswan.org : EAP "W7R0g3do"
|
|
@ -0,0 +1,23 @@
|
||||||
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
|
charon {
|
||||||
|
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
|
||||||
|
multiple_authentication=no
|
||||||
|
plugins {
|
||||||
|
eap-tnc {
|
||||||
|
protocol = tnccs-2.0
|
||||||
|
}
|
||||||
|
tnc-imc {
|
||||||
|
preferred_language = ru , de, en
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
libimcv {
|
||||||
|
plugins {
|
||||||
|
imc-test {
|
||||||
|
command = isolate
|
||||||
|
retry = yes
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,3 @@
|
||||||
|
#IMC configuration file for strongSwan client
|
||||||
|
|
||||||
|
IMC "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imc-test.so
|
|
@ -0,0 +1,36 @@
|
||||||
|
# /etc/ipsec.conf - strongSwan IPsec configuration file
|
||||||
|
|
||||||
|
config setup
|
||||||
|
strictcrlpolicy=no
|
||||||
|
plutostart=no
|
||||||
|
charondebug="tnc 3, imv 2"
|
||||||
|
|
||||||
|
conn %default
|
||||||
|
ikelifetime=60m
|
||||||
|
keylife=20m
|
||||||
|
rekeymargin=3m
|
||||||
|
keyingtries=1
|
||||||
|
keyexchange=ikev2
|
||||||
|
|
||||||
|
conn rw-allow
|
||||||
|
rightgroups=allow
|
||||||
|
leftsubnet=10.1.0.0/28
|
||||||
|
also=rw-eap
|
||||||
|
auto=add
|
||||||
|
|
||||||
|
conn rw-isolate
|
||||||
|
rightgroups=isolate
|
||||||
|
leftsubnet=10.1.0.16/28
|
||||||
|
also=rw-eap
|
||||||
|
auto=add
|
||||||
|
|
||||||
|
conn rw-eap
|
||||||
|
left=PH_IP_MOON
|
||||||
|
leftcert=moonCert.pem
|
||||||
|
leftid=@moon.strongswan.org
|
||||||
|
leftauth=eap-ttls
|
||||||
|
leftfirewall=yes
|
||||||
|
rightauth=eap-ttls
|
||||||
|
rightid=*@strongswan.org
|
||||||
|
rightsendcert=never
|
||||||
|
right=%any
|
|
@ -0,0 +1,6 @@
|
||||||
|
# /etc/ipsec.secrets - strongSwan IPsec secrets file
|
||||||
|
|
||||||
|
: RSA moonKey.pem
|
||||||
|
|
||||||
|
carol@strongswan.org : EAP "Ar3etTnp"
|
||||||
|
dave@strongswan.org : EAP "W7R0g3do"
|
|
@ -0,0 +1,24 @@
|
||||||
|
# /etc/strongswan.conf - strongSwan configuration file
|
||||||
|
|
||||||
|
charon {
|
||||||
|
load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
|
||||||
|
multiple_authentication=no
|
||||||
|
plugins {
|
||||||
|
eap-ttls {
|
||||||
|
phase2_method = md5
|
||||||
|
phase2_piggyback = yes
|
||||||
|
phase2_tnc = yes
|
||||||
|
}
|
||||||
|
eap-tnc {
|
||||||
|
protocol = tnccs-2.0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
libimcv {
|
||||||
|
plugins {
|
||||||
|
imv-test {
|
||||||
|
rounds = 0
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -0,0 +1,3 @@
|
||||||
|
#IMV configuration file for strongSwan server
|
||||||
|
|
||||||
|
IMV "Test" /usr/local/libexec/ipsec/plugins/libstrongswan-imv-test.so
|
|
@ -0,0 +1,6 @@
|
||||||
|
moon::ipsec stop
|
||||||
|
carol::ipsec stop
|
||||||
|
dave::ipsec stop
|
||||||
|
moon::/etc/init.d/iptables stop 2> /dev/null
|
||||||
|
carol::/etc/init.d/iptables stop 2> /dev/null
|
||||||
|
dave::/etc/init.d/iptables stop 2> /dev/null
|
|
@ -0,0 +1,13 @@
|
||||||
|
moon::/etc/init.d/iptables start 2> /dev/null
|
||||||
|
carol::/etc/init.d/iptables start 2> /dev/null
|
||||||
|
dave::/etc/init.d/iptables start 2> /dev/null
|
||||||
|
moon::cat /etc/tnc_config
|
||||||
|
carol::cat /etc/tnc_config
|
||||||
|
dave::cat /etc/tnc_config
|
||||||
|
moon::ipsec start
|
||||||
|
carol::ipsec start
|
||||||
|
dave::ipsec start
|
||||||
|
carol::sleep 1
|
||||||
|
carol::ipsec up home
|
||||||
|
dave::ipsec up home
|
||||||
|
dave::sleep 1
|
|
@ -0,0 +1,26 @@
|
||||||
|
#!/bin/bash
|
||||||
|
#
|
||||||
|
# This configuration file provides information on the
|
||||||
|
# UML instances used for this test
|
||||||
|
|
||||||
|
# All UML instances that are required for this test
|
||||||
|
#
|
||||||
|
UMLHOSTS="alice venus moon carol winnetou dave"
|
||||||
|
|
||||||
|
# Corresponding block diagram
|
||||||
|
#
|
||||||
|
DIAGRAM="a-v-m-c-w-d.png"
|
||||||
|
|
||||||
|
# UML instances on which tcpdump is to be started
|
||||||
|
#
|
||||||
|
TCPDUMPHOSTS="moon"
|
||||||
|
|
||||||
|
# UML instances on which IPsec is started
|
||||||
|
# Used for IPsec logging purposes
|
||||||
|
#
|
||||||
|
IPSECHOSTS="moon carol dave"
|
||||||
|
|
||||||
|
# UML instances on which FreeRadius is started
|
||||||
|
#
|
||||||
|
RADIUSHOSTS=
|
||||||
|
|
Loading…
Reference in New Issue