From: Andreas Steffen Date: Thu, 26 Jun 2014 07:47:03 +0000 (+0200) Subject: Updated description of TNC scenarios concerning RFC 7171 PT-EAP support X-Git-Tag: 5.2.0rc1~10 X-Git-Url: https://git.strongswan.org/?p=strongswan.git;a=commitdiff_plain;h=75598e5053ee8a88a45dbdd9cc5760b789c28f4e Updated description of TNC scenarios concerning RFC 7171 PT-EAP support --- diff --git a/testing/tests/tnc/tnccs-20-os/description.txt b/testing/tests/tnc/tnccs-20-os/description.txt index 9411134..c4a2c90 100644 --- a/testing/tests/tnc/tnccs-20-os/description.txt +++ b/testing/tests/tnc/tnccs-20-os/description.txt @@ -1,12 +1,13 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -state of carol's and dave's operating system via the TNCCS 2.0 -client-server interface compliant with RFC 5793 PB-TNC. The OS IMC and OS IMV pair -is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC to -exchange PA-TNC attributes. -

+

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS tunnel +to determine the state of carol's and dave's operating system via the IF-TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The OS and Attestation IMCs +exchange PA-TNC attributes with the OS IMV via the IF-M 1.0 measurement protocol +defined by RFC 5792 PA-TNC. +

carol sends information on her operating system consisting of the PA-TNC attributes Product Information, String Version, Numeric Version, Operational Status, Forwarding Enabled, Factory Default Password Enabled diff --git a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt index 2997650..febf074 100644 --- a/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt +++ b/testing/tests/tnc/tnccs-20-pts-no-ecc/description.txt @@ -1,12 +1,13 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -state of carol's and dave's operating system via the TNCCS 2.0 -client-server interface compliant with RFC 5793 PB-TNC. The OS IMC and OS IMV pair -is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC to -exchange PA-TNC attributes. -

+

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS +tunnel to determine the state of carol's and dave's operating system via the +TNCCS 2.0 client-server interface compliant with RFC 5793 PB-TNC. The OS IMC +and OS IMV pair is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC +to exchange PA-TNC attributes. +

carol sends information on her operating system consisting of the PA-TNC attributes Product Information, String Version, and Device ID up-front to the Attestation IMV, whereas dave must be prompted by the IMV to do so via an @@ -14,7 +15,7 @@ to the Attestation IMV, whereas dave must be prompted by the IMV to do so measurement on all files in the /bin directory. carol is then prompted to measure a couple of individual files and the files in the /bin directory as well as to get metadata on the /etc/tnc_confg configuration file. -

+

Since the Attestation IMV negotiates a Diffie-Hellman group for TPM-based measurements, the mandatory default being ecp256, with the strongswan.conf option mandatory_dh_groups = no no ECC support is required. diff --git a/testing/tests/tnc/tnccs-20-pts/description.txt b/testing/tests/tnc/tnccs-20-pts/description.txt index 0a4716c..e532ab2 100644 --- a/testing/tests/tnc/tnccs-20-pts/description.txt +++ b/testing/tests/tnc/tnccs-20-pts/description.txt @@ -1,12 +1,13 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -state of carol's and dave's operating system via the TNCCS 2.0 +

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS tunnel +to determine the state of carol's and dave's operating system via the TNCCS 2.0 client-server interface compliant with RFC 5793 PB-TNC. The OS and Attestation IMCs exchange PA-TNC attributes with the OS IMV via the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC. -

+

carol sends information on her operating system consisting of the PA-TNC attributes Product Information, String Version, and Device ID up-front to the Attestation IMV, whereas dave must be prompted by the IMV to do so via an diff --git a/testing/tests/tnc/tnccs-20-server-retry/description.txt b/testing/tests/tnc/tnccs-20-server-retry/description.txt index b37fbd4..f9ee7b8 100644 --- a/testing/tests/tnc/tnccs-20-server-retry/description.txt +++ b/testing/tests/tnc/tnccs-20-server-retry/description.txt @@ -1,10 +1,11 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the TNCCS 2.0 client-server interface -compliant with RFC 5793 PB-TNC. The IMC and IMV communicate are using the IF-M -protocol defined by RFC 5792 PA-TNC. +

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS +tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The IMCs and IMVs exchange +messages over the IF-M protocol defined by RFC 5792 PA-TNC.

The first time the TNC clients carol and dave send their measurements, TNC server moon requests a handshake retry. In the retry carol succeeds diff --git a/testing/tests/tnc/tnccs-20-tls/description.txt b/testing/tests/tnc/tnccs-20-tls/description.txt index a032d2d..f193bd2 100644 --- a/testing/tests/tnc/tnccs-20-tls/description.txt +++ b/testing/tests/tnc/tnccs-20-tls/description.txt @@ -1,9 +1,10 @@ The roadwarriors carol and dave set up a connection each to gateway moon, both ends doing certificate-based EAP-TLS authentication only. -In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the -health of carol and dave via the IF-TNCCS 2.0 client-server interface -compliant with RFC 5793 PB-TNC. The IMC and IMV communicate are using the IF-M -protocol defined by RFC 5792 PA-TNC. +

+In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS +tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 +client-server interface compliant with RFC 5793 PB-TNC. The IMCs and IMVs exchange +messages over the IF-M protocol defined by RFC 5792 PA-TNC.

carol passes the health test and dave fails. Based on these measurements the clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, diff --git a/testing/tests/tnc/tnccs-dynamic/description.txt b/testing/tests/tnc/tnccs-dynamic/description.txt index 21e9bc6..86f6323 100644 --- a/testing/tests/tnc/tnccs-dynamic/description.txt +++ b/testing/tests/tnc/tnccs-dynamic/description.txt @@ -1,6 +1,7 @@ The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication. +

In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the health of TNC client carol via the TNCCS 1.1 client-server interface and of TNC client dave via the TNCCS 2.0 client-server interface. TNC server
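Review bot: In the tnccs-20-os hunk, the rewritten paragraph now says "The OS and Attestation IMCs exchange PA-TNC attributes with the OS IMV", replacing the old "The OS IMC and OS IMV pair"; that adds an Attestation IMC to an OS-only scenario, which is more than the PT-EAP wording update the commit message announces. If tnccs-20-os only loads the OS IMC, keep "The OS IMC and OS IMV pair is using the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC to exchange PA-TNC attributes."; if it now also loads the Attestation IMC, say so in the commit message.

Review bot: In the tnccs-20-pts-no-ecc hunk, the new paragraph describes only "The OS IMC and OS IMV pair", yet the unchanged text right below has carol sending attributes "to the Attestation IMV" and the second hunk of the same file talks about TPM-based measurements; this paragraph looks swapped with the one written for tnccs-20-os. Suggest the wording used in the tnccs-20-pts hunk ("The OS and Attestation IMCs exchange PA-TNC attributes ..."), and "IF-TNCCS 2.0" instead of "TNCCS 2.0" so that all six files name the interface the same way (tnccs-20-os, tnccs-20-server-retry and tnccs-20-tls say "IF-TNCCS 2.0", tnccs-20-pts and tnccs-20-pts-no-ecc keep "TNCCS 2.0").

Review bot: In the tnccs-20-pts hunk, the new text says the IMCs "exchange PA-TNC attributes with the OS IMV", but the retained paragraph immediately after it says carol sends Product Information, String Version and Device ID "up-front to the Attestation IMV"; state which IMVs take part, e.g. "with the OS and Attestation IMVs", so the two paragraphs agree.

Review bot: In the tnccs-20-tls hunk the unchanged first sentence says both ends do "certificate-based EAP-TLS authentication only", while the new paragraph keeps "within the EAP-TTLS tunnel"; the description never says how the two relate. If EAP-TLS is the inner method of an EAP-TTLS tunnel in this scenario, say so in the first sentence; otherwise the "EAP-TTLS tunnel" wording carried over from the old text is stale.

Review bot: The tnccs-dynamic hunk only inserts a blank line and leaves "the EAP-TNC protocol is used within the EAP-TTLS tunnel" untouched, so this file is not actually updated for RFC 7171 PT-EAP as the subject line claims. Either reword it like the other files (at least for dave, who uses the TNCCS 2.0 interface) or note in the commit message why the legacy wording is kept; a blank-line-only change is otherwise better dropped from this commit.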