summaryrefslogtreecommitdiff
path: root/testing/tests/tnc/tnccs-20-pts
diff options
context:
space:
mode:
authorYves-Alexis Perez <corsac@debian.org>2014-07-11 07:23:31 +0200
committerYves-Alexis Perez <corsac@debian.org>2014-07-11 07:23:31 +0200
commit81c63b0eed39432878f78727f60a1e7499645199 (patch)
tree82387d8fecd1c20788fd8bd784a9b0bde091fb6b /testing/tests/tnc/tnccs-20-pts
parentc5ebfc7b9c16551fe825dc1d79c3f7e2f096f6c9 (diff)
downloadvyos-strongswan-81c63b0eed39432878f78727f60a1e7499645199.tar.gz
vyos-strongswan-81c63b0eed39432878f78727f60a1e7499645199.zip
Imported Upstream version 5.2.0
Diffstat (limited to 'testing/tests/tnc/tnccs-20-pts')
-rw-r--r--testing/tests/tnc/tnccs-20-pts/description.txt13
-rw-r--r--testing/tests/tnc/tnccs-20-pts/evaltest.dat16
-rw-r--r--testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf8
-rw-r--r--testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf6
-rw-r--r--testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql2
-rw-r--r--testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf7
-rw-r--r--testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config1
7 files changed, 23 insertions, 30 deletions
diff --git a/testing/tests/tnc/tnccs-20-pts/description.txt b/testing/tests/tnc/tnccs-20-pts/description.txt
index e78a70091..e532ab2cf 100644
--- a/testing/tests/tnc/tnccs-20-pts/description.txt
+++ b/testing/tests/tnc/tnccs-20-pts/description.txt
@@ -1,12 +1,13 @@
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gateway <b>moon</b>
using EAP-TTLS authentication only with the gateway presenting a server certificate and
the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0 </b>
-client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS IMC and OS IMV pair
-is using the <b>IF-M 1.0</b> measurement protocol defined by <b>RFC 5792 PA-TNC</b> to
-exchange PA-TNC attributes.
-<p>
+<p/>
+In a next step the <b>RFC 7171 PT-EAP</b> transport protocol is used within the EAP-TTLS tunnel
+to determine the state of <b>carol</b>'s and <b>dave</b>'s operating system via the <b>TNCCS 2.0</b>
+client-server interface compliant with <b>RFC 5793 PB-TNC</b>. The OS and Attestation IMCs
+exchange PA-TNC attributes with the OS IMV via the <b>IF-M 1.0</b> measurement protocol
+defined by <b>RFC 5792 PA-TNC</b>.
+<p/>
<b>carol</b> sends information on her operating system consisting of the PA-TNC attributes
<em>Product Information</em>, <em>String Version</em>, and <em>Device ID</em> up-front
to the Attestation IMV, whereas <b>dave</b> must be prompted by the IMV to do so via an
diff --git a/testing/tests/tnc/tnccs-20-pts/evaltest.dat b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
index 5eb944055..2d18138e4 100644
--- a/testing/tests/tnc/tnccs-20-pts/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pts/evaltest.dat
@@ -2,19 +2,19 @@ carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'
carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*carol@strongswan.org - allow::YES
+dave:: cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/28::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*carol@strongswan.org - allow::YES
moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon:: ipsec attest --session 2> /dev/null::Debian 7.2 x86_64.*dave@strongswan.org - isolate::YES
-moon:: cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon:: ipsec attest --session 2> /dev/null::Debian 7.5 x86_64.*dave@strongswan.org - allow::YES
+moon:: cat /var/log/daemon.log::added group membership 'allow'::YES
moon:: cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon:: ipsec statusall 2> /dev/null::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+moon:: ipsec statusall 2> /dev/null::rw-allow.*10.1.0.0/28 === 192.168.0.200/32::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
-dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::YES
-dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::NO
+dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_req=1::YES
+dave:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_req=1::NO
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
index e6046833c..f64fe6a0c 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/carol/etc/strongswan.conf
@@ -2,12 +2,8 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-tnccs tnc-imc tnccs-20 updown
- multiple_authentication=no
- plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
- }
+
+ multiple_authentication = no
}
libimcv {
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
index 3236a18fa..79c79b87f 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/dave/etc/strongswan.conf
@@ -2,11 +2,9 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
- multiple_authentication=no
+
+ multiple_authentication = no
plugins {
- eap-tnc {
- protocol = tnccs-2.0
- }
tnc-imc {
preferred_language = de
}
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql
index 2bb7e7924..8b36df5e3 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/pts/data1.sql
@@ -3,7 +3,7 @@
INSERT INTO devices ( /* 1 */
value, product, created
) VALUES (
- 'aabbccddeeff11223344556677889900', 28, 1372330615
+ 'aabbccddeeff11223344556677889900', 42, 1372330615
);
/* Groups Members */
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
index 0298a5151..e81908f31 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/strongswan.conf
@@ -2,16 +2,15 @@
charon {
load = curl openssl pem pkcs1 random nonce revocation stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnc-imv tnc-tnccs tnccs-20 updown sqlite
- multiple_authentication=no
+
+ multiple_authentication = no
+
plugins {
eap-ttls {
phase2_method = md5
phase2_piggyback = yes
phase2_tnc = yes
}
- eap-tnc {
- protocol = tnccs-2.0
- }
}
}
diff --git a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
index 6507baaa1..4865036f4 100644
--- a/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-20-pts/hosts/moon/etc/tnc_config
@@ -1,4 +1,3 @@
#IMV configuration file for strongSwan client
-IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
IMV "Attestation" /usr/local/lib/ipsec/imcvs/imv-attestation.so