path: root/testing/tests/tnc
Diffstat (limited to 'testing/tests/tnc')
-rw-r--r--  testing/tests/tnc/tnccs-11-fhh/description.txt                                 2
-rw-r--r--  testing/tests/tnc/tnccs-11-radius-block/description.txt                        4
-rw-r--r--  testing/tests/tnc/tnccs-11-radius-pts/description.txt                          2
-rw-r--r--  testing/tests/tnc/tnccs-11-radius/description.txt                              2
-rw-r--r--  testing/tests/tnc/tnccs-11-supplicant/description.txt                          2
-rw-r--r--  testing/tests/tnc/tnccs-20-fhh/description.txt                                 4
-rw-r--r--  testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat                             4
-rw-r--r--  testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules           6
-rw-r--r--  testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf          5
-rw-r--r--  testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf~        34
-rw-r--r--  testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf                3
-rw-r--r--  testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets             3
-rw-r--r--  testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf           3
-rw-r--r--  testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf                                2
14 files changed, 66 insertions, 10 deletions
diff --git a/testing/tests/tnc/tnccs-11-fhh/description.txt b/testing/tests/tnc/tnccs-11-fhh/description.txt
index 406b163e1..8ce1157e9 100644
--- a/testing/tests/tnc/tnccs-11-fhh/description.txt
+++ b/testing/tests/tnc/tnccs-11-fhh/description.txt
@@ -4,7 +4,7 @@ the clients doing EAP-MD5 password-based authentication.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
The Dummy IMC and IMV from the
-<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup">
+<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
<b>TNC@FHH</b></a> project are used which communicate over a proprietary protocol.
<p>
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
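Review bot: the replacement link is still plain `http://` (`http://trust.f4.hs-hannover.de/projects/tncatfhh.html`); since the same URL is swapped in five description files in this commit, it is worth checking once whether the new host serves the page over HTTPS and, if so, using that scheme everywhere so the descriptions do not point readers at an unencrypted link.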
diff --git a/testing/tests/tnc/tnccs-11-radius-block/description.txt b/testing/tests/tnc/tnccs-11-radius-block/description.txt
index 55b63ed47..67b1a2a34 100644
--- a/testing/tests/tnc/tnccs-11-radius-block/description.txt
+++ b/testing/tests/tnc/tnccs-11-radius-block/description.txt
@@ -2,7 +2,7 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gatewa
At the outset the gateway authenticates itself to the clients by sending an IKEv2
<b>RSA signature</b> accompanied by a certificate.
<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
-<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup">
+<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
@@ -10,5 +10,5 @@ health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server
The IMC and IMV communicate are using the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
<p>
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements <b>carol</b>
-is authenticated successfully and is granted access to the subnet behind <b>moon</b> whereas
+is authenticated successfully and is granted access to the subnet behind <b>moon</b> whereas
<b>dave</b> fails the layered EAP authentication and is rejected.
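Review bot: the `-`/`+` pair for the "is authenticated successfully ... whereas" line is byte-identical in the visible text, so this looks like a trailing-whitespace-only change; that is fine, but the surrounding context line "The IMC and IMV communicate are using the <b>IF-M</b> protocol" has a grammar slip ("communicate are using") that could be corrected to "communicate using" while this file is being touched.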
diff --git a/testing/tests/tnc/tnccs-11-radius-pts/description.txt b/testing/tests/tnc/tnccs-11-radius-pts/description.txt
index f71837b6d..d5729dd7b 100644
--- a/testing/tests/tnc/tnccs-11-radius-pts/description.txt
+++ b/testing/tests/tnc/tnccs-11-radius-pts/description.txt
@@ -2,7 +2,7 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gatewa
At the outset the gateway authenticates itself to the clients by sending an IKEv2
<b>RSA signature</b> accompanied by a certificate.
<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
-<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup">
+<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
diff --git a/testing/tests/tnc/tnccs-11-radius/description.txt b/testing/tests/tnc/tnccs-11-radius/description.txt
index 83e5b96f3..4017c6eda 100644
--- a/testing/tests/tnc/tnccs-11-radius/description.txt
+++ b/testing/tests/tnc/tnccs-11-radius/description.txt
@@ -2,7 +2,7 @@ The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each to gatewa
At the outset the gateway authenticates itself to the clients by sending an IKEv2
<b>RSA signature</b> accompanied by a certificate.
<b>carol</b> and <b>dave</b> then set up an <b>EAP-TTLS</b> tunnel each via <b>moon</b> to the
-<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup">
+<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
<b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
diff --git a/testing/tests/tnc/tnccs-11-supplicant/description.txt b/testing/tests/tnc/tnccs-11-supplicant/description.txt
index 6505750b2..5d0155382 100644
--- a/testing/tests/tnc/tnccs-11-supplicant/description.txt
+++ b/testing/tests/tnc/tnccs-11-supplicant/description.txt
@@ -1,7 +1,7 @@
The layer 2 supplicants <b>carol</b> and <b>dave</b> want to connect to a network
via switch <b>moon</b> which delegates the IEEE 802.1X authentication to the RADIUS
server <b>alice</b>. <b>carol</b> and <b>dave</b> set up an <b>EAP-TTLS</b> tunnel
-each via <b>moon</b> to the <a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup"> <b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated
+each via <b>moon</b> to the <a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup"> <b>TNC@FHH</b></a>-enhanced FreeRADIUS server <b>alice</b> authenticated
by an X.509 AAA certificate.
The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
diff --git a/testing/tests/tnc/tnccs-20-fhh/description.txt b/testing/tests/tnc/tnccs-20-fhh/description.txt
index e68f363bb..8bf1543d2 100644
--- a/testing/tests/tnc/tnccs-20-fhh/description.txt
+++ b/testing/tests/tnc/tnccs-20-fhh/description.txt
@@ -3,8 +3,8 @@ using EAP-TTLS authentication only with the gateway presenting a server certific
the clients doing EAP-MD5 password-based authentication.
In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
health of <b>carol</b> and <b>dave</b> via the <b>TNCCS 2.0 </b> client-server interface
-compliant with <b>RFC 5793 PB-TNC</b>. The Dummy IMC and IMV from the
-<a href="http://trust.inform.fh-hannover.de/joomla/index.php/projects/tncfhh" target="popup">
+compliant with <b>RFC 5793 PB-TNC</b>. The Dummy IMC and IMV from the
+<a href="http://trust.f4.hs-hannover.de/projects/tncatfhh.html" target="popup">
<b>TNC@FHH</b></a> project are used which communicate over a proprietary protocol.
<p>
<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
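Review bot: as in the radius-block description, the `-compliant with ...`/`+compliant with ...` pair is identical in the visible text, so it is most likely a trailing-whitespace fix riding along with the URL change; mention whitespace cleanup in the commit message so the extra changed line is not mistaken for a content edit.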
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
index 3b48073e6..c3409fd66 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/evaltest.dat
@@ -9,6 +9,8 @@ alice::cat /var/log/daemon.log::certificate status is good::YES
alice::cat /var/log/daemon.log::skipping SASL, client already authenticated by TLS certificate::YES
alice::cat /var/log/daemon.log::user AR identity.*C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org.*authenticated by certificate::YES
alice::cat /var/log/daemon.log::received SWID tag inventory with ... items for request 3 at eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.200 is blocked::YES
+moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES
alice::cat /var/log/daemon.log::accepting PT-TLS stream from PH_IP_CAROL::YES
alice::cat /var/log/daemon.log::SASL PLAIN authentication successful::YES
alice::cat /var/log/daemon.log::SASL client identity is.*carol::YES
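Review bot: the new line `moon:: cat /var/log/auth.log::host with IP address 192.168.0.200 is blocked::YES` has a space after the second `::`, unlike every other entry in the file (and the matching `moon::cat ...` line in the next hunk); unless the evaltest parser is known to trim that field, drop the space so the command string is consistent with the rest of the file.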
@@ -17,3 +19,5 @@ alice::cat /var/log/daemon.log::received SWID tag ID inventory with ... items fo
alice::cat /var/log/daemon.log::1 SWID tag target::YES
alice::cat /var/log/daemon.log::received SWID tag inventory with 1 item for request 9 at eid 1 of epoch::YES
alice::cat /var/log/daemon.log::regid.2004-03.org.strongswan_strongSwan-::YES
+alice::cat /var/log/daemon.log::successful system command: ssh root@moon.*logger -t charon -p auth.alert.*host with IP address 192.168.0.100 is allowed::YES
+moon::cat /var/log/auth.log::host with IP address 192.168.0.100 is allowed::YES
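Review bot: the two new expectations hard-code `192.168.0.100` (and `192.168.0.200` in the previous hunk) while the existing line above uses the `PH_IP_CAROL` placeholder for carol's address; consider using the `PH_IP_CAROL`/`PH_IP_DAVE` placeholders in the `ssh root@moon` and `auth.log` patterns too, so the test does not silently break if the guest addressing changes.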
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules
index 1586214d8..48b1cf5a6 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/iptables.rules
@@ -13,10 +13,14 @@
-A INPUT -i eth0 -p tcp --dport 271 -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 271 -j ACCEPT
-# allow ssh
+# allow inbound ssh
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -j ACCEPT
+# allow outbound ssh
+-A OUTPU -p tcp --dport 22 -j ACCEPT
+-A INPUT -p tcp --sport 22 -j ACCEPT
+
# allow crl fetch from winnetou
-A INPUT -i eth0 -p tcp --sport 80 -s 192.168.0.150 -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -d 192.168.0.150 -j ACCEPT
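Review bot: `+-A OUTPU -p tcp --dport 22 -j ACCEPT` misspells the chain name (`OUTPU` instead of `OUTPUT`); `iptables-restore` will reject the rule set on a chain that does not exist, so the whole file fails to load and the outbound ssh from alice to moon that the new `command_allow`/`command_block` hooks depend on never gets through. Correct the line to `-A OUTPUT -p tcp --dport 22 -j ACCEPT`. Also note the new rules are not bound to `-i eth0`/`-o eth0` like the port 271 and port 80 rules in the same file; if that is intentional (ssh on any interface), a comment saying so would help.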
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
index 935973c36..857e6d6d6 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf
@@ -27,3 +27,8 @@ libimcv {
}
}
}
+
+imv_policy_manager {
+ command_allow = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is allowed\""'
+ command_block = ssh root@moon 'logger -t charon -p auth.alert "\"host with IP address %s is blocked\""'
+}
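Review bot: the `%s` in `command_allow`/`command_block` is expanded into a command line that is handed to a shell and then to `ssh root@moon`, with the value sitting inside nested single and double quotes; confirm that the policy manager only ever substitutes a validated IP address string at that position, and document the quoting in a comment, since the escaped `\"` layering is easy to break on later edits. This hook also assumes non-interactive root ssh from alice to moon is already set up in the test environment; a short comment stating that prerequisite would make the scenario easier to reproduce.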
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf~ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf~
new file mode 100644
index 000000000..87dd585b6
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/strongswan.conf~
@@ -0,0 +1,34 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = pem pkcs1 nonce x509 openssl curl revocation constraints socket-default kernel-netlink stroke tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+
+ plugins {
+ tnc-pdp {
+ server = aaa.strongswan.org
+ radius {
+ secret = gv6URkSs
+ }
+ }
+ }
+}
+
+libtls {
+ suites = TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+}
+
+libimcv {
+ database = sqlite:///etc/pts/config.db
+ policy_script = ipsec imv_policy_manager
+
+ plugins {
+ imv-swid {
+ rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+ }
+ }
+}
+
+imv_policy_manager {
+ command_allow = host with IP address %s is allowed
+ command_block = host with IP address %s is blocked
+}
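Review bot: `hosts/alice/etc/strongswan.conf~` is an editor backup file (trailing `~`) and should not be committed; it is a stale copy of `strongswan.conf` whose `imv_policy_manager` section differs from the real one (`command_allow = host with IP address %s is allowed` without the `ssh root@moon 'logger ...'` wrapper), so it will only confuse readers of the scenario, and it duplicates the RADIUS `secret` and the `rest_api_uri` credentials into a second file. Drop it from the commit and add `*~` to the repository's `.gitignore` so this cannot recur.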
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..ecd9d47aa
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,3 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+# this file is not used in this scenario
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..41cf8f84b
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# this file is not used in this scenario
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..d99a4b78a
--- /dev/null
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,3 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+# this file is not used in this scenario
diff --git a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
index 0887e4d09..5f4f8e725 100644
--- a/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-pt-tls/test.conf
@@ -18,7 +18,7 @@ TCPDUMPHOSTS="moon"
# Guest instances on which IPsec is started
# Used for IPsec logging purposes
#
-IPSECHOSTS="carol dave alice"
+IPSECHOSTS="carol moon dave alice"
# Guest instances on which FreeRadius is started
#
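Review bot: adding `moon` to `IPSECHOSTS` starts IPsec on moon purely so its `/var/log/auth.log` is collected for the new `evaltest.dat` checks, while the three new `hosts/moon/etc/*` files all state "this file is not used in this scenario"; say so in the `test.conf` comment (e.g. "moon is listed only for log collection") so a future reader does not assume moon participates in the IPsec exchange.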