From e0e280b7669435b991b7e457abd8aa450930b3e8 Mon Sep 17 00:00:00 2001
From: Yves-Alexis Perez
Date: Mon, 24 Sep 2018 15:11:14 +0200
Subject: New upstream version 5.7.0
---
 testing/tests/tnc/tnccs-20-pdp-eap/description.txt | 4 +++-
 testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat | 14 +++++++++-----
 .../tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf | 7 +++++--
 .../tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config | 4 ++--
 .../tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config | 4 ++--
 .../tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf | 2 +-
 .../tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config | 4 ++--
 7 files changed, 24 insertions(+), 15 deletions(-)
(limited to 'testing/tests/tnc/tnccs-20-pdp-eap')
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/description.txt b/testing/tests/tnc/tnccs-20-pdp-eap/description.txt
index a178211e1..234941171 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/description.txt
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/description.txt
@@ -6,7 +6,9 @@ authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects t client authentication based on EAP-MD5. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 client-server interface defined by RFC 5793 PB-TNC. The communication between IMCs and IMVs
-is based on the IF-M protocol defined by RFC 5792 PA-TNC.
+is based on the IF-M protocol defined by RFC 5792 PA-TNC. The SWIMA IMC on carol
+is requested to deliver a concise Software ID Inventory whereas dave must send a full
+Software Inventory.

carol passes the health test and dave fails. Based on these measurements the clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
index 258352834..dfe42aed9 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/evaltest.dat
@@ -1,18 +1,22 @@
 dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-dave:: cat /var/log/daemon.log::collected ... SWID tags::YES
+dave:: cat /var/log/daemon.log::collected ... SW records::YES
 dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Quarantined::YES
 dave:: cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
 carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
-carol::cat /var/log/daemon.log::collected ... SWID tag IDs::YES
-carol::cat /var/log/daemon.log::collected 1 SWID tag::YES
+carol::cat /var/log/daemon.log::collected ... SW ID records::YES
+carol::cat /var/log/daemon.log::strongswan.org__strongSwan.*swidtag::YES
+carol::cat /var/log/daemon.log::collected 1 SW record::YES
 carol::cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Allowed::YES
 carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
 alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by password::YES
-alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 3: allow - received inventory of 0 SWID tag IDs and ... SWID tags::YES
+alice::cat /var/log/daemon.log::received software inventory with.*items for request 3 at last eid 1 of epoch::YES
 alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by password::YES
-alice::cat /var/log/daemon.log::IMV 2 handled SWIDT workitem 9: allow - received inventory of ... SWID tag IDs and 1 SWID tag::YES
+alice::cat /var/log/daemon.log::failed to collect SW ID events, fallback to SW ID inventory::YES
+alice::cat /var/log/daemon.log::received software ID inventory with.*items for request 9 at last eid 1 of epoch::YES
+alice::cat /var/log/daemon.log::1 SWID tag target::YES
+alice::cat /var/log/daemon.log::received software inventory with 1 item for request 9 at last eid 1 of epoch::YES
 moon:: cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
 moon:: cat /var/log/daemon.log::RADIUS authentication of 'dave' successful::YES
 moon:: cat /var/log/daemon.log::authentication of '192.168.0.200' with EAP successful::YES
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
index e01fe4b4c..72dbbfa52 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/strongswan.conf
@@ -34,8 +34,11 @@ libimcv {
 policy_script = /usr/local/libexec/ipsec/imv_policy_manager
 plugins {
- imv-swid {
- rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+ imv-swima {
+ rest_api
+ {
+ uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+ }
 }
 }
 }
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config
index ebe88bc99..0c6812b41 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/tnc_config
@@ -1,4 +1,4 @@
-#IMV configuration file for strongSwan client
+#IMV configuration file for strongSwan client
 IMV "OS" /usr/local/lib/ipsec/imcvs/imv-os.so
-IMV "SWID" /usr/local/lib/ipsec/imcvs/imv-swid.so
+IMV "SWIMA" /usr/local/lib/ipsec/imcvs/imv-swima.so
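Review bot: The new `imv-swima` `rest_api` block in alice's strongswan.conf still carries the REST credentials inline, `uri = http://admin-user:strongSwan@tnc.strongswan.org/api/`, so the user name and password cross the network unencrypted over plain HTTP and are readable by anyone who can read strongswan.conf. The same value sat under the removed `rest_api_uri` key, so this commit only moves it, and in the testing tree it is a fixture rather than a deployment. Since test configs tend to be copied as templates, I would add a comment above the line such as `# test-only credentials: use https:// and a dedicated low-privilege account outside the test bed`. The enclosing `libimcv` section starts before the hunk.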
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config
index a954883a4..8139c3a4c 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/carol/etc/tnc_config
@@ -1,4 +1,4 @@
-#IMC configuration file for strongSwan client
+#IMC configuration file for strongSwan client
 IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
-IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
+IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
index 852e0714e..55d07f574 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/strongswan.conf
@@ -32,7 +32,7 @@ libimcv {
 imc-os {
 push_info = no
 }
- imc-swid {
+ imc-swima {
 swid_directory = /usr/share
 swid_pretty = no
 }
diff --git a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config
index a954883a4..8139c3a4c 100644
--- a/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config
+++ b/testing/tests/tnc/tnccs-20-pdp-eap/hosts/dave/etc/tnc_config
@@ -1,4 +1,4 @@
-#IMC configuration file for strongSwan client
+#IMC configuration file for strongSwan client
 IMC "OS" /usr/local/lib/ipsec/imcvs/imc-os.so
-IMC "SWID" /usr/local/lib/ipsec/imcvs/imc-swid.so
+IMC "SWIMA" /usr/local/lib/ipsec/imcvs/imc-swima.so
-- 
cgit v1.2.3