The layer 2 supplicants carol and dave want to connect to a network via switch moon, which delegates the IEEE 802.1X authentication to the RADIUS server alice. carol and dave each set up an EAP-TTLS tunnel via moon to the TNC@FHH-enhanced FreeRADIUS server alice, which is authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. In the next step, the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the health of carol and dave via the IF-TNCCS 1.1 client-server interface. The communication between IMCs and IMVs is based on the IF-M protocol defined by RFC 5792 PA-TNC.
carol passes the health test and dave fails. Based on these measurements the clients are connected by switch moon to the "allow" and "isolate" VLANs, respectively.
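
The IMC/IMV exchange above is framed as PA-TNC messages, so the following added example (not part of the original scenario or of the strongSwan or TNC@FHH code) parses the RFC 5792 message and attribute headers with bounds checks and decodes an IETF Assessment Result attribute. The two sample messages are constructed for illustration; the attributes actually exchanged by the IMCs and IMVs in this scenario may differ.

```python
import struct

PA_TNC_VERSION = 1
MSG_HDR = struct.Struct("!B3xI")    # version, 3 reserved octets, message identifier
ATTR_HDR = struct.Struct("!B3sII")  # flags, 24-bit vendor ID, type, length
IETF_ASSESSMENT_RESULT = 9          # IETF vendor ID 0, attribute type 9
RESULTS = {0: "compliant", 1: "minor differences", 2: "significant differences",
           3: "error", 4: "insufficient attributes"}


def parse_pa_tnc(msg: bytes):
    """Return (message_id, [(flags, vendor_id, attr_type, value), ...])."""
    if len(msg) < MSG_HDR.size:
        raise ValueError("truncated PA-TNC header")
    version, msg_id = MSG_HDR.unpack_from(msg, 0)
    if version != PA_TNC_VERSION:
        raise ValueError(f"unsupported PA-TNC version {version}")
    attrs, off = [], MSG_HDR.size
    while off < len(msg):
        if len(msg) - off < ATTR_HDR.size:
            raise ValueError("truncated attribute header")
        flags, vendor, attr_type, length = ATTR_HDR.unpack_from(msg, off)
        # The length field covers the 12-octet attribute header as well.
        if length < ATTR_HDR.size or off + length > len(msg):
            raise ValueError("attribute length out of bounds")
        value = msg[off + ATTR_HDR.size:off + length]
        attrs.append((flags, int.from_bytes(vendor, "big"), attr_type, value))
        off += length
    return msg_id, attrs


def assessment(msg: bytes):
    """Decode the first IETF Assessment Result attribute, or return None."""
    for _flags, vendor, attr_type, value in parse_pa_tnc(msg)[1]:
        if vendor == 0 and attr_type == IETF_ASSESSMENT_RESULT:
            if len(value) != 4:
                raise ValueError("bad Assessment Result length")
            code = struct.unpack("!I", value)[0]
            return RESULTS.get(code, f"unknown ({code})")
    return None


def build(msg_id: int, result: int) -> bytes:
    """Constructed sample: one PA-TNC message carrying an Assessment Result."""
    attr = ATTR_HDR.pack(0, b"\x00\x00\x00", IETF_ASSESSMENT_RESULT, 16)
    return MSG_HDR.pack(PA_TNC_VERSION, msg_id) + attr + struct.pack("!I", result)


CAROL_MSG = build(1, 0)  # constructed: a client that passes the health test
DAVE_MSG = build(2, 2)   # constructed: a client that fails it
```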