The roadwarriors carol and dave set up a connection each to gateway moon using EAP-TTLS authentication only with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication.
In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS tunnel to determine the state of carol's and dave's operating system via the IF-TNCCS 2.0 client-server interface compliant with RFC 5793 PB-TNC. The OS and Attestation IMCs exchange PA-TNC attributes with the OS IMV via the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC. carol sends information on her operating system consisting of the PA-TNC attributes Product Information, String Version, Numeric Version, Operational Status, Forwarding Enabled, Factory Default Password Enabled and Device ID up-front, whereas dave must be prompted by the IMV to do so via an Attribute Request PA-TNC attribute. carol is then prompted to send a list of installed packages using the Installed Packages PA-TNC attribute. Since dave successfully connected to the VPN gateway shortly before, no new list of installed packages is requested again but because IP forwarding is enabled dave receives a corresponding Remediation Instructions PA-TNC attribute.carol passes the health test and dave fails. Based on these assessments which are communicated to the IMCs using the Assessment Result PA-TNC attribute, the clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively.