The roadwarriors carol and dave set up a connection each to the policy enforcement point moon. At the outset the gateway authenticates itself to the clients by sending an IKEv2 RSA signature accompanied by a certificate. carol and dave then set up an EAP-TTLS tunnel each via gateway moon to the policy decision point alice authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the health of carol and dave via the IF-TNCCS 2.0 client-server interface defined by RFC 5793 PB-TNC. The communication between IMCs and IMVs is based on the IF-M protocol defined by RFC 5792 PA-TNC.
carol passes the health test and dave fails. Based on these measurements the clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively.