final version of ikev2/rw-eap-tnc-radius scenario

testing/tests/ikev2/rw-eap-tnc-radius/description.txt

@@ -5,4 +5,6 @@ At the outset the gateway authenticates itself to the clients by sending an IKEv
 the FreeRADIUS server <b>alice</b> authenticated by an X.509 AAA certificate.
 The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on <b>EAP-MD5</b>.
 In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of <b>carol</b> and <b>dave</b> (not implemented yet).
+health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 1.1</b> client-server interface.
+<b>carol</b> passes the health test and <b>dave</b> fails. Based on these measurements the
+clients are connected by gateway <b>moon</b> to the "rw-access" and "rw-isolate" subnets, respectively.

testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat

@@ -1,4 +1,19 @@
 carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::server requested EAP_TTLS authentication::YES
-carol::cat /var/log/daemon.log::server requested EAP_MD5 authentication::YES
-carol::cat /var/log/daemon.log::server requested EAP_TNC authentication::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'access'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES                              
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-access.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+

testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second

@@ -18,13 +18,13 @@ post-auth {
 	if (control:TNC-Status == "Access") {
 		update reply {
 			Tunnel-Type := ESP 
-			Filter-Id := "rw-access"
+			Filter-Id := "access"
 		}
 	}
 	elsif (control:TNC-Status == "Isolate") {
 		update reply {
 			Tunnel-Type := ESP 
-			Filter-Id := "rw-isolate"	
+			Filter-Id := "isolate"	
 		}
 	}
 

testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf

@@ -11,12 +11,14 @@ conn %default
 	keyingtries=1
 	keyexchange=ikev2
 
-conn rw-allow
+conn rw-access
+	rightgroups=access
 	leftsubnet=10.1.0.0/28
 	also=rw-eap
 	auto=add
 
 conn rw-isolate
+	rightgroups=isolate
 	leftsubnet=10.1.0.16/28
 	also=rw-eap
 	auto=add

testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat

@@ -2,7 +2,13 @@ moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
 alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
+alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
 alice::/etc/init.d/radiusd start
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
 moon::ipsec start
 carol::ipsec start
 dave::ipsec start