testing: Added tnc/tnccs-20-hcd-eap scenario

testing/tests/tnc/tnccs-20-hcd-eap/description.txt

@@ -0,0 +1,11 @@
+The hardcopy devices <b>carol</b> and <b>dave</b> set up a connection each to the policy enforcement
+point <b>moon</b>. At the outset the gateway authenticates itself to the devices by sending an IKEv2
+<b>RSA signature</b> accompanied by a certificate. <b>carol</b> and <b>dave</b> then set up an
+<b>EAP-TTLS</b> tunnel each via gateway <b>moon</b> to the policy decision point <b>alice</b>
+authenticated by an X.509 AAA certificate.  In a next step the EAP-TNC protocol is used within
+the EAP-TTLS tunnel to determine the health of <b>carol</b> and <b>dave</b> via the <b>IF-TNCCS 2.0</b>
+client-server interface defined by <b>RFC 5793 PB-TNC</b>. The communication between IMCs and IMVs
+is based on the <b>IF-M</b> protocol defined by <b>RFC 5792 PA-TNC</b>.
+<p>
+The HCD IMC on the hardcopy devices <b>carol</b> and <b>dave</b> sends printer attributes to the HCD IMV
+located on the RADIUS server <b>alice</b>. Because some mandatory HCD attributes are missing, the hardcopy devices <b>carol</b> and <b>dave</b> are blocked from accessing the network behind gateway <b>moon</b>.

testing/tests/tnc/tnccs-20-hcd-eap/evaltest.dat

@@ -0,0 +1,16 @@
+dave:: cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+dave:: cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+dave:: cat /var/log/daemon.log::PB-TNC assessment result is.*don.*t know::YES
+dave:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES
+dave:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA.* successful::YES
+carol::cat /var/log/daemon.log::PDP server.*aaa.strongswan.org.*is listening on port 271::YES
+carol:: cat /var/log/daemon.log::PB-TNC assessment result is.*don.*t know::YES
+carol:: cat /var/log/daemon.log::PB-TNC access recommendation is .*Access Denied::YES
+carol:: cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+alice::cat /var/log/daemon.log::user AR identity.*dave.*authenticated by certificate::YES
+alice::cat /var/log/daemon.log::user AR identity.*carol.*authenticated by certificate::YES
+alice::cat /var/log/daemon.log::policy enforced on peer.*dave@strongswan.org.*is.*no access::YES
+alice::cat /var/log/daemon.log::policy enforced on peer.*carol@strongswan.org.*is.*no access::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES
+moon:: cat /var/log/daemon.log::RADIUS authentication of.*dave@strongswan.org.*failed::YES

testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/apache2/sites-available/default

@@ -0,0 +1,26 @@
+WSGIPythonPath /var/www/tnc
+
+<VirtualHost *:80>
+    ServerName tnc.strongswan.org
+    ServerAlias tnc
+    ServerAdmin webmaster@localhost
+
+    DocumentRoot /var/www/tnc
+
+    <Directory /var/www/tnc/config>
+        <Files wsgi.py>
+            Order deny,allow
+            Allow from all
+        </Files>
+    </Directory>
+
+    WSGIScriptAlias / /var/www/tnc/config/wsgi.py
+    WSGIApplicationGroup %{GLOBAL}
+    WSGIPassAuthorization On
+
+    Alias /static/ /var/www/tnc/static/
+
+    ErrorLog ${APACHE_LOG_DIR}/tnc/error.log
+    LogLevel warn
+    CustomLog ${APACHE_LOG_DIR}/tnc/access.log combined
+</VirtualHost>

testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.conf

@@ -0,0 +1,9 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 2, imv 3"
+
+conn aaa
+	leftcert=aaaCert.pem
+	leftid=aaa.strongswan.org
+	auto=add

testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/certs/aaaCert.pem

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEIDCCAwigAwIBAgIBIjANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ
+MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS
+b290IENBMB4XDTEwMDgwNDA4Mzg0MVoXDTE1MDgwMzA4Mzg0MVowRTELMAkGA1UE
+BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEmFhYS5z
+dHJvbmdzd2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK2R
+RcAYdZ/jOhHBSjrLDYT1OhRJ2mXjyuSbWyJQogF9c6sY8W2GhTC4e1gNThZM9+Pm
+Vzs0R39kzxsmOFhuTfwIhavMzvkWJ7945WDvTpuo2teK4fTtfix3iuyycVXywa7W
+Uum6vZb4uwNoFsZtlYSUFs+app/1VC3X8vEFvP9p//KW2fwbJ6PzR1XN/8AibxoF
+AnfqAXUenRQ1Xs/07/xF4bkZ5MUNTFTo5H+BAc49lAC16TarSTPnX1D925kIGxni
+wePHlIZrCYQTFr003+YNUehVvUxyv0NuIwlxFPokFPLDkQWk6SDvD87FW5IJ06cg
+EbrCFjcIR9/2vIepJd8CAwEAAaOCARkwggEVMAkGA1UdEwQCMAAwCwYDVR0PBAQD
+AgOoMB0GA1UdDgQWBBQS5lPpgsOE14sz7JGZimSmSbZOeDBtBgNVHSMEZjBkgBRd
+p91wBlEyfue2bbO15eBg6i5N76FJpEcwRTELMAkGA1UEBhMCQ0gxGTAXBgNVBAoT
+EExpbnV4IHN0cm9uZ1N3YW4xGzAZBgNVBAMTEnN0cm9uZ1N3YW4gUm9vdCBDQYIB
+ADAdBgNVHREEFjAUghJhYWEuc3Ryb25nc3dhbi5vcmcwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwOQYDVR0fBDIwMDAuoCygKoYoaHR0cDovL2NybC5zdHJvbmdzd2FuLm9y
+Zy9zdHJvbmdzd2FuLmNybDANBgkqhkiG9w0BAQsFAAOCAQEAqM2eqrsJmAop2roa
+yNeJt8317sdAll8TvDf+s4EeCtcpDT0cIX5vCumpL6E7nV9NWWDazGCAOkwWDPpp
+iuq6R0Js8r0MbyIUbVgOe3xIOqLKd9YW0sb1IwfR/zvWcPUjnUHlqfRH7gdiR4G2
+bWIvKenl3hOQege/XnJNPUwzxeVX7k/qPivOk4I3pLnBjTRtFQdweHM95ex7Fk/d
+HoeWjw5q3MxS3ZwXpKQxZvWU5SDkkc2NJ0/0sm+wca8NC86cXkGqcLFEgJo2l3Dr
+EpZgxIhllub0M88PU7dQrDmy8OQ5j0fhayB1xpVO+REn3norclXZ2yrl4uz0eWR4
+v42sww==
+-----END CERTIFICATE-----

testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.d/private/aaaKey.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEArZFFwBh1n+M6EcFKOssNhPU6FEnaZePK5JtbIlCiAX1zqxjx
+bYaFMLh7WA1OFkz34+ZXOzRHf2TPGyY4WG5N/AiFq8zO+RYnv3jlYO9Om6ja14rh
+9O1+LHeK7LJxVfLBrtZS6bq9lvi7A2gWxm2VhJQWz5qmn/VULdfy8QW8/2n/8pbZ
+/Bsno/NHVc3/wCJvGgUCd+oBdR6dFDVez/Tv/EXhuRnkxQ1MVOjkf4EBzj2UALXp
+NqtJM+dfUP3bmQgbGeLB48eUhmsJhBMWvTTf5g1R6FW9THK/Q24jCXEU+iQU8sOR
+BaTpIO8PzsVbkgnTpyARusIWNwhH3/a8h6kl3wIDAQABAoIBAQCJDzatQqNf5uds
+Ld6YHtBGNf/vFYLJAuCtNaD5sAK+enpkmgXMH3X9yzBbj+Yh5hW6eaJYtiffiZOi
+NMQ50KD0bSZhTBIE0GIC6Uz5BwBkGyr1Gk7kQsZoBt5Fm4O0A0a+8a/3secU2MWV
+IxUZDGANmYOJ3O3HUstuiCDoA0gDyDt44n0RWOhKrPQmTP6vTItd/14Zi1Pg9ez3
+Mej/ulDmVV1R474EwUXbLLPBjP3vk++SLukWn4iWUeeHgDHSn0b/T5csUcH0kQMI
+aYRU2FOoCPZpRxyTr9aZxcHhr5EhQSCg7zc8u0IjpTFm8kZ4uN+60777w1A/FH5X
+YHq+yqVBAoGBANy6zM0egvyWQaX4YeoML65393iXt9OXW3uedMbmWc9VJ0bH7qdq
+b4X5Xume8yY1/hF8nh7aC1npfVjdBuDse0iHJ/eBGfCJ2VoC6/ZoCzBD7q0Qn2If
+/Sr/cbtQNTDkROT75hAo6XbewPGt7RjynH8sNmtclsZ0yyXHx0ml90tlAoGBAMlN
+P4ObM0mgP2NMPeDFqUBnHVj/h/KGS9PKrqpsvFOUm5lxJNRIxbEBavWzonphRX1X
+V83RICgCiWDAnqUaPfHh9mVBlyHCTWxrrnu3M9qbr5vZMFTyYiMoLxSfTmW5Qk8t
+cArqBDowQbiaKJE9fHv+32Q0IYRhJFVcxZRdQXHzAoGALRBmJ6qHC5KRrJTdSK9c
+PL55Y8F14lkQcFiVdtYol8/GyQigjMWKJ0wWOJQfCDoVuPQ8RAg4MQ8ebDoT4W/m
+a5RMcJeG+Djsixf1nMT5I816uRKft6TYRyMH0To64dR4zFcxTTNNFtu7gJwFwAYo
+NT6NjbXFgpbtsrTq1vpvVpECgYA0ldlhp8leEl58sg34CaqNCGLCPP5mfG6ShP/b
+xUvtCYUcMFJOojQCaTxnsuVe0so0U/y750VfLkp029yVhKVp6n1TNi8kwn03NWn/
+J3yEPudA7xuRFUBNrtGdsX/pUtvfkx8RutAf4ztH3f1683Txb0MsCfI3gqjbI8D5
+YOMXwQKBgAJnMfPslZIg6jOpBCo6RjdwvjZyPXXyn4dcCyW//2+olPdWnuu+HRCZ
+SkAWB7lSRLSvDZARHb63k+gwSl8lmwrSM53nDwaRdTKjhK2BFWsAKJNOhrOUQqJu
+EXvH4R1NrqOkPqLoG5Iw3XFUh5lQGKvKkU28W6Weolj2saljbW2b
+-----END RSA PRIVATE KEY-----

testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/ipsec.secrets

@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA aaaKey.pem

testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/pts/data1.sql

@@ -0,0 +1,61 @@
+/* Devices */
+
+INSERT INTO devices (                  /*  1 */
+  value, product, created
+)
+SELECT 'aabbccddeeff11223344556677889900', id, 1372330615
+FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
+
+/* Groups Members */
+
+INSERT INTO groups_members (
+  group_id, device_id
+) VALUES (
+  10, 1
+);
+
+/* Identities */
+
+INSERT INTO identities (
+  type, value
+) VALUES ( /* dave@strongswan.org */
+  5, X'64617665'
+);
+
+/* Sessions */
+
+INSERT INTO sessions (
+  time, connection, identity, device, product, rec
+)
+SELECT NOW, 1, 1, 1, id, 0
+FROM products WHERE name = 'Debian DEBIAN_VERSION x86_64';
+
+/* Results */
+
+INSERT INTO results (
+  session, policy, rec, result
+) VALUES (
+  1, 1, 0, 'processed 355 packages: 0 not updated, 0 blacklisted, 4 ok, 351 not found'
+);
+
+/* Enforcements */
+
+INSERT INTO enforcements (
+  policy, group_id, max_age, rec_fail, rec_noresult
+) VALUES (
+  3, 10, 0, 2, 2
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  17, 2, 86400
+);
+
+INSERT INTO enforcements (
+  policy, group_id, max_age
+) VALUES (
+  18, 10, 86400
+);
+
+DELETE FROM enforcements WHERE id = 1;

testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongTNC/settings.ini

@@ -0,0 +1,19 @@
+[debug]
+DEBUG=0
+TEMPLATE_DEBUG=0
+DEBUG_TOOLBAR=0
+
+[db]
+DJANGO_DB_URL=sqlite:////var/www/tnc/django.db
+STRONGTNC_DB_URL = sqlite:////etc/pts/config.db
+
+[localization]
+LANGUAGE_CODE=en-us
+TIME_ZONE=Europe/Zurich
+
+[admins]
+Your Name: alice@strongswan.org
+
+[security]
+SECRET_KEY=strongSwan
+ALLOWED_HOSTS=127.0.0.1,10.10.0.1,tnc.strongswan.org,tnc

testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/strongswan.conf

@@ -0,0 +1,35 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac socket-default kernel-netlink stroke eap-identity eap-ttls eap-md5 eap-tnc tnc-pdp tnc-imv tnc-tnccs tnccs-20 sqlite
+
+  plugins {
+    eap-ttls {
+      request_peer_auth = yes
+      phase2_piggyback = yes
+      phase2_tnc = yes
+      max_message_count = 0
+    }
+    eap-tnc {
+      max_message_count = 0
+    }
+    tnc-pdp {
+      server = aaa.strongswan.org
+      radius {
+        secret = gv6URkSs
+      }
+    }
+  }
+}
+
+libimcv {
+  debug_level = 3 
+  database = sqlite:///etc/pts/config.db
+  policy_script = ipsec imv_policy_manager
+
+  plugins {
+    imv-swid {
+      rest_api_uri = http://admin-user:strongSwan@tnc.strongswan.org/api/
+    }
+  }
+}

testing/tests/tnc/tnccs-20-hcd-eap/hosts/alice/etc/tnc_config

@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan client 
+
+IMV "HCD"	/usr/local/lib/ipsec/imcvs/imv-hcd.so

testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/ipsec.conf

@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 2, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_CAROL
+	leftcert=carolCert.pem
+	leftid=carol@strongswan.org
+	leftauth=eap
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add

testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/strongswan.conf

@@ -0,0 +1,138 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+  plugins {
+    eap-ttls {
+      max_message_count = 0
+    }
+    eap-tnc {
+      max_message_count = 0
+    }
+    tnccs-20 {
+      max_batch_size = 16370
+      max_message_size = 16338
+    }
+  }
+}
+
+libimcv {
+  os_info {
+    name = strongPrint OS
+    version = 1.0
+    default_password_enabled = yes
+  }
+
+  plugins {
+    imc-hcd {
+      push_info = no 
+      subtypes {
+        system {
+          attributes_natural_language = en
+          machine_type_model = strongPrint Laser X.509a
+          vendor_name = ITA-HSR
+          vendor_smi_code = 36906
+          pstn_fax_enabled = yes
+          time_source = 0.ch.pool.ntp.org
+          user_application_enabled = yes
+          user_application_persistence_enabled = no
+
+          firmware {
+		    fw-1 {
+              name = Firmware ABC 
+              patches = "security patch 2014-05-08\nupgrade 2014-08-16\nsecurity patch 2015-3-22"
+              string_version = 1.0.7
+              version = 00000001000000000000000700000000
+            }
+		    fw-2 {
+              name = Firmware UVW 
+              string_version = 13.8.5
+              version = 0000000D000000080000000500000000
+            }
+          }
+
+          resident_application {
+            resident-app-1 {
+              name = Resident App XYZ 
+              patches = "xmas patch 2014-12-24\nservice patch 2015-05-22"
+              string_version = 2.5
+              version = 00000002000000050000000000000000
+            }
+          }
+
+          user_application {
+            user-app-1 {
+              name = My Java Photo App
+              patches =
+              string_version = 5.2.3.8.1
+              version = 00000005000000020000000300080001
+            }
+            user-app-2 {
+              name = Print Your Dinosaur!
+              patches =
+              string_version = 1.0
+              version = 00000001000000000000000000000000
+            }
+            user-app-3 {
+              name = Label Everything App
+              patches =
+              string_version = 7.5.8.2.3
+              version = 00000007000000050000000800020003
+            }
+          }
+
+          certification_state = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
+          configuration_state = f0f1f2f3f4f5f6f7f8f9fafbfcfdfeffe0e1e2e3e4e5e6e7e8e9eaebecedeeefd0d1d2d3d4d5d6d7d8d9dadbdcdddedf
+        }
+
+        console {
+          attributes_natural_language = ru
+        }
+
+        marker {
+          attributes_natural_language = fr
+        }
+
+        finisher {
+          attributes_natural_language = de
+        }
+
+        interface {
+          attributes_natural_language = en
+ 
+          resident_application {
+		    resident-app-if {
+              name = Resident App Interface+ 
+              patches = "service patch 2015-02-09"
+              string_version = 2.5
+              version = 00000002000000050000000000000000
+            }
+          }
+        }
+
+        scanner {
+          attributes_natural_language = en
+ 
+          firmware {
+            fw-scanner {
+              name = Scanner Firmware 
+              patches = "security patch 2013-08-11\nsecurity patch 2015-5-30"
+              string_version = 2.5.3
+              version = 00000002000000050000000300000000
+            }
+          }
+
+          user_application {
+            user-app-scanner {
+              name = EasyScan
+              patches =
+              string_version = 2.2.3.5.7
+              version = 00000002000000020000000300050007
+            }
+          }
+        }
+      }
+    }
+  }
+}

testing/tests/tnc/tnccs-20-hcd-eap/hosts/carol/etc/tnc_config

@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"	/usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "HCD"	/usr/local/lib/ipsec/imcvs/imc-hcd.so

testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/ipsec.conf

@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+	charondebug="tnc 2, imc 3"
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn home
+	left=PH_IP_DAVE
+	leftauth=eap
+	leftcert=daveCert.pem
+	leftid=dave@strongswan.org
+	leftfirewall=yes
+	right=PH_IP_MOON
+	rightid=@moon.strongswan.org
+	rightsubnet=10.1.0.0/16
+	rightauth=pubkey
+	aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+	auto=add

testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/strongswan.conf

@@ -0,0 +1,108 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnc-tnccs tnccs-20 updown
+
+  plugins {
+    eap-ttls {
+      max_message_count = 0
+    }
+    eap-tnc {
+      max_message_count = 0
+    }
+    tnccs-20 {
+      max_batch_size = 16370
+      max_message_size = 16338
+    }
+  }
+}
+
+libimcv {
+  os_info {
+    name = strongPrint OS
+    version = 1.1
+    default_password_enabled = no
+  }
+
+  plugins {
+    imc-hcd {
+      push_info = no
+      subtypes {
+        system {
+          attributes_natural_language = en
+          machine_type_model = strongPrint Laser X.509a
+          vendor_name = ITA-HSR
+          vendor_smi_code = 36906
+          pstn_fax_enabled = yes
+          time_source = 0.ch.pool.ntp.org
+          user_application_enabled = no 
+          user_application_persistence_enabled = no
+
+          firmware {
+		    fw-1 {
+              name = Firmware ABC 
+              patches = "security patch 2014-05-08\nupgrade 2014-08-16\nsecurity patch 2015-3-22"
+              string_version = 1.0.7
+              version = 00000001000000000000000700000000
+            }
+		    fw-2 {
+              name = Firmware UVW 
+              string_version = 13.8.5
+              version = 0000000D000000080000000500000000
+            }
+          }
+
+          resident_application {
+            resident-app-1 {
+              name = Resident App XYZ 
+              patches = "xmas patch 2014-12-24\nservice patch 2015-05-22"
+              string_version = 2.5
+              version = 00000002000000050000000000000000
+            }
+          }
+
+          certification_state = 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f
+          configuration_state = f0f1f2f3f4f5f6f7f8f9fafbfcfdfeffe0e1e2e3e4e5e6e7e8e9eaebecedeeefd0d1d2d3d4d5d6d7d8d9dadbdcdddedf
+        }
+
+        console {
+          attributes_natural_language = ru
+        }
+
+        marker {
+          attributes_natural_language = fr
+        }
+
+        finisher {
+          attributes_natural_language = de
+        }
+
+        interface {
+          attributes_natural_language = en
+ 
+          resident_application {
+		    resident-app-if {
+              name = Resident App Interface+ 
+              patches = "service patch 2015-02-09"
+              string_version = 2.5
+              version = 00000002000000050000000000000000
+            }
+          }
+        }
+
+        scanner {
+          attributes_natural_language = en
+ 
+          firmware {
+            fw-scanner {
+              name = Scanner Firmware 
+              patches = "security patch 2013-08-11\nsecurity patch 2015-5-30"
+              string_version = 2.5.3
+              version = 00000002000000050000000300000000
+            }
+          }
+        }
+      }
+    }
+  }
+}

testing/tests/tnc/tnccs-20-hcd-eap/hosts/dave/etc/tnc_config

@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client 
+
+IMC "OS"	/usr/local/lib/ipsec/imcvs/imc-os.so
+IMC "HCD"	/usr/local/lib/ipsec/imcvs/imc-hcd.so

testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.conf

@@ -0,0 +1,33 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+
+conn %default
+	ikelifetime=60m
+	keylife=20m
+	rekeymargin=3m
+	keyingtries=1
+	keyexchange=ikev2
+
+conn rw-allow
+	rightgroups=allow
+	leftsubnet=10.1.0.0/28
+	also=rw-eap
+	auto=add
+
+conn rw-isolate
+	rightgroups=isolate
+	leftsubnet=10.1.0.16/28
+	also=rw-eap
+	auto=add
+
+conn rw-eap
+	left=PH_IP_MOON
+	leftcert=moonCert.pem
+	leftid=@moon.strongswan.org
+	leftauth=pubkey
+	leftfirewall=yes
+	rightauth=eap-radius
+	rightsendcert=never
+	right=%any
+	eap_identity=%any

testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/ipsec.secrets

@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem

testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/iptables.rules

@@ -0,0 +1,36 @@
+*filter
+
+# default policy is DROP
+-P INPUT DROP
+-P OUTPUT DROP
+-P FORWARD DROP
+
+# allow esp
+-A INPUT  -i eth0 -p 50 -j ACCEPT
+-A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+# allow IKE
+-A INPUT  -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+# allow MobIKE
+-A INPUT  -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+-A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+# allow ssh
+-A INPUT  -p tcp --dport 22 -j ACCEPT
+-A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+# allow crl fetch from winnetou
+-A INPUT  -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+-A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+# allow crl fetch from winnetou for AAA server alice
+-A FORWARD -i eth0 -o eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -d PH_IP_ALICE -j ACCEPT
+-A FORWARD -o eth0 -i eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -s PH_IP_ALICE -j ACCEPT
+
+# allow RADIUS protocol with alice
+-A INPUT  -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+-A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+COMMIT

testing/tests/tnc/tnccs-20-hcd-eap/hosts/moon/etc/strongswan.conf

@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+  load = aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-identity eap-radius updown
+  multiple_authentication=no
+  plugins {
+    eap-radius {
+      secret = gv6URkSs
+      #server = PH_IP6_ALICE 
+      server = PH_IP_ALICE
+      filter_id = yes
+    }
+  }
+}

testing/tests/tnc/tnccs-20-hcd-eap/posttest.dat

@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::ipsec stop
+winnetou::ip route del 10.1.0.0/16 via 192.168.0.1
+moon::iptables-restore < /etc/iptables.flush
+carol::iptables-restore < /etc/iptables.flush
+dave::iptables-restore < /etc/iptables.flush

testing/tests/tnc/tnccs-20-hcd-eap/pretest.dat

@@ -0,0 +1,17 @@
+moon::iptables-restore < /etc/iptables.rules
+carol::iptables-restore < /etc/iptables.rules
+dave::iptables-restore < /etc/iptables.rules
+winnetou::ip route add 10.1.0.0/16 via 192.168.0.1
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::echo 0 > /proc/sys/net/ipv4/ip_forward
+dave::echo aabbccddeeff11223344556677889900 > /var/lib/dbus/machine-id
+alice::ipsec start
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+dave::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1

testing/tests/tnc/tnccs-20-hcd-eap/test.conf

@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# guest instances used for this test
+
+# All guest instances that are required for this test
+#
+VIRTHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# Guest instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# Guest instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave alice"
+
+# Guest instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+