author | Andreas Steffen <andreas.steffen@strongswan.org> | 2010-10-05 07:56:57 +0200 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2010-10-05 07:56:57 +0200 |
commit | e7104a6ec972a16eb8cb8b47bbd8b64939fb8bfd (patch) | |
tree | f36df6c6b4d4370f4bf19800fa11724bcc451614 /testing | |
parent | 0cfdbaff2cf83082a4dfdb7b955d4511929bd114 (diff) | |
updated ikev2/rw-eap-tnc-radius scenario
Diffstat (limited to 'testing')
9 files changed, 38 insertions, 8 deletions
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second index 2d4961288..a7207ab82 100644 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second @@ -15,6 +15,19 @@ session { } post-auth { + if (control:TNC-Status == "Access") { + update reply { + Tunnel-Type := ESP + Filter-Id := "rw-access" + } + } + elsif (control:TNC-Status == "Isolate") { + update reply { + Tunnel-Type := ESP + Filter-Id := "rw-isolate" + } + } + Post-Auth-Type REJECT { attr_filter.access_reject } diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets index d5631a9f5..5496df7ad 100644 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets @@ -1,3 +1,3 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -dave@strongswan.org : EAP "UgaM65Va" +dave@strongswan.org : EAP "W7R0g3do" diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf index 0179dcddc..8692c0eef 100644 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf 
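Review bot: The `if`/`elsif` chain added to `post-auth` in inner-tunnel-second has no final branch, so a session whose `control:TNC-Status` is neither "Access" nor "Isolate" (or is unset) is answered without any `Tunnel-Type` or `Filter-Id`. What moon does with an accept that carries no group is not visible in this diff, so the outcome for an unassessed client is left implicit. I would close the chain with an `else` branch that calls `reject`, or at least add a comment such as `# any other TNC-Status: no Filter-Id is returned` so the intended default is on record. The `post-auth` section continues past the end of the hunk.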
@@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnccs-11 updown multiple_authentication=no } diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config new file mode 100644 index 000000000..a5a9a68f3 --- /dev/null +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config @@ -0,0 +1,3 @@ +#IMC configuration file for strongSwan client + +IMC "Dummy" /usr/local/lib/libdummyimc.so diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf index fc8f84638..94f19ed55 100755 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf @@ -11,9 +11,18 @@ conn %default keyingtries=1 keyexchange=ikev2 +conn rw-allow + leftsubnet=10.1.0.0/28 + also=rw-eap + auto=add + +conn rw-isolate + leftsubnet=10.1.0.16/28 + also=rw-eap + auto=add + conn rw-eap left=PH_IP_MOON - leftsubnet=10.1.0.0/16 leftcert=moonCert.pem leftid=@moon.strongswan.org leftauth=pubkey @@ -22,4 +31,3 @@ conn rw-eap rightid=*@strongswan.org rightsendcert=never right=%any - auto=add diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf index 4d2d3058d..f4e456bbe 100644 --- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf 
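Review bot: Nothing in `conn rw-allow` or `conn rw-isolate` (moon's ipsec.conf) refers to the `Filter-Id` values the RADIUS server returns (`rw-access`, `rw-isolate`), and the first conn's name differs from the first value. As far as these hunks show, the two conns differ only in `leftsubnet`, so which /28 a client is given may depend on the traffic selectors it proposes rather than on its TNC result. If the charon version under test supports a group constraint (`rightgroups=`), each conn should carry one that matches its Filter-Id; otherwise a comment should state how the conn is selected. The second hunk removes `auto=add` from `rw-eap`, which is only right as long as `rw-eap` is reached solely through `also=`.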
@@ -7,6 +7,7 @@ charon { eap-radius { secret = gv6URkSs server = PH_IP_ALICE + filter_id = yes } } } diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat index 561107489..132752119 100644 --- a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat @@ -1,6 +1,8 @@ moon::ipsec stop carol::ipsec stop +dave::ipsec stop alice::/etc/init.d/radiusd stop alice::rm /etc/raddb/sites-enabled/inner-tunnel-second moon::/etc/init.d/iptables stop 2> /dev/null carol::/etc/init.d/iptables stop 2> /dev/null +dave::/etc/init.d/iptables stop 2> /dev/null diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat index c7714e592..dc15f6ec0 100644 --- a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat +++ b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat @@ -1,9 +1,12 @@ moon::/etc/init.d/iptables start 2> /dev/null carol::/etc/init.d/iptables start 2> /dev/null +dave::/etc/init.d/iptables start 2> /dev/null alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second alice::/etc/init.d/radiusd start moon::ipsec start carol::ipsec start +dave::ipsec start carol::sleep 1 carol::ipsec up home -carol::sleep 1 +dave::ipsec up home +dave::sleep 1 diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf index 64c01ca6f..6095d151e 100644 --- a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf +++ b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf @@ -5,11 +5,11 @@ # All UML instances that are required for this test # -UMLHOSTS="alice carol winnetou moon" +UMLHOSTS="alice moon carol winnetou dave" # Corresponding block diagram # -DIAGRAM="a-m-c-w.png" +DIAGRAM="a-m-c-w-dv.png" # UML instances on which tcpdump is to be started # 
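Review bot: pretest.dat now brings dave up with `dave::ipsec up home`, but none of the nine files in this commit is `evaltest.dat`, so nothing visible here asserts which policy each client ends up in. For a scenario whose purpose is separating admitted from isolated clients, the check worth having is a negative one: that the client placed in `rw-isolate` gets only 10.1.0.16/28 and cannot reach 10.1.0.0/28. If `evaltest.dat` is updated in a separate commit, a line in the commit message saying so would help reviewers.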
@@ -18,7 +18,7 @@ TCPDUMPHOSTS="moon" # UML instances on which IPsec is started # Used for IPsec logging purposes # -IPSECHOSTS="moon carol" +IPSECHOSTS="moon carol dave" # UML instances on which FreeRadius is started # |