HowTo build TNC-Server

From TNC@FHH


This article describes how you can build TNC-Server (FreeRADIUS and NAA-TNCS) from scratch. The build process is described for Linux only since NAA-TNCS does not support Windows.

Note: If this HowTo does not answer all of your questions, see the corresponding README files contained by the downloadable source packages.


General Preconditions

This HowTo has been tested with Debian Etch/Lenny. Some of the steps described may vary depending on the distribution used. The following packages must be installed:

  • g++ (recommend version >= 4.1.0)
  • gnu make (recommend version >= 3.81)
  • libTNCUtil-dev (recommend version == 0.4.3)
  • xerces-c-dev (recommend version >= 2.7.0)
  • libtools-dev (recommend version >= 1.5.22)
    (libltdl3-dev on Debian)

If you have not yet installed the prerequisite package libTNCUtil-dev, see the HowTo on building TNCUtil. The other packages can be installed (on Debian) with:

$ aptitude update
$ aptitude install build-essential libxerces27-dev libltdl3-dev

Step 0: Download TNC-Server

Download current version (e.g. v0.4.3) of TNC-Server source files (NAA-TNCS-src).

Step 1: Extract TNC-Server

Extract the TNC-Server tar-archive in the current directory (preferably in the same parent directory with TNCUtil). You can extract the archive with:

$ tar -xzf NAA-TNCS-src_[version].tar.gz

Step 2: Configure TNC-Server build

Now switch to the new directory with

$ cd NAA-TNCS

Then run the configure script. Since we are working on Linux, pass the matching argument; see the --help option for more details:

~/NAA-TNCS$ ./configure linux

If the TNCUtil files are in another directory, you must override the "TNCUtilPath" parameter (see --help for more information).

Step 3: Compile TNC-Server

To compile TNC-Server, run make:

$ make

When make is finished, a new library libNAA-TNCS.so resides in the build subdirectory.

Step 4: Installing TNC-Server

To install the library, run

$ make install

After that, the library is installed in /usr/local/lib/ and the header file 'naatncs.h' is copied to /usr/local/include/.

Step 5: Patching, Building and Installing FreeRadius

The next step is to build FreeRADIUS, which will later make use of libNAA-TNCS.so. This HowTo has been tested with version 2.1.1 of FreeRADIUS.

  • Precondition: libssl-dev and openssl. Install them (on Debian) with:
$ aptitude install openssl libssl-dev
  • Obtain the FreeRADIUS source files (e.g. from [1]).
  • Extract the FreeRADIUS archive.
  • Download the FreeRADIUS TNC patch (FreeRADIUS-EAP-TNC-Patch-src).
  • Apply the EAP-TNC patch to FreeRADIUS:
    • Extract the FreeRADIUS TNC patch archive.
    • Switch to the new directory.
    • Copy the src directory into the directory containing the FreeRADIUS source files, e.g.:
$ cp -r src/ ../freeradius-2.[x]/
  • Go to the freeradius-2.[x] directory.
  • Run configure with SSL support (with-openssl is enabled by default):
$ ./configure
  • Build the FreeRADIUS server:
$ make
  • Install the FreeRADIUS server:
$ make install
$ ldconfig

Step 6: Configure FreeRADIUS

Now we must configure FreeRADIUS.

  • First we configure the EAP method. Edit the config file "/usr/local/etc/raddb/eap.conf" as follows:
eap {
        # ...
        default_eap_type = ttls
        # ...
        tnc {
                # the VLAN for access allow:
                vlan_access = 96
                # the VLAN for access isolate:
                vlan_isolate = 97
        }
        # ...
        ttls {
                default_eap_type = tnc
                # ...
                # Comment out the next line:
                #virtual_server = "inner-tunnel"
        }
        # ...
}
  • Second, we add the Policy Enforcement Point (PEP), e.g. the switch, to the file "/usr/local/etc/raddb/clients.conf":
# ...
client 192.168.1.8 {
    secret    = secret-text
    shortname = a-short-name-for-PEP
}
# ...

Step 7: Installing IMVs

Now the installation and configuration of an IMV, in this case the IMVHostScanner, will be described.

  • Download the current version of the IMVHostScanner
  • Extract the archive
$ tar -xzf IMVHostScanner-src_0.2.0.tar.gz
  • Move to the folder of the IMVHostScanner and run
$ ./configure linux
$ make

After that, the library libIMVHostScanner.so lies inside the build/ subdirectory.

  • Create (or edit) the file tnc_config in /etc/.
  • Insert the line
IMV "HostScanner" <path-to-IMVHostScanner>/build/libIMVHostScanner.so

(adjust the path to your IMVHostScanner-directory).

  • Create a new directory /etc/tnc/
$ sudo mkdir /etc/tnc
  • Copy the file imv_hostscanner.policy into the new folder
$ sudo cp <path-to-IMVHostScanner>/etc/tnc/imv_hostscanner.policy /etc/tnc/

(adjust the path to your IMVHostScanner-directory)

  • Edit this file.
  • It contains triples of protocol, port and allowed state:
    • protocol can be UDP or TCP
    • port can be any regular port number
    • state can be open, closed or whatever
  • An example for this file could be the following:
#Telnet
TCP 23 = closed
  • This would force the IMV to send a "not allowed" recommendation to the TNC-Server if port TCP 23 was open on the client side.
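To make the policy semantics concrete, here is an added example (not the IMVHostScanner's own code) that parses a file in the imv_hostscanner.policy line format shown above and evaluates it against the ports a client reports as open. Only the format on this page is assumed: "<PROTOCOL> <PORT> = <state>" with "#" comments, protocol TCP or UDP, state open, closed or whatever. That "closed" means "must be closed" is stated above; that "open" means "must be open", that "whatever" never fails a check, and that the result maps to an allow/isolate recommendation are assumptions of this example. The sample policy lines beyond the page's Telnet rule are constructed.

```python
"""Parse and evaluate an imv_hostscanner.policy-style file (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

VALID_PROTOCOLS = {"TCP", "UDP"}
VALID_STATES = {"open", "closed", "whatever"}


@dataclass(frozen=True)
class Rule:
    protocol: str   # "TCP" or "UDP"
    port: int       # 1..65535
    state: str      # "open", "closed" or "whatever"


def parse_policy(text: str) -> list[Rule]:
    """Parse lines of the form '<PROTOCOL> <PORT> = <state>'; '#' starts a comment."""
    rules: list[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        if not line:
            continue
        try:
            lhs, state = (part.strip() for part in line.split("=", 1))
            protocol, port_text = lhs.split()
            port = int(port_text)
        except ValueError:
            raise ValueError(
                f"line {lineno}: expected '<PROTOCOL> <PORT> = <state>', got {raw!r}"
            ) from None
        protocol, state = protocol.upper(), state.lower()
        if protocol not in VALID_PROTOCOLS:
            raise ValueError(f"line {lineno}: unknown protocol {protocol!r}")
        if not 0 < port <= 65535:
            raise ValueError(f"line {lineno}: port {port} out of range")
        if state not in VALID_STATES:
            raise ValueError(f"line {lineno}: unknown state {state!r}")
        rules.append(Rule(protocol, port, state))
    return rules


def evaluate(rules: Iterable[Rule], open_ports: Iterable[tuple[str, int]]) -> tuple[str, list[str]]:
    """Check the client's open (protocol, port) pairs against the rules.

    Returns ("allow", []) when every rule holds, otherwise ("isolate", violations).
    The allow/isolate wording is an assumption matching vlan_access/vlan_isolate.
    """
    opened = {(proto.upper(), port) for proto, port in open_ports}
    violations: list[str] = []
    for rule in rules:
        is_open = (rule.protocol, rule.port) in opened
        if rule.state == "closed" and is_open:
            violations.append(f"{rule.protocol} {rule.port} is open but must be closed")
        elif rule.state == "open" and not is_open:
            violations.append(f"{rule.protocol} {rule.port} is closed but must be open")
        # state "whatever": nothing to check (assumption)
    return ("allow" if not violations else "isolate"), violations


# Constructed sample policy: the page's Telnet rule plus two invented lines.
CONSTRUCTED_POLICY = """#Telnet
TCP 23 = closed
# constructed additions for this example
UDP 161 = closed
TCP 22 = whatever
"""

if __name__ == "__main__":
    policy = parse_policy(CONSTRUCTED_POLICY)
    # Constructed client report: Telnet and SSH listening, SNMP not.
    print(evaluate(policy, [("tcp", 23), ("tcp", 22)]))
    print(evaluate(policy, [("tcp", 22)]))
```

Running the block prints an isolate recommendation for the first client (TCP 23 open) and an allow recommendation for the second, whose only open port is covered by a "whatever" rule.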

Step 8: Start the Server

  • Create tnc_log.properties with:
$ echo "default=3" > tnc_log.properties
  • Then start the server with full logging in the console:
$ radiusd -X

[in process]
