From 502a293e303955f616a61dc4a103c102686b3c90 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 9 Mar 2008 12:14:15 +0200
Subject: [PATCH] TNC: Added TNC server support into documentation and
ChangeLogs
---
hostapd/ChangeLog | 4 ++++
hostapd/defconfig | 3 +++
hostapd/eap_testing.txt | 3 +++
hostapd/hostapd.conf | 6 ++++++
wpa_supplicant/eap_testing.txt | 4 +++-
www/hostapd/index.html | 5 +++--
6 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/hostapd/ChangeLog b/hostapd/ChangeLog
index 960111258..84a3ce5a3 100644
--- a/hostapd/ChangeLog
+++ b/hostapd/ChangeLog
@@ -4,6 +4,10 @@ ChangeLog for hostapd
* added peer identity into EAP-FAST PAC-Opaque and skip Phase 2
Identity Request if identity is already known
* added support for EAP Sequences in EAP-FAST Phase 2
+ * added support for EAP-TNC (Trusted Network Connect)
+ (this version implements the EAP-TNC method and EAP-TTLS/EAP-FAST
+ changes needed to run two methods in sequence (IF-T) and the IF-IMV
+ and IF-TNCCS interfaces from TNCS)
2008-02-22 - v0.6.3
* fixed Reassociation Response callback processing when using internal
diff --git a/hostapd/defconfig b/hostapd/defconfig
index 56ecfc665..623f86a2a 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -101,6 +101,9 @@ CONFIG_EAP_TTLS=y
# EAP-IKEv2
#CONFIG_EAP_IKEV2=y
+# Trusted Network Connect (EAP-TNC)
+#CONFIG_EAP_TNC=y
+
# PKCS#12 (PFX) support (used to read private key and certificate file from
# a file that usually has extension .p12 or .pfx)
CONFIG_PKCS12=y
diff --git a/hostapd/eap_testing.txt b/hostapd/eap_testing.txt
index c0516bcc1..04468c39f 100644
--- a/hostapd/eap_testing.txt
+++ b/hostapd/eap_testing.txt
@@ -49,6 +49,7 @@ EAP-TTLS/EAP-MSCHAPv2 + + - - -
EAP-TTLS/EAP-TLS + F - - -
EAP-TTLS/EAP-SIM + + - - -
EAP-TTLS/EAP-AKA + + - - -
+EAP-TTLS + TNC + - - - -
EAP-SIM + + - - +
EAP-AKA + + - - -
EAP-PAX + - - - -
@@ -67,7 +68,9 @@ EAP-FAST/MD5(auth) + - + - -
EAP-FAST/TLS(auth) + - - - -
EAP-FAST/SIM(auth) + - - - -
EAP-FAST/AKA(auth) + - - - -
+EAP-FAST + TNC + - - - -
EAP-IKEv2 + - - - -
+EAP-TNC + - - - -
1) EAP-TLS itself worked, but peer certificate validation failed at
least when using the internal TLS server (peer included incorrect
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 3c9fc6557..1d8bfa75a 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -490,6 +490,12 @@ eap_server=0
# (default: 0 = disabled).
#eap_sim_aka_result_ind=1
+# Trusted Network Connect (TNC)
+# If enabled, TNC validation will be required before the peer is allowed to
+# connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
+# EAP method is enabled, the peer will be allowed to connect without TNC.
+#tnc=1
+
##### IEEE 802.11f - Inter-Access Point Protocol (IAPP) #######################
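Review bot: The new `tnc` comment admits that a peer using any EAP method other than EAP-TTLS or EAP-FAST connects without TNC, but it gives the administrator no way to close that gap, so `tnc=1` can be read as mandatory validation when it is not. I would add `# To require TNC for every peer, allow only EAP-TTLS and/or EAP-FAST for all users in eap_user_file.` after the note. The comment should also say that the option depends on a build with `CONFIG_EAP_TNC=y`, which the defconfig hunk in this commit leaves commented out. How hostapd treats `tnc=1` in a build without that option is not visible here, so it is worth stating explicitly.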
diff --git a/wpa_supplicant/eap_testing.txt b/wpa_supplicant/eap_testing.txt
index c55806cea..bdcb21bef 100644
--- a/wpa_supplicant/eap_testing.txt
+++ b/wpa_supplicant/eap_testing.txt
@@ -91,6 +91,7 @@ EAP-TTLS/EAP-PSK - - - - - - - - - - + -
EAP-TTLS/EAP-PAX - - - - - - - - - - + -
EAP-TTLS/EAP-SAKE - - - - - - - - - - + -
EAP-TTLS/EAP-GPSK - - - - - - - - - - + -
+EAP-TTLS + TNC - - - - - + - - - - + -
EAP-SIM + - - ? - + - ? - - + -
EAP-AKA - - - - - + - - - - + -
EAP-PSK +7 - - - - + - - - - + -
@@ -110,8 +111,9 @@ EAP-FAST/MD5(auth) - - - - - - - - - - + -
EAP-FAST/TLS(auth) - - - - - - - - - - + +
EAP-FAST/SIM(auth) - - - - - - - - - - + -
EAP-FAST/AKA(auth) - - - - - - - - - - + -
+EAP-FAST + TNC - - - - - - - - - - + -
LEAP + - + + + + F +6 - + - +
-EAP-TNC +9 - - - - + - - - - - -
+EAP-TNC +9 - - - - + - - - - + -
EAP-IKEv2 +10 - - - - - - - - - + -
1) PEAPv1 required new label, "client PEAP encryption" instead of "client EAP
diff --git a/www/hostapd/index.html b/www/hostapd/index.html
index c50a265e9..72331e4a0 100644
--- a/www/hostapd/index.html
+++ b/www/hostapd/index.html
@@ -3,7 +3,7 @@
hostapd: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
-
+
@@ -68,6 +68,7 @@ material, they cannot be used with WPA or IEEE 802.1X WEP keying.
EAP-MD5-Challenge
EAP-MSCHAPv2
EAP-GTC
+EAP-TNC (Trusted Network Connect; TNCS, IF-IMV, IF-T, IF-TNCCS)
More information about EAP methods and interoperability testing is
@@ -265,7 +266,7 @@ Internet Systems Consortium (ISC).
Jouni Malinen
-Last modified: Sat Feb 23 15:47:24 PST 2008
+Last modified: Sun Mar 9 12:12:08 EET 2008