The roadwarriors carol and dave set up a connection each to gateway moon. At the outset the gateway authenticates itself to the clients by sending an IKEv2 RSA signature accompanied by a certificate. carol and dave then set up an EAP-TTLS tunnel each via moon to the TNC@FHH-enhanced FreeRADIUS server alice authenticated by an X.509 AAA certificate. The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5. In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the health of carol and dave via the IF-TNCCS 1.1 client-server interface. The IMC and IMV communicate are using the IF-M protocol defined by RFC 5792 PA-TNC.
carol passes the health test and dave fails. Based on these measurements carol is authenticated successfully and is granted access to the subnet behind moon whereas dave fails the layered EAP authentication and is rejected.