The roadwarriors carol and dave each set up a connection to gateway moon using EAP-TTLS authentication only, with the gateway presenting a server certificate and the clients doing EAP-MD5 password-based authentication inside the TLS tunnel.
In a next step the RFC 7171 PT-EAP transport protocol is used within the EAP-TTLS tunnel to determine the state of carol's and dave's operating systems via the TNCCS 2.0 client-server interface compliant with RFC 5793 PB-TNC. The OS IMC and OS IMV pair use the IF-M 1.0 measurement protocol defined by RFC 5792 PA-TNC to exchange PA-TNC attributes. carol sends information on her operating system, consisting of the PA-TNC attributes Product Information, String Version and Device ID, up-front to the Attestation IMV, whereas dave must be prompted by the IMV to do so via an Attribute Request PA-TNC attribute. dave is instructed to do a reference measurement on all files in the /bin directory. carol is then prompted to measure a couple of individual files and the files in the /bin directory, as well as to get metadata on the /etc/tnc_config configuration file.
The Attestation IMV negotiates a Diffie-Hellman group for the TPM-based measurements, the mandatory default being ecp256; with the strongswan.conf option mandatory_dh_groups = no the IMV does not insist on that group, so no ECC support is required on the clients.
carol passes the health test and dave fails because IP forwarding is enabled. Based on these assessments, which are communicated to the IMCs using the Assessment Result PA-TNC attribute, gateway moon connects the clients to the "rw-allow" and "rw-isolate" subnets, respectively.
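The PA-TNC exchange described above (attributes volunteered up-front by carol, an Attribute Request prompting dave, an Assessment Result sent back), as an added Python example that is not strongSwan's code: a minimal RFC 5792 encoder/decoder plus a toy IMV policy that fails an endpoint whose Forwarding Enabled attribute reports IP forwarding on. The OS inventories, product name, message identifiers and the policy itself are constructed for the example (only the IETF attributes Product Information, String Version and Forwarding Enabled are checked; Device ID and the TPM measurement attributes are left out); strongSwan's real IMV policy comes from its database. The decoder also shows the length check a practitioner wants on a TLV protocol: an attribute length below the 12-byte header or beyond the buffer is rejected instead of being walked.

```python
"""Added example (not strongSwan code): minimal RFC 5792 PA-TNC codec + toy OS-IMV policy."""
import struct

PA_TNC_VERSION = 1
PEN_IETF = 0              # vendor ID of the IETF standard attributes
FLAG_NOSKIP = 0x80        # recipient must not silently skip this attribute
# IETF standard PA-TNC attribute types (RFC 5792, section 4.2)
ATTRIBUTE_REQUEST, PRODUCT_INFORMATION, STRING_VERSION = 1, 2, 4
ASSESSMENT_RESULT, FORWARDING_ENABLED = 9, 11
# Assessment Result (section 4.2.9) and Forwarding Enabled (section 4.2.11) values
COMPLIANT, NONCOMPLIANT_MINOR, NONCOMPLIANT_MAJOR = 0, 1, 2
FWD_DISABLED, FWD_ENABLED, FWD_UNKNOWN = 0, 1, 2


def encode_attr(vendor_id, attr_type, value, noskip=True):
    """Flags(8) | Vendor ID(24) | Type(32) | Length(32, incl. 12-byte header) | Value."""
    flags = FLAG_NOSKIP if noskip else 0
    return struct.pack("!III", (flags << 24) | vendor_id, attr_type, 12 + len(value)) + value


def encode_message(msg_id, attrs):
    """Version(8) | Reserved(24) | Message Identifier(32) | attributes."""
    return struct.pack("!B3xI", PA_TNC_VERSION, msg_id) + b"".join(attrs)


def decode_message(data):
    """Return (msg_id, [(vendor_id, type, flags, value), ...]); reject malformed input."""
    if len(data) < 8 or data[0] != PA_TNC_VERSION:
        raise ValueError("bad PA-TNC header")
    msg_id, attrs, pos = struct.unpack("!I", data[4:8])[0], [], 8
    while pos < len(data):
        if len(data) - pos < 12:
            raise ValueError("truncated attribute header")
        word, attr_type, length = struct.unpack("!III", data[pos:pos + 12])
        # Length counts the header: < 12 (zero would loop forever) or past the buffer is malformed.
        if length < 12 or pos + length > len(data):
            raise ValueError("bad attribute length %d" % length)
        attrs.append((word & 0xFFFFFF, attr_type, word >> 24, data[pos + 12:pos + length]))
        pos += length
    return msg_id, attrs


def is_malformed(data):
    try:
        decode_message(data)
        return False
    except ValueError:
        return True


def product_information(vendor_id, product_id, name):
    """Product Vendor ID(24) | Product ID(16) | Product Name (UTF-8)."""
    return struct.pack("!I", vendor_id)[1:] + struct.pack("!H", product_id) + name.encode()


def string_version(version, build="", config=""):
    """Three length-prefixed strings: version number, build number, configuration."""
    return b"".join(struct.pack("!B", len(s.encode())) + s.encode() for s in (version, build, config))


def attribute_request(types):
    """Reserved(8) | Vendor ID(24) | Type(32) per requested attribute (section 4.2.1)."""
    return b"".join(struct.pack("!II", vid, t) for vid, t in types)


def imv_evaluate(attrs):
    """Toy IMV policy (constructed): request any missing OS attribute, otherwise assess;
    IP forwarding enabled is treated as a major non-compliance, as in the scenario."""
    have = {(v, t): val for v, t, _, val in attrs}
    missing = [(PEN_IETF, t) for t in (PRODUCT_INFORMATION, STRING_VERSION, FORWARDING_ENABLED)
               if (PEN_IETF, t) not in have]
    if missing:
        return encode_attr(PEN_IETF, ATTRIBUTE_REQUEST, attribute_request(missing))
    (fwd,) = struct.unpack("!I", have[(PEN_IETF, FORWARDING_ENABLED)])
    result = NONCOMPLIANT_MAJOR if fwd == FWD_ENABLED else COMPLIANT
    return encode_attr(PEN_IETF, ASSESSMENT_RESULT, struct.pack("!I", result))


def run_exchange(inventory, upfront):
    """Toy IMC against the toy IMV. `inventory` maps (vendor, type) -> value; `upfront`
    lists the keys volunteered unasked. Returns (assessment result, rounds used)."""
    to_send = [encode_attr(v, t, inventory[(v, t)]) for v, t in upfront]
    for msg_id in range(1, 4):                    # bounded, so a looping IMV cannot spin us
        _, imc_attrs = decode_message(encode_message(msg_id, to_send))
        _, imv_attrs = decode_message(encode_message(msg_id, [imv_evaluate(imc_attrs)]))
        _, attr_type, _, value = imv_attrs[0]
        if attr_type == ASSESSMENT_RESULT:
            return struct.unpack("!I", value)[0], msg_id
        # Attribute Request: answer with every requested attribute the IMC holds
        requested = [struct.unpack("!II", value[i:i + 8]) for i in range(0, len(value), 8)]
        to_send = [encode_attr(v & 0xFFFFFF, t, inventory[(v & 0xFFFFFF, t)])
                   for v, t in requested if (v & 0xFFFFFF, t) in inventory]
    raise RuntimeError("no Assessment Result after 3 rounds")


# Constructed inventories: carol has IP forwarding off, dave has it on.
CAROL = {
    (PEN_IETF, PRODUCT_INFORMATION): product_information(0, 0, "Ubuntu 22.04 LTS"),
    (PEN_IETF, STRING_VERSION): string_version("22.04", "1", "x86_64"),
    (PEN_IETF, FORWARDING_ENABLED): struct.pack("!I", FWD_DISABLED),
}
DAVE = {**CAROL, (PEN_IETF, FORWARDING_ENABLED): struct.pack("!I", FWD_ENABLED)}

if __name__ == "__main__":
    print("carol:", run_exchange(CAROL, list(CAROL)))   # volunteers everything up-front
    print("dave: ", run_exchange(DAVE, []))             # must be asked first
```

carol is assessed in a single round because she volunteers all three attributes; dave needs a second round after the IMV's Attribute Request, and ends up non-compliant. In the real scenario the gateway maps those two Assessment Result values to the "rw-allow" and "rw-isolate" subnets; the PB-TNC batching, the PT-EAP transport and the EAP-TTLS tunnel around all of this are not modelled here.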