EAP-TNC SoH Health Attributes

Jouni Malinen j
Sat Dec 10 03:16:04 PST 2011

On Wed, Dec 07, 2011 at 10:31:06AM -0500, Francois Gaudreault wrote:
> On educational environments, we are seeing growing demands for SoH.  
> Endpoints that are not compliant with the "policy" are not allowed in.  
> It's working OK with Microsoft, but what you do for those having Linux 
> workstations?  This situation might be rare for large business, but in 
> universities or college, a lot of people prefer MacOSX/Linux over 
> Microsoft.  And you want to enforce the policy on Linux/MacOS as well.

Is there an expectation that network administrators use a reasonable
policy for Linux/OS X or this more likely just to workaround the
Microsoft-focused policy by providing whatever information it takes to
get connected?

> I know it is a Microsoft thing, but I believe Linux too has a firewall 
> (iptables), can have anti-spyware/anti-virus installed (clamav), etc.  I 
> believe we could in some way be able to write code to grab the state of 
> those software, and populate the proper attributes just the way 
> Microsoft do it with its dll.

I would not have anything against providing such capability in
wpa_supplicant (through an external program to actually get at least
some of the information). Some things like checking whether clamav is
installed does not sound very useful taken into account how it is
normally used on Linux, but well, I guess it is fine to provide the
information as long as the network administrators can handle information
with somewhat different rules.
Jouni Malinen                                            PGP id EFC895FA

More information about the Hostap mailing list