topic Re: Splunk Authentication with Radius Server in Other Admin

Splunk Authentication with Radius Server

Amira — Thu, 07 Nov 2024 05:00:00 GMT

We are experiencing issues configuring RADIUS authentication within Splunk. Despite following all required steps and configurations, authentication via RADIUS is not working as expected, and users are unable to authenticate through the RADIUS server.

- Installed radius client on splunk machine and configure the radiusclient.conf file with radius server data
- Updated the authentication.conf file located in $SPLUNK_HOME/etc/system/local/, as well as updates to web.confto support RADIUS authentication requests in Splunk Web.
- Used the radtest tool to validate the connection between the Splunk RADIUS client

- Monitored the Splunk authentication logs in $SPLUNK_HOME/var/log/splunk/splunkd.log to identify any errors, and consistently encountered the following error: Could not find [externalTwoFactorAuthSettings] in authentication stanza.
- Integrated radiusScripted.py to assist with RADIUS authentication, configuring it to work with the authentication settings.
It appears that Splunk is unable to successfully authenticate with the RADIUS server, with repeated errors indicating missing configuration stanzas or settings that are not recognized.

Environment Details:

Splunk Version: 9.1.5
Authentication Configuration Files: authentication.conf, web.conf
Additional Scripts: radiusScripted.py

Please advise on troubleshooting steps or configuration adjustments needed to resolve this issue. Any insights or documentation on RADIUS integration best practices with Splunk would be highly appreciated.

thanks

Re: Splunk Authentication with Radius Server

PickleRick — Thu, 07 Nov 2024 08:24:36 GMT

Splunk does not have native capability to authenticate users against RADIUS server. If you're using an external app (there is at least one on Splunkbase but it doesn't seem to be actively maintained), you probably have to either dig into the script code or try to contact the author. I don't suppose it's a very popular way of authentication with Splunk.

Re: Splunk Authentication with Radius Server

Amira — Sun, 10 Nov 2024 07:29:13 GMT

Thank you, Pickle for your response.

I attempted to follow the Splunk documentation below, which does not contain a lot of information; however, I attempted to change the configuration file "authentication.conf" with the stanza containing the radius information [IP secret port], as well as to use the python script and fill it with the necessary data, but with no success.
https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/ConfigureSplunkToUsePAMOrRADIUSAuthentication

I also tested my linux server's connectivity by installing the radius client and using the radtest function to examine the delivered request, but I received no response from the server.

So I'm looking for a trustworthy manual to follow, but I can't locate one, and I'm not sure if that program is available to use and test via.

Re: Splunk Authentication with Radius Server

PickleRick — Sun, 10 Nov 2024 09:25:52 GMT

Well, Splunk lets you use external script to use any not natively supported authentication scheme but it's up to you to implement it. RADIUS is here listed only as one of examples of authentication methods you could want to integrate this way but it's in no way a manual how to do so.

Re: Splunk Authentication with Radius Server

Amira — Sun, 10 Nov 2024 09:32:42 GMT

thank you Pickle, I now understand why it is not mentioned in details.

so it is a customized approach to use external methods.

Re: Splunk Authentication with Radius Server

Amira — Thu, 05 Dec 2024 05:43:15 GMT

Hi Pickle,

I wanted to update you that I made a mistake with the configuration in authentication.conf. Instead of defining a specific stanza for RADIUS, I should have used the [Scripted] stanza.

With this correction, the Python script is now working properly. It handles local authentication for dumped users and successfully authenticates one user via the script configured for RADIUS.

I’m now working on customizing the script further to directly authenticate users from RADIUS.

Thank you!