Does this give every valid RADIUS user access to the Splunk server and at what level?
We use Cisco ACS for TACACS and RADIUS service and we have all kinds of options on the ACS server for RADIUS attributes. Does the RADIUS authentication app pay any attention to that?
By default, successfully authenticated users are assigned the "user" role. However, this can be overridden by creating a vendor specific attribute with a name of "Vendor Specific" with a vendor code of "RADIUS standard" containing a string. Set the string to a colon separated list of roles (like "admin:can_delete"). The app should begin picking this up and assigning roles accordingly.
This was previously undocumented so I created a page detailing how to do this with IAS here: http://lukemurphey.net/projects/splunk-radius-auth/wiki/Configuring_Roles.
As of version 1.1, the setup screen allows users to specify which RADIUS attribute the app ought to use to load the user roles from (a comma or colon separated list). You can also specify the default roles that ought to be used if the RADIUS server doesn't specify them.
For the most part yes. You could do something special in your radius server to return Access-Denied status for some user/host combination if your server supports policy like that. In our case we defined a new Splunk role called 'nologin' which we can assign to radisu accounts the same way as any other Splunk role. Then we modified the Radius app to check for this role and deny access to any user that has it. (The idea was this would be an analogue of the .nologin file in the home directory behaviour of the UNIX/Linux login process.)
It's a three or four line hack in Splunk Radius app. Happy to share if there's any interest.