
Auth question

New Member

Does this give every valid RADIUS user access to the Splunk server and at what level?

We use Cisco ACS for TACACS and RADIUS service and we have all kinds of options on the ACS server for RADIUS attributes. Does the RADIUS authentication app pay any attention to that?


Re: Auth question

Champion

By default, successfully authenticated users are assigned the "user" role. However, this can be overridden by creating a vendor specific attribute with a name of "Vendor Specific" with a vendor code of "RADIUS standard" containing a string. Set the string to a colon separated list of roles (like "admin:can_delete"). The app should begin picking this up and assigning roles accordingly.

This was previously undocumented so I created a page detailing how to do this with IAS here: http://lukemurphey.net/projects/splunk-radius-auth/wiki/Configuring_Roles.


Re: Auth question

Champion

As of version 1.1, the setup screen allows users to specify which RADIUS attribute the app ought to use to load the user roles from (a comma or colon separated list). You can also specify the default roles that ought to be used if the RADIUS server doesn't specify them.


Re: Auth question

Explorer

For the most part yes. You could do something special in your RADIUS server to return Access-Denied status for some user/host combination if your server supports policy like that. In our case we defined a new Splunk role called 'nologin' which we can assign to RADIUS accounts the same way as any other Splunk role. Then we modified the RADIUS app to check for this role and deny access to any user that has it. (The idea was this would be an analogue of the .nologin file in the home directory behaviour of the UNIX/Linux login process.)

It's a three or four line hack in Splunk Radius app. Happy to share if there's any interest.

E.

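The role mapping described in the two replies above (a reply attribute carrying a colon- or comma-separated role list, a configurable attribute name, and default roles when the server sends none) together with the 'nologin' deny check from the last reply, as an added example. This is illustrative code written for this page, not the Splunk RADIUS auth app's own code nor the poster's patch. It assumes the Access-Accept has already been parsed into a plain dict mapping attribute name to a list of values (the shape a RADIUS client library typically hands back); the attribute name "Vendor-Specific", the `RoleConfig` fields and the sample replies are all constructed for the example.

```python
"""Map RADIUS reply attributes to Splunk roles and apply a 'nologin' deny rule.

Added example for this thread; not the RADIUS auth app's code. The reply
dict shape, attribute name and config field names are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class RoleConfig:
    # Which reply attribute carries the role list (assumed name, as the
    # 1.1 setup screen lets the admin choose it).
    roles_attribute: str = "Vendor-Specific"
    # Roles assigned when the server sends no role attribute at all.
    default_roles: tuple[str, ...] = ("user",)
    # A role whose presence means "authenticated, but not allowed to log in".
    deny_role: str = "nologin"


# Accept either separator, since the thread mentions both "admin:can_delete"
# and comma-separated lists.
_SEP = re.compile(r"[,:]")


def parse_role_list(value: str) -> list[str]:
    """Split 'admin:can_delete' or 'admin, can_delete' into clean role names.

    Blank entries are dropped and duplicates removed, order preserved.
    """
    roles: list[str] = []
    for part in _SEP.split(value):
        role = part.strip()
        if role and role not in roles:
            roles.append(role)
    return roles


def roles_from_reply(reply: dict[str, list], cfg: RoleConfig) -> list[str]:
    """Return the Splunk roles for an Access-Accept whose attributes are in `reply`.

    Falls back to cfg.default_roles when the attribute is missing or empty.
    """
    roles: list[str] = []
    for raw in reply.get(cfg.roles_attribute, []):
        # Some client libraries return attribute payloads as bytes.
        text = raw.decode("utf-8", errors="replace") if isinstance(raw, bytes) else str(raw)
        for role in parse_role_list(text):
            if role not in roles:
                roles.append(role)
    return roles if roles else list(cfg.default_roles)


@dataclass
class AuthDecision:
    allowed: bool
    roles: list[str] = field(default_factory=list)
    reason: str = ""


def decide(access_accepted: bool, reply: dict[str, list], cfg: RoleConfig) -> AuthDecision:
    """Combine the RADIUS result with the role rules.

    Access-Reject is always a failure; an accept that carries cfg.deny_role is
    turned into a failure too, which is the 'nologin' idea from the thread.
    """
    if not access_accepted:
        return AuthDecision(False, [], "RADIUS Access-Reject")
    roles = roles_from_reply(reply, cfg)
    if cfg.deny_role in roles:
        return AuthDecision(False, roles, f"user carries the {cfg.deny_role!r} role")
    return AuthDecision(True, roles, "ok")


if __name__ == "__main__":
    cfg = RoleConfig()
    # Constructed sample replies, not captured traffic.
    samples = {
        "no role attribute": {},
        "colon list": {"Vendor-Specific": ["admin:can_delete"]},
        "comma list as bytes": {"Vendor-Specific": [b"power, can_delete"]},
        "denied": {"Vendor-Specific": ["user:nologin"]},
    }
    for label, reply in samples.items():
        d = decide(True, reply, cfg)
        print(f"{label:22s} allowed={d.allowed} roles={d.roles} ({d.reason})")
```

The fallback to `default_roles` only triggers when the attribute is absent or contains nothing but separators and whitespace; a server that deliberately sends an empty role list therefore still yields the default "user" role rather than a user with no roles, which matches the behaviour the first reply describes.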