How to improve radius sample script to read Service-Type from radius response

mortenn_hapro_n
New Member

Hello,

I am currently integrating Splunk 6.0 with our Cisco ISE to handle authentication.
Rather than having a static user mapping list as the sample script suggests, I want to handle it over Radius.

For this purpose, I decided to go with the Service-Type Radius attribute.

I now have this:

root@Splunk1:/opt# radclient -s -r 2 ise.hapro.no auth xxxxxx

NAS-IP-Address="10.100.26.34",User-Name="xxxxx",User-Password="xxxxxxxxx"
Received response ID X, code 2, length = 125
User-Name = "xxxxx"
Service-Type = Administrative-User
State = xxxxxx
Class = xxxxxx

       Total approved auths:  1
         Total denied auths:  0
           Total lost auths:  0

Unfortunately, I do not know/like Python enough to fix the script to parse the Service-Type attribute and use that instead of the lookup it uses by default.

If someone would be kind enough to touch up the radiusScripted.py sample for me, I would be very grateful!

-- Cheers, Morten

0 Karma
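One way to read Service-Type out of a radclient reply and turn it into Splunk roles, as an added example that is not part of the original post or of Splunk's radiusScripted.py sample. The role mapping, the sample user name and the packet IDs are assumptions; the sample output is constructed from the radclient run shown in the question.

```python
import re

# Assumed mapping from Service-Type values to Splunk roles; adjust to your policy.
SERVICE_TYPE_ROLES = {
    "Administrative-User": ["admin"],
    "NAS-Prompt-User": ["user"],
}
ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept (RFC 2865)

_RESPONSE = re.compile(r"^Received response ID \d+, code (\d+), length = \d+", re.M)
_ATTRIBUTE = re.compile(r"^[ \t]*([A-Za-z0-9-]+) = (.+?)[ \t]*$", re.M)

# Constructed sample output, modelled on the radclient run in the post.
SAMPLE_ACCEPT = """Received response ID 17, code 2, length = 125
\tUser-Name = "alice"
\tService-Type = Administrative-User
\tState = 0x00
\tClass = 0x00

\t   Total approved auths:  1
"""
SAMPLE_REJECT = "Received response ID 18, code 3, length = 20\n"


def parse_radclient(output):
    """Return (packet_code, attributes) parsed from radclient's text output."""
    match = _RESPONSE.search(output)
    if match is None:
        return None, {}
    attrs = {}
    for name, value in _ATTRIBUTE.findall(output[match.end():]):
        attrs.setdefault(name, value.strip('"'))  # first occurrence wins
    return int(match.group(1)), attrs


def roles_for(output):
    """Roles for an accepted login; an empty list means deny (fail closed)."""
    code, attrs = parse_radclient(output)
    if code != ACCESS_ACCEPT:
        return []
    return list(SERVICE_TYPE_ROLES.get(attrs.get("Service-Type"), []))


if __name__ == "__main__":
    print(roles_for(SAMPLE_ACCEPT))
    print(roles_for(SAMPLE_REJECT))
```

A reply that is not an Access-Accept, or an accepted reply whose Service-Type is missing or unmapped, yields no roles, so a RADIUS policy change cannot silently grant Splunk access.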
1 Solution

LukeMurphey
Champion

Have you tried using the RADIUS authentication app? That app allows you to define an attribute which specifies the Splunk roles that the user ought to be assigned.

All you have to do is set up your RADIUS server with a vendor-specific attribute that defines the roles (comma separated) and then configure the Splunk RADIUS app accordingly (via the setup user interface).


0 Karma

mortenn_hapro_n
New Member

The issue was a leftover authentication.conf; after deleting that, enabling the radius authentication worked.

0 Karma

mortenn_hapro_n
New Member

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 581, in handleEdit
    self.configureAuthenticationScript(not disabled)
  File "/opt/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 201, in wrapper
    r = fx(self, *args, **kwargs)
  File "/opt/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 493, in configureAuthenticationScript
    entity.setEntity( en, sessionKey = self.getSessionKey() )

0 Karma

mortenn_hapro_n
New Member

Sure thing, we can do it on email - my username is my email, just replace the underscores.

0 Karma

LukeMurphey
Champion

I'm struggling to determine what is happening here. Do the logs have a stacktrace? Also, we can take this discussion to email too if you want.

0 Karma

LukeMurphey
Champion

I would love to get the details for configuring Cisco ISE. BTW: I'm researching that bug you found. As soon as I can get a repro, I'll fix it.

0 Karma

mortenn_hapro_n
New Member

Doing the search, I find this:
RESTException: [HTTP 409] [{'code': None, 'type': 'ERROR', 'text': "In handler 'Scripted-auth': The configuration 'radius_auth_script' already exists."}]

But I did erase the configuration file I added for the script. Is the restart after installing the app not enough, maybe?

I can provide you with details on how to configure Cisco ISE, if you want to update the wiki-page the app refers to, btw.

0 Karma

LukeMurphey
Champion

Sorry for the delay. What is the error message that you are seeing? Also, could you run a search for the following and let me know what errors you see? index=_internal sourcetype="radius_auth*"

0 Karma

mortenn_hapro_n
New Member

The error mentioned in my last comment only happens when I try to enable RADIUS authentication. I have been able to successfully configure and test the app. Any ideas as to what the problem could be?

0 Karma

mortenn_hapro_n
New Member

Thanks, I have been trying it out now, but I keep getting this message while configuring the app: Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/radius_auth/admin/radius_auth/default

0 Karma

LukeMurphey
Champion

I just tested it. The app works fine on Splunk 6.0. I'll update the app page to note that 6.0 is supported.

0 Karma

LukeMurphey
Champion

I think it will support 6.0 even though it isn't marked as such. I'll test it and verify that it works on 6.0 (or fix it if it doesn't).

0 Karma

mortenn_hapro_n
New Member

Unfortunately, that app does not support Splunk 6.0.

0 Karma