All Apps and Add-ons

How to improve radius sample script to read Service-Type from radius response

mortenn_hapro_n
New Member

Hello,

I am currently integrating Splunk 6.0 with our Cisco ISE to handle authentication.
Rather than having a static user mapping list as the sample script suggests, I want to handle it over Radius.

For this purpose, I decided to go with the Service-Type Radius attribute.

I now have this:

root@Splunk1:/opt# radclient -s -r 2 ise.hapro.no auth xxxxxx

NAS-IP-Address="10.100.26.34",User-Name="xxxxx",User-Password="xxxxxxxxx"
Received response ID X, code 2, length = 125
User-Name = "xxxxx"
Service-Type = Administrative-User
State = xxxxxx
Class = xxxxxx

       Total approved auths:  1
         Total denied auths:  0
           Total lost auths:  0

Unfortunately, I do not know/like python enough to fix the script to parse the Service-Type attribute and use that in stead of the lookup it uses by default.

If someone would be kind enough to touch up the radiusScripted.py sample for me, I would be very greatful!

-- Cheers, Morten

0 Karma
1 Solution

LukeMurphey
Champion

Have you tried using the RADIUS authentication app? That app allows you to define an attribute which specifies the roles that the Splunk roles that the user ought to be assigned.

All you have to do is setup your RADIUS server with an Vendor specific attribute that defines the roles (comma separated) and then configure the Splunk RADIUS app accordingly (via the setup user-interface).

View solution in original post

0 Karma

LukeMurphey
Champion

Have you tried using the RADIUS authentication app? That app allows you to define an attribute which specifies the roles that the Splunk roles that the user ought to be assigned.

All you have to do is setup your RADIUS server with an Vendor specific attribute that defines the roles (comma separated) and then configure the Splunk RADIUS app accordingly (via the setup user-interface).

0 Karma

mortenn_hapro_n
New Member

The issue was a leftover authentication.conf, after deleting that, enabling the radius authentication worked.

0 Karma

mortenn_hapro_n
New Member

Traceback (most recent call last):
File "/opt/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 581, in handleEdit self.configureAuthenticationScript(not disabled)
File "/opt/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 201, in wrapper r = fx(self, *args, **kwargs)
File "/opt/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 493, in configureAuthenticationScript entity.setEntity( en, sessionKey = self.getSessionKey() )

0 Karma

mortenn_hapro_n
New Member

Sure thing, we can do it on email - my username is my email, just replace the underscores..

0 Karma

LukeMurphey
Champion

I'm struggling to determine what is happening here. Do the logs have a stacktrace? Also, we can take this discussion to email too if you want.

0 Karma

LukeMurphey
Champion

I would love to get the details for configuring Cisco ISE. BTW: I'm researching that bug you found. As soon as I can get a repro, I'll fix it.

0 Karma

mortenn_hapro_n
New Member

Doing the search, I find this:
RESTException: [HTTP 409] [{'code': None, 'type': 'ERROR', 'text': "In handler 'Scripted-auth': The configuration 'radius_auth_script' already exists."}]

But I did erase the configuration file I added for the script.. is the restart after installing the app not enough, maybe?

I can provide you with details on how to configure Cisco ISE, if you want to update the wiki-page the app refers to, btw.

0 Karma

LukeMurphey
Champion

Sorry for the delay. What is the error message that you are seeing? Also, could you run a search for the following and let me know what errors you see? index=_internal sourcetype="radius_auth*"

0 Karma

mortenn_hapro_n
New Member

The error mentioned in my last comment only happens when I try to enable RADIUS authentication. I have been able to successfully configure and test the app. Any ideas as to what the problem could be?

0 Karma

mortenn_hapro_n
New Member

Thanks, I have been trying it out now, but I keep getting this message while configuring the app: Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/radius_auth/admin/radius_auth/default

0 Karma

LukeMurphey
Champion

I just tested it. The app works fine on Splunk 6.0. I'll update the app page to note that 6.0 is supported.

0 Karma

LukeMurphey
Champion

I think it will support 6.0 even though it isn't marked as such. I'll test it and verify that it works on 6.0 (or fix it if it doesn't).

0 Karma

mortenn_hapro_n
New Member

Unfortunately, that app does not support splunk 6.0..

0 Karma
Get Updates on the Splunk Community!

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...

New Splunk APM Enhancements Help Troubleshoot Your MySQL and NoSQL Databases Faster

Splunk Observability has two new enhancements to make it quicker and easier to troubleshoot slow or frequently ...