Hello,
I am currently integrating Splunk 6.0 with our Cisco ISE to handle authentication.
Rather than having a static user mapping list as the sample script suggests, I want to handle it over Radius.
For this purpose, I decided to go with the Service-Type Radius attribute.
I now have this:
root@Splunk1:/opt# radclient -s -r 2 ise.hapro.no auth xxxxxx
NAS-IP-Address="10.100.26.34",User-Name="xxxxx",User-Password="xxxxxxxxx"
Received response ID X, code 2, length = 125
User-Name = "xxxxx"
Service-Type = Administrative-User
State = xxxxxx
Class = xxxxxx
Total approved auths: 1
Total denied auths: 0
Total lost auths: 0
Unfortunately, I do not know/like Python enough to fix the script to parse the Service-Type attribute and use that instead of the lookup it uses by default.
If someone would be kind enough to touch up the radiusScripted.py sample for me, I would be very grateful!
-- Cheers, Morten
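One way to read Service-Type out of the radclient output shown in the question and turn it into Splunk roles, as an added example that is not part of the original thread or of Splunk's radiusScripted.py sample. The function names, the role mapping and the sample reply are assumptions constructed for illustration; the parser expects the "Received response ID ..., code N" header format shown above.

```python
import re

# Assumed mapping from RADIUS Service-Type values to Splunk roles; adjust to local policy.
SERVICE_TYPE_ROLES = {
    "Administrative-User": ["admin"],
    "NAS-Prompt-User": ["user"],
}
ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept (RFC 2865)

_CODE_RE = re.compile(r"^Received response ID \S+, code (\d+), length")
_ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

# Constructed sample reply in the format shown in the question (values are placeholders).
SAMPLE_ACCEPT = """Received response ID 17, code 2, length = 125
User-Name = "example-user"
Service-Type = Administrative-User
Total approved auths: 1
"""


def parse_radclient_reply(output):
    """Return (packet_code, attributes) parsed from radclient's text output."""
    code, attrs = None, {}
    for line in output.splitlines():
        m = _CODE_RE.match(line)
        if m:
            code = int(m.group(1))
            continue
        m = _ATTR_RE.match(line)
        # Only trust attributes printed after the reply header, so anything
        # echoed from the request itself is never treated as server-supplied.
        if m and code is not None:
            attrs[m.group(1)] = m.group(2).strip('"')
    return code, attrs


def roles_for_reply(output):
    """Map a reply to Splunk roles; a reject, a missing or an unmapped
    Service-Type all yield no roles (fail closed)."""
    code, attrs = parse_radclient_reply(output)
    if code != ACCESS_ACCEPT:
        return []
    return list(SERVICE_TYPE_ROLES.get(attrs.get("Service-Type"), []))


if __name__ == "__main__":
    print(roles_for_reply(SAMPLE_ACCEPT))
```

An empty role list should be treated by the calling script as an authentication failure rather than falling back to a default role.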
Have you tried using the RADIUS authentication app? That app allows you to define an attribute which specifies the Splunk roles that the user ought to be assigned.
All you have to do is set up your RADIUS server with a vendor-specific attribute that defines the roles (comma separated) and then configure the Splunk RADIUS app accordingly (via the setup user interface).
The issue was a leftover authentication.conf; after deleting that, enabling the RADIUS authentication worked.
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 581, in handleEdit
    self.configureAuthenticationScript(not disabled)
  File "/opt/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 201, in wrapper
    r = fx(self, *args, **kwargs)
  File "/opt/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 493, in configureAuthenticationScript
    entity.setEntity( en, sessionKey = self.getSessionKey() )
Sure thing, we can do it on email - my username is my email, just replace the underscores..
I'm struggling to determine what is happening here. Do the logs have a stacktrace? Also, we can take this discussion to email too if you want.
I would love to get the details for configuring Cisco ISE. BTW: I'm researching that bug you found. As soon as I can get a repro, I'll fix it.
Doing the search, I find this:
RESTException: [HTTP 409] [{'code': None, 'type': 'ERROR', 'text': "In handler 'Scripted-auth': The configuration 'radius_auth_script' already exists."}]
But I did erase the configuration file I added for the script.. is the restart after installing the app not enough, maybe?
I can provide you with details on how to configure Cisco ISE, if you want to update the wiki-page the app refers to, btw.
Sorry for the delay. What is the error message that you are seeing? Also, could you run a search for the following and let me know what errors you see? index=_internal sourcetype="radius_auth*"
The error mentioned in my last comment only happens when I try to enable RADIUS authentication. I have been able to successfully configure and test the app. Any ideas as to what the problem could be?
Thanks, I have been trying it out now, but I keep getting this message while configuring the app: Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/radius_auth/admin/radius_auth/default
I just tested it. The app works fine on Splunk 6.0. I'll update the app page to note that 6.0 is supported.
I think it will support 6.0 even though it isn't marked as such. I'll test it and verify that it works on 6.0 (or fix it if it doesn't).
Unfortunately, that app does not support Splunk 6.0..