How to improve radius sample script to read Service-Type from radius response

mortenn_hapro_n
New Member

Hello,

I am currently integrating Splunk 6.0 with our Cisco ISE to handle authentication.
Rather than having a static user mapping list as the sample script suggests, I want to handle it over Radius.

For this purpose, I decided to go with the Service-Type Radius attribute.

I now have this:

root@Splunk1:/opt# radclient -s -r 2 ise.hapro.no auth xxxxxx

NAS-IP-Address="10.100.26.34",User-Name="xxxxx",User-Password="xxxxxxxxx"
Received response ID X, code 2, length = 125
User-Name = "xxxxx"
Service-Type = Administrative-User
State = xxxxxx
Class = xxxxxx

       Total approved auths:  1
         Total denied auths:  0
           Total lost auths:  0

Unfortunately, I do not know/like python enough to fix the script to parse the Service-Type attribute and use that instead of the lookup it uses by default.

If someone would be kind enough to touch up the radiusScripted.py sample for me, I would be very grateful!

-- Cheers, Morten

0 Karma
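
One way to do what the question asks, as an added example (not part of the original post, and not code from Splunk or the RADIUS app): parse the radclient output, trust attributes only on an Access-Accept, and map Service-Type to roles, failing closed on anything unexpected. The role mapping and the sample output are constructed; the `--status`/`--userInfo` reply format is assumed from Splunk's scripted-authentication convention and should be checked against the sample script.

```python
import re

ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept (RFC 2865)

# Hypothetical policy: which Splunk roles each Service-Type value grants.
ROLE_MAP = {
    "Administrative-User": ["admin"],
    "NAS-Prompt-User": ["user"],
}

RESPONSE_RE = re.compile(r"^Received response ID \d+, code (\d+), length\s*=\s*\d+", re.M)
ATTR_RE = re.compile(r"^[ \t]*([A-Za-z0-9-]+)[ \t]*=[ \t]*(.+?)[ \t]*$", re.M)

# Constructed sample shaped like the radclient output quoted in the question.
SAMPLE_ACCEPT = (
    'Received response ID 17, code 2, length = 125\n'
    '\tUser-Name = "alice"\n'
    '\tService-Type = Administrative-User\n'
    '\n'
    '       Total approved auths:  1\n'
)

def parse_radclient(output):
    """Return (code, attrs) for the first response in the output, or (None, {})."""
    m = RESPONSE_RE.search(output)
    if not m:
        return None, {}
    attrs = {}
    # Only lines after the response header are reply attributes.
    for name, value in ATTR_RE.findall(output[m.end():]):
        attrs.setdefault(name, []).append(value.strip('"'))
    return int(m.group(1)), attrs

def roles_for(output):
    """Roles granted by the reply; empty unless it is an accept with one known Service-Type."""
    code, attrs = parse_radclient(output)
    service_types = attrs.get("Service-Type", [])
    if code != ACCESS_ACCEPT or len(service_types) != 1:
        return []
    return list(ROLE_MAP.get(service_types[0], []))

def user_info_line(username, roles):
    """Reply line for getUserInfo (assumed format); refuse users with no role or unsafe names."""
    if not roles or re.search(r"[;:\s]", username):
        return "--status=fail"
    return "--status=success --userInfo=;%s;;%s" % (username, ":".join(roles))
```
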
1 Solution

LukeMurphey
Champion

Have you tried using the RADIUS authentication app? That app allows you to define an attribute which specifies the Splunk roles that the user ought to be assigned.

All you have to do is set up your RADIUS server with a vendor-specific attribute that defines the roles (comma separated) and then configure the Splunk RADIUS app accordingly (via the setup user-interface).

0 Karma

mortenn_hapro_n
New Member

The issue was a leftover authentication.conf; after deleting that, enabling the radius authentication worked.

0 Karma

mortenn_hapro_n
New Member

Traceback (most recent call last):
  File "/opt/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 581, in handleEdit
    self.configureAuthenticationScript(not disabled)
  File "/opt/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 201, in wrapper
    r = fx(self, *args, **kwargs)
  File "/opt/splunk/etc/apps/radius_auth/bin/radius_auth_rest_handler.py", line 493, in configureAuthenticationScript
    entity.setEntity( en, sessionKey = self.getSessionKey() )

0 Karma

mortenn_hapro_n
New Member

Sure thing, we can do it on email - my username is my email, just replace the underscores..

0 Karma

LukeMurphey
Champion

I'm struggling to determine what is happening here. Do the logs have a stacktrace? Also, we can take this discussion to email too if you want.

0 Karma

LukeMurphey
Champion

I would love to get the details for configuring Cisco ISE. BTW: I'm researching that bug you found. As soon as I can get a repro, I'll fix it.

0 Karma

mortenn_hapro_n
New Member

Doing the search, I find this:
RESTException: [HTTP 409] [{'code': None, 'type': 'ERROR', 'text': "In handler 'Scripted-auth': The configuration 'radius_auth_script' already exists."}]

But I did erase the configuration file I added for the script.. is the restart after installing the app not enough, maybe?

I can provide you with details on how to configure Cisco ISE, if you want to update the wiki-page the app refers to, btw.

0 Karma

LukeMurphey
Champion

Sorry for the delay. What is the error message that you are seeing? Also, could you run a search for the following and let me know what errors you see? index=_internal sourcetype="radius_auth*"

0 Karma

mortenn_hapro_n
New Member

The error mentioned in my last comment only happens when I try to enable RADIUS authentication. I have been able to successfully configure and test the app. Any ideas as to what the problem could be?

0 Karma

mortenn_hapro_n
New Member

Thanks, I have been trying it out now, but I keep getting this message while configuring the app: Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/radius_auth/admin/radius_auth/default

0 Karma

LukeMurphey
Champion

I just tested it. The app works fine on Splunk 6.0. I'll update the app page to note that 6.0 is supported.

0 Karma

LukeMurphey
Champion

I think it will support 6.0 even though it isn't marked as such. I'll test it and verify that it works on 6.0 (or fix it if it doesn't).

0 Karma

mortenn_hapro_n
New Member

Unfortunately, that app does not support splunk 6.0..

0 Karma