Splunk Authentication with Radius Server

Amira
Explorer

We are experiencing issues configuring RADIUS authentication within Splunk. Despite following all required steps and configurations, authentication via RADIUS is not working as expected, and users are unable to authenticate through the RADIUS server.

- Installed the RADIUS client on the Splunk machine and configured the radiusclient.conf file with the RADIUS server data.
- Updated the authentication.conf file located in $SPLUNK_HOME/etc/system/local/, as well as updating web.conf to support RADIUS authentication requests in Splunk Web.
- Used the radtest tool to validate the connection between the Splunk RADIUS client
- Monitored the Splunk authentication logs in $SPLUNK_HOME/var/log/splunk/splunkd.log to identify any errors, and consistently encountered the following error: Could not find [externalTwoFactorAuthSettings] in authentication stanza.
- Integrated radiusScripted.py to assist with RADIUS authentication, configuring it to work with the authentication settings.

It appears that Splunk is unable to successfully authenticate with the RADIUS server, with repeated errors indicating missing configuration stanzas or settings that are not recognized.

Environment Details:

  • Splunk Version: 9.1.5
  • Authentication Configuration Files: authentication.conf, web.conf
  • Additional Scripts: radiusScripted.py

Please advise on troubleshooting steps or configuration adjustments needed to resolve this issue. Any insights or documentation on RADIUS integration best practices with Splunk would be highly appreciated.

Thanks

0 Karma

PickleRick
SplunkTrust

Splunk does not have native capability to authenticate users against RADIUS server. If you're using an external app (there is at least one on Splunkbase but it doesn't seem to be actively maintained), you probably have to either dig into the script code or try to contact the author. I don't suppose it's a very popular way of authentication with Splunk.

0 Karma

Amira
Explorer

Thank you, Pickle, for your response.

I attempted to follow the Splunk documentation below, which does not contain much information; however, I attempted to change the configuration file "authentication.conf" with a stanza containing the RADIUS information [IP secret port], as well as to use the Python script and fill it with the necessary data, but with no success.
https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/ConfigureSplunkToUsePAMOrRADIUSAuthentic...

I also tested my Linux server's connectivity by installing the RADIUS client and using the radtest function to examine the delivered request, but I received no response from the server.

So I'm looking for a trustworthy manual to follow, but I can't locate one, and I'm not sure if that program is available to use and test via.

0 Karma

PickleRick
SplunkTrust

Well, Splunk lets you use an external script to use any authentication scheme that is not natively supported, but it's up to you to implement it. RADIUS is listed here only as one example of the authentication methods you could want to integrate this way, but it's in no way a manual on how to do so.

0 Karma

Amira
Explorer

Hi Pickle,

I wanted to update you that I made a mistake with the configuration in authentication.conf. Instead of defining a specific stanza for RADIUS, I should have used the [Scripted] stanza.

With this correction, the Python script is now working properly. It handles local authentication for dumped users and successfully authenticates one user via the script configured for RADIUS.

I’m now working on customizing the script further to directly authenticate users from RADIUS.

Thank you!

0 Karma
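As an added illustration of the contract the [Scripted] approach relies on (this is example code, not Amira's script and not Splunk's sample radiusScripted.py): Splunk runs the script with the command name as its argument, writes the request as --key=value tokens on stdin, and reads a --status line back. The command names, input tokens and output format below follow Splunk's scripted authentication API as I recall it and are assumptions here; the RADIUS call itself is replaced with a constructed in-memory directory so the block runs offline.

```python
import hmac
import shlex
import sys

# Assumed invocation: <script> <command>, with the request arguments on stdin as
# whitespace-separated --key=value tokens (e.g. "--username=alice --password=x").
SUCCESS = "--status=success"
FAILED = "--status=fail"

# Constructed sample directory standing in for the RADIUS-backed user store.
# A real script would send an Access-Request to the RADIUS server instead.
DIRECTORY = {
    "alice": {"password": "alice-pw", "realname": "Alice Example", "roles": ["user"]},
    "bob": {"password": "bob-pw", "realname": "Bob Example", "roles": ["admin", "user"]},
}

def parse_args(text):
    """Turn '--username=alice --password=x' into {'username': 'alice', 'password': 'x'}."""
    args = {}
    for token in shlex.split(text):
        if token.startswith("--") and "=" in token:
            key, value = token[2:].split("=", 1)
            args[key] = value
    return args

def user_info(name, entry):
    # Assumed format: --userInfo=<userId>;<username>;<realname>;<role1>:<role2>
    return "--userInfo=%s;%s;%s;%s" % (name, name, entry["realname"], ":".join(entry["roles"]))

def authenticate(username, password, directory=DIRECTORY):
    """Stand-in for the RADIUS round trip; constant-time compare against the sample store."""
    entry = directory.get(username)
    return entry is not None and hmac.compare_digest(entry["password"], password)

def handle(command, args, directory=DIRECTORY):
    """Dispatch one scripted-auth command and return the line Splunk reads from stdout."""
    if command == "userLogin":
        ok = authenticate(args.get("username", ""), args.get("password", ""), directory)
        return SUCCESS if ok else FAILED
    if command == "getUserInfo":
        name = args.get("username", "")
        entry = directory.get(name)
        return (SUCCESS + " " + user_info(name, entry)) if entry else FAILED
    if command == "getUsers":
        return " ".join([SUCCESS] + [user_info(n, e) for n, e in directory.items()])
    return FAILED  # unknown command; getSearchFilter is deliberately not implemented here

if __name__ == "__main__":
    cmd = sys.argv[1] if len(sys.argv) > 1 else ""
    print(handle(cmd, parse_args(sys.stdin.read())))
```

A failed lookup and an unknown command both yield --status=fail, so a misconfigured stanza name surfaces as a login failure in splunkd.log rather than a traceback.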

Amira
Explorer

Thank you, Pickle. I now understand why it is not mentioned in detail.

So it is a customized approach to using external methods.

0 Karma