WE performed a test this morning with DUO\SPLUNK and it worked fine, however it also forced our local splunk accounts to use DUO. We are also not sure on how this would impact those local accounts that are used in scripts that access the API.
Is there a way around this or is it all or nothing?
so these docs are great, however I already had DUO setup, the issue I ran into is that built in ADMIN account when logging on the UI is also pushed through 2 factor auth. We use Active directory, which that account is not part of. So I was actually looking to see if there was a configuration setting that allowed certain ID's to bypass 2 factor?
I also use the API from C# and Python, so not sure if that uses the same auth method or not.
I haven't used DUO with Splunk yet, but have used DUO as additional protection for SSH logins.
There, you could exclude certain user accounts, or source IPs from having to use the DUO two-factor.
It was simply available in the DUO admin interface on their website - look for something like bypass.
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂